Internal investigations continue to be a crucial part of a robust compliance management system. Short messages exchanged on smartphones have become a significant source for internal as well as external investigations. The Austrian prosecution authority understands that screening smartphones is close to “manna from heaven” for any investigator. This Market Snapshot reports on two important developments in Austria: a constitutional court decision requiring a significant change of the law, and the impact of the newly implemented law for the protection of whistleblowers.
Landmark Decision for Seizure of Smartphones
In December 2023, the Austrian Constitutional Court rendered a landmark decision for the rule of law and respect of human rights, annulling the previously-controlling rule in connection with the seizure of smartphones and turning the – now unlawful – practice upside down.
Heretofore, the seizure of objects did not require authorization from a court, but only an order from the public prosecutor’s office, whereas a house search required the court’s prior approval. As one smartphone contains likely more sensitive data than a typical house search could produce, the practice of the prosecution authority to seize smartphones without court approval was successfully challenged before the Constitutional Court and declared unconstitutional. By the end of 2024, the relevant pre-existing provisions will be annulled.
In its ruling, the Austrian Constitutional Court ordered that a new regulation must include judicial authorization for the seizure of smartphones and similar data carriers and that the processing of data must be limited to specific data categories. According to statements by the government, the new regulation is planned to become effective within the set deadline, perhaps even sooner.
Protection of Whistleblowers Affecting Internal Investigations
Companies having more than 50 employees should be alert: a new law for the protection of whistleblowers came into force in Austria (HinweisgeberInnenschutzgesetz – the HSchG), finally implementing the respective EU Whistleblower Directive. After significant public criticism, Austria mainly satisfied the directive and did not go beyond it. For example, the new law is restricted to implicating only the 66 European laws specified in the directive.
The HSchG prescribes requirements for establishing Austria’s whistleblower reporting system which are in line with the EU Whistleblower Directive. Inter alia, the requirements are now set for companies’ internal investigations: (1) Companies having more than 50 employees must establish an internal body to process whistleblower reports – with the necessary financial and human resources to operate. The internal body must be planned, organized, and operated in a secure manner so that the confidentiality of the identity of the whistleblower and third parties mentioned is protected. (2) The internal body is bound by a strict confidentiality regime. The identity of the whistleblower must be protected by the internal body and kept confidential within the company, including management. The identity may only be disclosed with the consent of the whistleblower or if ordered by an administrative authority, court, or the public prosecutor’s office. (3) The internal body must investigate in an impartial and unbiased manner. (4) No later than three months after receiving a whistleblower’s report, the internal body must inform the whistleblower of follow-up measures taken or intended to be taken, or if the investigation has been terminated, the reasons why.
In accordance with the HSchG, a company can assign the duties of the internal body to a joint body. Third parties, such as outside counsel, may also be entrusted to carry out the tasks of the internal body. In such cases, the safeguards and requirements for the internal body apply equally to the joint body or third party so engaged.
The HSchG contains no restrictions with regard to group-wide bodies for the operation of the reporting system. However, considerable practical challenges, such as maintaining confidentiality and documentation requirements, need to be mastered. If the technical solution allows the assignment of rights by the third party only, a group-wide system is feasible. As always, it is advisable to consider the latest interpretations by the EU Commission.
By Bettina Knoetzl, Partner, KNOETZL
This article was originally published in Issue 11.2 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.