Germany Federal Council Rejects Draft Whistleblowing Protection Act

德国否决《吹哨人保护法》草案

The Federal Council announced, on 10 February 2023, its decision to reject the draft Whistleblowing Protection Act (“HinSchG”), following its adoption by the Parliment, on 16 December 2022. In particular, the Federal Council noted that the Federal Government and the German Parliament now have the option of calling a mediation committee to discuss a compromise with the federal states.

2023年2月10日，德国联邦委员会宣布否决德国议会于2022年12月6日通过的《吹哨人保护法》草案。联邦委员会特别指出，联邦政府和议会现在可以选择召集调解委员会，与联邦各州讨论一个折中方案。

The law would have seen companies with 50 or more employees obliged to establish a mechanism by which whistleblowers could reveal problems or criminal activity without fear of reprisals. The main point of criticism was the high economic burden on small and medium-sized enterprises in economically difficult times. The representatives from Hesse and Bavaria criticized, among other things, the overly broad scope of the law, which would go far beyond the EU requirements. Furthermore, the required option of anonymous whistleblowing would mean that IT-based solutions would have to be introduced, which would result in further costs for the companies. The possible fine of up to 20,000 euros for failure to introduce an internal reporting channel also met with resistance, as such a consequence is not required by the EU directive.

该法草案规定，拥有50名及以上雇员的公司有义务建立一个机制，使举报人可以在不担心报复的情况下揭露存在的问题或犯罪活动。对该《吹哨人保护法》草案的批评主要是，在经济困难时期，这给中小企业带来过重的经济负担。来自黑森州和巴伐利亚州的代表批评了这项法律的适用范围过于宽泛，远远超出了欧盟的要求。此外，必须设置匿名举报选项将意味着企业应提供以IT技术为基础的举报渠道，这将导致公司运营成本增加。有关于未能引入内部报告渠道可能会被处以高达2万欧元罚款的规定也遭到了抵制，因为欧盟指令并未要求处以如此高额的罚款。

CJEU Issues Preliminarily Ruling on DPO Dismissal

欧盟法院作出解雇数据保护官的裁决

The Court of Justice of the European Union (“CJEU”) issued, on 9 February 2023, a preliminary ruling in Case C‑453/21 X-FAB Dresden GmbH & Co. KG v FC, following a request submitted by the German Federal Labor Court (“Labor Court”) concerning Articles 38(3) and 38(6) of the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”). In particular, the preliminary ruling outlines that the request by the Labor Court was submitted in relation to the dismissal of an employee of X-FAB from the position of data protection officer (“DPO”).

应德国联邦劳动法院就《通用数据保护条例》（欧盟第2016/679号条例）第38条第3款和第6款提起的请求，欧盟法院于2023年2月9日对X-FAB Dresden GmbH& Co. KG诉FC案（第C-453/21号案）做出初步裁决。该裁决特别指出，劳动法院提起的请求是关于X-FAB公司解雇一名数据保护官的。

The CJEU ruled that the second sentence of Article 38(3) of the GDPR does not preclude national legislation, so as to provide that a controller or a processor may dismiss an internal DPO solely where there is just cause, even if the dismissal is not related to the performance of that DPO's tasks, in so far as such legislation does not undermine the achievement of the objectives of the GDPR.

欧盟法院裁定，《通用数据保护条例》第38条第3款的第二句并不排除国家立法的效力。只要这种立法不损害《通用数据保护条例》目标的实现，即使解雇的理由与数据保护官的工作无关，数据控制者或数据处理者也可依据正当理由解雇公司内部的数据保护官。

工信部通报46款违规APP

2023年2月8日，工信部发布2023年第一批关于侵害用户权益行为的APP（SDK）通报。该通报指出，依据《个人信息保护法》《网络安全法》《电信条例》《电信和互联网用户个人信息保护规定》等法律法规，工信部组织第三方检测机构，对群众关注的生活服务类移动互联网应用程序（APP）及第三方软件开发工具包（SDK）进行检查。

结果显示，共计46款APP及SDK存在侵害用户权益行为。其中，APP为40款，SDK为6款。对此，工信部要求相关APP及SDK应在2023年2月15日前完成整改落实工作。逾期不整改的，工信部将依法依规组织开展相关处置工作。