With increasing digitisation, the risk of compliance violations is also growing
As the number of vaccinations increases and the number of infections continues to decrease, it is time to come to terms with the crisis and structure New Work. Risks that were previously accepted may now no longer be acceptable. Companies suspect that problems exist. This has been shown by a survey by Deloitte ("The future of compliance 2020 - higher risk of future violations"). However, the risks expected according to the study do not cover all of the actual compliance risks. This article offers a first interdisciplinary overview of the compliance risks triggered by the pandemic and increasing digitisation, especially through the home office and the like. The risks necessitate an adjustment of existing compliance management systems.
1. HR compliance
1.1 Home office in Germany - unrecognised insurance gaps in the statutory accident insurance
Work from a home office creates problems in terms of insurance law due to the mixing of private and professional spheres.
The statutory accident insurance in Germany only covers accidental damage if it is in a work-related context. When working from the home office, insurance gaps can already occur on the way to the coffee machine or the toilet as well as on the way to the day-care centre or school. The Regional Social Court [Landessozialgericht - LSG] of North Rhine-Westphalia established in its ruling of 9 November 2020 (docket No. L 17 U 7487/19) that an employee who injures himself on the way to his study to start home-office work does not enjoy insurance protection under the statutory accident insurance. There is also no statutory accident insurance cover for work interruptions, such as to help with homework in-between or to pick up a child from day-care. According to the case law of the Federal Social Court, the decisive factor in the individual case is whether the employee subjectively wanted to perform an action for work-related purposes that, judged objectively, serves the business operations. Company liability insurance also regularly only covers accidents within the company's own premises. If the employee is located elsewhere, the company liability insurance does not cover an accident.
Employers are at risk of becoming involved in legal disputes in the event of existing insurance gaps, as the distinction between an employment activity performed for one’s own economic purposes and an occupational accident in the context of mobile work is particularly contentious issue. Here, under certain circumstances one should consider extending the company liability insurance in order to avoid further risks. The draft law on mobile work of the German Federal Ministry of Labour and Social Affairs [Bundesministerium für Arbeit und Soziales – BMAS] (October 2020), was, among other things, to close the above-mentioned insurance gaps. However, since the law was stopped, it remains to be seen to what extent the legislator will become active here in the future.
1.2 Mobile work abroad
Many employers are not currently questioning from where their employees are presently "remotely” performing their work. If, for example, employees perform their work in border regions from another member state (because they may have a holiday home or acquaintances there), there is a risk that reporting obligations, social security and tax regulations are not being complied with or that they do not carry the necessary documents with them. It was not uncommon for employees to move their home offices abroad arbitrarily during the pandemic.
1.2.1 Occupational health and safety provisions - more favourable work provisions, overriding mandatory provisions
Working from another country results in the application of the mandatory public law employment provisions there in accordance with § 9 Rome I Regulation. This includes, in particular, the maximum permissible working hours and the applicable health and safety provisions at the location.
1.2.2 Proof of the applicable social security legislation - A1 certificate
If an employee carries out his employment activity in another country, he must provide social security certificates there. An exception to this can be regulated in European Regulation on the Coordination of Social Security Systems, Regulation (EC) 883/2004 or in social security agreements. The obligation to provide proof exists from the first day of the employment activity. In the event of an inspection of employees abroad, the employees must produce a certificate confirming the applicability of German social security law (so-called A1 certificate). This will often be lacking, as the employer has to apply for it but is unlikely to be aware of the employee's own chosen place of work during the pandemic. Failure to carry the A1 certificate can result in fines for the employer. In France and Austria in particular, there have already been increased inspections in this respect.
1.2.3 Double social security liability
If employees reside in a non-EU country, they may be liable to pay contributions twice if the insurance systems are not coordinated by social security agreements. One must check in the individual case whether a social security agreement exists between Germany and the place where the employee performs his employment activity and, insofar as such an agreement exists, which branches of social security the agreement regulates. Often, the agreements do not cover all branches. If there is no social security agreement or if it does not refer to a branch of the German social security system, there may be a double obligation to pay contributions. If the employer does not pay into the foreign social security system due to ignorance of the employee's whereabouts, the employer could face fines.
1.2.4 Health insurance
If an employee resides in a non-EU country and requires medical assistance there, the employer is obliged to provide benefits in kind in accordance with § 17 (1) German Social Code Book V [Sozialgesetzbuch V - SGB V]. The employee's claim against the health insurance company, on the other hand, is suspended during his time abroad, § 16 SGB V. Although the employer can have the costs reimbursed by the health insurance company, the reimbursement is limited to the amount that would have been paid by the health insurance company in Germany. If the employer pays more, then it bears the financial burden.
1.2.5 Reporting obligations abroad
Not only for employment activities in non-EU countries, but also within the EU, are employees obliged to carry certificates or to register with national authorities (e.g. in Belgium the so-called Limosa-1 registration). Within the EU, the permissibility of checking these requirements follows from the Directive Implementing the Posting of Workers Directive. Posting within the meaning of the Directive also applies to short-term employment activities. France, for example, stipulates that employers must designate a contact person in the country. Once again, breaches are penalised with fines.
1.2.6 Right of residence and sanctions for negligent ignorance
If employees reside outside Europe during the pandemic, possibly in order to combine home office with life in a foreign country, a tourist visa is regularly not enough because it does not include a work permit. In the absence of an admissible residence title and if the employer can be accused of negligent ignorance, the employer is liable to sanctions.
1.2.7 Exclusion from public contracts
Violations of social security law, tax law and reporting requirements are sanctioned in some countries with an exclusion from public contracts for a certain period. The sanction applies not only to intentional violations, but also to employee violations of which the employer was negligently ignorant.
1.2.8 Compliance with working time legislation
Compliance risks under working time law also continue to exist when working from a home office. The employer should set clear guidelines in this respect, monitor them and, according to the current legal situation, at least document the overtime. It is also important that employers monitor when the ECJ's working time requirements become transposed into national law. Member states will then have to require employers to introduce an objective, reliable and accessible system for recording daily working time.
2. Tax compliance
2.1 Double taxation, 183-day rule
In an international context, taxation rights are allocated on the basis of double taxation agreements (DTAs). These provide that the right of taxation in case of income from employment (wages) lies with the state in which the employee is resident. However, if the employee also carries out his employment activity in another country, this country also has a right of taxation. An exception to this is the so-called "183-day rule". This provides that the right of taxation remains with the country of the employee’s residence if he has not spent more than 183 days in the other country. Insofar, some DTAs do not take the duration of the stay as the basis, but the duration of the employment activity carried out in the other country (e.g. in Denmark and Belgium).
The corona pandemic has persisted for over a year now, and some companies are even looking proactively allowing their employees mobile work until the end of 2021. Therefore, one cannot exclude the possibility that employees will have already spent more than 183 days working from abroad or may have even transferred their residence abroad in the legal sense. The employee's employment activity abroad may thus entail the risk of double taxation. This is due to the fact that, if the derogation does not apply and the employee works both in his country of residence and in another country, the taxation right/base has to be divided between the countries. This would entail tax obligations on the part of the employer and possibly the employee abroad (possible registration, registration of a wage account and payment of income tax).
2.2 Risk of establishing a foreign permanent establishment
In addition, there is a risk that employees who perform their work from abroad for a long-term basis during the pandemic might possibly establish a foreign permanent establishment for the German company. This could lead, among other things, to a taxation obligation on the company's profits abroad. Insofar, there are already considerations at an international level to regard the home office as a permanent establishment if the employee is not provided with a workplace or if he regularly or continuously uses the home office (abroad) on the instructions of the company. Moreover, employees could establish an agency permanent establishment if they are authorised to conclude contracts on behalf of the company and habitually exercise this authority "in the other country". Even preparatory acts may be sufficient here. According to recent case law, the principles of the agency permanent establishment also apply to corporate bodies and persons with management functions. If a permanent establishment is established in the other country, tax registration in the other country would be required and, in addition, the fulfilment of further obligations (including record-keeping and tax declaration obligations, accounting, profit deferral and the pro rata taxation of company profits).
3. Data protection compliance
3.1 Data security - "cyber security”
Data security is not an isolated topic, but should be seen in the context of preventing digital blackmail. Risks arise through the possibly careless handling of data and documents by employees in the home office. Confidential and personal data might be stored on private devices and private clouds or inadequately secured. Points of attack also exist via the WLAN network, the router or inadequate protection software on private computers. If a home computer is infected with malware and third parties are able to take control of this PC, they effectively also have access to the company's internal data.
Another risk exists where employees do not block their access in the home environment during short periods of absence. There is a risk that unauthorised persons, including flatmates, may gain knowledge of the data.
3.2 Video conferencing
Video conferencing and digital tools for voting have made strong inroads into everyday work as a result of the corona pandemic. The security of such software needs to be monitored. Video conferences in which personal or confidential data are discussed should not be used without access protection. Data protection issues in video conferencing have received little attention lately. However, the shift in the data protection authorities’ wait-and-see approach is evident from a renewed statement made by the data protection commissioners on software solutions and an announcement by Mecklenburg-Western Pomerania's data protection commissioner. The latter is said to have announced that "players at federal state level will be asked over the next few months which video conferencing solutions are being used on which legal basis and how they are technically secured". If the responses are inadequate, the intention is to use the remedial powers under Article 58 (2) GDPR, which provide for a range of sanctions from simple warnings to fines."
3.3 General requirements of the GDPR
Furthermore, companies must also ensure that they comply with the requirements of the GDPR during the corona pandemic. Booking.com was recently fined EUR 475,000 for breaching the obligation to report data breaches within 72 hours (Article 33 GDPR). Even the failure to take the necessary technical and organisational measures can result in a substantial fine (Article 83 (4)(a) in conjunction with Article 32 GDPR).
4. Obstacles to the detection of criminal offences / internal investigations
To date, it has been possible to conduct internal investigations in the company by inspecting the physical documents and investigating the devices located in the company. These established processes are based on the fact that employees are present in the company, IT devices are located in the company and all physical documents are stored on the employer's premises. In case of home offices, the investigation is confronted with the problem of the regularly missing right of access to domestic workplaces, which enjoy the protection of Article 13 German Constitution [Grundgesetz - GG]. Even in the case of a contractually regulated right of access, access is not permitted without restriction and in particular, not surprisingly, without notice, so that the purpose of a local control can hardly be achieved.
Insofar as private devices are used, the employer cannot demand that such devices be surrendered on grounds of its right of ownership. The release of documents is subject to the condition that the employer is aware of their existence in the first place. Even the formulation of judicial applications that sufficiently comply with the principle of specificity can therefore cause problems in practice.
Digital monitoring is only possible under the reservation of data protection. "Screenshot monitoring", "keylogger" and "time tracking" applications are topics of discussion. In terms of data protection law, the use of such measures, to the extent even permissible in the specific case, requires that the employee be informed in accordance with Article 13 (1) GDPR.
Technically, internal investigations face the problem of the sheer volume of data. Ideally, one should consider at an early stage how the amount of data produced by the home office can be backed up and inspected without the need for outside help.
5. Antitrust compliance
5.1 Cooperation with competitors during and after the corona pandemic
During the corona crisis, there was or is an increased need for many companies to cooperate more closely with competitors, e.g. in the context of purchasing cooperations, production cooperations and marketing cooperations, etc. This allows costs to be reduced and resources to be used more effectively. Antitrust authorities around the world have recognised this need and therefore applied antitrust rules for cooperation with competitors much more flexibly than usual during the pandemic. This allowed cooperation between competitors that would otherwise have been prohibited by antitrust law. However, this "crisis benchmark" is temporary. Permissible cooperations that were agreed during the pandemic could therefore "slide" into inadmissibility. Companies should therefore review cooperations entered into with competitors during the corona crisis as to their admissibility under antitrust law in good time. In case of doubt, the contracts will have to be structurally adapted to the antitrust rules for the period after corona and, in the worst case, they may even have to be terminated.
5.2 Preventive antitrust compliance for the time after corona
In times of crisis, the number of cartels usually increases significantly; economically difficult times are - wrongly - still widely regarded as a justification for cartel agreements. In addition, working from a home office can encourage contact with competitors in violation of antitrust law because employees feel less observed and monitored. In addition, many antitrust authorities suspended or severely limited antitrust enforcement during the pandemic.
The authorities are expected to resume cartel prosecution as infection figures decline. By this time at the latest, the risk of detection of cartels will increase significantly. Companies should therefore already optimise their preventive antitrust compliance today and, in case of doubt, more closely inspect some of their transactions from the period during the pandemic.
6. Export control compliance
If employees move their home office abroad, export control problems may arise if employees need export-controlled technical documents (technology/ tech data) for their work. Their (physical) transport to the foreign location may be subject to approval, as may be the dial-up to the employer's server from abroad. In the case of dual-use technology, this problem particularly arises for locations in non-EU member states; in the case of defence-related technology, it arises for any location outside Germany.
The aforesaid compliance risks, which were either first triggered or increased by the corona pandemic and the associated digitisation, therefore necessitate adjustments to existing compliance management systems in order to minimise liability risks.