Comprehensive product compliance can generally only be achieved by means of a centrally controlled and well-organised compliance management system. For this reason, it has traditionally been an executive matter. In the past, however, if a company’s top management failed to integrate such a system properly into the corporate structure and, as a result, the company was fined for violating the requirements under product safety law, this regularly led to the question of whether and how the company could hold its managing directors liable internally. To a lesser extent, this also applied to other people in management positions.
While most lower courts – just recently, for example, the 6th Cartel Senate of the Düsseldorf Higher Regional Court (case no.: VI-6 U 1/22 (Kart), cf. in this respect the discussion of said decision by our colleagues Dr Sebastian Janka and Martin Lawall in the Luther blog) – deny companies the right to recover administrative fines in such circumstances, the Dortmund Regional Court expressed not long ago, in its decision of 21 June 2023 (case no.: 8 O 5/22), its preliminary legal opinion that such recourse could come into consideration. The draft bill implementing the Network and Information Security 2.0 Directive (NIS 2 Directive) also states clearly that the liability of managing directors provided for therein includes liability for administrative fines.
There are, hence, current endeavours by both judiciary and legislature to make managing directors personally liable internally for corporate fines. In the following, we will start by giving a general description of the problem (2.) and then go on to discuss the line of reasoning followed by the current proponents of managing directors’ liability (3.) before setting out the consequences for product-related law in practice (4.).
Intentional violations of compliance obligations are generally classified as administrative offences by the laws applicable in the particular case and are thus subject to administrative fines. The amount of these fines has deliberately been set high, especially at Union level, in order to ensure that large companies, too, are actually bound by the law, by preventing them from buying their way out of the statutory obligations. In some cases, fixed (absolute) amounts have been stipulated in this context: the German Product Safety Act and the German Market Surveillance Act, for example, provide for administrative fines of up to EUR 100,000, depending on the kind of violation. In other cases, a relative scale has been chosen: the German Act incorporating the NIS 2 Directive into national law, for example, provides for administrative fines of up to 2% of worldwide annual turnover (not profit!). Under the Draft AI Regulation, the upper limit of the scale of fines is even as high as 6% of worldwide annual turnover, pursuant to Article 71. Even the largest companies cannot afford, and do not want, to incur an administrative fine in this amount. As a result, especially in cases where the scale of fines is determined in relative terms, particularly stringent requirements for product compliance should be defined.
One of the central tasks of any company’s management is, therefore, to organise, structure and optimise the company in such a manner as to ensure that it acts in compliance with the applicable statutory provisions. In addition to observing the general obligation to comply with statutory obligations (obligation of lawful conduct), a company’s management is also required to ensure that the individual employees, too, act in a lawful manner (obligation to monitor lawful conduct). For the purposes of stricter monitoring of compliance with these obligations, the German legislator has not only significantly increased the investigative powers vested in market surveillance authorities under the German Market Surveillance Act, but has also enacted a new Whistleblower Protection Act which is intended to give whistleblowers the opportunity to uncover internal compliance violations and other maladministration with as little risk as possible.
If a managing director violates any of his or her (product-related) obligations, this raises the question of whether the company can hold the managing director liable internally for the administrative fine to be paid. While the prevailing opinion denies companies the right to recover administrative fines, as has already been stated, there is now a case, following the decision of the Dortmund Regional Court, in which it has been considered possible for a company to recover fines from managing directors. As a consequence, the latter, in addition to having a general interest in managing the company properly and efficiently, now also have a stronger personal interest in ensuring product compliance and avoiding any liability of the company for product defects.
The Dortmund Regional Court, in its decision of 21 June 2023 (case no.: 8 O 5/22), expressed its preliminary legal opinion that a managing director’s liability for administrative fines incurred, and sought to be recovered, by the company must be affirmed on the merits. In the case at issue, a partner had been involved in an antitrust violation attributable to the partnership.
The Court argued that the sanctions under civil and regulatory law existed alongside each other, making it impossible for the intended function of the administrative fine as a regulatory sanction against the company to be undermined by the company’s holding the managing director subsequently liable under civil law. The reasons given by the Court for this view were, firstly, that the company must initially advance the administrative fine, thus being exposed to the risk of the managing director becoming insolvent; secondly, that the administrative fine is generally too large an amount to be fully recoverable from the managing director; and thirdly, that the company additionally suffers reputational damage, which cannot be passed on. As a result, if a right to recover administrative fines were acknowledged, this would not affect the function of the administrative fine as a deterrent and preventive measure. If, on the other hand, the right to recover administrative fines were fully denied, this would mean sending out the wrong signals to managing directors, who could feel encouraged to generate advantages for themselves and the company by violating the law.
Consequently, the decision is not based on an antitrust lex specialis, but on the general judgment that a managing director should not be tempted by the internal limitation of liability between the managing director and the company to procure an economic advantage for the company or him- or herself by intentionally violating the law. This judgment could be applied accordingly to product safety law, under which a managing director would most probably also regularly have a heightened individual interest in ensuring product compliance if he or she were required, upon the occurrence of a product incident, to personally bear the administrative fines imposed as a result of such incident.
The discussion regarding the recoverability of corporate fines is gaining momentum in the light of these current developments.
As of now, the Dortmund Regional Court’s decision expresses a minority opinion in case law, which has not been adopted by, for example, the Düsseldorf Higher Regional Court in a recent decision (case no.: VI-6 U 1/22 (Kart)), as already stated. However, as leave has been granted in said matter to file an appeal on points of law with the German Federal Court of Justice, this issue can be expected to be finally clarified at least for the field of antitrust law.
By contrast, the bill incorporating the NIS 2 Directive into national law will in all likelihood be enacted in the spring of 2024. This means that the right to recover administrative fines will, for this area, be embedded in statutory law in the foreseeable future. In the field of cybersecurity, the responsible managing directors would, therefore, be well-advised to install a comprehensive and effective compliance system in their company now, at the latest, in order to avoid rendering themselves personally liable internally. The establishment of such compliance systems has been provided for by the Union in all Directives and Regulations which, as part of what is known as the “New Legislative Framework”, are intended to ensure uniform product compliance in the EU and, to this end, require binding product risk analyses, market monitoring obligations, reporting obligations and risk prevention measures in collaboration with the competent authorities, with administrative fines for compliance violations. Examples of such Regulations are, inter alia, the upcoming AI Regulation, the new Machinery Regulation and the Market Surveillance Regulation, and the German Product Safety Act has now also been adjusted to take account of the “New Legislative Framework”. In this context, it would not come as a surprise if the right of companies to hold their managing directors liable for administrative fines found its way into other areas of product liability in the future. Introducing such a right would, for example, be the obvious thing to do in the area of liability for violations of AI compliance, which overlaps in various respects with the field of cybersecurity anyway.