As a general rule, court actions on data protection breaches are an exemption. As reported in our Newsflashes in March 2014 and August 2014 the German government is planning to encourage court actions against breaches of data protection law. After German Federal Ministry of Justice presented an initial draft in June 2014, the German Government recently proposed its draft bill for an amendment of the German Act on Injunctive Relief (GAIR) [Unterlassungsklagengesetz] to the German Parliament on February 4, 2015 further clarifying the new regulations. One important consequence of the proposal would be that consumer protection associations as well as market protection associations (Sec. 3 (1) and Sec. 4 of the GAIR) will be entitled to claim and enforce data protection law breaches with regard to the collection, processing and usage of consumer personal data.
Until now, only individuals and data protection authorities may claim and enforce breaches of German data protection law. Although individuals may file court actions in case of infringement of their privacy rights, they are often reluctant to do so. German data protection authorities (DPAs) are more active, but they are restricted to enforce data protection laws against entities and persons that are situated in the territory of the competent DPA: Each German Federal State has its own data protections authority. In addition, it appears that some DPAs are far less active than others are.
In some exceptional cases, consumer associations and competitors are already now entitled to claim against breaches of data protection law under Sec. 4 No. 11 of the German Unfair Competition Act (GUCA) [Gesetz gegen unlauteren Wettbewerb]. However, the applicability of Sec. 4 No. 11 of the GUCA requires that the purpose of the respective data protection regulation is, amongst other things, the regulation of the market conduct and behavior of market participants. Since the purpose of data protection law is the protection of natural persons' right to privacy, it is controversial whether and which data protection law regulations fulfill this condition.
Although German data controllers must take data protection laws seriously and be aware that incompliance may lead to severe sanctions, infringing companies barely face the risk of being sued. In contrast, consumer associations and trade associations (which may be founded by competitors) actively pursue breaches of consumer protection laws as consumer protection law is subject to the GAIR. The GAIR entitles consumer protection associations as well as trade associations to claim and enforce breaches of consumer protection laws (see Sec. 2 (1), Sec. 3 (1) and Sec. 4 (2) of the GAIR). Many of such organizations were founded for the sole purpose of enforcing consumer protection laws by cease and desist letters and court actions. Consumer protection law infringing companies are thus facing a far higher risk of being subject to cease and desist claims than for infringements of data protection laws that generally do not fall under the GAIR.
Sec. 2 (2) of the GAIR contains a catalogue of laws that are deemed "consumer protection laws" (e.g. regulations regarding distance and off-premises contracts). Data protection law is not yet part of the catalogue. Although the catalogue is not conclusive, the GAIR is mainly not considered to be applicable with regard to data protection laws because – as mentioned above – the purpose of data protection law is the protection of individuals' rights to privacy but not a consumer protection right.
Pursuant to the draft bill, the catalogue of consumer protection laws in Sec. 2 (2) of the GAIR will be extended to regulations on the admissibility of the collection, processing and usage of personal data for the purpose of marketing products and services, conducting market and opinion research, running credit report agencies, generating user and personality profiles, addresses and data trading as well as for similar purposes. However, the collection, processing and usage of consumer personal data for the purpose of entering, executing or terminating a contract or a quasi-contractual fiduciary relationship with the consumer will not be covered. This means that the GAIR is not applicable for any data collection, processing or usage for entering into and execution of a contract with a consumer, and therefore consumer associations will not be able to claim data protection breaches in this regard. Since the GAIR is a consumer protection law, it does not apply to the collection, processing or usage of personal data of non-consumers. The government's proposal is directed at businesses that use personal data of consumers for making them available to other parties.
Nevertheless, it is very likely that the number of legal actions of consumer protection associations and trade associations against infringers of privacy laws will increase dramatically. In addition, the new law will help to enforce data protection laws and many data dealers, credit report agencies and advertising agencies will have to change their attitude in order to become compliant with German and European data protection laws. Many hotly discussed questions of the construction of German data protection laws will soon be decided by German courts and it might well be that a new and hefty light will be shed on data protection and infringers.
As data protection is and has always been in the focus of the German public, it is very likely that the proposal will pass the German Parliament soon although one may expect intensive lobbying of the affected industries.