A German law recently came into effect that permits consumer protection associations and other associations to bring “class action”-like claims [1] against businesses and file for injunctions for breach of German data protection law. [2]
Under this law, consumer protection associations, industry and commerce chambers and other approved business associations now have legal standing to bring lawsuits against businesses for non-compliance with data protection laws. These associations and industry and commerce chambers are separate from the data protection authorities of the German states and did not have this authority before. The new law essentially creates a new independent private supervisory authority in these associations and industry and commerce chambers and will likely encourage inspections of improper use of consumer data. Consequently, this law will significantly strengthen the enforcement of data protection laws in Germany and may potentially result in a wave of collective legal actions for data protection breaches.
The new enforcement powers of these associations and chambers will also have a noteworthy impact on foreign companies outside Germany, including those that have their headquarters or affiliates in the U.S. and that receive personal data from Germany.
Background on data protection claims
Before Germany adopted this law, affected individuals, data protection authorities and German criminal prosecutors were the only plaintiffs that had legal standing to sue businesses for violations of German data protection law. Especially for affected individuals, it was often difficult, expensive and intimidating to identify and challenge violations of data protection laws by big corporations.
Consumer protection associations were only permitted to sue businesses in data protection cases if contract clauses or business conditions violated consumer protection law. The new law amends Germany’s Act on Actions for Injunctions. The amendment enables consumer protection associations and the other mentioned associations to allege claims against companies for improper use of consumer data. These associations now have legal standing if the processing is for the following purposes: advertising, marketing and opinion research, creation of personal profiles, addresses or data trading and similar commercial data processing operations.
What is the impact on businesses?
Businesses that process personal data for these purposes may now face an increased risk that their data processing will be subject to strict scrutiny by affected consumers and various associations, increasing the likelihood that data protection violations will be detected. It will be important for businesses to avoid claims for violations of data protection laws and the negative reputational effects that businesses may suffer after a lawsuit for a breach of data protection law.
Protection for companies that used “Safe Harbor” in international data transfer
Consumer protection associations and industry and commerce chambers cannot bring claims for violations of international data transfer rules if the businesses relied on the “Safe Harbor” agreement between the U.S. and Europe and based the data transfer on this agreement before the Court of Justice of the European Union (“CJEU”) decision of October 6, 2015, in Schrems v. Data Protection Commissioner of Ireland. That decision declared the agreement invalid on the basis that it did not provide enough guarantees that data on EU citizens will remain safe when transferred to the U.S. [3]
This explicit exclusion of claims for data transfer based on the Safe Harbor agreement is to prevent disadvantaging German businesses that relied on that framework in good faith prior to it being declared invalid. The exclusion will be effective until September 30, 2016. It does not apply to any further data transfers, and German businesses that transfer personal data for the aforementioned purposes to the U.S. will need to ensure that another legitimizing method is used to ensure “adequacy” of the protection of that data (such as model contracts or, when it is adopted [expected shortly], Privacy Shield). [4]
Other EU member states and the future
Germany’s move to permit actions by consumer associations and chambers goes further than most prominent European countries. Italy, Spain and the UK do not permit such actions, and though France permits claims by consumer groups, its limited scope does not cover data protection breaches. However, there is a general movement throughout Europe (on this and other consumer issues) to allow collective redress. In data protection, further changes will take effect when the General Data Protection Regulation (“GDPR”) (to be formally adopted in April 2016) comes into force in 2018. The GDPR contains two relevant provisions:
- It contains a right for a data subject to mandate a representative body (which fulfills certain requirements including that it is not for profit and that it has the public interest as its statutory objective) to exercise some of its rights; namely, to lodge a complaint with a regulator, to seek a judicial remedy against the regulator and to seek an effective judicial remedy against a controller or a processor. In addition, the member states may allow the representative body (mandated by the individual) to exercise the individual’s right to compensation, but this provision is not obligatory.
- It also allows (but does not oblige) a member state to allow the representative body to bring actions directly against regulators, controllers or processors (even without a data subject mandate).
In other words, there will be partial harmonization in this area following the entry into force of the GDPR, but not full harmonization in respect of certain important rights (the right to allow a body to bring an action for compensation and the option on direct actions). However, the new legal standing of the German associations and industry and commerce chambers to bring a claim would be available for corresponding groups throughout Europe. The position will still vary from country to country.
It remains to be seen whether the new German law will lead to significant activity by the German associations and industry and commerce chambers and whether this type of action (strictly, not a “class action” as understood in U.S. law) will have significant effect for the benefit of protecting consumer rights. Nonetheless, German companies (and indeed companies throughout the EU and the U.S. as the GDPR looms) should be expecting closer scrutiny from regulators and will be well advised to ensure their compliance programs are refreshed.