Following the European Court of Justice’s Schrems decision invalidating the Safe Harbor data transfer mechanism, much attention has focused on the future aspects of cross-border data transfers to the US and respective violations.
In order to strengthen data protection rights, the German legislature recently passed a new law called the “Act to Improve the Civil Enforcement of Consumer Protection Provisions of Data Protection Law.” On 17 December 2015, the German Bundestag passed a bill extending the rights of consumer protection organizations (Verbraucherverbände), the chambers of commerce and certain other associations to take action in court to prevent violations of consumer data protection regulations. The new Act’s general objective is to further improve consumer protection, as well as protect compliant businesses against unfair competition, and is expected to come into force by March 2016.
One of the most significant clauses of the Act is a provision granting nonprofit consumer protection organizations the right to take court action regarding data protection violations on behalf of consumers. This is achieved by amending the definition of consumer protection provisions to explicitly include data protection provisions that govern the processing of personal data for the purposes of advertising and marketing, opinion research, creating personality profiles, selling addresses and other trading activities. As a consequence and also pursuant to Art. 3 c) cc) of the Act, consumer protection organizations can take a court action to claim the wrongful collection, processing or use of a consumer’s personal data by an enterprise as long as the enterprise collected or used consumer data “for the purpose of marketing, market or opinion research (…) or for similar commercial purposes.” As a limitation, Art. 3 c) dd) further stipulates that no data protection violation giving rise to a class action is given if an enterprise’s “data collection, data processing or data use occurs exclusively for the purpose of establishing, performing or terminating a legal relationship with the consumer.” The amendment does not, however, allow courts to award damages. The new law also grants a grace period for companies relying on the invalidated data transfer agreements. Special emphasis should be placed on the fact that violations of international data transfer rules cannot be claimed by consumer protection organizations until 30 September 2016.
The new Act may potentially lead to an increase in consumer court proceedings against companies active in Germany, due to the fact that German consumer organizations have a reputation of being active litigants. Moreover, German civil law practice contains a mechanism for effectively enjoining data protection violations without having to file a lawsuit. Typically, the consumer protection organization will first send the allegedly offending company a cease and desist letter (Abmahnung), and the company can then prevent the filing of an injunction suit by entering into a cease and desist agreement with the consumer organization. If a lawsuit takes place, the company will generally have to assume the entire cost risk of any ensuing injunction proceeding (including statutory attorneys’ fees). Finally, in order to ensure the uniform application of data protection law, the Act requires civil courts to hear the competent local state data protection authority prior to issuing a decision concerning violations of consumer data protection regulations.