On 4 February 2015, the German federal government published a draft law on the improvement of enforcement of data protection provisions protecting consumers (Entwurf eines Gesetzes zur Verbesserung der zivilrechtlichen Durchsetzung von verbraucherschützenden Vorschriften des Datenschutzrechts)(“Draft Law”). Provided the Draft Law passes the German parliament, consumer protection associations and industry chambers will be able to file class actions against companies violating data protection provisions protecting consumers.
According to its reasoning, the new law intends to protect consumers from increased threats due to recent technical developments. As a result of the continuous development of information technology, it has become simpler and faster to collect and process personal data. Personal data are often used for purposes different from the original purpose for which the data were collected, without sufficient information being given to the data subjects or obtaining proper consent. For example, service providers offering free online services through apps or social networks use the personal data originally collected for the purpose of providing their service for profiling, advertising, data warehousing, and market research, with the aim of making their service more profitable.
Under the existing laws, consumer protection associations have very limited means to act in the case of data protection violations: they may only file cease and desist orders against companies whose general terms and conditions violate data protection laws. In particular, class actions are not permissible since, to date, courts have not recognized data protection laws as laws protecting consumers.
According to the Draft Law, the existing Injunctions Act (Unterlassungsklagegesetz, “UKlaG”) applicable to consumer protection laws will be extended to explicitly cover provisions regulating the admissibility of collecting and processing consumers´ personal data in the following areas: advertising, market and opinion research, scoring, creating personality and user profiles, as well as data warehousing (i.e. selling address data and other personal data for commercial purposes). As a result of this change, consumer organizations will be entitled to file for a cease and desist order if a company violates data protection laws to the disadvantage of consumers by collecting or using personal data for any of the above commercial purposes. However, it should be noted that the Draft Law protects the collective interests of consumers. Such interests are affected only if the significance and weight of the violation of data protection laws goes beyond the individual case. This applies especially if a large number of consumers are affected.
As a result of the proposed law, companies processing personal data for one or more of the mentioned commercial purposes should be prepared to face severe consequences for inadmissible practices. Consumer protection associations are likely to focus on consumer data protection compliance in the future. This will lead to an increased risk that non-compliance with data protection laws will be detected, which may not only lead to financial damages but also to competitive disadvantages and loss of reputation. Companies are well advised to review and adapt relevant data processing practices in order to be prepared once the new law enters into force.