On 24 February 2016, an amendment to the German Act on Injunctive Relief came into force entitling eligible associations to bring cease and desist actions against companies for violations of certain data protection provisions. So far, in Germany, only affected individuals and data protection authorities (and in some very limited circumstances competitors and consumer associations) had standing to sue companies for data protection infringements. Large technology companies (including non-EU companies) targeting data subjects in Germany are likely to be most affected by the amendments.
Who may bring an action?
Only certain associations may bring a cease and desist action under the new provisions. These include:
- reputable consumer protection associations which are registered with the German Ministry of Justice or the EU Commission;
- business associations that promote commercial or independent professional interests and satisfy certain other conditions; and
- the Chambers of Industry and Commerce as well as the Chambers of Trade.
When may an action be brought?
An action may only be brought in case of an alleged infringement of those data protection provisions which serve the purpose of protecting consumers. Such provisions are, amongst others, provisions that govern the collection, processing and use of personal data for the purpose of advertising, market or opinion research, credit scoring, profiling, address and other data trading and similar commercial purposes.
To the extent, businesses collect or process data solely in order to perform their contracts with a consumer or to comply with their legal obligations, no actions for infringement may be brought by consumer associations.
What is the outcome that may be sought?
Eligible associations are entitled to seek interim injunctions both in order to enjoin and suspend data protection law infringements.
What is the role of data protection authorities?
In any infringement proceedings brought by an eligible association under the new provisions, the competent data protection authority has a right to be heard (except in proceedings where no hearing takes place).
The amendments were introduced in order to strengthen data protection in Germany and add another dimension to the enforcement of data protection provisions. The right is likely to force companies to take compliance with German data protection laws more seriously for the following reasons:
- rather than receiving sporadic privacy complaints from a handful of consumers which can generally be dealt with easily (e.g., by deleting a person’s data from a database rather than bringing data collection and processing practices generally in compliance with the law), businesses are likely to not only face an increase in complaints but will also be asked to omit/ change certain data collection processing activities altogether;
- companies may decide to denounce their competitors’ data protection violations to eligible consumer associations (even on an anonymous basis) in the hope that the association takes action; and
- while companies have no explicit right under the new law to sue their competitors for data protection violations, companies might feel empowered to do so and courts might be more willing to grant interim injunctions in these cases. In Germany, the question whether companies may bring cease and desist actions against competitors that breach data protection provisions has been controversially discussed for many years and is yet to be settled. There is an argument that the legislative amendments will make it easier for companies to bring cease and desist actions against competitors for violations of those data protection provisions that are now classified as consumer protection provisions.
In light of the recent Google Spain and Weltimmo decisions of the European Court of Justice, the amendments are likely to not only affect German companies but to also affect companies located outside of Germany if they have an establishment or representative in Germany and are processing data of data subjects in Germany. The General Data Protection Regulation will further expand the territorial scope of European data protection law and will therefore likely further increase the impact of this new right to pursue data protection infringements.