With the new "Law for the Improvement of Civil Enforcement of Consumer Protection Rules under Data Protection Law" (which amends the German Act on Injunctive Relief, “UklaG”) the German legislator has now given the very active consumer protection and competition associations in Germany their own right to pursue data protection violations. This considerably increases the enforcement risk for companies in case of data protection violations.
Until today, consumers associations had a very limited ability to seek injunctive relief based on the UklaG in relation to data protection breaches (e.g. in the context of terms and conditions and direct marketing). The competent civil courts did not consider most data protection provisions to be consumer protection laws. This will significantly change with the new law.
Upon their own initiative or at the request of consumers, competitors or employers, Associations may now, by way of an association action (although not identical to the US concept of "class action", it may have similar effect in practice) take own action against many violations of data protection provisions.
This increases the enforcement risk in two ways: Firstly, the main objective of these associations is to take action against such breaches (and they have the required financial funds to do so). Secondly, a cease and desist order obtained by an associations benefits the general public. While a cease and desist order by a consumer or other person only triggers the threat of sanctions in relation to that consumer or person, now where a court renders an order for an association, the relevant processing must be ceased towards the general public. Failure to comply with such an order will result in potential contractual penalties and fines may be imposed. This poses a particular risk, as cease and desist orders may be obtained in Germany very easily (and cost- efficiently) a short notice by way of a preliminary injunction and are therefore very commonly used.
Scope of Application
Not all data protection violations may be pursued by way of associations suits but only those that are considered "consumer laws". According to the new law, consumer laws shall be all rules which concern (i) the admissibility of the collection of personal data of a consumer by a company or (ii) the processing or use of consumer personal data collected by a company. Further, the law only applies where personal data is collected, processed or used for certain purposes. However, the purposes this covers is broad and includes the following purposes:
- market research and public opinion surveys;
- operation of credit reporting agencies;
- creation of personality and usage profiles;
- address trading;
- other data trading; and
- other similar commercial purposes.
Data protection regulations may be contained in federal and state data protection laws as well as in sector-specific data protection legislation and in any laws, regulations and acts of the European Union.
The following matters shall also be excluded from the scope of application:
- All data protection law provisions that do not contain admissibility requirements for the collection, processing or use of consumer personal data, e.g. the provisions governing the appointment of a data protection officer.
- Associations' suits based on the Schrems "Safe Harbor" judgment of the European Court of Justice are excluded until 01 October 2016. However, this only relates to data transfers which were previously justified by a Safe Harbor certification of the data importer in the United States. All other not legally compliant international data transfers (in particular failure to implement standard contractual clauses) fall within the scope of application.
Impact in practice
As a result, the risk for companies which do not act in compliance with data protection laws or act in in legal grey zones increases significantly (particularly where this is clear to competitors, consumers and other affected persons). As an example, insufficiently detailed or over-reaching privacy policies, non-compliant consents, unlawful data collection, use of data for advertisement and profiling, use of data in the area of social and digital media as well as non-compliant international data transfers will trigger warning letters and litigation.
Companies which are established in Germany or process data in Germany should assess whether their processing is in compliance with data protection laws and should reassess any risk assessments made in the past. In the future the risk will further increase due to the General Data Protection Regulation. Actions taken by the associations may in some cases also alert the data protection authorities which may impose considerably higher fines when the General Data Protection Regulation comes into force