Germany has enacted a new data protection statute, which came into force on February 24, 2016, and enables business associations and consumer groups to enforce violations of German data protection laws against businesses. Since these associations and groups act as a type of class representative, the effect of the new law could be described as allowing the German version of U.S. “class actions” to be brought in relation to data privacy. The new enforcement powers are specifically aimed at foreign companies having their headquarters or operating from outside Germany, including the United States, a representative of the German Ministry of Justice has reportedly pointed out1. The potential impact on businesses is discussed below.
What the Act does
The newly adopted Act to Improve the Civil Enforcement of Consumer Protection Provisions of Data Protection Law (the “Act”) amends the German Act on Injunctive Relief. In general, the Act extends the power of business associations and consumer groups to enforce provisions of certain consumer laws in the context of data protection, including in the context of processing or collecting such data for the purposes of advertising, marketing, opinion research, certain profiling, and trading of addresses or other data. The Act includes a catchall provision referring to data processed and collected for any other similar commercial purposes. It is yet unclear in what circumstances this provision can be invoked, but it appears to provide an opportunity for wide application of the Act.
The consumer associations have been empowered to issue cease-and-desist letters against businesses and seek injunctive relief for alleged data privacy violations (for example, using consumers’ data without a valid consent or having a noncompliant privacy notice). Cease-and-desist letters usually identify breaches by their addressees and request that any offending behavior be ceased. The letters may involve the imposition of contractual penalties or fines, and could also lead to court proceedings for injunctive relief if the behavior is not ceased. Proceedings may be brought on the associations’ own initiative or at the request of consumers, competitors or employers. Under the Act, the consumer associations are able to ask for the offending behavior to cease in general (as opposed to against a certain consumer in particular), and, therefore, the associations’ actions would likely have an impact on the general public. Further, the German data protection authorities may also play a role in this type of “class action,” since they may be allowed to present their views and analysis of the alleged data protection law violations in court.
The Act curtails the associations’ powers to bring claims for violations of international data transfer rules against companies relying on the invalidated Safe Harbor agreement. However, such powers are limited only until September 30, 2016, and to the extent that the transfer of data was based on the Safe Harbor Framework until October 6, 2015.
What the impact on businesses is likely to be
The Act poses several risks for businesses in relation to potential data privacy violations.
First, the clarification through the Act that consumer associations can issue cease-and-desist letters in the context of data privacy brings a significant change expanding the powers of these associations. There is an increased risk of proceedings being brought by associations in reliance on the Act. In general, these associations are considerably active, since their main aim is pursuing the protection of consumers’ rights. In the past, the German data protection authorities often lacked the resources to enforce data protection laws against a large number of companies. With the new Act, the consumer associations have such powers and may take an active role in data protection enforcement in the context of consumer protection. Furthermore, since the associations’ powers to instigate proceedings are derived from statute, it is unlikely that businesses would be able to limit the German Court’s jurisdiction in that respect by relying on contractual dispute resolution clauses.
Second, businesses that are established in Germany or process data in Germany would benefit from reviewing their privacy policies to confirm that they are compliant with the country’s data protection laws. A reassessment of the risk of violating such laws might be necessary in light of the new Act. If such laws are infringed, the risk of imposing fines is likely to increase in the future, particularly since the actions taken by the consumer associations may alert the data protection authorities, which may impose considerably higher fines when the General Data Protection Regulation comes into force. Further, with reliance on Safe Harbor no longer possible, and the new EU-U.S. Privacy Shield not yet in force, businesses would be well advised to review their policies, particularly in relation to international data transfers, in order to reduce the risk of becoming subject to proceedings by active consumer associations.