Germany: New Right of Action for Consumer and Competition Associations Increases Risk of Data Protection Violations

Until today, consumers associations had a very limited ability to seek injunctive relief based on the UklaG in relation to data protection breaches (e.g. in the context of terms and conditions and direct marketing). The competent civil courts did not consider most data protection provisions to be consumer protection laws. This will significantly change with the new law.

Upon their own initiative or at the request of consumers, competitors or employers, Associations may now, by way of an association action (although not identical to the US concept of "class action", it may have similar effect in practice) take own action against many violations of data protection provisions.

Increased Risk

This increases the enforcement risk in two ways: Firstly, the main objective of these associations is to take action against such breaches (and they have the required financial funds to do so). Secondly, a cease and desist order obtained by an associations benefits the general public. While a cease and desist order by a consumer or other person only triggers the threat of sanctions in relation to that consumer or person, now where a court renders an order for an association, the relevant processing must be ceased towards the general public. Failure to comply with such an order will result in potential contractual penalties and fines may be imposed. This poses a particular risk, as cease and desist orders may be obtained in Germany very easily (and cost- efficiently) a short notice by way of a preliminary injunction and are therefore very commonly used.

Scope of Application

Not all data protection violations may be pursued by way of associations suits but only those that are considered "consumer laws". According to the new law, consumer laws shall be all rules which concern (i) the admissibility of the collection of personal data of a consumer by a company or (ii) the processing or use of consumer personal data collected by a company. Further, the law only applies where personal data is collected, processed or used for certain purposes. However, the  purposes this covers is  broad and includes the following purposes:

• advertising; 
• market research and public opinion surveys; 
• operation of credit reporting agencies;
• creation of personality and usage profiles; 
• address trading;
• other data trading; and 
• other similar commercial purposes.

Data protection regulations may be contained in federal and state data protection laws as well as in sector-specific data protection legislation and in any laws, regulations and acts of the European Union.

The catch-all provision “other similar commercial purposes” shall apply in particular where consumer personal data is initially collected or stored without specifying a specific purpose in order to later use the data for a company's own commercial purposes. Given the broad wording and possibilities for interpretation, it is still unclear under what circumstances this provision shall apply and how it will be applied by the courts. In any case, it opens a wide scope of application for the courts. The law only stipulates that there is no scope for application of this provision where personal data of consumers are collected, processed or used exclusively for the creation, performance or termination of a legal transaction with the consumer. However, according to the Federal Government’s reasoning, the law shall apply to contracts whose subject matter is the commercialisation of consumer data(e.g. the terms of use of a social media platform).

The following matters shall also be excluded from the scope of application:

• All data protection law provisions that do not contain admissibility requirements for the collection, processing or use of consumer personal data, e.g. the provisions governing the appointment of a data protection officer.
• Associations' suits based on the Schrems "Safe Harbor" judgment of the European Court of Justice are excluded until 01 October 2016. However, this only relates to data transfers which were previously justified by a Safe Harbor certification of the data importer in the United States. All other not legally compliant international data transfers (in particular failure to implement standard contractual clauses) fall within the scope of application.

Impact in practice

As a result, the risk for companies which do not act in compliance with data protection laws or act in in legal grey zones increases significantly (particularly where this is clear to competitors, consumers and other affected persons). As an example, insufficiently detailed or over-reaching privacy policies, non-compliant consents, unlawful data collection, use of data for advertisement and profiling, use of data in the area of social and digital media as well as non-compliant international data transfers will trigger warning letters and litigation.

Companies which are established in Germany or process data in Germany should assess whether their processing is in compliance with data protection laws and should reassess any risk assessments made in the past. In the future the risk will further increase due to the General Data Protection Regulation. Actions taken by the associations may in some cases also alert the data protection authorities which may impose considerably higher fines when the General Data Protection Regulation comes into force