With the new "Law for the Improvement of Civil Enforcement of Consumer Protection Rules under Data Protection Law" (which amends the German Act on Injunctive Relief, “UklaG”) the German legislator has now given the very active consumer protection and competition associations in Germany their own right to pursue data protection violations. This considerably increases the enforcement risk for companies in case of data protection violations.
Until today, consumer associations had a very limited ability to seek injunctive relief based on the UklaG in relation to data protection breaches (e.g. in the context of terms and conditions and direct marketing). The competent civil courts did not consider most data protection provisions to be consumer protection laws. This will significantly change with the new law.
Upon their own initiative or at the request of consumers, competitors or employers, associations may now, by way of an association action (although not identical to the US concept of "class action", it may have similar effect in practice), take their own action against many violations of data protection provisions.
This increases the enforcement risk in two ways: Firstly, the main objective of these associations is to take action against such breaches (and they have the required financial funds to do so). Secondly, a cease and desist order obtained by an association benefits the general public. While a cease and desist order obtained by a consumer or other person only triggers the threat of sanctions in relation to that consumer or person, where a court now renders an order for an association, the relevant processing must be ceased towards the general public. Failure to comply with such an order will result in potential contractual penalties, and fines may be imposed. This poses a particular risk, as cease and desist orders may be obtained in Germany very easily (and cost-efficiently) at short notice by way of a preliminary injunction and are therefore very commonly used.
Not all data protection violations may be pursued by way of association suits, but only those that are considered "consumer laws". According to the new law, consumer laws shall be all rules which concern (i) the admissibility of the collection of personal data of a consumer by a company or (ii) the processing or use of consumer personal data collected by a company. Further, the law only applies where personal data is collected, processed or used for certain purposes. However, the purposes this covers are broad and include the following purposes:
Data protection regulations may be contained in federal and state data protection laws as well as in sector-specific data protection legislation and in any laws, regulations and acts of the European Union.
The following matters shall also be excluded from the scope of application:
As a result, the risk for companies which do not act in compliance with data protection laws or act in legal grey zones increases significantly (particularly where this is clear to competitors, consumers and other affected persons). As an example, insufficiently detailed or over-reaching privacy policies, non-compliant consents, unlawful data collection, use of data for advertisement and profiling, use of data in the area of social and digital media as well as non-compliant international data transfers will trigger warning letters and litigation.
Companies which are established in Germany or process data in Germany should assess whether their processing is in compliance with data protection laws and should reassess any risk assessments made in the past. In the future the risk will further increase due to the General Data Protection Regulation. Actions taken by the associations may in some cases also alert the data protection authorities, which may impose considerably higher fines when the General Data Protection Regulation comes into force.