Hanno Timner and Jens Wollesen
Privacy + Data Security
Germany has strengthened the ability of consumer groups to enforce data protection rights. On December 17th, 2015, Germany’s lower house of Parliament, the Bundestag, passed a bill extending the rights of consumer protection organizations, the chambers of commerce or craft and certain other associations to take actions in court to prevent violations of consumer data protection regulations.
While not introducing a right to class action, which is not recognized under German law, the bill empowers consumer protection organizations registered with the Federal Office of Justice (Bundesamt für Justiz), such as the more than 40 tax funded consumer advice centres (Verbraucherzentralen) in Germany.
The objective of the law is to further improve consumer protection as well as to protect compliant businesses from unfair competition. Under the current version of the German Act on Injunctive Relief (Unterlassungsklagegesetz), consumer protection organizations (and similar associations) are entitled to enforce cease-and-desist orders if a company's general terms and conditions (Allgemeine Geschäftsbedingungen) are in breach of data protection laws. Other than that, the associations may only take actions in case of a breach of consumer protection provisions. Data protection regulations, including those of the Federal Data Protection Act (Bundesdatenschutzgesetz), are not, however, considered to qualify as such consumer protection provisions.
The law allows consumer protection organizations and certain trade associations to take businesses to court for violations of data protection laws (even if the violations are unrelated to the general terms and conditions used by the business). This is achieved by amending the definition of consumer protection provisions to explicitly include data protection provisions that govern the processing of personal data for the purposes of advertising and marketing, opinion research, creating personality profiles, selling addresses and other trading activities.
In practice, the bill allows consumer protection organizations to enforce cease-and-desist orders in case of violations of consumer data protection laws on a larger scale. The amendment does not, however, allow courts to award damages. The law also provides for a grace period for companies relying on the invalidated Safe Harbor agreement. Until September 30, 2016, violations of international data transfer rules cannot be claimed by consumer protection organizations.
Given the strong standing of consumer protection associations in Germany, it is to be expected that under the new law, enforcement actions will become substantially more frequent. To ensure a uniform application of data protection law, the bill requires civil courts to hear the competent local state data protection authority prior to issuing a decision concerning violations of consumer data protection regulations.
The bill must now be signed by the president and published in the Federal Law Gazette before becoming law. It does not require upper house approval.
The bill is available (in German) at http://dip21.bundestag.de/dip21/btd/18/046/1804631.pdf.
Contact our world-class privacy and data security lawyers.
Cyber Crime Firm of the Year
Privacy Group of the Year
Legal 500 Media, Technology and Telecoms Regulatory Firm of the Year
©1996-2019 Morrison & Foerster LLP. All rights reserved.