German Government proposes class actions for data protection violations

By Reka Hatala and Britta Hinzpeter

On 4 February 2015, the German federal government published a draft law on the improvement of enforcement of data protection provisions protecting consumers (Entwurf eines Gesetzes zur Verbesserung der zivilrechtlichen Durchsetzung von verbraucherschützenden Vorschriften des Datenschutzrechts) (“Draft Law”). Provided the German parliament passes the Draft Law, consumer protection associations and industry chambers will be able to file class actions against companies violating data protection provisions protecting consumers.

According to its reasoning, the new law intends to protect consumers from increased threats arising from recent technical developments. As a result of the continuous development of information technology, it has become simpler and faster to collect and process personal data. Personal data is often used for purposes other than those for which it was collected, without sufficient information being given to the data subjects or without obtaining proper consent. For example, service providers offering free online services through apps or social networks use personal data, which was originally collected for the purpose of providing their service, for profiling, advertising, data warehousing and market research, with the aim of making their service more profitable.

Under existing laws, consumer protection associations have very limited means at their disposal to deal with data protection violations: they may only file for cease and desist orders against companies whose general terms and conditions violate data protection laws. In particular, class actions are not permissible since, to date, courts have not recognized data protection laws as laws protecting consumers.

According to the Draft Law, the existing Injunctions Act (Unterlassungsklagegesetz, “UKlaG”) applicable to consumer protection laws will be extended to explicitly cover provisions regulating the admissibility of collecting and processing consumers’ personal data in the following areas: advertising, market and opinion research, scoring, and creating personal and user profiles, as well as data warehousing (i.e. selling address data and other personal data for commercial purposes). As a result of this change, consumer organizations will be entitled to file for a cease and desist order if a company violates data protection laws to the detriment of consumers by collecting or using personal data for any of the above commercial purposes. However, it should be noted that the Draft Law protects the collective interests of consumers. Such interests are affected only if the significance and impact of the violation of data protection laws go beyond the individual case. This applies especially if a large number of consumers are affected.

What’s the relevance?

As a result of the proposed law, companies processing personal data for one or more of the stated commercial purposes should be prepared to face severe consequences for inadmissible practices. Consumer protection associations are likely to focus on consumer data protection compliance in the future. This will lead to an increased risk that non-compliance with data protection laws will be detected, which may not only lead to financial damages but also to competitive disadvantages and loss of reputation. Companies are well advised to review and adapt relevant data processing practices in order to be prepared once the new law enters into force.