Who: German government
Where: Berlin
When: 24 February 2016
Law stated as at: 24 February 2016
What happened: On 24 February 2016 a new law came into force in Germany enabling consumer and professional associations to pursue specific violations of data protection provisions against data controllers.
This article examines the scope of this new legislation and how it differs from the previous legal situation in Germany. It also points out its potential impact on businesses outside Germany.
1. What can be enforced and against whom can it be enforced?
The new law covers certain data protection violations in specific areas of application.
1.1 Business to consumer
First and foremost, the new law is only applicable in cases in which a commercial entity processes personal data of private consumers.
1.2 Relevant breaches of data protection law
The new law applies to breaches of provisions of German data protection law regulating the permissibility of data processing operations. In order for the new law to be engaged and associations to be eligible to pursue a representative claim for breach, the breach in question must actually embody an unlawful, thus inadmissible processing of personal data.
Such violations occur if for example the data controller does not have the valid consent of the affected data subject and/or the respective data processing cannot be justified on the basis of the consent originally provided.
Conversely, violations of other data protection provisions not interfering with the general lawfulness of a data processing operation, e.g. failing to appoint a data protection officer, cannot be enforced under the new rules as the recitals to the law explicitly state this.
In the light of the latter, it is to our understanding fair to assume that defective or even missing privacy policies on websites will also not trigger legal action under the new law, since such violations generally do not by themselves render the described (or rather undescribed) data processing operation inadmissible.
Further below we will touch on the possible enforcement of such violations on the back of German competition law.
1.3 Affected businesses
The new law solely applies if personal data are collected or used for the purposes of advertising, market research, operating a credit agency, creating personality and usage profiles, compiling address lists for sale or licensing to third parties or other similar commercial purposes. Any other purposes, e.g. performing a contract, do not fall within its scope. Thus any unlawful dealing with personal data in performing a contract may not be enforced on the back of the new law.
Against this background most adtech businesses will have to carefully consider these new provisions and the risk of being prosecuted by German associations.
With the inclusion of “similar commercial purposes” the law is deliberately drafted in a technically open manner in order to extend to future fields of application for data processing for commercial purposes similar to the abovementioned. It is fair to assume that the lawmaker was thinking about the emerging interest in big data research undertakings when drafting that passage.
The law however further explicitly states that any data processing pertaining to the establishment, conduct or termination of a contractual relationship with a consumer does not constitute a “similar commercial purpose”. Therefore any violations of data protection laws in the course of processing data for such purposes will not be enforceable under the new law, i.e. if for instance an online provider of goods or services merely processes the personal data of its customers to provide the respective service to them.
1.4 Grace period regarding Safe Harbor violations
With an eye to the vacuum created by the cancellation of the Safe Harbor treaty by the Court of Justice of the European Union (CJEU), any violations regarding the transfer of personal data to the US on the basis of the (now defunct) Safe Harbor framework may not be enforced under the new law until 30 September 2016.
2. How can violations be enforced?
The new law empowers eligible associations to file claims requiring the cessation and elimination of any enforceable violation.
Thus the data controller not only has to cease the respective unlawful data processing operation, but may also be obliged to further rectify the unlawful situation by blocking or erasing the respectively affected personal data.
These rights may be exercised by way of cease-and-desist letters obliging the affected data controller to sign a corresponding declaration and to pay a penalty for each future violation, or by seeking judicial interim injunctions.
3. How will things actually change for data controllers?
Prior to the new law at hand, associations could already (and still can) enforce certain violations of data protection laws on the basis of German competition law, and where the general terms and conditions of a data controller are in violation of data protection law.
Pertaining to the latter, in several prominent cases the German courts have ruled that pre-drafted consents would have to be deemed general terms and conditions and thus any unlawful data capture could already be pursued by associations prior to the recent changes.
Any legal action on the basis of competition law, however, requires that the data protection provision in question constitutes a so-called “market conduct rule”. As such, the rule must have the effect of regulating the behaviour of a competitor in the relevant market, so that a breach of that provision has relevance to competition among market players.
Thus far, the proverbial jury is still out with regard to which violations of data protection law actually fulfil those requirements. The courts assume that, for instance, measures impacting direct marketing have the needed market relevance. Other than that, especially regarding defective privacy policies, German case law does not provide a clear picture.
However, with the new law in place, associations will not have to jump through those hoops any longer in order to enforce data protection law within the framework set out above.
Why this matters
The recitals to the new law explicitly state that solely German national data protection provisions may be enforced under the new regime. Consequently, any businesses to which German data protection law applies will have to potentially deal with German associations (and courts) in the future.
This could have ramifications for businesses based outside Germany considering the rather broad interpretation of the German courts as well as the CJEU in recent cases as to when the data protection laws of EU member states apply.
Cases where the risk of such findings is higher may include situations in which international businesses provide goods or services to German consumers or collect personal data of German data subjects for e.g. advertising or credit rating purposes. Organisations in this category should re-evaluate whether they are compliant with German data protection law.