For years German direct marketers have enjoyed the “List Privilege”, allowing businesses to use certain customer data without their prior consent. But restrictions apply and these have been abused, leading to moves to all but abolish the right. Gereon Abendroth of Osborne Clarke Cologne reports.
Topic: Direct Marketing
Who: Companies
Where: Germany
When: Since February 2008
Law stated as at: February 2009
What happened:
Several data protection scandals took place in Germany during the last 12 months, shaking the foundation of the legal system of data protection and putting the screws on the legislator to tighten the data protection laws.
In a couple of cases, German consumer protection associations, in their attempt to test compliance with data protection laws, were able to buy millions of personal data files including behavioural data and sensitive bank data – the transmission of which is strictly regulated by law and usually forbidden – for incredibly low prices. Moreover, German newspapers were offered huge packages containing bank data as well.
In addition, the theft of 17 million highly sensitive personal data files at Deutsche Telekom, Germany’s leading telecommunications service provider, in 2007 (without informing the affected customers) and the loss of tens of thousands of credit card data files by the Landesbank Berlin significantly increased the public demand for higher data security and new legal regulation in Germany, which became even louder in view of the systematic surveillance of employees in big German enterprises such as Lidl (supermarket chain) or Deutsche Bahn (national railway company).
The concentration of the latest scandals concerning data security and the fact that data of large parts of the German population seemed to be affected induced a growth of sensitivity concerning private data.
Thus, the latest attempts of internet social networks such as Facebook and the German StudiVZ to change their terms of use in order to save their users’ data even after they deleted their accounts encountered public resistance and were (partly) abandoned, having nonetheless enhanced public mistrust.
The legal impact
The incidents that occurred within the last year can basically be graded into two categories.
In the first category, companies as well as private individuals took advantage by misusing a specific right to trade personal data under German data protection law, called the list privilege (Listenprivileg). This privilege permits the use and transmission of personal data of individuals belonging to a certain group (e.g. customers of a certain store) and compiled in lists for purposes of advertising, market and opinion research without prior consent of the individual. A set of data compiled in such lists may only include information on the individuals belonging to the group in question about their occupation or branch of trade, name and title, academic titles, address and year of birth, but must not contain any additional information. In particular, such a list may not be enriched with information such as the value of purchases made in a certain store, what product the individual purchased or other preferences or behavioural information about the individual. The transmission of bank data as part of such lists, the root of most of the recent scandals, is likewise forbidden.
"Privilege" abused
In recent years, a lot of advertising has been done on the legal basis of the list privilege, as it allows an approach towards potential new customers without personally acquiring their data or even seeking their consent. With the vast opportunities to exchange data, the monitoring of this “business” is understandably hard if not impossible. Naturally, this circumstance invites abuse of the list privilege. Data sets that were originally compiled under the umbrella of the list privilege have been enriched illegally with additional information like bank data, which now appears to the public to be one of the main reasons for the recent cases of data misuse.
The surveillance of employees, the simple loss as well as the theft of personal data and the unilateral change of contract conditions however form another category of incidents. All scandals have one aspect in common: the intentional or grossly negligent violation of existing data protection provisions. The respective companies simply ignored their obligations in a way that was unheard of in Germany before.
Why this matters:
German data protection legislation is developing and changing at a fair rate. Since data protection incidents have accumulated throughout 2008 and in early 2009, also causing an increase in media attention, public sensitivity for personal data protection has changed significantly. While the legal impact of Facebook’s and its peers’ actions might diminish quickly, it has attracted consumers' attention. For the first time consumers feel directly affected and are starting to develop an attitude towards the handling and trading of personal data, almost condemning the fact that the latter is legal at all.
Responding to this, German legislators have stated their intention to further constrict a body of data protection laws which has been among the most restrictive in the world and within the European Union already. A new draft of the Federal Data Protection Act was introduced by the German Government in the second half of 2008 in an attempt to close the gap created by the list privilege.
"List privilege" under threat
The intended changes will virtually abolish the list privilege and restrict direct marketing to own customer data. Trading or using aggregated personal data will then require the explicit consent of the respective individual. Although the law has not passed the German parliament yet, it is likely to come into effect in July 2009. Thus, all data collected after that date must not be used without the explicit consent of the individual. With respect to data acquired under the umbrella of the list privilege, the draft of the law allows for a grace period of three years and allows such data to be used on the current terms until July 2012.
Strong industry resistance
However, since the intention of the German legislator to basically abolish the list privilege has become public, the marketing industry has been lobbying to avert the changes. Meanwhile, in February 2009 several committees of the Bundesrat (German Federal Council) raised concerns regarding several provisions contained in the draft amendment of the German Government. The committees suggested, for example, replacing the abolition of the list privilege with a strengthened right of objection. This would help the marketing industry, as it would almost preserve the status quo. Whether the law will come into force as it currently stands in the draft of the German Government is hard to predict since the resistance is strong.
Another law, recently proposed by German home secretary Wolfgang Schäuble in reaction to the recent events, which will allocate and strengthen all employees’ data protection rights, will not be passed before 2010.
However, all companies involved in B2C direct marketing should – in view of the important changes intended by the German government – be highly aware of the upcoming modifications of data protection law and prepare for readjusting their marketing strategies.
Updates on the development will be provided here. For further questions please email gereon.abendroth@osborneclarke.com.