Pursuant to a press release of the German Federal Ministry for Justice and Consumer Protection, the German Government approved a draft law to strengthen the private enforcement of certain data protection law provisions that aim to protect consumers. In particular, the draft law empowers consumers and other qualified associations to send cease-and-desist letters and to initiate legal action for injunctive relief against companies violating the law’s provisions. The draft Act targets the data handling practices of companies whose business models are based on the commercialization of data. Specifically, it allows class actions in cases involving violations of the rules governing the processing of consumers’ personal data for the purpose of:
- advertising and market and opinion research;
- the creation of personality or usage profiles;
- address and data brokering; or
- similar commercial uses.
The Federal German Minister for Justice and Consumer Protection emphasized the importance of data protection enforcement to prevent abusive practices that can have a significant impact on the rights of individuals. Especially for consumers, it often can be difficult to know whether a company has violated data protection law and many would be afraid of the costs and effort related to pursuing data protection violations. By empowering associations to take action, the German Minister expects to strengthen the enforcement of consumer rights, particularly against powerful online companies.
The private enforcement of data protection rules is intended to complement the work of the data protection authorities that lack resources. Under the draft law, any civil court would have to consult the competent German data protection authority in the oral hearing. This provision has two objectives: (1) to allow the court proceedings to benefit from the regulator’s expertise, and (2) to inform the data protection authorities of possible violations. The legislative reasoning in fact suggests that, on the basis of this information, the authorities could themselves investigate the allegations. The draft law does not address, however, the possibility of conflicting findings or disagreement in such parallel proceedings before the court on the one hand and the competent data protection authority on the other hand.
Consumer associations in Germany traditionally have actively used their rights of action under existing law. In recent years, they also have turned their focus to the Internet and successfully challenged certain provisions in privacy policies of prominent online companies (see Inside Privacy, Berlin Court Condemns Google, Strikes Provisions in Privacy Policy and Terms, November 21, 2013). Under the current rules, however, consumer associations essentially can only challenge violations of provisions that regulate market behaviour or protect consumers, and civil courts have not commonly qualified data protection rules as falling into these two categories. The draft law will render moot discussions on the legal qualification at least of those broadly defined types of data protection provisions that are mentioned in the draft and thus close some loopholes. The draft Act even goes a step further, enabling associations not only to challenge the use of illegal contractual clauses but also the underlying illegal data handling practices.
The draft law plays a pioneering role and pre-empts similar types of class actions that the European Commission has proposed in its draft General Data Protection Regulation. It will now have to pass the legislative process, requiring parliamentary approval, before it can enter into force.