Today, a German law to strengthen the private enforcement of certain data protection provisions that aim to protect consumers (the Law) entered in to force, following its publication in the Official Journal yesterday. We previously reported on the draft law here.
The Law empowers certain qualified associations to seek injunctive relief against companies or self-employed individuals for violations of the rules governing the collection, processing or use of consumers’ personal data in specific cases of commercial use, namely for the purposes of:
- advertising;
- market and opinion research;
- the creation of personality or usage profiles;
- address and data brokering; or
- similar commercial purposes.
An exception applies if the personal data is exclusively collected, processed or used for the creation, performance or termination of a contract with the consumer. Interestingly, the Law also expressly excludes the possibility of seeking injunctive relief, until September 30, 2016, for the violation of the data protection rules on international data transfers that took place prior to October 6, 2015 on the basis of the European Commission’s adequacy decision regarding the EU-U.S. Safe Harbor, i.e., the day when the adequacy decision was declared invalid by the Court of Justice of the EU in its ruling in the Schrems case (for details, see here).
German courts hearing cases for injunctive relief must consult the competent German data protection authority, except in certain interim proceedings. However, since the courts are not bound by the opinion of the authority, the Law does not exclude the possibility of conflicting findings by, or disagreement with, the data protection authorities.
Consumer associations in Germany traditionally have actively and successfully used their (limited) rights of action under existing rules to challenge provisions in online privacy policies. As a result of the Law, we expect to see a significant uptake in those legal challenges, targeting beyond privacy policies to reach data handling practices more generally.
The Law plays a pioneering role and preempts (albeit in more limited circumstances) similar types of class actions that are foreseen under the General Data Protection Regulation.