The German government recently released a draft bill seeking to grant authority to the country’s consumer and business associations to enforce compliance with data protection laws. Because the proposed draft bill appears to have received support from the governing parties, we believe there is a high probability of the bill being enacted in the near future. Indeed, a representative of the Germany’s Ministry of Justice pointed out that the new enforcement powers are specifically aimed at foreign companies having their headquarters or operating from outside Germany, including the U.S.
Currently, consumer and business associations in Germany often pursue violations of individuals’ consumer rights under the country’s consumer protection legislation and unfair competition laws. The associations act as a type of a class representative by bringing actions on behalf of groups of German consumers and businesses. This mechanism could best be described as the German judicial system’s version of U.S. class actions.
The draft law would expand the associations’ “class action” authority to enforcing organizations’ violations of the country’s data protection laws. The authority would include issuing cease-and-desist letters (which is a required step prior to initiating litigation) and seeking interim injunctions for alleged data protection violations. The violations could include, for example, collecting, processing or using consumer personal data without a valid consent of the individuals or another legal basis under German data protection laws (including those implementing the EU Data Protection Directive 95/46/EC), or having a non-compliant (e.g., overly broad) privacy notice.
The expanded authority is designed to complement the supervisory role currently carried out by the country’s data protection authorities (DPAs). The DPAs would also play a role in the “class actions” by being allowed to articulate their views and analysis of the alleged data protection law violations in court.
From the technical perspective, the bill is a proposed amendment to the Injunctions Act (UKlaG), that would allow both data protection laws and consumer protection laws to come within the meaning of section 2, paragraph 2 UKlaG.
The proposed law may result in substantial additional risk of enforcement in Germany for companies whose privacy practices are inconsistent with the country’s data protection laws. Companies offering services and goods to consumers in Germany should begin reviewing their privacy practices, including notices and consents, to ensure they are compliant with the country’s laws. In the past, DPAs often lacked the resources to enforce data protection laws against a large number of companies. With the new law, we expect consumer organizations (which are powerful in Germany) to take an active role in privacy enforcement.