Data Protection Report - Norton Rose Fulbright

new German law, which grants authority to the country’s consumer and business associations to enforce compliance with data protection laws, goes into force on February 24, 2016.  A representative of the German Ministry of Justice pointed out that the new enforcement powers are specifically aimed at foreign companies having their headquarters or operating from outside Germany, including the U.S.

Currently, consumer and business protection associations in Germany often pursue violations of individuals’ consumer rights under the country’s consumer protection legislation and unfair competition laws. The associations act as a type of a class representative by bringing actions on behalf of groups of German consumers and businesses. This mechanism could best be described as the German judicial system’s version of a U.S. class action.

The new law expands the associations’ “class action” authority to enforcing organizations’ violations of the country’s data protection laws. The new powers include issuing cease-and-desist letters (which is a recommended step prior to initiating litigation) and seeking interim injunctions for alleged data protection violations such as collecting, processing or using consumer personal data without a valid consent of the individuals or another legal basis under German data protection laws (including those implementing the EU Data Protection Directive 95/46/EC), or having a non-compliant (e.g., overly broad) privacy notice.

Remarkably, with regard to the transfer of personal data to third countries, the law prevents consumer and business protection associations from bringing infringement claims relying on the invalidated Safe Harbor agreement until the end of the day of September 30, 2016 to the extent the transfer of personal data was based on the Safe Harbor Framework until October 6, 2015.

The expanded competences are designed to complement the supervisory role currently carried out by the country’s data protection authorities (DPAs). The DPAs would also play a role in the “class actions” by being allowed to articulate their views and analysis of the alleged data protection law violations in court.

From the technical perspective, the bill is a proposed amendment to the Injunctions Act (UKlaG), allowing both data protection and consumer protection laws to come within the meaning of section 2, paragraph 2 UKlaG.

Our take

The new law does result in an additional risk of enforcement in Germany for companies whose privacy practices are inconsistent with the country’s data protection laws. Companies offering services and goods to consumers in Germany should begin reviewing their privacy practices, including notices and consents, to ensure they are compliant with the country’s laws. In the past, DPAs often lacked the resources to enforce data protection laws against a large number of companies. With the new law, we expect consumer organizations to take an active role in privacy enforcement.