Data protection class actions under German consumer protection regulations

On 24 February 2016 a new Bill to promote civil class actions in consumer protection regulations under data protection law (Gesetz zur Verbesserung der zivilrechtlichen Durchsetzung von verbraucherschützenden Vorschriften des Datenschutzrechts) came into force.

Strengthening of data protection enforcement

German consumer organisations and regulatory bodies (including data protection authorities, but not the Federal Financial Supervisory Authority (BaFin)) now have the power to bring collective legal action for data protection breaches arising out of the collection, processing and use of consumer data for commercial purposes (such as advertising, market research, address trading or credit rating). This is a significant change because previously, only data subjects could bring legal action for data protection breaches in Germany; data protection authorities could only investigate and impose fines but were not entitled to bring legal actions.  This Bill will strengthen data protection enforcement in Germany by giving data protection authorities a powerful tool for prosecution of data breaches.  This will likely lead to an increasing number of cases filed against companies for data breach.

First legislative reaction to the invalidity of Safe Harbor

The new enforcement powers are specifically aimed at targeting non-compliant data transfers outside the EU. As a result, this Bill will have a particular impact on companies who have affiliates or their headquarters located outside of Germany.  However, in light of the on-going EU – U.S. negotiations surrounding the Privacy Shield framework, and the pending decision of the Article 29 Working Party on the validity of transfer mechanisms such as binding corporate rules and model clauses, there will be a grace period until 30 September 2016, during which time no legal actions can be brought under the Bill in respect of non-compliant data transfers to the U.S based on the Safe Harbor principles.

Consumer protection only

As the Bill is focused on consumer protection (and accordingly only addresses collection, processing and use of consumer data for commercial purposes), collective actions cannot be brought for breaches regarding other categories of personal data, such as employee data.

New consumer notification regulations

In addition to the strengthening of data protection enforcement, the Bill also provides for new regulations relating to consumer notifications. Businesses will no longer be permitted to require consumers, in their general terms and conditions, to make declarations or notifications in anything stricter than text form (i.e.  email or fax would be sufficient).  However, these regulations will only come into force on 1 October 2016.

The Bill can be accessed here (German only).

If you have any questions about this blog post please contact bastian.renner@allenovery.com.