Germany's data protection laws, already known as among the strictest in the world, are set to become stricter still: on February 11, 2014, Federal Minister of Justice Heiko Maas announced a new draft bill that would allow consumer protection associations to take businesses to court for data protection law breaches. The draft bill, which implements an action point from the agenda of the new German government in charge since December 2013, is expected to be presented by the end of April 2014. While the position may still be amended or changed in the legislative process, it can generally be expected that the bill will be passed as proposed and will enter into force sometime later this year.
[Consumer protection associations will be allowed to take direct and own actions]
Subject to more details becoming available when the text of the bill is actually presented, the Minister announced that data protection associations shall be granted their own right to issue warnings and to bring actions for injunctions for all kinds of unlawful use of a consumer's personal data.[1] At present, only the individual concerned by such a data protection law breach would be entitled to take such actions, while consumer protection associations would only be entitled to take action if the breach has been caused by clauses in general terms and conditions.[2] The Minister claimed that this will significantly improve data protection for consumers, and sincere businesses will be protected against unfair competitors. The new rights of consumer protection associations would not be directly integrated into the German Federal Data Protection Act (Bundesdatenschutzgesetz), but rather into the German Act on Injunctive Relief (Unterlassungsklagengesetz).
[Actions against data protection law breaches likely to be on the rise]
In practice, the new bill would mean that consumer protection associations satisfying some minimum requirements would be allowed to directly issue warnings (abmahnen) to businesses breaching a consumer's rights under the data protection laws, and also to take such businesses to court with an action for injunction (Unterlassungsklage). As a number of large consumer protection associations in Germany enjoy a powerful position and are well-equipped, it is very likely that such actions will become more frequent.
[Similar rights in EU General Data Protection Regulation]
It is worth mentioning that the proposed EU General Data Protection Regulation[3], as adopted at first reading by the European Parliament on March 12, 2014[4], also promotes rights for associations with respect to personal data breaches. Associations acting in the public interest shall be granted the right to lodge complaints with supervisory authorities in case of an infringement of an individual's rights, on behalf of the concerned individual or on the association’s own behalf, if they consider that a breach of the Regulation has occurred.[5] Further, such associations shall also have the right to seek a judicial remedy against a decision of a supervisory authority, to open court proceedings in case of an infringement of the rights of an individual under the Regulation and to claim damages that a person suffered from an unlawful data processing operation of a data controller or a data processor.[6] However, in the latter cases, the association would only be entitled to open such proceedings if mandated by the concerned data subject. On this point, the Regulation, which is to be taken over by the next European Parliament after the May 2014 elections and still needs approval by the European Council, looks set to be less far-reaching than the forthcoming German draft bill, the consequences of which remain to be seen.
Businesses should be well aware of the legislative changes, as the consequences of non-compliance with data protection laws will become even more far-reaching. They are well advised to treat data protection law compliance as a key topic, and to keep track of the latest changes and requirements in the data protection laws at both national and EU level in order to stay on the safe side.
1 - See press release issued by the German Federal Ministry of Justice and Consumer Protection dated February 11, 2014, available at http://www.bmjv.de/SharedDocs/Pressemitteilungen/DE/2014/20140211_Safer_Internet_Day.html?nn=1468684 (in German language only – last accessed March 17, 2014).
2 - See paragraphs 1 and 3 of the German Act on Injunctive Relief (Unterlassungsklagengesetz).
3 - Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM/2012/11/Final, available at http://ec.europa.eu/prelex/detail_dossier_real.cfm?CL=en&DosId=201286 (last accessed March 17, 2014).
4 - For more information, go to the press release of the European Commission dated March 12, 2014 at http://europa.eu/rapid/press-release_MEMO-14-186_en.htm (last accessed March 17, 2013).
5 - Cf. Article 73 (2) and (3) of the proposed General Data Protection Regulation (COM/2012/11/Final).
6 - Cf. Article 76 (1) of the proposed General Data Protection Regulation (COM/2012/11/Final).