Over the past year, the German government has been working on legislation to implement the EU’s General Data Protection Regulation (GDPR). On July 6, 2017, Germany did so by passing a statute titled the Data Protection Amendments and Implementation Act. The Act repeals Germany’s venerated Federal Data Protection Act (Bundesdatenschutzgesetz, or BDSG) and replaces it with an entirely new BDSG, aptly referred to as the “BDSG-New.” Germany becomes the first EU Member State to pass a GDPR implementation statute. Given Germany’s reputation as one of, if not the, most serious privacy jurisdiction in the EU, the BDSG-New is a critical piece of legislation for companies with EU operations.
Alston & Bird is pleased to provide a five-part, English-language overview of BDSG-New provisions likely to be of significance to companies.
These articles are related to a two-part summary of the BDSG-New that Daniel Felz published in Bloomberg BNA Privacy and Data Security Law, 16 PVLR 1190, 11311 – click here and here to read.
This final installment of the series focuses on the “business end” of the GDPR’s and BDSG-New’s data protection provisions: regulatory oversight, lawsuits, and sanctions.
The GDPR strengthens the rights of Data Protection Authorities (DPAs) charged with overseeing compliance with data protection law. Article 57 GDPR confers upon DPAs an extensive list of powers far broader than currently exists in the law of most Member States, while Article 52 GDPR underscores DPAs’ “complete independence” in exercising their powers. In addition to the powers the GDPR conveys upon DPAs, the European Court of Justice recently held in its Schrems I judgment that DPAs must investigate complaints from data subjects, and that their investigation of the lawfulness of international transfers is not barred by adequacy decisions of the European Commission.
At the same time, the GDPR attempts to streamline DPA oversight for companies with a larger EU footprint, and to permit Member States to harmonize DPA oversight with their privilege and professional secrecy doctrines. The BDSG-New contains Germany-specific rules in both areas with potentially significant effects on German DPA oversight.
a. One-Stop Shop, German Version
The GDPR introduces a “one-stop shop” mechanism for companies with operations in multiple EU Member States. These companies can centralize oversight of their cross-border processing operations with the DPA having jurisdiction over their “main establishment” within the EU. The intent of the “one-stop shop” mechanism is to streamline supervision so that the same EU-wide operations are not subject to oversight by up to 28 different regulators.
Within Germany, a similar situation can arise. Germany is famous for its 17 different DPAs, one of which is federal and 16 of which are maintained by the German states (or Länder). The state DPAs could be said to be the DPAs of “general jurisdiction,” having supervisory authority over almost all private companies. The federal DPA has jurisdiction only over telecommunications and postal-service companies.
Since the state DPAs are the primary supervisors of private enterprise, companies with multiple German locations may find each of their locations subject to a different German DPA. During public during drafting, the Upper House of the German Parliament (Bundesrat) suggested that a “One Stop Shop” mechanism similar to what is available under the GDPR be made available within Germany.
Just before passage of the BDSG-New, the Bundestag’s Interior Affairs Committee adopted the Bundesrat’s suggestion and the full Parliament approved. Section 40 BDSG-New now introduces an intra-German One Stop Shop provision. If a company has multiple German establishments, the German DPA with jurisdiction over the company’s “main establishment” can serve as the company’s Lead DPA within Germany. Furthermore, if the German DPAs disagree about who among themselves should be the Lead DPA, they resolve the matter via consistency procedures set forth in § 18 BDSG-New.
Consolidating oversight under a single German DPA could significantly streamline German privacy compliance for companies with multiple German establishments, while providing a chance to develop a constructive and long-term relationship with the company’s regulator.
b. Confidentiality and Privilege in DPA Investigations
Article 90 GDPR permits Member States to “adopt specific rules to set out [DPAs’] powers” concerning controllers subject to “obligation[s] of professional secrecy.” This article gave rise to one of the BDSG-New’s most intensely debated provisions.
Early BDSG-New drafts contained a short paragraph that eliminated DPAs’ investigatory powers over what are often referred to as “professional privilege carriers” (Berufsgeheimnisträger) – such as attorneys, accountants, and doctors – to the extent that doing so was “necessary and proportionate to reconcile” data protection with professional confidentiality. This led Germany’s Federal DPA to complain that the GDPR did not permit the legislature to restrict its ability to comprehensively investigate any data controller it wished.
The public comment period showed attorneys and accountants raising arguments in favor of limiting DPA investigations that would violate privilege. The Institute of Public Auditors (Intsitut der Wirtschaftsprüfer) pointed out that professionals do not own privilege claims – their clients do – and it would be difficult for professionals to permit DPAs to access client records. (The Institute’s position paper is available in German here.) The German Bar Association (Bundesrechtsanwaltskammer, or “BRAK”) weighed in, stating that if DPAs could affect attorneys’ ability to process client data, clients would be in a worse position than if they had not retained an attorney. (The BRAK’s public comment is available in German here.) The BRAK even suggested it might serve as a sector-specific privacy supervisor exercising jurisdiction over all 164,000 licensed attorneys within Germany (a proposal which was not accepted).
The final version of the BDSG-New maintains limits on DPA investigatory powers in the interest of preserving professional privilege obligations. Its § 29(3) states that German DPAs do not have the power to access personal data held by privilege-carrying professionals, or to conduct on-site inspections at professionals’ offices, to the extent that these measures would lead to violations of professional secrecy or confidentiality. Among the professionals shielded from DPA investigations are lawyers, accountants/tax advisors (Steuerberater), health care professionals, and employees of insurance companies. The statute also extends this exemption to any processors that in-scope professionals have engaged, which brings professionals’ IT vendors under equivalent protection.
This exemption potentially provides law firms and professional advisory firms with a basis for resisting significant portions of DPA investigations. Still, German DPAs are likely to (a) interpret the exemption narrowly, and (b) to challenge it where possible. For example, shortly after the BDSG-New passed the Bundestag, the Berlin DPA issued a statement arguing that this professional-privilege exemption exceeds the German legislature’s powers under Article 90 GDPR. This exemption is new to German law, and the courts may need to weigh in on its scope.
Sanctions and Fines
Present German law contains a multi-tiered fining regime. The current BDSG differentiates between what can be described as “formal” violations – which can be fined at up to € 50,000 – and “substantive” violations, which can be fined at up to € 300,000. German law also permits fines to be raised to match any profit a company has received from committing privacy violations. A famous example occurred when the DPA of Rheinland-Pfalz fined the German insurance company Debeka € 1.3 million for operating a “lead generation system,” in which it paid public employees “tip-off fees” to forward new hires’ contact information.
The BDSG-New completely does away with the fining levels of present German law, indicating in commentary that the GDPR now comprehensively regulates fine levels. (Section 43 of the BDSG-New does permit €50,000 fines for violating consumer credit disclosure obligations, but this implements the EU Consumer Credit Directive and is outside the GDPR’s preemptive ambit.) As many companies are aware, when the GDPR enters into force, fine potential increases to up to 4% of annual worldwide turnover.
Still, within Germany, several questions remain as to what post-GDPR fining practice will look like:
• Are fines automatic? One question is to whether German DPAs will make use of their new, increased fining powers – and if so, to what degree. To date, German DPAs have been hesitant to issue fines. The DPA of Nordrhein-Westfalen has previously stated that it views fines as the “last resort” (ultima ratio), and in 2015-2016, the largest fine that the Bavarian DPA levied was five figures. At the same time, recent years have seen German DPAs issue their first fines exceeding € 1 million. Additionally, the Bavarian DPA recently stated that it reads the GDPR as requiring fines whenever a violation is discovered, meaning that as of May 2018, fines will be automatic – the only remaining question is how high they will be. Similarly, the DPA of Baden-Württemberg recently indicated it expected “clearly higher” fines, and was hiring 2-3 new agents exclusively devoted to managing fines and the issues relating to their assessment.
• Fining Factors. Some companies have inquired what factors go into calculating a fine. Article 83 GDPR provides a long list of factors that DPAs can consider in setting fines. The Berlin DPA recently provided guidance indicating that the (a) duration of the violation, (b) the types of data affected, (c) whether the violator received financial benefits, and (d) the company’s willingness to cooperate will affect fining levels. Importantly, the Berlin DPA also indicated that self-reporting could result in lower fines.
• Imputation of Employee Misconduct. One significant open question is how the GDPR fine provisions will interact with German civil-law and corporate-law rules on imputing liability to companies. The BDSG-New provides that Germany’s “Act on Regulatory Offenses” (Gesetz über Ordnungswidrigkeiten) governs the German DPAs’ assessment of fines for privacy violations. The Act is generally used throughout German practice as a basis for imputing liability for employee misconduct to organizations. However, unlike the common law’s respondeat superior doctrine, the Act does not strictly impute liability whenever any employee within the organization creates liability within the scope of his employment. Instead, the Act only imputes liability when top-level managing employees, such as executives, either (a) commit wrongful acts, or (b) negligently supervise subordinates. This potentially results in a significantly reduced ability to impute employee misconduct to companies for GDPR fining purposes.
The Berlin DPA has already pushed back against limiting organizations’ fine exposure in this fashion, arguing that the GDPR adopts EU antitrust law’s “functional” approach to imputed liability. Under this approach, whenever any employee commits a wrongful act while acting within his assigned “function,” liability is imputed to the company. (For US readers, this ‘functional’ approach more or less tracks common-law agency and respondeat superior doctrines.) Some German commentators have already lined up on the other side from the Berlin DPA. Companies who are fined based on their employees’ actions may have materials supporting consideration of a non-frivolous challenge before a court.
In either case, until further court decisions are in place, it will be important for companies to have procedures in place for (a) reporting and/or identifying potential GDPR violations, and (b) documenting instructions to employees to cease conduct that results in the potential violation(s). Only with prompt action and documented compliance-ensuring instructions can companies maintain colorable arguments that misconduct by their employees should not be attributed to them.
• Whose Revenue is at Issue? Lastly, another question on the minds of many international companies is whose revenue serves as the basis 2% or 4% sanctions – the non-EU parent, the German subsidiary, or both? Recital 150 of the GDPR indicates that the concept of an “undertaking” contained in the Treaty on the Functioning of the European Union (TFEU) governs this question. German DPAs have recently indicated that Recital 150 GDPR incorporates EU antitrust law’s “single economic entity” approach to corporate groups into GDPR sanctions practice. The “single economic entity” approach was formulated in European Court of Justice (ECJ) antitrust decisions, which at times involved multiple affiliated entities coordinating across borders to facilitate anticompetitive conduct. For these cases, the ECJ developed a concept of an “undertaking” that pooled the revenue of “every entity engaged in an economic activity” for fining purposes, regardless of whether the entities were legally separate (albeit affiliated) entities. ECJ antitrust decisions permit companies to be grouped together as a “single entity” for fining purposes if a parent company can exercise control over a subsidiary, e.g. via majority ownership. Notably, under ECJ decisions to date, there is a rebuttable presumption that a parent and subsidiary are a “single economic unit” when the parent owns all or substantially all shares of the subsidiary. In such a situation, ownership alone is sufficient to show that a “single economic unit” is present; the parent’s involvement in violations, or actual knowledge that the subsidiary is engaged in legal violation has – at least to date – not been required.
Recently, the Article 29 Working Party indicated that the ECJ’s “single economic entity” approach applies for GDPR fines (the Working Party’s guidance on fines is available here; see our analysis of the guidance here). German DPAs have made similar statements. In the Berlin DPA’s words, “if a subsidiary violates data protection provisions, its revenues together with those of its parent corporation constitute the basis for assessing fines.” Similarly, all federal and state DPAs in Germany jointly released the following statement: “parent and subsidiary are viewed as an economic unit, so that their combined turnover is the basis for calculating fines.” (View the DPAs’ joint statement in German here.)
However, here also, commentators are lining up on both sides of the issue. Commentators have argued that textual asymmetries within the GDPR, and the GDPR’s drafting history, raise questions as to whether the GDPR intended a full-scale import of “single economic unit” jurisprudence from ECJ antitrust cases. Additionally, antitrust fines under the “single economic unit” theory are typically limited to a percentage of the monetary value obtained by anticompetitive conduct, whereas GDPR fines may exceed the damages or actual losses suffered by any individual. A company that receives a significant fine based on corporate group revenue may find a challenge merited.
Lastly, the “single economic unit” approach may raise questions of first impression when applied to parties that are not in a parent-subsidiary relationship – such as franchisor-franchisee, or licensor-licensee.
Challenging DPA Actions
German procedural law is bifurcated in regards to challenging DPA action. This arises from what commentators have described as the ‘competing’ goals of DPA activity. DPAs are supervisors entrusted with overseeing how processing is conducted, and able to use state-granted coercive powers to require changes. On the other hand, DPAs can issue fines, which does not itself change companies’ behavior, although companies often elect to change behavior in response.
These differing goals are supported by different procedures. “Supervisory” DPA action will result in an administrative order to perform (or not perform) certain actions in order to come into compliance with privacy law – a recent example occurred when the DPA of Hamburg prohibited WhatsApp data from being transferred to Facebook. Supervisory actions are conducted via administrative proceedings (Verwaltungsverfahren), and the results can be challenged in Germany’s administrative court systems. The administrative courts are specialized courts separate from Germany’s ordinary civil courts of general jurisdiction, and are under the ultimate authority of the Federal Supreme Administrative Court (Bundesverwaltungsgericht), which itself is a specialized court of last resort separate from the German supreme court for civil or criminal matters.
In contrast, DPAs assess fines through procedures set forth in Germany’s Act on Regulatory Offenses (Gesetz über Ordnungswidrigkeiten). Proceedings under the Act are quasi-criminal in nature, and result in a “Fine Notice” (Bußgeldbescheid) as opposed to an administrative order. Companies have a right to object to the Notice, and if they do, the Notice – along with all underlying evidence – is forwarded via the public prosecutor to the local magistrate court (Amtsgericht) for review. The courts that review fines are not administrative courts, but rather the ‘ordinary’ courts of general jurisdiction.
The BDSG-New maintains this bifurcated structure. For “supervisory” orders, Section 20 maintains the administrative courts as a forum for challenges. For fines, the BDSG-New maintains the Act on Regulatory Offenses, although a late amendment to Section 41 ensures that if a fine is over €100,000, challenges are not heard by a magistrate, but by the district court (Landgericht) above it. This appears to recognize the seriousness of GDPR fine potential.
For US companies, it is worth noting a key difference between challenges to US agency action, versus challenges brought against German DPAs’ action in German courts. Notably, German DPAs’ interpretation of data-protection law is not subject to the kind of Chevron deference that US agencies can receive from US courts. Indeed, recent German administrative court decisions have reviewed DPAs’ interpretations of law de novo, and have reversed or questioned them in part. Companies who are recipients of adverse DPA actions should not let fears of insurmountable judicial deference preclude consideration of a challenge.
DPA Challenges to International Transfer Mechanisms
Given DPAs’ extensive supervisory and fining powers, they can achieve many of their statutory tasks without resorting to offensive litigation. However, as we reported last year, following the ECJ’s Schrems decision, German DPAs demanded statutory standing to challenge decisions of the European Commission, such as the EU-U.S. Privacy Shield, when they thought the decision was in violation of EU privacy law. Representatives from Hamburg presented a proposal to enact such rights, but their proposals were tabled when the Interior Ministry indicated that the BDSG-New would address the issue.
The final Section 21 of the BDSG-New grants DPAs the limited right to challenge EU Commission decisions that they requested. A DPA must first encounter a Commission decision “whose validity is determinative” for its decision. When it does, it may institute a challenge directly before Germany’s Supreme Administrative Court (SAC). If the SAC believes the Commission decision is lawful, it may issue a final decision and dismiss the DPA’s challenge. But if the SAC shares the DPA’s doubts, it must refer the case to the European Court of Justice for review.
These standing rights went into effect immediately, so DPAs do not need to wait until the GDPR enters into force in order to exercise them. However, given that Digital Rights Ireland has already filed a challenge to Privacy Shield before the EU courts, German DPA challenges may be unlikely in the near term.
Lawsuits and Litigation
Germany is not traditionally a plaintiff-friendly jurisdiction. Without extensive discovery or collective damages proceedings such as class actions, and with parties bearing the full cost risk of proceedings upon a loss – including opponents’ attorney’s fees – Germany can be challenging for plaintiffs. As further complications, parties to German proceedings must generally proceed (and translate evidence into) in German; e-filing is not yet readily available; and German courts do not yet widely have the tradition of case management that international litigation hubs tend to cultivate. For individuals, German filing fees can be a significant hurdle, since they rise with the amount in controversy – for example, a €100,000 civil claim could require around €12,000 in filing fees (although legal aid is available in limited circumstances).
In Germany, data-protection law suffers a particular dearth of case law. Commentaries abound and the privacy community is active and vocal, but few data-protection cases have proceeded to a court decision. Of course, cases in other fields such as employment law can involve privacy questions, but even where privacy arises as an issue in a case, case law can be can be fractured between Germany’s administrative courts (where companies challenge DPA action), labor courts (where employees challenge employers’ privacy practices), and ordinary civil courts (where, e.g., B2B litigation involving privacy questions occurs). Within the limited subset of cases that focus primarily on privacy, much of significant recent litigation has been “defendant-driven” administrative litigation of by companies challenging DPA measures, not civil suits brought by individuals against companies.
The BDSG-New cannot itself introduce a sea change to present German practice, but it does work within the GDPR framework to ensure that aggrieved individuals have avenues to redress under a reduced burden:
• Special Jurisdiction and Service Provisions. Article 79 GDPR provides a new special jurisdiction rule giving German courts jurisdiction over individuals’ privacy claims when the defendant-company has an establishment in Germany, or when the aggrieved individual resides in Germany. Additionally, if the defendant-company has no EU presence – but has appointed an EU representative as required by the GDPR – Section 44 of the BDSG-New deems the representative authorized to receive service of privacy suits. This can ease plaintiffs’ burden in instituting a lawsuit, obviating a need to resort to international service methods. In Germany, the reduction in expense can be significant, since applicable rules may otherwise require plaintiffs to pay court-approved translators to translate both the complaint and all supportive documentary evidence before the lawsuit may be served internationally.
• Expanded Damages. Importantly, Article 82(1) GDPR will permit individual claimants to recover “non-material damage” from companies for privacy violations. This expands the German liability regime, which previously only awarded actual losses. This thus expands companies’ liability risk and may incentivize lawsuits. For example, the GDPR suggests that the mere “loss of control over  personal data” or “unauthorized reversal of pseudonymization” may be sufficient to trigger awards for “non-material” damages. If so, this would provide for more readily-available damage awards than the jurisprudence of some US circuits. Also, it bears remembering that consumers as well as employees are potential plaintiffs.
• Strict Liability? Traditional problems of proof may also be lessened under the GDPR. Article 82 GDPR is structured so that companies are presumably liable as soon as they are “involved in” processing, but may rebut this presumption by showing they are not in any way “responsible” for harm to the plaintiff. Some German commentators have suggested that this introduces no-fault liability for privacy violations. As a result, German plaintiffs would need only show that a company is “involved in” processing in order to recover from the company; it would then be the company’s burden to show it bears no fault for any privacy violations. Given the consumer-protection rationales of data-protection law, it may be difficult for companies to successfully argue they are not in any way “responsible” for privacy harms.
• Class Actions? In January 2016, we reported that the German legislature had granted consumer-protection organizations new statutory standing to pursue injunction class actions against companies for data protection violations. That legislation remains unaffected by the BDSG-New. As a result, German consumer organizations may attempt to cease-and-desist how companies are processing data, backed up by a threat of an injunction suit.
Still, Germany maintains no collective-redress mechanism for seeking damages akin to what plaintiffs in the US can achieve via Rule 23 class actions or multidistrict litigation. When multiple German plaintiffs want to collectively assert similar claims against a defendant, they sometimes assign their claims to a special purpose vehicle, which appears before court as a single plaintiff. This approach is not without risk; German statutes prohibit making a business of soliciting and asserting third-party claims. For example, in Austria (which has a similar legal system), Max Schrems is attempting to receive assignments of individuals’ claims to assert them against Facebook – and as we reported, one issue is whether he is prohibited from receiving the assignments because he is operating a business. (In a recent opinion, ECJ Advocate General Bobek argued that Mr. Schrems should not lose his consumer status because he received assignments of claims from other individuals, but also that the Austrian courts do not have jurisdiction over claims assigned to Mr. Schrems in his capacity as a consumer.)
Article 80 GDPR attempts change the situation to some degree. It permits individuals to “mandate” nonprofit consumer-protection organizations with asserting their rights in court, essentially permitting consumer organizations to bring opt-in class actions. The individual plaintiffs would not be assigning their claims to the nonprofit, but instead be represented by the nonprofit. Although nonprofits do not have the right to “receive compensation” on plaintiffs’ behalf – perhaps an attempt to avoid funds being distributed by plaintiffs’ lawyers – they can still obtain collective liability determinations.
Still, it is an open question whether any consumer organizations in Germany would be capable of handling litigation of this scope. Germany already has a provision permitting consumer organizations (Verbände) to represent consumers in certain contexts, and it has not yet created a plaintiffs’ bar comparable to what is present in the US. Another critical question is whether, in addition to receiving mandates, such organizations can actively solicit privacy claims from individuals; German law restricts solicitation of third-party claims, and the GDPR is silent on the issue. Still, companies with a German presence may want to begin discussing collective litigation scenarios.
• Suits against DPAs. Article 78 of the GDPR provides that individuals have a right to bring an action against DPAs to challenge any “legally binding decision,” or whenever DPAs do not take action on a complaint within three months. Section 20(1) of the BDSG-New confirms that the German administrative courts are open to all “disputes between a natural or legal person and a federal or state DPA.” Such a suit can have the effect that a mandamus action in U.S. courts would have, and as an example, the Schrems litigation that invalidated Safe Harbor began as a suit against the Irish DPA.