On December 17, 2015, the German Parliament passed a new act which permits consumer protection associations, industry and commerce chambers or other approved business associations to file privacy class actions. The law is expected to become published and be in force shortly.
This act brings important changes. German law generally does not recognize the concept of class actions. As a consequence, each consumer must either try to enforce its data privacy rights in court on his/her own, file a complaint with the competent data protection supervisory authority, or — in exceptional cases — file a complaint with a state prosecutor who can then either commence administrative or criminal proceedings. Previously, consumer protection associations and the other mentioned associations were only able to sue companies for breaches of data protection law in very limited cases. The associations could sue, for example, if a company’s general terms and conditions describe a processing of personal data in violation of the law or if the violation of data privacy law also constituted an infringement of Germany’s unfair and deceptive trade practices act. The latter was only possible if the infringed data protection provision also aimed to regulate the market behavior — rare since the primary aim of German data protection law is to protect the right to privacy of natural persons and not to regulate the market behavior. As a result, consumer protection agencies or the other listed bodies were rather conservative with filing law suits for violations of data privacy law.
Under the new act, consumer protection associations, industry and commerce chambers or other approved business associations will have the standing to file for injunctions against any data privacy violation which affects consumers in the areas of:
- creating of personal profiles (e.g. for credit checks),
- address and data trading, or
- similar commercial data processing operations.
These bodies will not be entitled to claim damages under this act. It is also noteworthy that the German legislator explicitly excluded the right to sue for data privacy violations based on Safe Harbor-based data transfers until September 2016.
The changes are important because they will likely encourage additional activism by German consumer protection associations. By providing a collective action, they overcome the resistance that individuals have when making a significant investment in bringing suit individually. Despite the fact that there may be no damages and that the consumer protection associations have limited resources, German business associations have thus expressed concern about an increase in class actions. Ultimately, companies should expect to see a rise in data privacy-related litigation, increasing the potentially negative reputational effects that companies may suffer after a data privacy breach.