On 24th February, a new law for the civil enforcement of violations of data protection rules, specifically protecting consumers entered into force. With this new law, certain provisions of the German Act on Injunctive Relief (Unterlassungsklagengesetz – UklaG) are amended and also extended.
Previous situation
Until now, consumer protection organizations (e.g. the Federation of German Consumer Organisations – vzbv) were only able to challenge privacy policies of companies under the German Act on Injunctive Relief if the competent court acknowledged that the respective policy could be considered as general terms and conditions (see for example one press release about a recent lawsuit against Facebook, pdf). In general, certain clauses of privacy policies were therefore the aim of legal actions if these clauses deviated from the statutory provision of data protection law. If personal data were in fact processed in an unlawful way was merely the question.
New situation
With the freshly amended German Act on Injunctive Relief, this workaround is not necessary anymore: consumer protection as well as business organizations may now take legal action (e.g. issuing cease-and-desist letters and seeking interim injunctions) in case of violations of certain data protection provisions. According to Section 2 of the German Act on Injunctive Relief, if someone acts contrary to consumer protection law provisions, he may face legal actions from certain consumer protection or business organizations.
The new law now creates a Section 2 para 2 No. 11 of the German Act on Injunctive Relief, according to which consumer protection law provisions are also provisions, which govern the admissibility a) of the collection of personal data of a consumer by an entrepreneur or b) the processing or the use of personal data collected about a consumer by an entrepreneur, if the personal data is collected, processed or used for purposes of advertising, market research, operating a credit agency, creating personality and usage profiles, address trade, other data trade or other similar commercial purposes.
In comparison to the past, the wording or certain sections of privacy policies will now not be the determining factor for legal challenges. Consumer protection organizations may sue companies if they factually process personal data in an unlawful way. However, the crucial question will be how a consumer organization wants to proof that personal data is processed illegally, since the data processing operations take place “within” a company, not publicly visible for third parties.
Involvement of data protection authorities
The new law also creates a legal obligation for the competent court to consult the competent national data protection authority before passing a judgement (new Section 12a of the German Act on Injunctive Relief). According to the objectives of the new law, although a data protection authority in another European country might be competent for the company (the data controller), this data protection authority does not have to be consulted by the German court. One can conclude from this objective, that the German legislator took note of a situation where a foreign company (from another European member state) might be sued by a German consumer protection organization in Germany and a foreign data protection authority would be competent. But in this case, an assessment by that foreign data protection authority would not be necessary.
Grace period for data transfers under Safe Harbor
At the last moment, the Committee on Legal Affairs and Consumer Protection of the German Bundestag inserted a new Section 17 of the German Act on Injunctive Relief. According to this provision, Section 2 para 2 No. 11 of the German Act on Injunctive Relief does not apply until the end of 30th September 2016 to infringements of Section 4b of the German Federal Data Protection Act, in so far as the transfer of personal data, until 6th October 2015, was based on the European Commission decision of 26th July 2000 (Decision 2000/520/EC) in accordance with Directive 95/46/EC on the adequacy of the principles of the “Safe Harbor” and the relevant “Frequently asked questions” (FAQ). Section 4b of the German Federal Data Protection Act transposes Article 25 of Directive 95/46/EC into German law. Companies may therefore not be sued by a consumer protection organization if they based data transfers on the invalidated Safe Harbor-decision. According to the reasoning (pdf) of the Committee on Legal Affairs and Consumer Protection, Section 17 of the German Act on Injunctive Relief shall give companies time to shift their data transfers to the USA to another legally secure basis.