Consumer associations are currently entitled to initiate
proceedings against inadmissible data protection provisions in
general terms and conditions, e.g., failure to satisfy the
requirements for valid consumer consent. Consumer associations
cannot bring action, however, for certain other data protection
violations. This will change if the draft legislation is adopted.
Germany's Federal Justice Minister Heiko Maas (Social
Democrats) viewed the proposed new right of consumer associations
to bring collective action as necessary, arguing that many
consumers alone would not bring action against big companies.
Minister Maas maintained that consumers need a strong advocate of
their interests, namely the consumer associations, to strengthen
the enforcement of consumers' rights, for example, with regard
to powerful internet companies.
The draft legislation would, among other things,
change the German Act on Injunctive Relief
(Unterlassungsklagengesetz—source document in
German). It would implement a new collective right of action
against companies that collect, process, and use personal data of
consumers without authorization. For purposes of the proposed
legislation, certain data protection statutory provisions will be
deemed consumer protection laws if they apply to companies
collecting, processing, or using data for the purposes of
advertising, market or opinion research, operation of credit
inquiry agencies, creation of personality and usage profiles,
address trading, other trade in data, and similar commercial
purposes. In the case of violation of these provisions, the
eligible associations will be entitled to institute collective
legal action against the infringing company to enjoin the practice
and (newly inserted) remove the infringement.
The right of action will be granted to consumer associations
registered with the German Ministry of Justice or the European
Commission. In addition, trade associations fulfilling certain
relevance criteria will be eligible, as will the Chambers of
Industry and Commerce (Industrie- und Handelskammern) and
the Chambers of Crafts (Handwerkskammern).
Consultation of the Data Protection Authorities
As many civil courts do not have practical experience with the
application of data protection laws, the draft bill would also
implement "a right to be heard" by the competent Data
Protection Authority. This right will not be applicable in
preliminary injunction proceedings without an oral hearing.
Some trade associations have criticized the proposed
legislation. The Federal Association for Information Technology,
Telecommunications, and New Media ("BITKOM"), for
example, has expressed concerns that the proposed legislation will
increase legal uncertainty for companies because it creates two
different legal proceedings available for data protection
violations (i.e., civil court proceedings and proceedings before
the competent data protection authority). BITKOM is also worried
that such proceedings will severely damage the reputation of
companies if a consumer association publicly brings action, even if
the claims are judged to be unfounded.
The draft legislation could open a new door for litigation in
Germany concerning data protection violations. Individual data
subjects rarely bring data protection violation claims, even where
their data has been misused, and the possibility for associations
and competitors to bring claims for data protection violations
under the German Unfair Competition Act is restricted to cases of
violations of market conduct rules. Consumer associations would
likely exercise their right to file legal action for data
protection violations to a greater extent. These claims could seek
a preliminary injunction in a rather quick process. In light of the
criticism the draft bill has received, in particular from trade
associations, it remains to be seen if—and to what
extent—the draft bill will undergo further changes in the
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
In this article Filippo Noseda examines the impact of the Common Reporting Standards (CRS), based on practical examples of data transfer and data breaches and analysed in the light of general tax law principles.
Brexit will have fundamental implications for the UK data protection regime. Until Brexit takes place, there will be a period during which its precise form and implications for UK data protection laws are not clear.
Four years after the overhaul of European data protection laws began, the final text of the new General Data Protection Regulation (GDPR) was approved in Spring 2016 and the new rules will come into effect on 25 May 2018.
The EU Commission has now formally adopted the EU-US Privacy Shield arrangement for the legal transfer of personal data from the EU/EEA to the US.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).