On December 17, 2015, the German Parliament passed a new act
which permits consumer protection associations, industry and
commerce chambers or other approved business associations to file
privacy class actions. The law is expected to become published and
be in force shortly.
This act brings important changes. German law generally does not
recognize the concept of class actions. As a consequence, each
consumer must either try to enforce its data privacy rights in
court on his/her own, file a complaint with the competent data
protection supervisory authority, or — in exceptional cases
— file a complaint with a state prosecutor who can then
either commence administrative or criminal proceedings.
Previously, consumer protection associations and
the other mentioned associations were only able to sue companies
for breaches of data protection law in very limited cases. The
associations could sue, for example, if a company's general
terms and conditions describe a processing of personal data in
violation of the law or if the violation of data privacy law also
constituted an infringement of Germany's unfair and deceptive
trade practices act. The latter was only possible if the infringed
data protection provision also aimed to regulate the market
behavior — rare since the primary aim of German data
protection law is to protect the right to privacy of natural
persons and not to regulate the market behavior. As a result,
consumer protection agencies or the other listed bodies were rather
conservative with filing law suits for violations of data privacy
Under the new act, consumer protection
associations, industry and commerce chambers or other approved
business associations will have the standing to file for
injunctions against any data privacy
violation which affects consumers in the areas of:
creating of personal profiles (e.g.
for credit checks),
address and data trading, or
similar commercial data processing
These bodies will not be entitled to claim damages under
this act. It is also noteworthy that the German legislator
explicitly excluded the right to sue for data privacy violations
based on Safe Harbor-based data transfers until September 2016.
The changes are important because they will likely encourage
additional activism by German consumer protection associations. By
providing a collective action, they overcome the resistance that
individuals have when making a significant investment in bringing
suit individually. Despite the fact that there may be no damages
and that the consumer protection associations have limited
resources, German business associations have thus expressed concern
about an increase in class actions. Ultimately, companies should
expect to see a rise in data privacy-related litigation, increasing
the potentially negative reputational effects that companies may
suffer after a data privacy breach.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
On 25 May 2016 the European Commission tabled a package of measures designed to help businesses and consumers buy and sell products and services online with more ease...
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).