Following the European Court of Justice’s Schrems decision invalidating the Safe Harbor mechanism, much attention has focused on how the Data Protection Authorities (DPAs) of EU member states would interpret and enforce Schrems.
While close attention to DPA activity is important—and will become even more so upon the passage of the EU General Data Protection Regulation—some DPAs currently appear to be operating near enforcement capacity. For example, the DPA of the German state of Hamburg recently released a report titled “Numbers – Facts – Shortcomings – Solutions” in which it indicated that its personnel were so limited that it (a) could no longer conduct random audits, (b) could not perform on-site visits, and (c) was constrained to enforcing most consumer complaints via a letter requesting a written explanation.
To strengthen data-protection enforcement, the German legislature recently passed a law that permits registered consumer-protection organizations (called Verbände) to bring suits on behalf of consumers to enjoin data-protection violations. The law—styled as an “Act to Improve the Civil Enforcement of Consumer-Protection Provisions of Data-Protection Law” (the “Enforcement Act”)—was proposed in spring 2015 and, after spending months in committee, was passed on December 17, 2015. Many of the Enforcement Act’s provisions will enter into force as soon as it is published in Germany’s Federal Gazette.
The Enforcement Act’s most salient feature is a provision granting standing to Verbände—which are qualified, federally-registered, nonprofit consumer-protection organizations—to bring actions on behalf of consumers to enjoin data-protection violations. These kinds of organization-brought injunction suits (called Verbandsklagen) resemble injunction class actions under Federal Rule of Civil Procedure 23(b)(2) because the consumer organization seeks, and is empowered to obtain, a ‘global’ injunction prohibiting a company from engaging in purportedly wrongful conduct that harms consumers (or a class of consumers) generally. They are well-established in German law and legal culture.
However, prior to the Enforcement Act, the statutes authorizing such suits did not permit consumer organizations to bring them to enjoin data-privacy violations. Instead, consumer organizations were limited to bringing injunctive actions to remedy, e.g., competition-law violations, illegal provisions contained in an enterprise’s general terms and conditions, or certain violations of consumer-protection laws.
The Enforcement Act now expressly incorporates data-protection law into the legal provisions consumer organizations are permitted to enforce via civil injunction actions. Under its Art. 3, consumer organizations can bring an action to enjoin the wrongful collection, processing, or use of a consumer’s personal data by an enterprise, so long as the enterprise collected or used consumer data “for the purpose of marketing, market or opinion research, operating a credit reporting agency, assembling personal or user profiles, trading in addresses, buying or selling data,” or for “similar commercial purposes.”
As a limitation, the same Art. 3 further provides that no data-protection violation giving rise to an injunction class action has occurred if an enterprise’s “data collection, data processing, or data use [occurs] exclusively for the purpose of establishing, performing, or terminating a legal relationship with the consumer.”
The Enforcement Act provides for a twofold injunctive remedy. On the one hand, a company can be ordered to cease engaging in the complained-of data-protection violations in the future. On the other hand, a company can be ordered to “eliminate” data-protection violations the consumer organization has cited. Thus, conceivably, if a company has been unlawfully collecting excessive user data, it could be ordered to stop doing so, and also to locate and delete all wrongfully collected data.
Commentators have stated that the Enforcement Act may lead to an uptick in consumer class actions filed against companies active in Germany. This is partly because German data-protection consumer organizations have a reputation for being active litigants. Moreover, German civil practice contains a mechanism for effectively enjoining data-protection violations without having to file suit. Typically, the consumer organization will first send the allegedly offending company a cease-and-desist letter (called an Abmahnung). The company can prevent the filing of the injunction suit by entering what is essentially a cease-and-desist agreement with the consumer organization (called a strafbewehrte Unterlassungserklärung). If the company does not enter such an agreement, it generally assumes the entire cost risk of any ensuing injunction proceedings (which includes statutory attorney’s fees). Upon entering the cease-and-desist agreement, the company must usually agree to substantial penalties if it is later found to be engaging in the same data-protection violation.
To monitor the development of data-protection class actions, the German Parliament’s Committee on Legal Affairs and Consumer Protection inserted a reporting requirement into the Enforcement Act. Consumer organizations must file an annual report with the Federal Justice Office identifying (a) every cease-and-desist letter they served within the past year, (b) every injunction action they commenced, and (c) the outcomes of each. The Justice Office may use this information to evaluate whether consumer organizations are fulfilling the consumer-protection mission set forth in their organizing documents.
Alston & Bird will be closely monitoring the development of data-protection class actions in Germany. The text of the Enforcement Act (in German) can be found here.