As a general rule, court actions on data protection breaches are an exemption. As reported in our White & Case Newsflashes in March 2014 and August 2014 the German government is planning to encourage court actions against breaches of data protection law. After German Federal Ministry of Justice presented an initial draft in June 2014, the German Government recently proposed its draft bill for an amendment of the German Act on Injunctive Relief (GAIR) [Unterlassungsklagengesetz] to the German Parliament on February 4, 2015 further clarifying the new regulations. One important consequence of the proposal would be that consumer protection associations as well as market protection associations (Sec. 3 (1) and Sec. 4 of the GAIR) will be entitled to claim and enforce data protection law breaches with regard to the collection, processing and usage of consumer personal data.
Until now, only individuals and data protection authorities may claim and enforce breaches of German data protection law. Although individuals may file court actions in case of infringement of their privacy rights, they are often reluctant to do so. German data protection authorities (DPAs) are more active, but they are restricted to enforce data protection laws against entities and persons that are situated in the territory of the competent DPA: Each German Federal State has its own data protections authority. In addition, it appears that some DPAs are far less active than others are.
In some exceptional cases, consumer associations and competitors are already now entitled to claim against breaches of data protection law under Sec. 4 No. 11 of the German Unfair Competition Act (GUCA) [Gesetz gegen unlauteren Wettbewerb]. However, the applicability of Sec. 4 No. 11 of the GUCA requires that the purpose of the respective data protection regulation is, amongst other things, the regulation of the market conduct and behavior of market participants. Since the purpose of data protection law is the protection of natural persons' right to privacy, it is controversial whether and which data protection law regulations fulfill this condition.
Although German data controllers must take data protection laws seriously and be aware that incompliance may lead to severe sanctions, infringing companies barely face the risk of being sued. In contrast, consumer associations and trade associations (which may be founded by competitors) actively pursue breaches of consumer protection laws as consumer protection law is subject to the GAIR. The GAIR entitles consumer protection associations as well as trade associations to claim and enforce breaches of consumer protection laws (see Sec. 2 (1), Sec. 3 (1) and Sec. 4 (2) of the GAIR). Many of such organizations were founded for the sole purpose of enforcing consumer protection laws by cease and desist letters and court actions. Consumer protection law infringing companies are thus facing a far higher risk of being subject to cease and desist claims than for infringements of data protection laws that generally do not fall under the GAIR.
Sec. 2 (2) of the GAIR contains a catalogue of laws that are deemed "consumer protection laws" (e.g. regulations regarding distance and off-premises contracts). Data protection law is not yet part of the catalogue. Although the catalogue is not conclusive, the GAIR is mainly not considered to be applicable with regard to data protection laws because – as mentioned above – the purpose of data protection law is the protection of individuals' rights to privacy but not a consumer protection right.
Pursuant to the draft bill, the catalogue of consumer protection laws in Sec. 2 (2) of the GAIR will be extended to regulations on the admissibility of the collection, processing and usage of personal data for the purpose of marketing products and services, conducting market and opinion research, running credit report agencies, generating user and personality profiles, addresses and data trading as well as for similar purposes. However, the collection, processing and usage of consumer personal data for the purpose of entering, executing or terminating a contract or a quasi-contractual fiduciary relationship with the consumer will not be covered. This means that the GAIR is not applicable for any data collection, processing or usage for entering into and execution of a contract with a consumer, and therefore consumer associations will not be able to claim data protection breaches in this regard. Since the GAIR is a consumer protection law, it does not apply to the collection, processing or usage of personal data of non-consumers. The government's proposal is directed at businesses that use personal data of consumers for making them available to other parties.
Nevertheless, it is very likely that the number of legal actions of consumer protection associations and trade associations against infringers of privacy laws will increase dramatically. In addition, the new law will help to enforce data protection laws and many data dealers, credit report agencies and advertising agencies will have to change their attitude in order to become compliant with German and European data protection laws. Many hotly discussed questions of the construction of German data protection laws will soon be decided by German courts and it might well be that a new and hefty light will be shed on data protection and infringers.
As data protection is and has always been in the focus of the German public, it is very likely that the proposal will pass the German Parliament soon although one may expect intensive lobbying of the affected industries.
 - See White & Case Newsflashes of March 2014 and August 2014, Footnote 1.
 - Draft Bill of the German Government on the Improvement of Civil Law Enforcement of Consumer Protecting Privacy Law Regulations [Gesetzesentwurf der Bundesregierung Entwurf eines Gesetzes zur Verbesserung der zivilrechtlichen Durchsetzung von verbraucherschützenden Vorschriften des Datenschutzrechts], bmjv.de/SharedDocs/Downloads/DE/pdfs/Gesetze/RegE-UKlaG.pdf
 - The GAIR applies already now if the consent of a consumer for the collection, processing and usage of consumer personal data is included in standard terms and does not meet the requirements of Sec. 4 and 4a of the German Data Protection Act for valid consents (see German Federal Supreme Court, decision of July 7, 2008 - VIII ZR 348/06). However, subject to any such claims is the wording of contractual standard clause but not the collection, processing and usage of the personal data itself.
 - the Court of Appeals of Berlin (decision of January 24, 2014 – 5 U 42/12), the Court of Appeals of Cologne (decision of January 17, 2014 - I-6 U 167/13, 6 U 167/13) and the Court of Appeals of Karlsruhe (decision of May 9, 2012 – 6 U 38/11) decided that Sec. 4 No. 11 GUCA does apply to infringement of Sec. 28 (3) of the German Data Protection Act. Likewise the Court of Appeals of Munich (decision as of January 12, 2012 - 29 U 3926/11) decided that Sec. 4 No. 11 GUCA does not apply to Sec. 28 (1) of the German Data Protection Act. Sec. 28 of the German data Protection Act is the cornerstone of compliant personal data processing by private entities.
 - With regard to Sec. 28 (3) of the German Data Protection Act, some authors are already now of the opinion that the GAIR is applicable (see Köhler, Commentary on the German Unfair Competition Act, 33rd Edition 2015, Sec. 3 GAIR recital 13). As for Sec. 4 of the German Data Protection Act, the Court of Appeals of Frankfurt decided that the GAIR does not apply (decision of June 30, 2005 - 6 U 168/04).
 - See EU Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights, amending Council Directive 93/13/EEC and Directive 1999/44/EC of the European Parliament and of the Council and repealing Council Directive 85/577/EEC and Directive 97/7/EC of the European Parliament and of the Council.
 - See Reference in Footnote 5.
 - See Reference in Footnote 5.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2015 White & Case LLP