The German Federal government this month approved a draft law that puts increased pressure on companies in the area of data protection. If passed, it could even signal the start of a type of class action in Germany for data protection violations.
The “Entwurf eines Gesetzes zur Verbesserung der zivilrechtlichen Durchsetzung von verbraucherschützenden Vorschriften des Datenschutzrechts” seeks to punish companies that are violating data laws in the areas of advertising, market research and profile creating. The law has not yet been passed by the German Parliament.
Germany has a somewhat unusual data protection system. It has a regional rather than a Federal system of data protection where each German Land or State appoints its own data protection regulator. These regulators try to adopt a common stance on issues affecting Germany through an informal organisation called the Dusseldorfer Kreis.
The draft law gives rights to consumer associations. It allows consumer associations to take class actions on behalf of consumers when their rights have been violated in the area of data usage for marketing, advertising and profile creating. This means that hundreds, or even thousands, of data subjects could get together and bring an action against any company. The draft law seeks to give consumers a mechanism for grouping together and taking on large companies when they might have been reluctant to do so alone. The draft law also allows the consumer associations to apply to the court for injunctions to stop companies from misusing data in the area of advertising or marketing.
A further worrying aspect of this for companies is that when one of these cases is taken, the court would have to advise the relevant the German data protection regulator. As we mentioned in our alert last week German regulators are expressing their concerns more readily and more publicly. This would mean it will be more difficult for companies to keep an allegation of a data protection infringement out of court and away from the media.
We are already starting to see the prospect of class action litigation in Europe for alleged data protection violations. Currently an Austrian law student Max Schrems is assembling an action against Facebook over alleged breaches of their privacy policy. Schrems spent part of his studies at university in the US and wrote about Facebook after listening to a lecture from one of Facebook’s lawyers. He then made a subject access request against Facebook which he said disclosed 1,200 pages of information about him. He felt that this was incomplete. The first hearing in Vienna with (according to Schrems) more than 25,000 plaintiffs is listed for April 9th. Schrems claims that another 50,000 potential claimants have registered an interest in the case. Schrems says that a judgement against Facebook could cost them €10m (approximately $11.5m). The action is funded by a German litigation finance provider.
Under the proposed German law, companies would have to deal with the problem of more cases like this, more intervention from regulators and more publicity following data breaches. The days when companies could settle data breaches in a quiet and amicable manner may soon be at an end.
Jonathan Armstrong is a lawyer with Cordery in London where his focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784
jonathan.armstrong@corderycompliance.com