Privacy & Cybersecurity Law Blog

On December 17, 2015, the German Federal Diet (Bundestag) adopted a draft law introducing class action-like claims that will enable consumer protection associations to sue companies for violations of German data protection law.

The law amends Germany’s Act on Actions for Injunctions to allow consumer protection associations to bring lawsuits against companies for improper use of consumer data in violation of German data protection law. At this time, only affected individuals, German criminal prosecutors and data protection authorities have legal standing to sue businesses for breaches of data protection law.

The law will enable consumer protection associations to allege claims for violations of the German rules governing the processing of consumers’ personal data for the purposes of (1) advertising, market and opinion research; (2) operation of a credit agency; (3) creation of personality or usage profiles; (4) address or other data trading; and (5) comparable commercial purposes. Such comparable commercial purposes, however, do not include the collection, processing or use of consumer personal data exclusively for the establishment, performance or termination of a business relationship with a consumer. As such, the law is designed to mainly address data processing by companies whose business models are based on the commercialization of personal data in both the offline and online contexts.

Importantly, the law prevents consumer protection associations from bringing claims for violations of international data transfer rules against companies relying on the invalidated Safe Harbor agreement until the end of the day of September 30, 2016 to the extent the transfer of data was based on the Safe Harbor Framework until October 6, 2015.

The draft law still needs to be signed by the president and published in the Federal Law Gazette before becoming law.