Greetings from Brussels!
Following the European Court of Justice’s Schrems decision last year invalidating the now infamous Safe Harbor mechanism, much focus has shifted to how the Data Protection Authorities of EU member states would continue to interpret and enforce Schrems. There has been much member state discussion of late around DPAs operating at full capacity in terms of their resources and how best to optimize efforts to cope with an increasing demand for enforcement activity. The task at hand can be quite sizable given the breadth of activity, ranging from random audits to on-site visits as well as handling consumer complaints and answers.
The Germans appear to be taking things in hand to strengthen data protection enforcement — their legislature recently passed a law that permits registered consumer protection organizations (called Verbände) to bring suits on behalf of consumers to tackle data protection violations. The new German law that grants authority to both consumer and business associations to enforce compliance with data protection laws went into force Feb. 24. A representative of the German Ministry of Justice pointed out that the new enforcement powers are specifically aimed at foreign companies having their headquarters or operating from outside Germany, including the U.S.
This is a considerable change in that before the newly revised Enforcement Act, the statutes authorizing such suits did not permit consumer organizations to bring them to enjoin data privacy violations. Instead, consumer organizations were limited to bringing injunctive actions to remedy, e.g., competition-law violations, illegal provisions contained in an enterprise’s general terms and conditions, or certain violations of consumer protection laws. The expanded competences are designed to complement the supervisory role currently carried out by the country’s DPAs. The latter could also play a role in the “class actions” by being allowed to articulate their views and analysis of the alleged data protection law violations in court.
A big question here is whether the Enforcement Act may lead to an uptick in consumer class actions filed against companies active in Germany. This is partially due to the fact that German data-protection consumer organizations have the reputation of being active litigants. The new powers include issuing cease and desist letters (which is a recommended step prior to initiating litigation) and seeking interim injunctions for alleged data protection violations such as collecting, processing or using consumer personal data without the valid consent of the individuals or another legal basis covered by local German data protection laws.
What does this mean in practice for the many organizations operating in Germany? This new law looks to support additional enforcement and by extension poses additional risks to those companies operating in Germany whose privacy policies fail to comply with the rigors of local German laws. The consumer organizations will likely act as an additional watchdog in concert with DPAs. Companies would do well to review their privacy practices when offering goods and services to consumers and ensure they are in good standing. These new legal provisions are yet another indicator that Europe is heading toward an age where data protection is becoming increasingly critical to organizational governance and strategy. One can only assume that we will see similar reinforcement across European borders as the GDPR becomes reality. It seems a good time to proactively assess risk wherever one is trading in the EU, thereby avoiding problems down the line.