Companies operating in Germany may have cause to be wary of a new law that will allow consumer associations to sue them over perceived data protection violations in their commercial practices.

The law, which cleared the Bundesrat (Senate) just before Christmas and is currently awaiting the signature of German President Joachim Gauck, goes further than existing legislation that allows consumer associations to sue over a company's terms and conditions. It also lets them sue over violations of principles such as data minimization.

Industry representatives and legal experts warn the law means companies may face parallel procedures from consumer associations, which sometimes have an activist tinge, and data protection authorities that will attack using administrative rather than civil law. They say this will make life particularly difficult for startups and other smaller companies that may lack the resources to be properly prepared.

Our proposal would have been to strengthen the data protection authorities, to give them more people to enforce data protection, but not to give other associations who don't deal with data protection all day the same competences. This parallel structure will lead to contradictions in interpretation of data protection law. — Martina Knauss 

However, the consumer associations say they are more likely to target bigger names in the league of Google and Facebook.

"If you log into [a service such as] Facebook and they ask you to give your name, this is OK, but if there is a vast amount of data collected with Facebook needing it for the offered service, it might be a breach of German security law," said Heiko Dünkel, legal secretary for the Federation of German Consumer Associations (VZBV).

"So far, without the new legislation, we have had vast problems in tackling these kinds of infringements, when it's not written in terms and conditions but it's in the way a certain company acts. This new legislation allows us to tackle also this kind of infringements, we hope."

The VZBV does not have any specific suits planned yet, but other types of violations in its crosshairs include companies sending advertisements to people against their wishes, and using children's games to collect information about their parents. Practices around personal profiling and data brokering are likely to face more challenges.

"Companies should expect to be sued more often," said Monika Kuschewsky, a German data protection lawyer working in the Brussels office of Covington & Burling.

The new legislation, the "Act to Improve the Civil Enforcement of Consumer-Protection Provisions of Data-Protection Law," is expected to be in place from March. Its introduction follows lobbying from consumer associations on one side and the tech industry on the other, and the EU's General Data Protection Regulation (GDPR) — finalized just two days before the Bundesrat vote — provided last-minute support for its future legality.

A clause in Article 76 of the GDPR ensures that EU countries can have laws allowing organizations to lodge data protection complaints without the go-ahead of an affected data subject. This will fit with the practices of Germany's consumer associations, which may go on the offensive after learning of new developments, without waiting for individuals to come forward with their concerns.

According to Martina Krauss, a policy officer with German digital association Bitkom, the industry did not know until very recently whether or not this would be allowed — and the result will be fragmentation between the regimes of different countries.

"[Germany] pushed the opening clause in the General Data Protection Regulation hard to be able to implement this German collective action law," said Krauss. "Now we have a different solution in Germany than in the rest of Europe."

Krauss complained that Germany already provides challenges for companies due to there being a separate data protection authority (DPA) in each state — a system that has already caused discord over the implications of the European Court of Justice's Safe Harbor ruling. Now there is scope for even more variety in readings of the law.

"Our proposal would have been to strengthen the data protection authorities, to give them more people to enforce data protection, but not to give other associations who don't deal with data protection all day the same competences. This parallel structure will lead to contradictions in interpretation of data protection law," she said.

This view was backed by Kuschewsky.

"When consumer associations sue, that goes to the civil courts, which apply civil law. They will apply data protection law, but more through the lens of the consumer protection angle. The administrative court may take a different view – the administration court only looks at what the [current data protection law, or in future the] GDPR says and applies that," she said.

According to Bitkom's Krauss, consumer associations also have more of a reputation than DPAs for making a big media splash with their suits. "A lot of companies fear their reputation will be damaged, even if [the allegations] are proven to be unfounded later on," she said.

Kuschewsky agreed that the consumer associations go for "nice headlines," but this generally happens with big-name targets. "If they learn about something really bad that happens with a small company, they will also go after them," she added.

The VZBV's Dünkel said consumer associations and DPAs, both of which are resource-constrained, would not formally coordinate their actions against companies. However, he noted, there is "a constant exchange of ideas" between such organizations.

"We have to take our measures very carefully. ... We did it in the past with extensive care, and there is no prospect that we will now change our mood and sue every company, also small startups, and kill their ideas," he said.

"We write our press information very carefully and don’t make any populist statements. We try to avoid this, though sometimes the wording has to also be interesting for journalists."

Photo credit: Nico Trinkhaus - Potsdam Germany - CC-BY-NC