Data protection is consumer protection law – infringements may result in consumer protection organisations' claims for cease and desist. While the requirements for a consumer protecting effect of data protection law have long been subject to debate, the legislator has now implemented a new Section 2 (2) No. 11 into the German Cease and Desist Claims Act (Unterlassungsklagengesetz – UKlaG). Section 2 (2) No. 11 UKlaG now establishes the consumer protection effect of data protection law and brings new claims for consumer protection organisations. Any company is well advised to address these new compliance risks.
1. Content of the Amendment
The “Act on Improvements for Civil Law Enforcement of Consumer Protecting Provisions of Data Protection Law” (Gesetz zur Verbesserung der zivilrechtlichen Durchsetzung von verbraucherschützenden Vorschriften des Datenschutzrechts), inter alia, implements Section 2 (2) No. 11 UKlaG stating:
“Consumer protection provisions within the meaning of this act are, inter alia, […] No. 11: provisions governing the permission to
a) collect a consumer’s personal data by a company or
b) process or use a consumer’s personal data by a company
where these data are collected, processed or used for the purpose of advertising, market and opinion research, operating a mercantile credit agency, generating person- or user profiles, address trading or other data trading or comparable commercial purposes.”
The new provision of Section 2 (2) No. 11 UKlaG now clearly states that data protection law may be consumer protecting law. This is in particular the case where a company processes a consumer’s personal data for marketing and related purposes. Section 2 (2) No. 11 UKlaG does not, however, apply to data processing that is carried out for initiating, carrying out or terminating agreements with consumers. The new provision will become relevant in particular when personal data collected in the context of an agreement with a consumer are used beyond the purposes directly related to such agreement.
The legislator’s intention in implementing these new provisions was to prevent “consumer rights infringements at a large scale” and to address consumers’ assumed inability to defend their rights. In other words, the legislator assumed a deficit not in consumer protecting legislation but rather in the enforcement of such legislation.
2. Role of Consumer Protection Organisations
The enforcement of consumer protecting data protection provisions lies with the consumer protection organisations according to Section 2 (2) No. 11 UKlaG. These enforcement powers now accompany the data subjects’ classical powers to enforce data protection rights vis-à-vis the data controller and to involve the data protection officer and the data protection authorities.
In particular, the consumer protection organisations may under Section 2 (1) UKlaG bring action before the courts, in regular and interim proceedings, for cease and desist of infringements of consumer protecting data protection law. The consumer protection organisations and the data protection authorities are therefore both competent for enforcing data protection law – the data protection authorities under public law and the consumer protection organisations under civil law. The legislator was aware of this conflict and aims to ease it by implementing a right for the data protection authorities to be heard in the respective court proceedings under Section 12a UKlaG:
“Before issuing its decision in proceedings in respect to infringements under Section 2 (2) No. 11 UKlaG, the Court must hear the competent data protection authority. Sentence 1 does not apply to interim injunctions without oral hearing.”
This new role of consumer protection organisations as new guardians of consumer protecting data protection law does not per se fit into the German and European conception for enforcing data protection law. The known conception rather provides for independent data protection authorities as enforcement bodies. This has been subject to critique and debate throughout the whole legislative procedure.
From the perspective of applying data protection law in everyday business, it will now be highly important whether the consumer protection organisations pick up and apply the data protection authorities’ interpretation of data protection law or whether they implement a second, diverging quasi-official interpretation of data protection law. The latter would then be subject to the civil courts’ jurisdiction rather than the administrative courts’ jurisdiction that applies to decisions of the data protection authorities. It remains to be seen which way of coexistence the consumer protection organisations will take.
3. General Data Protection Regulation (GDPR) in Sight
The GDPR may further increase the relevance and powers of consumer protection organisations with respect to enforcing data protection law. Art. 80 (1) GDPR states that data subjects may assign claims enforcing their data protection rights to not-for-profit organisations (such as possibly consumer protection organisations).
“The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law.”
It is possible that consumer protection organisations may extend their currently limited right of action in respect to data protection claims. Under Art. 80 (1) GDPR, they may also bring action in respect to non-consumer protecting provisions of data protection law. This might lead to ever-increasing parallel responsibilities of data protection authorities and consumer protection organisations.
The amendment to the UKlaG establishes consumer protection organisations as new guardians of data protection law with respect to consumers. This brings increased enforcement risks for affected companies. They are well advised to assess and amend their data protection compliance in regard to processing consumers’ personal data.