By July 1, 2022, companies that enable consumers to conclude certain paid continuing obligations on their websites must have implemented the statutory requirements of Section 312k of the German Civil Code (BGB) on the so-called cancellation button. Find out here what data protection pitfalls this provision entails.
What is at issue?
With the Fair Consumer Contracts Act, the German legislator introduced the new Section 312k of the German Civil Code (BGB), which is intended to make it easier for consumers to terminate continuing obligations in electronic commerce. The core of this new provision, which will apply from July 1, 2022, is the obligation of companies falling within its scope to provide a “permanently available as well as directly and easily accessible confirmation button” enabling the consumer to declare the termination of his contract (Section 312k (2) (2)). In order to keep cancellation convenient, under Paragraph 2 (1) entrepreneurs may ask the consumer only for certain information which identifies him and the contractual relationship to which his termination declaration relates. Furthermore, the entrepreneur must immediately inform the consumer by electronic means of the content, date and time of receipt of the notice of termination and of the date on which the contractual relationship is to end (Paragraph 4).
The details of this new regulation are just as controversial as its concrete scope of application and will probably occupy the courts for some time to come. However, it can already be stated today that the legislator has not “thought through” the regulation to the end in terms of data protection law.
Where are the data protection problems?
The data controller for the processing of personal data must take technical and organizational measures to ensure that no unauthorized person accesses or even changes this data, especially if such a change to customer master data involves a risk to the rights and freedoms of the data subject. On online portals, such access control is typically ensured by requiring users to authenticate themselves by entering their secret credentials. However, according to the German legislator’s explanations (BT-Drucks. 19/30840, p. 18), it is precisely this access control that is to be denied to the entrepreneur. It expressly states that consumers must be able to reach the confirmation page at any time without first having to log on to the website. In other words, the entrepreneur is prohibited from taking the usual technical precautions against legally binding declarations being made by an unauthorized person to the detriment of the data subject.
Now, according to Section 312k (2) (1) (b), as amended, the entrepreneur may in fact require information from the consumer on the confirmation page “for his clear identification”. However, according to the German legislator’s explanations, this should “typically” require only “the name and address of the consumer”. This view of the legislator stands in obvious contradiction to the practice of the German data protection authorities, as well as to the state of the art within the meaning of Art. 32 (1) GDPR, as defined for example in the IT-Grundschutz-Kompendium of the German Federal Office for Information Security (BSI). In fact, since the well-known sanctioning proceedings of the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) against the telecommunications provider 1&1, it has been common practice of the German data protection supervisory authorities to require data controllers to authenticate the user with at least one secure factor, i.e., secret knowledge of the data subject. Depending on the risk situation, the authorities may also demand two-factor authentication as a means of access control, and they enforce these requirements even under the threat of a fine.
Finally, according to Section 312k (4) of the German Civil Code (BGB), as amended, the confirmation of receipt must be sent “immediately” to the e-mail address provided by the consumer on the confirmation page. Neither the wording of the law nor the explanatory memorandum leaves any room for checking whether the e-mail address given actually belongs to the consumer, or merely to a user posing as this consumer. The company may therefore be required to send such an e-mail to an unconfirmed e-mail address and, by doing so, disclose that a contractual relationship with the data subject exists.
The risks of misuse of the cancellation button can thus hardly be overlooked. A spurned ex-partner like the one who triggered the above-mentioned fine proceedings by obtaining the data subject’s mobile phone number from the 1&1 customer hotline could now proceed as follows: she would declare notices of termination on the websites of all known or suspected providers with whom the data subject maintains electricity, mobile communications or other essential continuing contracts, stating merely the name and address of the data subject and, by providing a false e-mail address, ensuring that the data subject does not learn of this, or at least learns of it too late. And if she also harbors a grudge against the provider’s company itself, she would give as the e-mail address that of a third party whom she can expect to issue warnings against the resulting e-mails as alleged spam and to combine this with claims for information under data protection law. The cancellation button also opens up unimagined opportunities for unfair competitors to hinder their rivals anonymously and harassingly.
Companies that have to implement the cancellation button are therefore in a quandary. If the company requires the consumer to provide a password or a similar secret authentication feature as information “for his unique identifiability”, customers could regard this as a violation of Section 312k (2) of the German Civil Code (BGB), as amended, and claim the right to immediate termination under Section 312k (6) of the German Civil Code (BGB), as amended. In addition, there is a risk of warnings under competition law and, albeit probably only in theory, of a fine on the basis of Article 246e § 2 (2) sentence 1 EGBGB.
If, against this background, the company refrains from implementing such an authentication feature, it must hope that the competent data protection supervisory authority will tolerate this in view of the requirements of Section 312k of the German Civil Code (BGB), as amended. However, it remains open whether and how this undercutting of the statutory level of data protection under Art. 32 (1) GDPR, which is apparently “intended” by the legislator, can be justified doctrinally. One could see in the new regulation a statutory exception based on the opening clauses of Art. 6 (2) and (3) GDPR. Conversely, however, the data protection level of Art. 32 (1) GDPR could also be read into the term “clear identification” in Section 312k (2) (1) (b) of the German Civil Code (BGB), as amended, by way of interpretation in conformity with European law.
What should companies be advised to do?
Companies that have appointed a data protection officer can make use of the possibility of consultation with the competent data protection supervisory authority as set out in Section 40 (6) sentence 1 of the German Federal Data Protection Act (BDSG). This way, potential risks of fines under data protection law for a lack of access control can be reduced.
In any case, it is advisable to prepare for possible misuse of the cancellation button at an early stage and to ensure that the potentially increasing number of complaints or requests for information (Art. 15 GDPR) from third-party data subjects are processed and answered promptly.
Finally, companies should carefully consider the design of the confirmation of receipt of the termination within the meaning of Section 312k (4) of the German Civil Code (BGB), as amended. Only the data that the user himself entered in the cancellation form should be included in the confirmation. Any advertising content, even the reproduction of logos, claims or test marks, should be avoided as far as possible in order not to expose oneself to claims for unlawful e-mail advertising within the meaning of Section 7 of the German Unfair Competition Act (UWG).