Christian Schröder, head of Orrick’s IP/IT & Data Privacy Practice Group in Germany, was interviewed in the latest issue of Cybersecurity Law Report regarding a new act passed by German Parliament that permits certain associations to file privacy class actions. An excerpt from the article entitled "Germany Eases Restrictions on Certain Privacy Class Actions" is included below.
CSLR: What is the official name of the act and when will it become effective?
Schröder: The official name is Gesetz zur Verbesserung der zivilrechtlichen Durchsetzung von verbraucherschützenden Vorschriften des Datenschutzrechts (Act for the Improvement of Enforcing Consumer Protecting Data Privacy Regulations Before Civil Courts). Within the coming weeks, it will be published and then the next day, it will become law.
CSLR: What are the biggest changes that this new act brings under German law?
Schröder: This act brings important changes. Generally, German law (and that of many other European countries) does not recognize the concept of filing a lawsuit on behalf of other persons. You cannot file a class action that has an effect for others – you need to have your own standing. As a consequence, each consumer must either try to enforce his or her data privacy rights in court individually by filing a claim with a civil court, a complaint with the competent data protection supervisory authority or, in exceptional cases, by filing a complaint with a state prosecutor who can then commence criminal proceedings.
Under the new act, consumer protection associations, industry and chambers of commerce or other approved business associations now have the standing to file for injunctions against any data privacy violation which affects consumers in the areas of: (1) advertising; (2) creating personal profiles (i.e., for credit checks); (3) address and data trading; or (4) similar commercial data processing operations.