On March 29, the German Federal Cabinet approved a proposal for the law that will implement the EU Collective Redress Directive into German law. The EU Collective Redress Directive requires EU Member States to adopt new laws that allow ‘mass claims’ by consumer associations. The Directive calls this “collective redress”. Depending on how this plays out in practice, the financial risks associated with such collective redress actions could be higher than the risks of fines under the GDPR or other privacy laws.
The upcoming German law, the “Verbraucherrechtedurchsetzungsgesetz” (VDuG) will enable consumer protection associations to bring collective actions against companies who infringe the law.
The VDuG will enable qualifiying organisations (most importantly the German consumer associations, the Verbraucherzentralen) to lodge lawsuits that are brought on behalf of a potentially unlimited group of consumers. The consumers do not have to present themselves, they can (even at a later stage) ‘opt in’ to the claim.
This type of court action shares many similarities with US-style class actions, but in Germany can only be brought by qualifiying German organisations. This is a new development, because German law has previously not allowed for such collective actions – except for a complex procedure called “Action for Model Declaration” (Musterfeststellungsklage) which was only rarely used in practice.
The new VDuG act will introduce another type of claim, which will be called “Action for Redress” (Abhilfeklage). Under this Action for Redress, consumer protection agencies will be able to bring claims on behalf of large groups of consumers, inter alia for damages.
This ‘Action for Redress’ can be brought in respect of any infringement of a law that protects consumer interests, if multiple (at least 50) consumers are affected in a unified way. The underlying EU Collective Redress Directive, however, explicitly refers to the GDPR and the national laws implementing the ePrivacy Directive (Recital 13).
This creates an explosive mixture, because the new Action for Redress can be combined with a claim for immaterial damages under Article 82(1) GDPR. There are currently many cases pending, both before German courts and before the European Court of Justice, that concern the question of whether affected individuals can claim monetary compensation even for ‘moral’ damages and minor infringements of data privacy laws.
Most importantly, the EU Court of Justice will soon adopt a decision in the Austrian Post case (C-300/21). In this case, there is already an opinion of the Advocate General, in which he argued that "a mere feeling of displeasure", respectively "mere upset" should not entitle a claimant to damages. However, the EU Court of Justice has not yet spoken on the point; a decision will be published on 4 May 2023.
In summary, this means that a company that infringes the GDPR or other laws might become subject to a collective Action for Redress, lodged by a consumer protection organisation. This organisation will be able to claim damages on behalf of all consumers affected by the infringement. Depending on the number of consumers affected, this could lead to very high amounts of money being at stake.
In short, the risk can be calculated by multiplying the number of affected consumers by the amount of damages that can be claimed. For example, if a privacy infringement affects 100,000 consumers and each consumer is entitled to damage compensation of 500 EUR, the overall risk exposure is 100k x 500, namely 50 million EUR.
This means that one of the decisive factors for risk calculation, and also for risk mitigation strategies, is the number of consumers who actually decide to opt-in to such a collective claim. In this regard, the German government has chosen to use an ‘opt-in’ approach that allows only such consumers to claim damages that have opted-in before the court of first instance hands down a decision (§ 46 and § 13(4) VDuG draft). This means that the highest risk scenario is off the table for now; consumers will not be able to join the “class” of consumers entitled to damages after the court makes its ruling. This differs from other countries where the national laws can allow consumers to claim damages even if they did not actively opt-in (see Recital 43 of the Collective Redress Directive).
Opting in under the new law will require that consumers register themselves in a public registry maintained by the Federal Office of Justice (Bundesamt für Justiz). An opt-in will be possible for up to two months after the first court hearing, but not after the court of first instance hands down its decision.
During this period, consumers can opt-in by filling an online form in the public registry. Registering will require that the consumer types in a significant amount of information about themselves and their claim. Opting-in will therefore take some time and cannot simply be done through one click. It will however be cost-free.
Overall, this means that the risk exposure of companies depends on the amount of publicity that a collective action attracts. The risk exposure will therefore be particularly high in cases where a breach attracts significant publicity and where the acting consumer association (or interested third parties) actively promote the collective action. Time will tell if and to what extent this will happen.
According to the draft legislation, how will the cases play out in practice? The following is a step-by-step description:
The upcoming VDUG act will introduce a fundamental change to German law. To date, German law does not include a mechanism for a “class action”. Consumer protection associations can currently only bring actions for injunctive relief (Unterlassungsklage) and the ‘Action for Model Declaration ‘, which is only very rarely used in practice.
The new Action for Redress means that companies, even in the case of otherwise minor legal violations and associated damage amounts, could find themselves exposed to enormous sums in damages due to the potential volume of plaintiffs. For companies with a very large customer base, the amount of these damages could even exceed fines under the GDPR.