Data Protection in France and Germany – a 9-month review

Uncertainty was great on 25 May 2018, when the General Data Protection Regulation (GDPR) came into force across Europe. Small and medium-sized enterprises (SMEs) in particular were afraid of the huge bureaucracy and costs involved. In fact, despite a two-year transition period and the big announcement, many latecomers did not adapt their regulations in time and risked fines. According to a German study, only ¼ of German companies had fully implemented the GDPR four months after the deadline. Another study reports a similar situation for French companies, stating that only 24% of them complied after the entry into force of the Directive. Under these circumstances, German companies without sufficient implementation risked, in addition to fines, being issued warnings by competitors.

1. Waves of warning letters in Germany

Unlike the unproblematic situation in France, where the law on unfair competition in general does not provide for warnings between competitors, in Germany something close to a wave of such warnings was expected. The Unfair Competition Act (UWG) allows a fee-based warning to be issued against a competitor's breach of market conduct rules. With the entry into force of the GDPR, it was feared that lawyers would issue more warnings and thus attempt to profit from actual or alleged infringements of the GDPR.

The question arises as to whether infringements of the GDPR can be the subject of a warning as violations of the UWG. In essence, it is necessary to clarify whether a violation of law actually exists and whether companies are indeed entitled to issue warnings to competitors according to the GDPR.

Here, opinions are divided not only in the literature but also in case law. Last year several judgements were rendered on this issue. The regional courts (LG) of Bochum, Frankfurt, Hamburg, Wiesbaden, Würzburg and the Higher Regional Court (OLG) of Hamburg have already ruled on this subject. Particular attention should be paid to the decision of the Hamburg Higher Regional Court.

The judgement of the OLG Hamburg set aside the previous judgement of the Court of Hamburg, which had issued an injunction. The applicant filed an appeal and thus the legal dispute between two competitors went to the appeal court. The OLG explained that in individual cases it must be determined, on the basis of the purpose of the respective provision of the GDPR, whether a breach of the law exists pursuant to the UWG. It is noteworthy, however, that the Higher Regional Court, unlike all the other courts, does not specifically advocate or oppose the application of the Unfair Competition Act to data protection violations, but is open for discussion.

The Court of Wiesbaden and several other courts frequently agree with the opinion expressed in the literature by the German competition law expert Prof. Dr. Helmut Köhler, who explicitly excludes in of the Unfair Competition Act.

The Court of Würzburg was the only one to decide that a violation of the GDPR can be the subject of a warning under the UWG. Without going into the controversial final regulation of the GDPR or the dispute of opinion in literature and practice, the Würzburg Regional Court issued a temporary injunction against a lawyer who could not show a sufficient data protection declaration on her homepage. Especially here, an oral hearing and a detailed explanation of the decision would have made sense.

What to expect in the future?

Lawyers and consumer associations hope that a new decision will also bring a clear answer on whether such warnings can be issued.

Clarification could also come from a new law intended to tackle abusive warnings. A first draft was presented at the request of the German Bundestag in the summer of 2018. The draft provides for changes in the Unfair Competition Act, the Injunctions Act and the Court Costs Act.

Until then, uncertainty will persist and discussions on the regulation of the GDPR will continue. However, this dispute has also led many warning lawyers to refrain from issuing new warnings to competitors in the event of violations of the GDPR. In the end, the dreaded wave of warnings failed to materialise.

2. Developments throughout Europe and first fines

Despite these difficulties still to be clarified, the first nine months in Europe after the entry into force of the GDPR went quite well in practice, according to the European Data Protection Board (EDPB). The report states that cooperation between national supervisory authorities has been successful, creating several general guidelines for consistent interpretation and an information system between the supervisory authorities. In addition, cooperation mechanisms were initiated to identify the lead supervisory authority at transnational level and to carry out the main proceedings collaboratively, and a database was set up to record all cross-border cases centrally.

Since its entry into force, a total of 206,326 data protection cases have been recorded across Europe, of which 94,622 are based on complaints and 64,684 were reported by the controllers themselves (status as of 26 February 2019). 52% of the cases have already been closed. The total amount of fines imposed by all supervisory authorities amounts to 55,955,871 euros.
Contrary to initial fears, the imposition of fines has so far been low if one considers that the 55,955,871 euros includes the 50 million euro penalty payment of the Google decision of 21 January 2019.

When the GDPR came into force, the consumer protection organization NOYB filed lawsuits against Google in France, Instagram in Belgium, WhatsApp in Hamburg and Facebook in Austria. So far, only the French national data protection authority CNIL has reached a decision, imposing the first record fine of 50 million euros on Google based on the GDPR.

The CNIL complained that Google's terms of use and data protection violated the transparency and information requirements for the collection of personal data (articles 12-14 GDPR) and that the rights of persons were not communicated clearly enough (articles 15-22 GDPR). The relevant information is scattered and only accessible after several clicks. In addition, the descriptions are too vague and indefinite. It has also been criticized that the user's consent to processing for personalized advertising is not sufficiently informed and identified.

A less impressive fine, but the first and therefore an important one, was also imposed in Germany. Because of an offence against art. 32 of the GDPR, a fine of 20,000 euros was imposed by the Office of the data protection authority (LfDI) in Baden-Württemberg against a social-media provider. In contrast to the centralized data supervision in France with its national data supervisory authority CNIL, German data protection supervision is organized federally. Each German federal state has a competent data protection authority to which complaints must be addressed.

The company sanctioned by the LfDI Baden-Württemberg had itself reported a data breach after a hacker attack in September 2018. During the hacker attack, personal data of approximately 330,000 users were stolen, including e-mail addresses and passwords. The latter were stored unencrypted and in unaltered form (that is, in plain text), as the company also informed the LfDI. Due to the constructive cooperation of the company with the LfDI and its willingness to take extensive measures to improve data protection, the fine pursuant to Art. 83 IV of the German GDPR law was relatively low. Attention was also paid to the current financial situation of the company.

These two examples illustrate that while there can be very harsh decisions, the imposition of fines does not have to be dissuasive, but rather appropriate and proportionate. In the end, it is the improvement of data protection and the security of users' personal data that counts and not the imposition of the highest possible fines, according to the data protection authority of Baden-Württemberg.

3. Conclusion

After nine months of GDPR, the initial excitement has settled and the first small achievements have emerged. The complaints received show that citizens are exercising their new rights. Within the first six months, the German Federal Data Protection Authority has already received about 4000 complaints. According to the French data protection authority, there were 6000 complaints, an increase of 34% over the previous year.

A study by the French data protection authority CNIL confirms that awareness in handling confidential data has improved. 66% of French people are more cautious with their data since the GDPR. While the new rules have been and continue to be a significant burden and cost for many companies, in times in which personal data is used for business purposes, they will necessarily be forced to inform and organize themselves when dealing with such data.

Elisabeth HEIL with the participation of Manon GITTERMANN (Franco-German Law Student in Mainz)