German Privacy Chiefs Set Stricter Consent Target

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jabeen Bhatti

April 25 — Companies doing business in Germany may be facing stricter interpretations by privacy regulators of user consent requirements if recent guidance from German state data protection authorities (DPAs) is any indication.

The guidance is intended to clarify rules and makes business compliance easier under German data protection laws, but it also shows a “more activist” approach by the 16 regional German DPAs, attorneys told Bloomberg BNA. The guidance is a joint effort of the regional DPAs acting together with the federal DPA as the Düsseldorfer Kries.

Over the past six months, the approach of the regional DPAs to transfers of data to countries outside the European Union and data subject consent declarations have been “stricter than the courts,” the attorneys said.

“There is a tendency there to be stricter than the code,” Holger Lutz of Baker & McKenzie's Information Technology Group in Frankfurt said. “It is definitely more active. You see the direction they are heading.”

German flag

Sebastian Meyer, a data protection attorney at BRANDI in Bielefeld, Germany, said that regardless of the increased activism, DPAs have been limited by lackluster funding, and companies know that.

“If you're interested in getting more customers and more chances to use personal data, you will from time to time ignore these guidelines,” he said. Companies will realize that the limited funding will hamper the DPAs ability “to go after all the companies which aren't in compliance with” the consent provisions, Meyer said.

Opt-in Required

The guidance on consent declarations under the Federal Data Protection Act and the German Telemedia Act noted that valid consent requires opt-in rather than opt-out provisions regarding use of personal data. Opt-out provisions had been standard practice.

“If you're interested in getting more customers and more chances to use personal data, you will from time to time ignore these guidelines” from German data privacy regulators on consent obligations.

“It does not create new requirements but merely summarizes existing case law and best practices about how consent should be obtained from individuals in the context of terms and conditions or other pre-formulated contracts,” Anna Pateraki, a data protection attorney at Hunton & Williams in Brussels, said.

The guidance “will help companies better comply with the existing requirements in Germany that when consent is given together with other documents, it should be drafted properly and be placed in a separate and clearly visible position,” she said.

Stricter Interpretation

But the guidance is stricter than both German laws and court rulings, Lutz said.

“It's definitely stricter than what we have had before, and it deviates—they are saying you need a separate opt-in version of consent, in principle and in general,” he said. “But the Supreme Court said in principle you don't need an opt-in.”

In response to an inquiry by Lutz about what he sees as a “contradiction,” DPA representatives said “it's not really a contradiction—in principle, there might be an exception and one of the exceptions might be the case set out in the court decisions.”

Lutz said he would advise his clients on the guidance principles but would also mention that the courts have taken a different view thus far, and it is the courts which would make a final and binding interpretation of the law—not the DPAs.

Under the forthcoming European Union General Data Protection Regulation (GDPR), the consent requirements are stricter because it requires as a matter of principle an opt-in consent—a pre-ticked tick box wouldn't be sufficient anymore, he said.

The German DPAs are “kind of taking the data protection regulation already into account” even though there is a two-year implementation period for the GDPR, he said.

No Blanket Consent

Areas of statutory law presenting gray areas for interpretation of proper consent are also being more strictly enforced, attorneys said.

“In many cases, it's not that clear whether you have the statutory permission—if the data controller has a justified interest in processing the data,” Lutz said. “Here there is room to argue, and so many companies try to collect the consent to be secure even though they might not necessarily need it,” he said.

The DPAs “don't want it now,” Lutz said. “They are saying, ‘please don't collect consent for things you are allowed to do.’ The authorities are saying, ‘we don't like these broad overwhelming U.S.-style statements where you include everything—that won't work for us.’”

The ability of data subjects to withdraw consent is also of concern to the German DPAs. The DPAs' guidance advised companies to always tell the data subject they can withdraw consent .

The obligation to inform data subjects of the right to withdraw consent is only specified in the Telemedia Act, which covers website providers. But DPAs are now applying that obligation more broadly, attorneys said.

Increased Activism

There has been increased activism by the DPAs over the past six months, Lutz said.

The DPAs—even from the more business-friendly Bavaria—have applied the consent rules much more strictly, an attorney who asked not be named because of current ongoing negotiations with the authorities said. The approach has resulted in many more fines, the attorney said.

DPAs are openly in interviews with media and in their annual reports citing specific companies for privacy violations, something the regulators had previously refrained from doing, he said.

Lutz said that “a lot of the DPAs have sent questionnaires to companies now asking them specific questions," such as, “do you have a data protection officer; do you transfer data abroad; if yes, how do you do that; what mechanism are you using, and so forth,” Lutz said. “And if there is information in the reply they deem strange, they dig deeper, ask other questions or do an audit,” he said.

Meyer said that a recent law that allows consumer protection agencies to sue on grounds of data protection violations may lead the authorities to look for ways to collaborate with these groups to better monitor companies' compliance.”

Having the new consumer redress statute “is basically a good thing because it means that there will be no advantage for companies which are not complying with data protection provisions against those who make the investment to do so,” he said.

To contact the reporter on this story: Jabeen Bhatti in Berlin at

To contact the editor responsible for this story: Donald G. Aplin at

For More Information

The data protection consent guidance is available, in German, at

Request Bloomberg Law: Privacy & Data Security