Previously, consumer and business associations could bring actions under consumer protection and competition laws on behalf of groups of consumers or business. Under an amendment to the country's Injunctions Act, this has now been expanded to cover data protection law, and associations will be able to initiate litigation and seek injunctions for data protection infringements.
There is a real chance that this could lead to a rush of collective action suits for companies, said data protection expert Niels Tacke of Pinsent Masons, the law firm behind Out-Law.com.
Data protection authorities have been responsible for compliance with the regulations to date, but these are often understaffed, Tacke said.
"The new regulations obviously increase the manpower available to control the collection and processing of data by companies. But while some data protection authorities are aware of how difficult it is to comply with all of the data protection laws, and are correspondingly pragmatic in what they expect of companies, that is not likely to be the case with the consumer and business associations, so the risk of companies being subject to legal actions is increased," he said.
"By their very nature, business and consumer associations are not independent like data protection agencies, but are influenced by their members," Tacke said.
The problem is compounded by the fact that the new law does not explicitly state whether minor infringements can be challenged, Tacke said.
"In the introduction to the law, it states that the proceedings and actions can only begin if the infringement in question is 'of some importance and/or weight'. However, that is not stated in the law itself. So that effectively means that associations will be able to take action against the most minor infringements. It's not yet clear how the courts will deal with this, and whether they will pay attention to the introduction," he said.
It is very difficult for German business to comply with every aspect of data protection legislation, "even if they are really trying", said Tacke.
"Parts of the law are unclear and are interpreted in different ways by different data protection authorities, and now there is the risk that consumer associations will interpret them in yet another way," he said.
Due to its federal state system Germany has 16 data protection authorities, which sometimes differ in their interpretation of the law, Tacke said.
"By adding consumer associations into the mix, you raise the risk of having contrasting cases, one run by a data protection authority and a second by a consumer association, and getting different outcomes on the same data protection issue. Currently, we just don't know how such a scenario would play out," he said.
"The lack of clarity and the apparent ability to take action on the most minor infringements leads me to believe we will see many proceedings based on this," he said.
Any UK business is that is subject to German data protection law should bear this new amendment in mind, said UK data protection expert Claire Edwards, also of Pinsent Masons.
There is no equivalent law in the UK, although individuals can complain to the Information Commissioner and bring claims for compensation, Edwards said.