July 6, 2009
Germany Introduces Stricter Privacy Laws – Impact on Database Marketing
This report on recent legislative developments in Germany with respect to the “list exception” and related matters is made possible through the assistance of our colleague Dr. Ulrich Wuermeling of the law firm of Latham & Watkins. Opinions and observations on the law appearing below are those of The Prescott Report and they are made with all the limitations inherent in observing legal developments in a foreign legal system and language. Readers faced with important strategic or investment decisions involving German consumer data should seek advice from competent counsel in Germany.
Last Friday, July 3, the lower house of the German Parliament (Deutscher Bundestag) passed an amendment to the German data protection law that incorporates the recommendations of the Interior Committee of July 1, 2009. It is widely believed that the upper house of the German Parliament (Deutscher Bundesrat) is likely to adopt the legislation shortly and that the law would then come into effect on September 1, 2009.
Bottom line for Database Marketing.
Personal data may no longer be used for marketing purposes unless the individual consents to such use. There are very important exceptions to this sweeping prohibition, which would otherwise prove the death-knell for direct marketing. These exceptions will permit the industry to remain robust, although handicapped.
First, and most importantly, the use of current data files of customers and prospects in the possession of marketers will continue to be governed by the old law until August 31, 2012. In short, companies have three years to accommodate themselves to a new environment if this law is not overturned. This means that lists as they stand now can be rented through the “list exception” until that date. However, the new restrictions apply on September 1 for new clients and data intake after September 1, 2009.
Second, no consent for marketing use will be required for direct mail solicitations to existing customers, customers whose names and addresses are available in “public directories”, in the B2B context, and by charitable fund-raisers.
Third, the transfer of address data remains legal without the individual’s consent, if the marketing message discloses where the data has been collected in the first place.
Fourth, data can be used to market third party products and services, if the marketing message discloses the identity of the company providing the data for that purpose. This will allow companies to continue to rent out address lists through mailing houses and data processing companies, which was primarily the way the industry operated in the past.
Other changes to the data protection system are of interest as they will impact internal corporate disciplines and potential data “richness” available for use by a company:
* Corporate internal data protection officers receive new status and authority. This is a position required by law in Germany and increasingly expected in US companies as “a best practice”. The DPO’s employment status is made stronger and his function, once assumed, may not be terminated by management without good reason. He also is entitled to attend continuing education programs at his employer’s expense.
* For those with processing facilities in Germany, the principles called “avoidance” and “minimization” will apply not only to the use of data but also to file structuring and data maintenance. Files and data should be made anonymous or “masked” by “pseudonymization”, unless this involves a “disproportional effort”. The consequence of this for list rental and data use will be that matching and de-duping files may essentially become impossible.
* Adopting an increasingly common response to data losses, companies will have to inform the authorities and the individuals affected where certain categories of data, such as bank account data, are compromised and where the consumer runs a risk of “considerable impairment”. (It is noteworthy that there is consideration given to the issue of the magnitude of the risk to which a consumer is put by a privacy breach before the expense of notification is imposed on the data controller. This discussion will only become more complex as technology’s weaknesses continue to be stressed and the world’s technically sophisticated criminal element continues to poke and prod for the weak seams, which no doubt they will find.)
* The use of personal data for market and opinion research continues to be limited by the “balance of interests” test. Note that under the Directive this same test is supposed to apply to the use of personal data for marketing purposes. Data collected in a research or opinion project may only be used for that purpose and must be anonymized if used for any other. The only exception is data obtained from publicly available information or data one is authorized to publish.
* In fact, from a marketing point of view, a new treatment of employee data is irrelevant, but it is an interesting piece of information and an insight into Germany for anyone interested in that country and the internal business environment. Employee data now receives additional protection. Access to records of individual employees is limited when the company carries out an internal investigation to identify employees who are accused or suspected of committing criminal offences.
* New regulations will dictate more content of contracts between data controllers and outsourced data processors. This could impact foreign data companies with German clients. The law contains a list of the provisions that must be found in data processing agreements, and includes the obligation to inform about data breaches. No doubt German company contracts will begin to put these into their forms.
* The Data Protection Authority gets new powers, including regulation interpretation. Watch this new power very carefully. Remember that Germany is a Federal Republic, and, like the United States, its States have individual authorities who doubtless will have their own opinions on many issues. Moreover, the Green Party is a powerful anti-marketing voice and many topics, such as the kinds of things the DPA’s may need to interpret, obviously impact marketing. Thus these officials may be the focus of new pressures.
* Credit reporting agencies face new restrictions on scoring, including use of geo-scoring, or micro-geographic data use for credit scoring. Fortunately, companies can use this data for marketing purposes, provided that the marketing materials do not contain offers that can be accepted to form binding contracts.
* Bigger penalties. Fines of up to €50,000 (doubled). Serious violations attract fines of up to €300,000. Fines can be increased to “claw-back” gains above those levels realized by the violator.
A legal analysis prepared by the well-known German academic Prof. Dr. Ulrich Hoeren comes to the conclusion that it is questionable whether many of these changes regarding use of data for marketing are in compliance with the 1995 Directive. Therefore, the industry may press their trade associations to challenge this callous disregard of the 1995 Directive.
In short, a complex piece of intensely negotiated legislation that the industry will need to digest bit by bit. Apparent first look conclusion: No change to current practices until 2012 with respect to existing files. The restrictions noted above begin on September 1. New customers acquired after September 1 should be noted as such for compliance purposes.
Dr. Wuermeling can be reached at +49.69.6062.6502 or at
E-Mail: ulrich.wuermeling@lw.com
The Prescott Report can be reached at +1.914.533.6890 or at
E-mail: Editor@PrescottReport.com