Climate change, data protection and cybersecurity litigation, as well as collective redress, are major trends and will have significant impact on key industries in Germany.
Climate change litigation
Climate change litigation has gained significant momentum in Germany. The trend clearly results from the landmark decision from the German Federal Constitutional Court (FCC), in which the FCC found the German Climate Change Act to be partially unconstitutional. The FCC held the then-current version of the Climate Change Act violated the fundamental freedom rights of the individual plaintiffs because its provisions irreversibly shifted major greenhouse gas (GHG) emissions reduction burdens beyond 2030, thereby violating the plaintiffs’ fundamental freedom rights in the future. Following the FCC’s decision, the German legislator promptly tightened up the German Climate Change Act, setting a new path to GHG neutrality by 2045 with stricter emission goals. Another significant push in German lawsuits against emitting companies came from the Hague District Court’s decision in Milieudefensie et al v Royal Dutch Shell [2021]. In that decision, the Hague District Court ordered Shell to reduce its CO₂ emissions by 45% by 2030 compared to 2019 levels.
In September 2021 and October 2021, climate activists affiliated with German NGO Deutsche Umwelthilfe filed the first lawsuits against two major car manufacturers and Germany’s largest oil and gas company, aiming at emission reduction. The activists requested, inter alia, that the court order the car manufacturers to cease-and-desist from selling combustion-engine and hybrid cars beyond 31 October 2030. As regards the oil and gas company, the activists in particular requested that the court issue an order that would require the company to cease-and-desist from extracting oil and gas that causes more than 0.31 Gt CO₂ (oil) and 0.62 Gt CO₂ (gas) emissions when combusted, and to cease and desist from exploring any new oil and gas fields beyond 31 December 2025.
The activists base their claims on a combination of tort law and fundamental rights enshrined in the German constitution. On the one hand, the activists rely on the FCC’s jurisprudence as regards the ‘intertemporal’ effect of fundamental rights. They argue that the use of the combustion-engine and hybrid cars, as well as the combustion of oil and gas, consumes such significant portions of the global and national CO₂ budget available before GHG neutrality must be achieved in 2045, resulting in serious future impairments of freedom. On the other hand, the activists adopt a surprising approach to justify the violation of their own rights (which is necessary for a successful tort claim): they argue that the CO₂ emissions violate their future general personality rights. General personality rights, which are non-statutory and rooted in fundamental freedom rights, were developed by the FCC and other German courts to protect individuals from attacks to their private life and personality such as stalking, doctored photos, or fictitious interviews. The activists contend that their general personality rights are impaired by anticipated restrictions on their future general way of life. However, the FCC did not address a violation of the general personality right in its decision of 24 March 2021. Whether the courts addressing these issues will agree that general personality rights are part of the impaired future fundamental freedom rights as established by the FCC, remains an open question – the more so since the courts will have to weigh the companies’ rights against the activists’ general personality rights.
The activists are entering uncharted legal territory with their claims and even more with their argument that GHG emissions can violate general personality rights under German law. These lawsuits may pave the way for more lawsuits from other activists against emitting companies. In view of a series of legislative proposals to adapt existing EU climate and energy legislation to be presented by the EU Commission, it is conceivable that consumer-protective EU-directives aiming at climate protection could form a new basis for representative actions also in Germany.
Data protection/cybersecurity litigation
Data protection and cybersecurity related litigation are also becoming increasingly important in Germany, taking on a variety of different forms. Soon, decisions by the German Federal Court of Justice (FCJ) could provide more legal certainty.
One aspect of data protection and cybersecurity litigation in Germany that is being followed with great interest is the steady rise of data subjects’ claims for immaterial damages under Article 82 of the EU General Data Protection Regulation (GDPR). An issue to highlight in this context is the question of whether data subjects are only entitled to compensation for immaterial damages if the violation of their GDPR rights has reached a certain materiality threshold. In principle, a German civil court would award compensation for only immaterial damages where a plaintiff’s rights have been severely infringed. However, there are courts and scholars who take the view that a violation of the GDPR is, on its own, a sufficient basis to entitle a plaintiff to compensation of immaterial damages under Article 82 GDPR, regardless of severity.
In a recent case before the FCC a plaintiff sought compensation based on Article 82 GDPR for immaterial damages he allegedly suffered due to receiving an unsolicited email from a retailer. Plaintiff’s claim was initially dismissed by the lower court on the grounds that the materiality threshold had not been met. In its decision, the FCC held that given the conflicting views in Germany on the question of whether a materiality threshold applies under Article 82 GDPR, the lower court could not unilaterally reach a decision in this regard. Instead, this question – as a question of EU law – would have to be referred to the Court of Justice of the European Union (CJEU) for consideration. How the CJEU will decide this question could have major implications for controllers and processors, who could face the prospect of having to compensate any data subject whose GDPR rights have been violated, independent from whether a materiality threshold has been reached.
Further, in a recent case before the Higher Regional Court of Stuttgart, a plaintiff sued a credit card company seeking compensation of immaterial damages under Article 82 GDPR due to the publication of her personal data processed by the company in the context of a credit card bonus programme on the internet after a hacker attack. The plaintiff claimed that the card issuer had implemented insufficient safety measures to protect her personal data and thus violated Article 32(1) GDPR. In its decision, the Higher Regional Court of Stuttgart rejected the plaintiff’s claim on the grounds that a violation of the GDPR by the company could not be established. The court acknowledged that Article 32(1) GDPR provides for the principle of security of processing. However, it held that the plaintiff had failed to submit sufficient evidence or substantive facts to support her allegation that the card issuer had violated Article 32(1) GDPR. In particular, her unsubstantiated assertion that the issuer had not maintained a certain industry standard (PCI-DSS) was not sufficient to establish such a violation. As the court emphasized – in line with the Austrian Supreme Court – Article 82 GDPR does not modify the general principle of German civil procedural law that a plaintiff bears the burden of proof with regard to an alleged infringement of rights. The judgment is not yet final; the Higher Regional Court of Stuttgart has explicitly allowed the appeal to the FCJ. It also remains to be seen whether the FCJ will refer the question with regard to the burden of proof to the CJEU. However, as Union law does not contain any specific provisions on the burden of proof, national law applies here meaning that an admissible subject of referral is missing. The decision nevertheless illustrates that businesses should ensure comprehensive documentation of the measures taken to comply with data protection requirements in order to be able to meet a secondary burden of proof in court proceedings.
In another case involving the alleged violation of Article 32 GDPR, the German Federal Commissioner for Data Protection and Freedom of Information (BfDI), in 2019, issued a €9.55m fine under Article 83 GDPR to a German telecom provider on the grounds of an insufficient authentication procedure in one of its call centers. Although the provider fully complied with BfDI by increasing its security requirements following the security breach, BfDI maintained that the fine of €9.55m was appropriate. The provider challenged the fine before the Regional Court of Bonn, which held that the provider violated Article 32 of the GDPR, but found that the fine amount issued was disproportionate relative to the nature of the violation. Consequently, the fine was reduced by more than 90%, to €900,000. Although the Regional Court of Bonn did not provide an explanation for determining that the fine of €900,000 was appropriate, it stated that the provider already suffered a reputational loss through the publication of the high fine, which needed to be taken into consideration. The decision highlights that there is a need for businesses to closely follow legal developments and market practices in order to adjust their assessment of compliance of all company processes and that even minor violations of the GDPR can be costly.
Increasingly, disputes about the scope of data subjects’ rights of access pursuant to Article 15 GDPR are also being brought before German courts. Very recently, the FCJ held that access to personal data always has to be granted in an exhaustive manner and that, as a principle, an access request under Article 15 GDPR refers to all stored or processed data that can be linked to a data subject, including internal documents of the controller and correspondence with or about the data subject. Nevertheless, the FCJ ruled that there are certain limits to the right of access. Thus, in the at-issue case, the plaintiff could not request access to internal legal analyses that the controller carried out in his regard. Referring to the jurisprudence of the CJEU, the FCJ clarified that although legal analyses may contain personal data, the results of such analyses do not qualify as personal data.
Collective redress in Germany
When it comes to collective redress in general, the public eye is on the German legislator rather than on court actions. Following the endorsement of Directive (EU) 2020/1828 on representative actions for the protection of the collective interests of consumers (the Directive) by the European Parliament EU member states are required to transpose the Directive into national law by 25 December 2022, with its measures taking effect from 25 June 2023.
Hopes are therefore high that the German legislator will use the need transpose the Directive into national law to correct perceived deficits of the key mechanism for something akin to class actions in Germany, the Model Declaratory Action (MDA). The MDA was introduced into the German Code of Civil Procedure in 2018. In similar fashion to the Directive, the MDA allows qualified consumer associations to pursue claims by consumers through a model proceeding, where at least 50 consumers join. The model proceeding ends with either a settlement or a declaratory decision; the declaratory decision being binding on the consumers who joined. As indicated by its name, the MDA does not provide for damages to be awarded to the individual consumer; in order to be awarded damages, each consumer needs to bring a stand-alone claim before the German courts. This is most likely the crucial weakness of the MDA, and this may have been the reason that less than 20 collective actions have been filed so far, most of them against financial institutions and car manufactures. Collective actions under different legal regimes have also picked up pace: Various amendments have recently been made to the Act against Restraints of Competition, allowing for the more effective recovery of damages resulting from anti-competitive practices such as cartels. An opt-in collective action was brought in early 2021 by circa 2,000 hotels against an online booking platform, in line with similar actions in other jurisdictions. Representative actions have also been provided for in the Environmental Damage Act and the Environmental Judicial Review Act granting authorised environmental associations to file claims in relation to environmental damage. A rise in claims under this framework has occurred in the last two years, prompting discussions about the need to limit the standing of the associations.