How can companies defend themselves against product warnings and information from data protection authorities? | Fieldfisher



I. Introduction

Governmental product information and warnings issued by the data protection authorities of the German federal states and of the federal government have become more frequent recently. Such statements can have a lasting negative effect on the reputation of the company concerned, so it makes sense to consider the legal protection options available in such a case. Information activities of this kind are themselves subject to a legal framework that the authorities must comply with.

The following example will serve as an illustration:

Company A sells IT products. The data protection and freedom of information authority of the federal state in which Company A has its registered office publishes a notice pointing out significant data protection-related security gaps in Company A's IT products.

From the company's point of view, such official notifications raise the question of whether and when such action is permissible and how companies in Germany can defend themselves against it.

II. Legal Classification of Governmental Information Activities

In contrast to traditional governmental prohibitions or requirements, such official notifications affect the company only indirectly, since the adverse effects are felt through changes in customer behavior. Nevertheless, not only official product warnings but also mere product information can take on a character that makes judicial protection for the company concerned possible or even necessary.

From the authorities' point of view, the purpose of such product information and warnings is to promote market transparency and thereby support the functioning of the market. The instrument is also available to the authorities where the facts of the case have not yet been fully clarified. Even then, the authority must establish the facts as carefully as possible, for example by consulting the companies concerned, and it must expressly point out that a complete assessment was not possible in the individual case. Finally, there is always the possibility that the disseminated information or warning later turns out to be incorrect; in that case, disseminating false information no longer promotes market transparency at all.

Consequently, in such a situation the authority must investigate and correct the matter, and it must do so with the involvement of the party concerned.

Thus, if an official notice is published about a product of our example Company A and the authority has not yet been able to clarify the facts fully, the notice must clearly state that the assessment is incomplete.

III. Statements by data protection authorities also constitute encroachments on fundamental rights

Since data protection authorities are executive bodies endowed with sovereign powers, they are bound by fundamental rights according to Article 1 (3) of the German Basic Law ("GG"). Statements by such authorities about products of any kind must therefore always stay within the applicable constitutional limits.

IV. When is official information action lawful - and when is it no longer so?

In principle, government bodies require a legal basis of authorization to take action in the relationship between the state and the citizen. According to established case law, this also applies to indirect interventions such as the official information activities discussed here. The acting authority cannot, however, derive this basis of authorization from its statutory task alone.

Instead, it is legally unsettled which norm could provide a basis of authorization for statements by data protection authorities.

Since, in our view, neither the GDPR nor state data protection laws or press laws provide a suitable basis for authorization, two cases must be differentiated:

On the one hand, the authority may publish a product warning or product information and name the company in the process. Without a basis of authorization, such an official statement would probably not be legally tenable.

On the other hand, the authority may make an official announcement that does not mention the company's name and refers only to the product. Even and especially in this scenario, however, the authority is bound by further requirements with which it must always comply.

The two cases are again illustrated using our example company A:

If the competent data protection authority publishes a product warning or notification that names Company A, we consider this an unlawful information act for lack of a suitable basis of authorization.

If, however, the notice mentions only Company A's IT product and not the company's name, this is legally possible in principle. Even in this case, though, the authority remains bound by a clear legal framework.

V. Warnings and product information must always be factual, correct in content, and proportionate

First of all, the acting authority may only disseminate information that is correct in content. This requires a comprehensive analysis of the facts. In particular, the warning must always state explicitly which version of the product it refers to. A software product, for example, must be re-evaluated after each update. Giving the company a hearing can be very helpful in clarifying the facts in detail and can prevent discrepancies from the outset.

Furthermore, the authority's considerations must rest exclusively on factual reasons. A comprehensively correct and carefully clarified presentation of the facts or of the product is therefore necessary. The company itself may not be pilloried, possibly even detached from the product in question, for example by defaming the company.

The following scenario - based on the example given at the beginning - should serve as an illustration:

The state authority publishes a product warning concerning the products of Company A. In this product warning, it is also stated that managing director B of Company A "probably does not demonstrate trustworthy business practices anyway."

Here it is clear that the part of the communication referring to managing director B lacks any factual basis. Such communications by a public authority therefore do not satisfy the legal requirements and are unlawful.

Finally, the official notification must also be proportionate. The information or warning must be suitable for countering the identified risk, and it must be necessary in its form, its content, and its timing. Ultimately, the burden it imposes on the company must be in reasonable proportion to the intended gain in safety.

Within this proportionality test, the competing public interest in the notification must be weighed against the disadvantages for the companies concerned. The greater the potential adverse effect on the company concerned, the stricter the requirements. In each case, the data protection authorities must determine the extent of the risk both quantitatively and qualitatively. In particular, the significance of possible declines in sales and threats to the company's existence must not be disregarded.

Thus, if the data protection authority did not seek a discussion with our example Company A, or did not take the significance of the possible risks into account in its official consideration, the product warning would tend not to be proportionate.

VI. Legal Protection Options for Companies

If data protection authorities do not comply with these requirements, this may give rise to claims for injunctive relief or possibly even claims for compensation.

In principle, an out-of-court settlement with the acting authority, outside administrative or civil court proceedings, is always possible before the information is published. Once an official notification has already been issued, however, the only remaining option is to take legal action. This usually means filing a so-called general action for performance seeking an injunction. Under certain circumstances, this can be followed by a claim for compensation by way of an official liability claim under Section 839 of the German Civil Code ("BGB") in conjunction with Article 34 of the German Basic Law.

To contain any damage to reputation as quickly as possible in the event of possibly unlawful information activities, interim legal protection under Section 123 (1) of the German Code of Administrative Court Procedure ("VwGO") is always available. In principle, there must be a so-called ground for the order, which requires that the company would otherwise suffer irreversible harm. This will regularly be the case where the authority has published incorrect information, since even a subsequent correction can only partially undo the damage to a company's image. Whether interim legal protection succeeds depends on the court's case-by-case assessment, in which it weighs the interests of the disputing parties.

VII. Conclusion

In sum, information activities by data protection authorities can considerably influence a company's image, which is why such official intervention must always comply with the legal framework.

For the actions of data protection authorities, a suitable basis of authorization is still lacking. In addition, the information activity must always be factual, correct in content, and proportionate. In any case, it is always worth examining the available legal protection options, because legal action against such measures can succeed from the company's point of view whenever there are doubts about one of these requirements, whether in the form of an injunction or even a compensation payment.