German Appeals Court Invalidates Sale of Brokered Data for Marketing, Prohibits Marketing Using Brokered Data

The General Data Protection Regulation (GDPR) introduces enhanced consent requirements throughout the European Union. Data-broker-provided data used for direct marketing is one area where the GDPR’s new consent requirements may develop some special relevance.

Current EU law under the ePrivacy Directive generally requires companies to obtain individuals’ prior consent before sending them electronic marketing communications. Compliance is straightforward if a company collects its own consents, then sends its own direct marketing communications.

But the issue becomes more complex if one company collects data from individuals and obtains some form of consent, then sells the data to third-party companies to use for their marketing. Any marketing sent using this purchased data must still be supported by individuals’ consent to receive such marketing. The GDPR will require this consent to be “specific” and “informed” and to be revocable at will. The question then becomes what effective consent to receive direct marketing looks like in the context of purchased data. Is consent sufficiently specific if the broker has generally informed individuals it may sell their data to third parties, who will use it to send marketing? Or do individuals need to be provided with the identities of the companies from whom they may eventually receive marketing in order for their consent to be “specific” vis-à-vis those companies? Additionally, how can individuals exercise their right to revoke consent if they do not know who is receiving their data?

Despite increasing discussion around this issue, there has been little case law—until recently. A German appeals court voided an attempted sale of email data that was to be used to support direct-marketing campaigns. In doing so, the court primarily relied on the lack of effective consent. Given the similarities between Germany’s current consent requirements and the GDPR, the case may serve as a harbinger of how courts and regulators may treat consents to receive marketing that are “purchased” alongside broker-provided data.

Facts of the Case

An unnamed German company (Company A) was active in the data brokerage industry. Through an online sweepstakes, it collected a significant number of email addresses. Company A eventually went into Chapter 7-style liquidation bankruptcy. The trustee sold the email address data to Company B, which was also active in the data brokerage industry and intended to use the data for marketing.

The trustee also sold Company A’s servers, which ended up with Company C. The email addresses had not been deleted from the servers, and Company C began using them to send direct marketing. Company B, seeing the value of its data depleted, sued the trustee on breach-of-contract theories for damages and an injunction.

The trial court (the District Court of Frankfurt) found for Company B on all counts. On appeal, however, the Frankfurt Court of Appeals reversed and entered a new judgment entirely in favor of the bankruptcy trustee.

Decision by the Frankfurt Court of Appeals

The court found that Company B had no contractual claims against the trustee because the data sale contract was void, since performing it resulted in violations of law. The court ruled that German law required individuals to provide effective consent for Company B to send them direct marketing communications via email – and that consent was missing.

The EU ePrivacy Directive requires companies to obtain consent to send individuals direct marketing communications via electronic channels. In Germany, this requirement is codified in Section 7(1) of Germany’s Unfair Trade Practices Act (UTPA), which states that direct marketing emails cannot be sent to individuals unless companies obtain prior, express consent. Here, Company A had obtained the following consents from individuals as part of its promotion:

• I accept the Terms and Conditions and agree to receive information, offers, and lottery sweepstakes updates from You, the Sponsors, and other companies via email and SMS.

The court found that this did not provide effective consent by the individuals to receive marketing communications from third-party data purchasers such as Company B. The court emphasized that, under German law, consent must be easily revocable by individuals at any time. For this reason, the court held that—if consent is to cover direct marketing by multiple companies—consent language must identify the name and address of each company that will provide marketing. Without such a list, the court reasoned that individuals could not effectively exercise their right to withdraw consent. Accordingly, the court held that Company A’s consent language was ineffective as to any third parties—and that Company B therefore had no consent on the basis of which it could send marketing.

This finding led the court to hold that the data-sales contract resulted in violations of Section 7 UTPA, making it an illegal contract. The court also held that Company B had no recourse against the trustee or Company A for unjust enrichment, since Company B knew it was relying on ineffective consent language and thus was acting with unclean hands.

The result was that Company B was left sitting on data it could not use for marketing (due to a lack of effective consents), while also having no recourse against the data seller.

Looking Forward

The Frankfurt Appeals Court is the first court to evaluate whether one company can collect consent that supports marketing by third-party data purchasers. Its decision may be the first in a longer line of cases, which may differ in result or in reasoning. Some factors support continued application of the court’s decisions, while others may limit its influence:

Factors Supporting Persuasiveness of the Court’s Opinion

Similarities between German law and GDPR consent requirements may make the court’s decision relevant in future cases. Under German law, consents must be (1) voluntary, (2) specific and informed regarding all intended processing purposes, (3) revocable at any time, and (4) given via consent language that is conspicuous and distinguishable from other matters. These same requirements will be present under the GDPR.

Additionally, even after the GDPR enters into force, sending direct marketing communications to individuals will continue to require obtaining their prior consent. “Prior consent in order to send direct marketing” is not a GDPR rule, but instead an ePrivacy rule that will not be abrogated by the GDPR (and which has appeared in all drafts of the ePrivacy Regulation to date). Instead, the GDPR’s entry into force provides arguments that the consent companies obtain—or believe they are purchasing—in order to support direct marketing must now meet the GDPR’s requirements for consent.

In the Frankfurt court’s opinion, consent could not meet these requirements, specifically the “withdrawable at any time” requirement, if individuals were not told of the companies that might purchase their data to use for sending marketing. The court’s solution was to require companies that collect and sell data to list every potential recipient—or be found as having improperly burdened individuals’ withdrawal rights.

Additionally, the GDPR will give consumers the ability to recover “non-material damages” suffered by unlawful uses of their data, potentially including sending them marketing without effective consent. The GDPR also permits consumer organizations to spearhead opt-in class actions. Unexpected marketing communications may provide individuals with opportunities or organizations to sue or interact with supervisors, and the Frankfurt court’s decision may serve as a basis for such complaints.

Factors Potentially Limiting the Persuasiveness of the Court’s Decision

Some factors may limit the persuasiveness of the court’s decision.

Bankruptcy. It bears remembering that the court delivered its opinion in the context of a dispute between the equivalent of a Chapter 7 trustee and an asset purchaser. The bankruptcy context presents special challenges for data privacy, most particularly that the trustee in principle has the legal power to sell the bankrupt company’s data to any other company. Once sold, the purchaser’s uses of this data can go beyond the scope of existing consents or of the processing purposes that were initially disclosed to individuals, and thus create significant risks for individual privacy. In fact, in its last activity report, the Bavarian Data Protection Authority reported it attempted to block a bankruptcy trustee’s sale of data from a distressed company for this reason. The court may have been mindful of these considerations.

If this was the case, however, the Frankfurt court did not indicate so in its opinion. The Frankfurt Court was not acting as a bankruptcy court when it issued its opinion; instead, the proceedings instituted by Company B were ordinary civil proceedings separate and distinct from the bankruptcy proceeding against Company A. The court did not cite bankruptcy law or considerations in reaching its decision—instead, it relied entirely on German privacy and civil law. Additionally, beyond the Bavarian DPA’s enforcement action mentioned above, there was little binding guidance or German case law on data protection obligations in the bankruptcy context for the court to rely on. Its opinion is sufficiently general in tone and holding that it could be cited as persuasive authority in future cases.

Unclean Hands. The same individual served as managing director of Company A at the time the email address data was gathered, and then later as managing director of Company B at the time Company B purchased the data from the trustee. For this reason, the court held that this individual subjectively knew exactly how limited the consent language used in the online sweepstakes was – and that it was not sufficient to support marketing by a third-party purchaser. This permitted the court to hold the managing director had acted with unclean hands, precluding Company B from asserting equitable theories to recover the purchase price it had paid for the email addresses.

Most companies who purchase brokered data will not find themselves in a comparable position. However, the court did not find that this kind of subjective knowledge of underlying consent language was necessary to invalidate data sales. Instead, it merely precluded a post-invalidation unjust-enrichment claim. Companies’ “clean hands” therefore would not preclude the invalidation of data purchases under the court’s holding, although they may leave open equitable theories with which companies could potentially claw back at least a portion of the purchase price.