Violation of Data Protection Rules by Discount Service Operator Payback

by Tim Wittwer*

I. Introduction

In its decision of February 1st, 2001, the Munich District Court declared certain contract terms contained in a membership application form by discount service operator, Payback, invalid (Az.: 12 O 13009/00). The contract required customers to authorize Payback to use personal customer data.

Payback is a discount system intended to tie customers to various businesses. Customers receive a so-called payback card. By showing this card at qualified points of purchase they earn bonus points. Collected bonus points can be traded for various products or cash. More than twenty companies including Lufthansa and AOL participate in the Payback system.

Defendant Payback is incorporated as Loyalty Partner GmbH and was sued by plaintiff Verbraucherschutzverein Berlin, a non-profit consumer rights group. The plaintiff argued that Payback’s terms would be too extensive and violate federal law. Loyalty Partner GmbH defended its contract as legal.

II. Violation of Data Protection Rules

The court held that the contractual privacy terms were overbroad and enjoined Payback from their use. It focused on the privacy provisions in Payback’s contract.

The court pronounced Payback’s privacy terms vague. These permit the use of personal data by Payback, participating companies and third parties that access any information from the participating ventures. It concluded that such authorized use was improperly defined. Various unidentified parties could uncontrollably access, use and trade personal data from Payback system. The court noted that trading the data increases the risk of generating complete images of the customers. The participating companies can learn about the most private aspects of their customers. Studying and observing customers' behavior renders individuals transparent and abuse looms large.

In addition, Payback’s contract terms permit the use of personal data for selective and intensive customer advertising without stating its precise scope. The terms permit "Mailing" without defining it. For that reason, "Mailing" can mean any transmission including mailing, telephone calls or emails. The customer is unprotected against "Mailing" after signing the application form, the court held.

These contract terms place the customers at an unreasonable disadvantage and, therefore, violate § 9 of the federal Statute on General Business Terms (Gesetz über die Allgemeinen Geschäftsbedingungen, 12/09/76, BGBL. I p. 3317, AGBG, Schönfelder Nr. 26) and §§ 4 and 28 Federal Data Protection Act (Bundesdatenschutzgesetz, 12/20/90, BGBL. I, p. 2954, BDSG, Sartorius Nr. 245).

§ 9 I AGBG prohibits putting customers at an unreasonable disadvantage. To substantiate this general rule § 9 II (1) AGBG clarifies the existence of such disadvantage. Under (1) an unreasonable disadvantage constitutes an offense against common principles of law. Here, the court turned to the BDSG, which could be violated by Paybacks’ system.

The court found a violation of the basic principles of §§4 II and 28 BDSG. § 28 BDSG permits data collection if it remains compatible with privacy interests. The collection of personal data for promotional purposes is legal, but subject to the limitation of § 4 II BDSG. Under § 4 II BDSG the data gatherer is required to inform its customers clearly about the extent and purpose of the collected data in the event that the data gatherer intends to retain the data in a database. Additional, the data gatherer is required to advise customers of the transmission of data. Payback’s contract terms fail on both counts.

As a result, the court enjoined Payback’s use of such contract terms and threatened a fine of up to 500,000 Deutsche Mark or imprisonment of up to six months for any violation. Subsequently, Payback changed its terms but appealed the ruling in order to forestall an adverse precedent.

Despite the huge differences in data protection in the United States and Germany, this case bears some similarity to an earlier U.S. Development. On July 10, 2000, the Federal Trade Commission filed a lawsuit in the U.S. District Court for the District of Massachusetts against Toysmart to prevent the sale of customer information. Toysmart promised its customers that the personal information they had collected would not be sold to a third party, but the bankruptcy order, in fact, would allow a sale to a third party. When Toysmart ran into financial difficulties, it attempted to sell all of its assets, including its detailed customer databases. The settlement announced by the Massachusetts District Court on 21st of July, 2000, resolved the issues in that lawsuit. The District Court's order required that Toysmart immediately delete or destroy all information collected in violation of law and that Toysmart confirm through a sworn statement under penalty of perjury that it has never previously violated its privacy statement.