Remember? Some time ago, a wave of warning letters swept across Germany because website operators were using Google Fonts. The amounts to be paid were low. One person who paid is now suing for a refund. One of the key questions is: Are damages also payable in cases of abusive behavior?
Background to the proceedings
The starting point for the legal dispute is the mass mailing of warning letters due to the dynamic integration of Google Fonts. The defendant had used a web crawler to automatically visit websites that loaded fonts via Google servers. This type of integration of Google Fonts resulted in the respective IP address being transmitted to Google in the USA.
The defendant then sent standardized letters via his lawyer to the operators of the affected sites, demanding €170 in “compensation for pain and suffering.”
One website operator paid the amount but demanded a refund after learning about the mass warning letters (over 100,000 (!) such warning letters were sent).
The lower courts ruled differently: The Hanover Local Court awarded the plaintiff €70, while the Hanover Regional Court ultimately awarded the full amount. The Regional Court considered the action to be intentional immoral compensation. Interestingly, the defendant was not only the person who used the web crawler, but also his lawyer, who ultimately sent the warnings.
The Regional Court ruled that there was a claim for damages because
- the disclosure of the defendant’s dynamic IP address to Google USA did not involve any personal data;
- no damage had been caused; and
- – even if there had been damage – the claim for compensation would be excluded due to abuse of rights.
The defendants appealed against the decision of the Regional Court, so that the case ended up at the Federal Court of Justice (decision of August 28, 2025 – VI ZR 258/24).
The latter found that the case raised questions of EU law interpretation of the GDPR that went beyond national law. It therefore referred three complex questions to the ECJ for a preliminary ruling.
Is the IP address personal data?
The first question concerns whether dynamic IP addresses are personal data.
Specifically, the Federal Court of Justice wants to know whether personal data already exists if any third party – such as the internet access provider – has additional knowledge that allows identification.
Or whether it depends on whether the controller (in this case, the website operator) or the recipient (in this case, Google) itself has the legal and factual means to determine the identity of the person whose IP address was transmitted.
The BGH thus questions the relative approach that has prevailed to date and suggests a possible objective interpretation.
Damage despite deliberate provocation?
The second question referred for a preliminary ruling concerns the interpretation of Article 82(1) GDPR, according to which any person who has suffered material or non-material damage as a result of an infringement of the GDPR is entitled to compensation. The ECJ is to clarify whether non-material damage can also exist if the data subject deliberately and exclusively provokes the infringement in order to be able to claim compensation.
The BGH refers to recent ECJ case law, according to which even a well-founded fear of misuse of personal data can constitute non-material damage. However, it remains unclear whether this approach also applies if the data subject intentionally causes the data transfer – as in the present case, in which over 100,000 websites were visited automatically.
The Regional Court of Hanover had denied damages because the defendant had voluntarily disclosed his IP address and there was no actual impairment.
Not all damage is the same
However, from the perspective of the Federal Court of Justice, it must be clarified what constitutes damage. In German law, lawyers understand this to mean “any involuntary loss of material and immaterial goods as a result of a specific event.” This understanding excludes compensation for damages if the loss is voluntary.
However, the GDPR does not refer to the respective national law for the concept of immaterial damage, so that a so-called autonomous interpretation under EU law must be made. And only the ECJ is allowed to do this.
In the past, the ECJ has had frequent opportunities to comment on the concept of damage. For example, a mere violation of the GDPR is not sufficient; rather, damage must have occurred as a result of this violation. However, a loss of control may be sufficient. And—very importantly—the burden of proof for the occurrence of damage lies with the data subject.
In principle, according to the BGH, such a loss of control could have occurred as a result of the (unlawful) transfer of data to Google – and thus a compensable damage.
However, this consideration may be countered by the fact that the defendant deliberately intended to transfer the data to the US.
Such provocation to violate the law has not yet been the subject of ECJ case law, which is why the BGH is referring this question to the ECJ.
Abuse of rights and limits under EU law
Finally, the BGH would like to know from the ECJ whether, in cases of this kind, a claim for compensation for non-material damage can be ruled out on the grounds of abuse of rights. According to established case law of the ECJ, abusive reliance on EU law is inadmissible, even in relations between private individuals.
The BGH is seeking clarification as to whether the deliberate creation of the conditions for a data protection violation – combined with the aim of obtaining financial advantages from it – already qualifies as abusive conduct within the meaning of EU law. It also remains unclear whether such conduct is only considered an abuse of rights if the financial motivation was the sole determining factor, or whether “mixed” motives – such as an alleged interest in data protection – are also sufficient.
Significance for practice and data protection law – not only when using Google Fonts
The preliminary ruling is of considerable relevance in practice. On the one hand, it touches on the fundamental question of when technical identifiers such as dynamic IP addresses constitute personal data.
This question is particularly relevant for website operators, e.g. also for the use of Google Tag Manager and the need to obtain consent.
On the other hand, the proceedings concern the increasing trend toward “warning letters and claims for damages” in data protection law. If the ECJ also affirms a claim for damages in the case of provoked data protection violations, this could lead to a new wave of warning letters as a source of income for those affected.
If, on the other hand, the ECJ denies the eligibility for compensation or recognizes an abuse, this would prevent attempts to derive financial benefits from targeted GDPR violations.
Outlook
Until the ECJ’s decision, it remains unclear whether the transmission of a dynamic IP address is in itself personal data and whether deliberately provoked data protection violations can constitute compensable immaterial damage. The decision of the Federal Court of Justice (BGH) makes it clear that the relationship between data protection and abuse of rights under the GDPR remains unclear. The ECJ once again has the opportunity to answer fundamental questions of European data protection law.
We are happy to assist you with any questions you may have about data protection.
Cookie banners are a recurring topic for supervisory authorities and courts. The Hanover Administrative Court has now once again highlighted formal aspects. It has also ruled that Google Tag Manager may only be used if the user has given their express consent.
The Administrative Court of Hanover (judgment of March 19, 2025, 10 A 5385/22) has issued a ruling on the data protection assessment of the use of Google Tag Manager (GTM). Another subject of the decision was the design of cookie banners.
The subject of the proceedings was the question of whether the operation of a journalistic online portal is designed in compliance with data protection regulations. It specifically concerned the issue of obtaining consent for cookies, third-party tracking, and the use of GTM.
The decision deals with the requirements for voluntary and informed consent within the meaning of Section 25 TTDSG and Art. 6 (1) (a) GDPR.
Note: The TTDSG is now called TDDDG.
Google Tag Manager on website
The plaintiff, a regional publishing house, operates an online journalism service via its website, which is financed by subscriptions and advertising. It used a variety of cookies and third-party services on its website, including the Google Tag Manager.
After a technical review, the State Data Protection Commissioner of Lower Saxony (LfD) prohibited it from using certain services without the effective consent of users.
In particular, the LfD criticized the fact that Google Tag Manager was already active when the page was first loaded. It transmitted data to Google servers in the US without users having given their express consent beforehand. LfD ordered the plaintiff to obtain or implement effective consent for the use of cookies on its website.
The plaintiff appealed against this order before the administrative court.
The plaintiff defended itself by arguing that Google Tag Manager merely served as a technical aid for reloading additional scripts and that, in this respect, no data processing relevant to data protection law took place.
It also disputed that the LfD had any jurisdiction at all, as the TDDDG was not a data protection regulation.
Court decision: LfD has jurisdiction
The Administrative Court of Hanover dismissed the publishing house’s lawsuit.
It first clarified that the State Data Protection Commissioner was indeed responsible for monitoring compliance with Section 25 TTDSGG.
Section 25 TTDSGG is an “other data protection provision” within the meaning of Section 20 (1) of the Lower Saxony Data Protection Act. Even though the TTDSG protects communication secrecy in addition to data protection objectives, there is a close connection to the GDPR in terms of content. Access to end devices and the associated processing of personal data are generally inseparable. A separation of supervisory responsibilities would therefore be contrary to the system and practically unmanageable.
The question of responsibility for compliance with the TTDSG is very important. This law did not come into force until long after the GDPR. If a state data protection authority takes action against a company on the basis of this law, it must first be examined within the state data protection laws whether the authority is even authorized to monitor the TTDSG.
The Administrative Court of Hanover has now clarified this for Lower Saxony. However, the decision on this issue has no significance for other federal states.
Design of the cookie banner
The decision focused on the legal classification of the cookie banner used and the treatment of Google Tag Manager.
In the court’s opinion, the design of the banner did not meet the requirements for informed and voluntary consent.
When the website was accessed, the “first level” of the banner was initially displayed. Here, users could choose between “accept all cookies” or changing the settings. There was no direct rejection option at this level.
Those who chose to change the settings were confronted with sub-levels, complex drop-down menus, and default settings.
In the court’s view, users were thus effectively pressured into giving their consent. In addition, the various sub-levels and categories gave the impression that users could not significantly influence the type of data processing.
To make matters worse, if consent was refused, the banner reappeared every time the page was accessed, whereas if consent was given, surfing was possible without hindrance.
The court assessed this design as a so-called “dark pattern,” i.e., manipulative user guidance. This design, in conjunction with the different color schemes of the options, led the court to deny the voluntary nature of the consent given. This meant that the consent was not effective—neither within the meaning of Section 25 TTDSG nor within the meaning of the GDPR.
Google Tag Manager only with consent?
The ruling pays particular attention to the use of Google Tag Manager. The court clarifies that this is not merely a technical infrastructure that, as a neutral platform, simply reloads other scripts.
Rather, the integration of GTM itself already accesses the user’s end device, and data is transferred to the US – namely by retrieving the gtm.js script from Google servers. Among other things, IP addresses and device properties are transmitted in the process.
The fact that GTM itself does not perform any specific analysis services is irrelevant. The processing of personal data begins as soon as the Google script is called up for the first time. However, this requires consent in accordance with Section 25 TTDSG.
The plaintiff’s attempt to invoke the exemption under Section 25 (2) TTDSG was also unsuccessful. According to this provision, consent is not required if the storage of information in the end user’s terminal equipment or access to information already stored in the end user’s terminal equipment is strictly necessary for the provider of a digital service to provide a digital service expressly requested by the user.
The GTM is neither technically necessary nor expressly requested by the user. The court emphasized that the integration of the GTM is in no way necessary to enable the basic functionality of the website. Rather, the GTM serves exclusively for the flexible reloading of marketing and tracking services. Therefore it is typically associated with processing that is relevant under data protection law.
Consequences for practice
The ruling of the Administrative Court of Hanover sends a clear signal to operators of websites and online platforms: in the court’s opinion, the use of Google Tag Manager – even without directly reloaded tracking scripts – constitutes a measure requiring consent within the meaning of the TTDSG.
Other authorities, such as the LfDI NRW, share this view.
Website operators should therefore ensure that GTM is only loaded once the user has given their consent. This requires a technical implementation that controls the reloading of GTM depending on the user’s consent.
It is equally important that the consent banner is designed in accordance with data protection regulations. The decision makes it clear that users must not be pressured into giving their consent through design, color, placement, or technical hurdles. A simple, equivalent option for refusing consent should already be available on the first level of the banner.
Information about the purposes, scope, and recipients of data processing must also be provided in a clear and understandable manner.
Solution and recommended action
Website operators who use Google Tag Manager should check at short notice whether it is triggered before consent is given. If this is the case, regulatory measures may be imposed.
Technically, this can be achieved by conditional script execution via a consent management platform (CMP). In this case, the GTM script is only loaded once the user has consented to the use of corresponding cookies and third-party technologies.
At the same time, the consent banner should be adjusted: a “Decline” button should be offered on the same level. It must be presented with the same visual weighting as the approval options.
The repeated appearance of the banner in the event of rejection should also be avoided.
Conclusion
The ruling of the court confirms the opinion of many supervisory authorities with regard to the reject function at the first level. The decision also shows that even seemingly neutral services are relevant under data protection law. Operators of digital services should therefore review not only their consent banner but also the entire technical architecture of their website in terms of data protection law.
Since the GDPR came into force in 2018, there has been debate in Germany as to whether competitors and consumer associations can issue warnings for violations of the GDPR. Now, the Federal Court of Justice (BGH) has finally clarified this issue.
The BGH (judgment of March 27, 2025, I ZR 186/17, I ZR 222/19, and ZR 223/19) has ruled that both consumer protection associations (such as consumer centers) and competitors can issue warnings for violations of the GDPR. This increases the risk for companies that (consciously or unconsciously) do not comply with data protection regulations.
Consumer center against Facebook
In one case, the The Federation of German Consumer Organisations (vzbv) sued Meta Platform Ireland Limited, which operates the social network Facebook. The case concerned Facebook’s failure to adequately inform its users about the scope and purpose of the collection and use of their personal data.
After the ECJ had already ruled that consumer protection associations can also pursue GDPR violations by means of injunctions, the BGH has now followed this assessment.
The BGH press release states:
“Art. 80 (2) GDPR provides a suitable basis for associations to pursue violations of the General Data Protection Regulation under the Law Against Unfair Competition and the Injunction Act.
The aforementioned consumer associations are therefore authorized under Section 8 (3) No. 3 UWG and Section 3 (1) Sentence 1 No. 1 UKlaG to take action against violations of information obligations pursuant to Art. 12 (1) Sentence 1 GDPR in conjunction with Art. 13(1)(c) and (e) GDPR for violations of the Unfair Competition Act and a consumer protection law within the meaning of Section 2(1) and (2) sentence 1 No. 13 UKlaG, as well as the use of an invalid general term and condition pursuant to Section 1 UKlaG by way of an action before the civil courts.
In this respect, it is irrelevant that the plaintiff brought his action independently of the specific violation of data protection rights of a data subject and without a mandate from such a person. Since an institution within the meaning of Art. 80 (2) GDPR cannot be required to identify in advance the individual person who is specifically affected by the processing of data that is presumed to violate the provisions of the General Data Protection Regulation, the designation of a category or group of identifiable natural persons is sufficient for the filing of such a class action.
It is also sufficient for the entity to invoke that the violation of the rights of that person occurs in connection with the processing of personal data and is based on a breach of the obligation incumbent on the controller pursuant to Art. 12(1) sentence 1 and Art. 13(1)(c) and (e) of the GDPR, because in the case in dispute it cannot be assumed that the plaintiff is asserting purely hypothetical violations with his action.”
If the information is not communicated to the user in accordance with Art. 13 GDPR, this constitutes a violation of § 5a (1) UWG, as essential information is withheld.
Shipment of medicinal products via Amazon
In the two other proceedings, competing pharmacies disputed the admissibility of distributing medicinal products via the Amazon platform.
On the one hand, this concerned the question of whether competitors can issue warnings to each other for GDPR violations. The other issue was whether the data entered by a customer when ordering medicines from Amazon constitutes health data within the meaning of Art. 9 GDPR.
The BGH answered both questions in the affirmative in its ruling. From the press release:
“The processing and use of data entered by customers of the defendant when ordering a medicine online via a pharmacist’s account on the Amazon Marketplace, such as the customer’s name, delivery address, and information necessary for the individualization of the ordered medicine, violates Art. 9 (1) GDPR if, as in the case in dispute, it is carried out without the express consent of the customers. The order data constitutes health data within the meaning of this provision, even if the medicine does not require a doctor’s prescription.
Article 9(1) GDPR is a market conduct regulation within the meaning of Section 3a UWG, so that a violation of this provision can be prosecuted by a competitor pursuant to Section 8(3)(1) UWG by way of a competition law action before the civil courts. The provisions on the requirement of consent to the processing of personal data serve to protect the personal rights interests of consumers, particularly in connection with their participation in the market. Consumers should be free to decide whether and to what extent they disclose their data in order to participate in the market and conclude contracts.“
In these proceedings, too, the Federal Court of Justice had previously referred the matter to the ECJ.
Conclusion
So far, only the press release of the Federal Court of Justice is available; the full text of the decisions with detailed reasoning is expected to be published in the next few days.
However, it can already be said that the issue of data protection is becoming even more important. The risk of being held liable for violations of the GDPR is increasing as a result of these decisions by the Federal Court of Justice.
And there is a danger that the risk will increase even further.
The Advocate General at the ECJ (C-655/23) expressed the view that data subjects are also entitled to injunctive relief against a company if it has violated the GDPR.
We are happy to assist you with any questions you may have regarding data protection and data security.
Since 2018, in Germany the question has been whether competitors can issue each other with warnings if the GDPR is violated. Now the ECJ has ruled: they can. In this article, we explain why we do not expect a new wave of warnings despite this ruling.
The ECJ (judgment of October 4, 2024, C-21/23) had to clarify the question of whether competitors can issue warnings to each other for violations of the GDPR.
Sale of medication via Amazon
At issue was a dispute between two pharmacists. One of them was selling prescription-only medicines via Amazon. The other was of the opinion that this distribution via Amazon was unlawful because customers did not consent to the processing of their health data.
The Regional Court of Dessau-Roßlau (in Germany) agreed and ruled that selling prescription-only medicines via Amazon constituted unfair commercial practices.
Ultimately, the case ended up before the German Federal Court of Justice (“BGH”).
Questions referred by the BGH
The BGH suspended the proceedings and referred two questions to the ECJ for a preliminary ruling:
- Do the provisions of Chapter VIII of the GDPR preclude national provisions which, in addition to the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the regulation and the possibilities for legal protection of the data subjects, grant competitors the power to take action against the infringer before the civil courts for violations of the GDPR on the grounds of the prohibition of unfair commercial practices?
- Are the data that customers of a pharmacist who is a seller on an online sales platform enter when ordering medicines that are pharmacy-only but not prescription-only on that platform (customer name, delivery address and information necessary for the individualization of the ordered pharmacy-only medication), health data within the meaning of Art. 9 para. 1 GDPR and data concerning health within the meaning of Art. 8 para. 1 of the Data Protection Directive?
Decision of the ECJ
The ECJ first notes that the wording of the GDPR does not preclude a competitor’s right to injunctive relief.
A violation of the GDPR may not only affect the interests of the data subject, but also those of third parties, such as competitors. Article 82(1) of the GDPR clarifies that “any person who has suffered material or non-material damage as a result of an infringement of this Regulation” has the right to receive compensation.
The Court has also already ruled in previous decisions that a violation of the GDPR may constitute a violation of consumer protection rules or an unfair commercial practice.
“In this context, it should be noted that access to personal data and its use in the digital economy are of considerable importance. Access to personal data and the possibility of processing it have become an important parameter of competition between companies in the digital economy. In order to take account of actual economic developments and to maintain fair competition, it may therefore be necessary to take into account the rules on the protection of personal data when enforcing competition law and the rules on unfair commercial practices.”
In the past, the ECJ had already ruled that consumer protection agencies can issue warnings for violations of the GDPR.
The ECJ sees the possibility for competitors to take action against GDPR violations as a way to strengthen the practical effectiveness of the GDPR. It also believes that this could improve the desired high level of protection of the data subjects with regard to the processing of their personal data.
No restriction of other legal remedies in the GDPR
The ECJ also states that the possibility of injunctive relief does not affect the other legal remedies under the GDPR. For example, a data subject can still lodge a complaint with the supervisory authority.
Fines imposed by the authorities also remain a possibility.
Efficient law enforcement
The ECJ emphasizes that injunctive relief from competitors can help prevent numerous violations of the rights of data subjects.
Cease-and-desist letters are possible
In summary, the ECJ answers that competitors can issue cease-and-desist letters for violations of the GDPR and can also assert their claims for injunctive relief in court.
Health data in der GDPR
In response to the second question, the ECJ ruled that in a case in which a pharmacy operator sells pharmacy-only medicines via an online platform, data that its customers have to enter when ordering these medicines online (such as name, delivery address and information necessary for the individualization of the medicines) constitute health data within the meaning of these provisions, even if the sale of these medicines does not require a medical prescription.
This means that the strict rules of Art. 9 GDPR apply.
No GDPR warning letters to fear
Despite this clarification by the ECJ, new waves of warning letters are not to be expected.
This is partly due to Section 13 (4) no. 2 of the German Unfair Competition Act (UWG). According to this provision, the person issuing the warning will not be reimbursed for their costs if the person being warned has fewer than 250 employees.
On the other hand, however, the admonisher would have to expect a counter-admonishment under certain circumstances. Particularly in the area of data protection, many companies are likely to still have areas that need improvement, since the implementation of the GDPR in practice is associated with numerous challenges.
In this case, the motto “What I can’t do right myself, I won’t criticize in another” should apply.
Conclusion
The ECJ ruling clarifies the legal situation. It does not come as a surprise. Especially in the recent past, there were hardly any voices left that doubted that competitors could also issue warnings for violations of the GDPR.
Despite this possibility, it is not to be expected that waves of warnings will now roll across the country.
The “long-running issue” of Microsoft 365 continues to keep data protection supervisory authorities busy. The European Data Protection Supervisor (EDPS), the independent supervisory authority responsible for the EU institutions and bodies, has now spoken out.
In a decision dated March 11, 2024 (https://www.edps.europa.eu/press-publications/press-news/press-releases/2024/european-commissions-use-microsoft-365-infringes-data-protection-law-eu-institutions-and-bodies_en), the EDPS instructed the EU Commission until December 9, 2024 to:
- suspend all data flows resulting from the use of Microsoft 365 to Microsoft and its affiliates and sub-processors in countries outside the EU/EEA that are not covered by an adequacy decision; and
- bring the processing operations resulting from the use of Microsoft 365 into compliance with Regulation (EU) 2018/1725.
The decision of the EDPS is not based on the GDPR, but on Regulation 2018/1725. This is the data protection law for EU institutions and bodies. However, the content of the regulation largely corresponds to the GDPR.
In the opinion of the EDPS, the Commission has not sufficiently examined and agreed which personal data is processed by Microsoft for which purposes and transferred to subcontractors.
In particular, the Commission was required to
- carry out a “transfer mapping” to determine which personal data is transferred to which recipients in which third countries, for which purposes and subject to which safeguards. This should also include onward transfers, i.e. the entire subcontractor chain used by Microsoft:
“appraise […] what personal data will be transferred to which recipients in which third countries and for which purposes, thereby […] obtaining the minimum information necessary to determine whether any supplementary measures are required to ensure the essentially equivalent level of protection […]“
The transfer of data to subcontractors in third countries without an adequate level of protection must be refrained from. - expressly determine which data is processed by Microsoft and for what purposes, taking into account the purpose limitation principle:
“sufficiently determine the types of personal data collected under the […] agreement concluded with Microsoft […] in relation to each of the purposes of the processing so as to allow those purposes to be specified and explicit; ensure that the purposes for which Microsoft is permitted to collect personal data [….] are specified and explicit; provide sufficiently clear documented instructions for the processing […]“.
It must be transparently regulated which data is agreed for which purposes. This processing must, of course, be lawful. In particular, clear and detailed regulations should ensure that Microsoft’s data is really only used on behalf of the Commission.
The points of criticism of the EDPS correspond in part to the criticism of the German supervisory authorities, which was last published in the “Evaluation of the current agreement on commissioned processing” of 2.11.2022 (https://www.datenschutzkonferenz-online.de/media/dskb/2022_24_11_festlegung_MS365_abschlussbericht.pdf). It remains to be seen what practical consequences the EDPS’s decision will have for German companies and whether the German supervisory authorities will take the decision as an opportunity to tighten up their own auditing practices.
The European Commission published the draft Data Act on February 23, 2022. The Data Act draft regulates the provision of data by the data owner to the user, to third parties and to public bodies and includes legal frameworks for data access and data use. The background to the regulation is that there is currently no legal regulation on data sovereignty and all parties involved rely on voluntary exchange.
With the Data Act draft, the European Commission now wants to clarify who may commercially exploit data and under what conditions this takes place. In addition, special provisions are made for micro, small and medium-sized enterprises as well as so-called “gatekeepers”.
Basic content of the draft Data Act
The draft regulates the exchange of user-generated data between companies and between consumers and companies. Large parts of the data collected by companies and by consumers in connection with networked devices and digital services must in future be made technically and legally accessible to users, who can then pass the data on to third parties.
The regulations in the draft include, for example, product requirements for easy and secure data access (“access by design and by default”), pre-contractual information obligations and the need for a usage agreement between data owner and user, data access claims and provision obligations, as well as regulations on data transfer by the data owner to third parties at the instigation of the user. However, it also regulates requirements for corresponding consideration (e.g., fairness, appropriateness) and criteria for abusive contractual clauses in order to protect smaller companies.
In addition, there are to be regulations for the transfer of data to public bodies and EU institutions, bodies and other bodies in emergency situations.
The draft also stipulates that the European Commission should provide non-binding model contractual conditions for data access and use. The member states are then to issue corresponding regulations on sanctions in the event of violations.
Addressees of the draft Data Act
The Data Act draft applies to
- All manufacturers of products and providers of related services placed on the market in the EU and users of such products or services;
- data controllers who provide data to recipients in the EU;
- Data recipients in the EU to whom data is provided;
- public bodies and EU institutions, bodies and agencies;
Similar to the GDPR, the regulations are also intended to apply to companies based outside the EU if they provide relevant services to customers in the EU.
Outlook
The European Parliament and the Council have adopted their positions on the draft and, like the member states, are calling for various amendments. Further negotiations will focus in particular on the scope of application of the Data Act, ensuring the protection of trade secrets, remuneration issues and regulations on provider switching and protection against unfair contract terms. On March 29, 2023, the first trilogue took place. However, as the positions of the Council and Parliament are not too far apart, an agreement is generally expected before the summer break or shortly thereafter.
