Violations of the GDPR are also competition violations

Since 2018, the question in Germany has been whether competitors can issue warnings to each other for violations of the GDPR. Now the ECJ has ruled: they can. In this article, we explain why we do not expect a new wave of warnings despite this ruling.

The ECJ (judgment of October 4, 2024, C-21/23) had to clarify the question of whether competitors can issue warnings to each other for violations of the GDPR.

Sale of medication via Amazon

At issue was a dispute between two pharmacists. One of them was selling prescription-only medicines via Amazon. The other was of the opinion that this distribution via Amazon was unlawful because customers did not consent to the processing of their health data.

The Regional Court of Dessau-Roßlau (in Germany) agreed and ruled that selling prescription-only medicines via Amazon constituted unfair commercial practices.

Ultimately, the case ended up before the German Federal Court of Justice (“BGH”).

Questions referred by the BGH

The BGH suspended the proceedings and referred two questions to the ECJ for a preliminary ruling:

  1. Do the provisions of Chapter VIII of the GDPR preclude national provisions which, in addition to the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the regulation and the possibilities for legal protection of the data subjects, grant competitors the power to take action against the infringer before the civil courts for violations of the GDPR on the grounds of the prohibition of unfair commercial practices?
  2. Are the data that customers of a pharmacist who is a seller on an online sales platform enter when ordering medicines that are pharmacy-only but not prescription-only on that platform (customer name, delivery address and information necessary for the individualization of the ordered pharmacy-only medication), health data within the meaning of Art. 9 para. 1 GDPR and data concerning health within the meaning of Art. 8 para. 1 of the Data Protection Directive?

Decision of the ECJ

The ECJ first notes that the wording of the GDPR does not preclude a competitor’s right to injunctive relief.

A violation of the GDPR may not only affect the interests of the data subject, but also those of third parties, such as competitors. Article 82(1) of the GDPR clarifies that “any person who has suffered material or non-material damage as a result of an infringement of this Regulation” has the right to receive compensation.

The Court has also already ruled in previous decisions that a violation of the GDPR may constitute a violation of consumer protection rules or an unfair commercial practice.

“In this context, it should be noted that access to personal data and its use in the digital economy are of considerable importance. Access to personal data and the possibility of processing it have become an important parameter of competition between companies in the digital economy. In order to take account of actual economic developments and to maintain fair competition, it may therefore be necessary to take into account the rules on the protection of personal data when enforcing competition law and the rules on unfair commercial practices.”

In the past, the ECJ had already ruled that consumer protection agencies can issue warnings for violations of the GDPR.

The ECJ sees the possibility for competitors to take action against GDPR violations as a way to strengthen the practical effectiveness of the GDPR. It also believes that this could improve the desired high level of protection of the data subjects with regard to the processing of their personal data.

No restriction of other legal remedies in the GDPR

The ECJ also states that the possibility of injunctive relief does not affect the other legal remedies under the GDPR. For example, a data subject can still lodge a complaint with the supervisory authority.

Fines imposed by the authorities also remain a possibility.

Efficient law enforcement

The ECJ emphasizes that injunctive relief from competitors can help prevent numerous violations of the rights of data subjects.

Cease-and-desist letters are possible

In summary, the ECJ answers that competitors can issue cease-and-desist letters for violations of the GDPR and can also assert their claims for injunctive relief in court.

Health data in the GDPR

In response to the second question, the ECJ ruled that in a case in which a pharmacy operator sells pharmacy-only medicines via an online platform, data that its customers have to enter when ordering these medicines online (such as name, delivery address and information necessary for the individualization of the medicines) constitute health data within the meaning of these provisions, even if the sale of these medicines does not require a medical prescription.

This means that the strict rules of Art. 9 GDPR apply.

No GDPR warning letters to fear

Despite this clarification by the ECJ, new waves of warning letters are not to be expected.

This is partly due to Section 13 (4) no. 2 of the German Unfair Competition Act (UWG). According to this provision, the person issuing the warning will not be reimbursed for their costs if the person being warned has fewer than 250 employees.

On the other hand, the party issuing a warning would, under certain circumstances, have to expect a counter-warning. Particularly in the area of data protection, many companies are likely to still have areas that need improvement, since implementing the GDPR in practice is associated with numerous challenges.

In this case, the motto “What I can’t do right myself, I won’t criticize in another” should apply.

Conclusion

The ECJ ruling clarifies the legal situation. It does not come as a surprise. Especially in the recent past, there were hardly any voices left that doubted that competitors could also issue warnings for violations of the GDPR.

Despite this possibility, it is not to be expected that waves of warnings will now roll across the country.

MICROSOFT 365 and no end in sight

The “long-running issue” of Microsoft 365 continues to keep data protection supervisory authorities busy. The European Data Protection Supervisor (EDPS), the independent supervisory authority responsible for the EU institutions and bodies, has now spoken out.

In a decision dated March 11, 2024 (https://www.edps.europa.eu/press-publications/press-news/press-releases/2024/european-commissions-use-microsoft-365-infringes-data-protection-law-eu-institutions-and-bodies_en), the EDPS instructed the EU Commission to do the following by December 9, 2024:

  • suspend all data flows resulting from the use of Microsoft 365 to Microsoft and its affiliates and sub-processors in countries outside the EU/EEA that are not covered by an adequacy decision; and
  • bring the processing operations resulting from the use of Microsoft 365 into compliance with Regulation (EU) 2018/1725.

The decision of the EDPS is not based on the GDPR, but on Regulation 2018/1725. This is the data protection law for EU institutions and bodies. However, the content of the regulation largely corresponds to the GDPR.

In the opinion of the EDPS, the Commission has not sufficiently examined and agreed which personal data is processed by Microsoft for which purposes and transferred to subcontractors.

In particular, the Commission was required to

  • carry out a “transfer mapping” to determine which personal data is transferred to which recipients in which third countries, for which purposes and subject to which safeguards. This should also include onward transfers, i.e. the entire subcontractor chain used by Microsoft:

    “appraise […] what personal data will be transferred to which recipients in which third countries and for which purposes, thereby […] obtaining the minimum information necessary to determine whether any supplementary measures are required to ensure the essentially equivalent level of protection […]”

    Data must not be transferred to subcontractors in third countries that do not offer an adequate level of protection.
  • expressly determine which data is processed by Microsoft and for what purposes, taking into account the purpose limitation principle:

    “sufficiently determine the types of personal data collected under the […] agreement concluded with Microsoft […] in relation to each of the purposes of the processing so as to allow those purposes to be specified and explicit; ensure that the purposes for which Microsoft is permitted to collect personal data […] are specified and explicit; provide sufficiently clear documented instructions for the processing […]”

    It must be transparently agreed which data is processed for which purposes, and this processing must, of course, be lawful. In particular, clear and detailed rules should ensure that the data processed by Microsoft is really only used on behalf of the Commission.

The points of criticism raised by the EDPS correspond in part to the criticism of the German supervisory authorities, most recently published in the “Evaluation of the current agreement on commissioned processing” of 2.11.2022 (https://www.datenschutzkonferenz-online.de/media/dskb/2022_24_11_festlegung_MS365_abschlussbericht.pdf). It remains to be seen what practical consequences the EDPS’s decision will have for German companies and whether the German supervisory authorities will take the decision as an opportunity to tighten up their own auditing practices.

The European Commission published the draft Data Act on February 23, 2022. The Data Act draft regulates the provision of data by the data owner to the user, to third parties and to public bodies and includes legal frameworks for data access and data use. The background to the regulation is that there is currently no legal regulation on data sovereignty and all parties involved rely on voluntary exchange.

With the Data Act draft, the European Commission now wants to clarify who may commercially exploit data and under what conditions this takes place. In addition, special provisions are made for micro, small and medium-sized enterprises as well as so-called “gatekeepers”.

Basic content of the draft Data Act

The draft regulates the exchange of user-generated data between companies and between consumers and companies. Large parts of the data collected by companies and by consumers in connection with networked devices and digital services must in future be made technically and legally accessible to users, who can then pass the data on to third parties.

The regulations in the draft include, for example, product requirements for easy and secure data access (“access by design and by default”), pre-contractual information obligations and the need for a usage agreement between data owner and user, data access claims and provision obligations, as well as regulations on data transfer by the data owner to third parties at the instigation of the user. However, it also regulates requirements for corresponding consideration (e.g., fairness, appropriateness) and criteria for abusive contractual clauses in order to protect smaller companies.

In addition, there are to be rules on the transfer of data to public bodies and to EU institutions, agencies and other bodies in emergency situations.

The draft also stipulates that the European Commission should provide non-binding model contractual conditions for data access and use. The member states are then to issue corresponding regulations on sanctions in the event of violations.

Addressees of the draft Data Act

The Data Act draft applies to

  • all manufacturers of products and providers of related services placed on the market in the EU, and users of such products or services;
  • data holders who provide data to recipients in the EU;
  • data recipients in the EU to whom data is provided;
  • public bodies and EU institutions, bodies and agencies.

Similar to the GDPR, the regulations are also intended to apply to companies based outside the EU if they provide relevant services to customers in the EU.

Outlook

The European Parliament and the Council have adopted their positions on the draft and, like the member states, are calling for various amendments. Further negotiations will focus in particular on the scope of application of the Data Act, ensuring the protection of trade secrets, remuneration issues and regulations on provider switching and protection against unfair contract terms. On March 29, 2023, the first trilogue took place. However, as the positions of the Council and Parliament are not too far apart, an agreement is generally expected before the summer break or shortly thereafter.