CJEU: Competitors Can Sue over Data Protection Violations

by Dr. Detlev Gabel, Erasmus Hoffmann, and Markus Langen


Left to Right: Dr. Detlev Gabel, Erasmus Hoffmann and Markus Langen (photos courtesy of White & Case LLP)

Background

The German Federal Court of Justice (Bundesgerichtshof), tasked with resolving a conflict between two competing pharmacists, sought guidance from the Court of Justice of the European Union (“CJEU”) on interpreting the General Data Protection Regulation (“GDPR”). The defendant’s business sells over-the-counter (“OTC”) medicinal products online. During the ordering process, customers must provide certain information, including their name, delivery address, and details about the relevant OTC product. Invoking German legislation on unfair commercial practices, the claimant, a competitor, asked the German courts to halt this practice of the competing pharmacy, unless there is assurance that customers give prior consent for the processing of their health-related data.

The courts at both the first and second instance determined that the ordering process involves processing of health data, which is prohibited under the GDPR in the absence of explicit customer consent or other justification. The courts found this practice to be in breach of the GDPR, and thus unfair and unlawful under the German Unfair Competition Act. The German Federal Court of Justice sought clarification on whether the GDPR allows national legislation to permit competitors to initiate legal action against a person allegedly violating the GDPR. Furthermore, it inquired if the information provided during the ordering process qualifies as health data under the GDPR, even though the relevant OTC products do not require a prescription.

In its judgement of October 4, 2024, the CJEU provided clarity on these issues.

Key Takeaways

First, the CJEU concluded that the GDPR does not bar national laws from enabling competitors to legally contest alleged data protection violations as unfair commercial practices in front of civil courts. This legal avenue is available to competitors in addition to the intervention powers of supervisory authorities responsible for GDPR enforcement and the remedies provided to data subjects under the GDPR. In the CJEU’s view, the GDPR does not aim to fully harmonize legal remedies for GDPR breaches or exclude competitors from filing lawsuits based on national laws against unfair commercial practices. While an injunction by a competitor primarily seeks to ensure fair competition, it may also aid compliance with GDPR provisions, thereby strengthening the rights and protection of affected individuals. Such injunctions, akin to those filed by consumer protection associations, can effectively prevent GDPR infringements, the CJEU states.

Second, the CJEU held that the above-mentioned information entered by pharmacy customers when ordering OTC products online constitutes health data within the meaning of the GDPR. According to the CJEU, this data can reveal information about the health status of an identified or identifiable person because a link is established between the person placing the order and a medicinal product and its use cases. In the court’s view, this holds true even in the absence of a prescription and considering that the customer may place the order for another person.

Impact on Businesses

In its reference for a preliminary ruling, the German Federal Court of Justice assumed that the GDPR provisions applicable to the processing of health data qualify as market conduct rules within the meaning of the German Unfair Competition Act. Violations of such provisions entitle competitors to assert claims for injunctive relief. It remains to be seen to what extent further provisions of the GDPR will be classified as market conduct rules in the future, as was the case under the German data protection legislation preceding the GDPR. Given the broad notion of health data set out in the CJEU judgment, affected businesses, such as pharmacies selling OTC products online, will need to review their data practices.

Now that the CJEU has cleared the way, it is to be expected that civil claims for data protection violations by competitors will rise in Germany. Businesses should therefore be prepared for legal action by competitors when implementing new products and services, and ensure compliance with data protection law. Since unfair competition law often involves requests for preliminary injunctions, it is particularly important to be able to respond appropriately to legal action at short notice. Preparatory measures include, among others, having litigation counsel readily available or filing protective writs in advance.

Dr. Detlev Gabel, Erasmus Hoffmann, and Markus Langen are Partners at White & Case LLP. This post first appeared on the firm’s blog. 

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).