Infringement of GDPR as an Unfair Commercial Practice

2024-10-07

Infringement of GDPR as an Unfair Commercial Practice

CJEU C-21/23 ("Lindenapotheke")

EthiLEX Editorial Team

The EU Court of Justice responded to request for preliminary ruling in a dispute concerning the online sale of para-pharmaceutical products to German consumers. In the matter under examination a pharmacist sued a competing seller under the German legislation on unfair business practices (Gesetz gegen den unlauteren Wettbewerb - 3 July 2024) for having violated GDPR rules on consumer consent. The German legislation allows a business to enter litigation based on damage to consumer welfare, which is presumed to occur in situations where their personal data is not sufficiently protected. In this specific case, the sales were entered via Amazon Marketplace, where the consumers could not explicitly consent to their sensitive medical data being processed (which is a requirement under the GDPR).

The German courts were in doubt as to whether this commercial legislation (or the judicial practice based thereon) was compatible with the GDPR, given that it is normally an administrative supervisory body or the data subjects themselves that litigate based on infractions to GDPR, and not private businesses unconnected to the data subjects.

The Court ruled "that the provisions of Chapter VIII of the GDPR must be interpreted as not precluding national legislation which, alongside the powers of intervention of the supervisory authorities responsible for monitoring and enforcing that regulation and the remedies available to data subjects, confers on competitors of the person allegedly responsible for an infringement of the laws protecting personal data standing to bring proceedings against that person, by means of an action before the civil courts, for infringements of that regulation and on the basis of the prohibition of unfair commercial practices" (pt. 73).

It added that "such an application for injunctive relief brought by a competitor may prove, like that brought by a consumer protection association, to be particularly effective in ensuring such protection, in so far as it is capable of preventing a large number of infringements of the rights of data subjects by the processing of their personal data" (pt. 70).

From a textual point of view, the Court arrived at this conclusion primarily through article 82(1) of the GDPR, which states that "Any person who has suffered... damage as a result of an infringement of this Regulation shall have the right to receive compensation... for the damage suffered". The Court interpreted this to mean that this damage may be suffered indirectly, even if the aggrieved party is not the data subject (pt. 55). The present ruling is an extension of their previous decision in C-319/20 (Meta Platforms Ireland), where the action was brought by a consumer protection association. In that ruling, the Court already highlighted that GDPR infringements can generate parallel heads of damages beyond that suffered by the data subject, including, for example, based on unfair competition (the same German legislation was used in that case).

This ruling is a helpful reminder for businesses and their counsel to avail themselves of this head of litigation when facing competitors that disregard data protection principles. Even in countries without jurisprudence or legislation similar to the German one in question, it would be clearly unfair for one market operator to sell goods with complete disregard for GDPR (or other important regulations) while another operator is fully compliant, and bears the full burden such compliance entails. From a moral perspective, even if business competitors may submit such litigation primarily for their own gain, leveraging this power ultimately benefits data subjects. The Court's promotion of this particular form of "citizen justice" is commendable, especially given that most (if not all) supervisory authorities are severely understaffed.

SOURCE