May 28, 2025

Do users’ data processed by ecommerce operators qualify as health data? ECJ says yes

Health sector operators who sell their products, as well as third-party companies offering such intermediation services, process personal data provided by users during the ordering and purchasing phase. Defining the nature of this data is very important, as it may entail specific obligations and precautions that must be adopted by the data controllers. Indeed, if such information falls within one of the “special categories of data” under EU Regulation 2016/679 (“GDPR”) – in particular, “health data” – it must be processed in accordance with Article 9 of the GDPR. This would require certain operators to obtain the explicit consent of users for the processing of their personal data provided during the ordering/purchasing phase (name and surname, delivery address, references to the purchased product, etc.).

Health data

According to the GDPR[1], “health data” means personal data related to the health of a natural person that allows information to be inferred regarding their past, present, or future physical or mental health status, including information collected in the course of providing healthcare services. What makes data health-related is essentially the possibility of inferring information about the health conditions of the data subject.

The processing of “health data”, given its sensitive nature, can pose significant risks to the rights and fundamental freedoms of data subjects and is therefore generally prohibited under Article 9 of the GDPR. Nevertheless, European legislation, through the same Article 9 of the GDPR, introduces some exceptions that allow the processing of such data in specific cases, including the explicit consent of the data subject or when the processing is necessary for healthcare purposes based on Union or Member State law or in accordance with a contract with a healthcare professional subject to confidentiality obligations.

To ensure an adequate level of protection for personal data, European case law has traditionally adopted a broad and extensive interpretation of “health data”[2]. Italian case law has also favored an extensive interpretation, considering any information that can (even indirectly) reveal a person’s health conditions as health data, regardless of explicit references to pathology or specific healthcare treatment[3].

With this in mind, when it comes to pharmaceuticals, the qualification of data provided by users when ordering and purchasing such products as “health data” can now be considered established, particularly in light of the most recent European case law. The question then arises as to whether the same considerations can apply to medical devices and food supplements, which, in most cases, can also provide health-related information.

The position of the most recent CJEU case law

The Court of Justice of the European Union (CJEU) recently confirmed its position that the data of customers of an online pharmacy related to the purchase of pharmaceuticals, even if not subject to medical prescription, qualify as “health data” under Article 9 of the GDPR. It did so in the judgment published on October 4, 2024, in case C-21/23, which disregards the conclusions of the Advocate General, who had argued that in the absence of a certain link between the purchaser and the beneficiary of the pharmaceuticals, the purchase data should not be considered health-related personal data.

In particular, the case concerns a German pharmacy (DR) that had asked the national court to prohibit the online sale, through the Amazon platform, of non-prescription pharmaceuticals by a competing pharmacy (ND). According to the plaintiff, ND had violated Article 9 of the GDPR by processing the data of customers who had ordered pharmaceuticals online (names, delivery addresses, and information related to the ordered product) without first obtaining their explicit consent. This would have entitled DR to act to prohibit such conduct, as under German law, the violation of a legal provision – including privacy regulations – can constitute an act of unfair competition by one company to the detriment of another.

The case ended up before the Bundesgerichtshof, the German Federal Court of Justice, which decided to suspend the proceedings and refer the matter to the Court of Justice of the European Union, submitting, among other things, the following question: whether the data of customers of a pharmacy, collected during the online purchase of non-prescription pharmaceuticals, constitute ‘health data’ under Article 9(1) of the GDPR.

As anticipated, in his conclusions presented on April 25, 2024, Advocate General Maciej Szpunar had argued that the online purchase data of non-prescription pharmaceuticals should not be qualified as “health data”, as it would not be possible to infer the actual health status of a specific individual solely from this data[4]. However, disregarding the position of the Advocate General, in the judgment published on October 4, the CJEU once again recognized that the online purchase data of pharmaceuticals, even if not subject to medical prescription, must always be classified as “health data” and therefore must be processed in accordance with Article 9 of the GDPR.

In particular, the Court emphasized that such information is always capable of revealing, through an intellectual operation of comparison or deduction, information about the person’s health status. This is because the online order implies the creation of a link between a pharmaceutical, its therapeutic/usage indications, and an identified or identifiable natural person through elements such as the person’s name and delivery address.

Furthermore, it is irrelevant whether the customer making the purchase is the actual user of the pharmaceuticals, a circumstance that can occur in the case of products dispensable without a medical prescription. In line with the GDPR’s objective of ensuring a high level of protection of personal data, pharmaceutical purchase data must be considered ‘health data’ even if there is only a probability – and not absolute certainty – that the products are intended for the purchaser[5].

A rigorous approach

The judgment of the Court of Justice once again confirms the precautionary approach that must be adopted in the processing of personal data, particularly those belonging to the so-called special categories, with the aim of ensuring the widest protection for data subjects and mitigating the risks associated with processing.

For operators involved in the offering and sale of health products online, this means that it will be necessary to assess whether the data provided by the user should be considered “health data”, according to the extensive interpretation followed by both European and national courts. As mentioned, this seems now indisputable in the case of pharmaceuticals (even without prescription) and very likely (following the same reasoning of the Court) also for medical devices, whose use is always connected to a specific medical purpose and therefore capable of revealing information about the health status of the purchaser/user. The case of food supplements is partially different, as their use cannot always be associated with a particular health condition of the user, being products intended to supplement the common diet and provide nutrients. However, in the case of supplements indicated for specific physiological states, it cannot be excluded that the processing of the related information may fall within the scope of Article 9 of the GDPR.

Once this assessment is made, in the case of “health data”, their processing must be carried out in accordance with the GDPR. In the case of entities such as pharmacies that sell pharmaceuticals and other products online, the hypothesis referred to in paragraph 2, letter h, of Article 9 of the GDPR[6] may apply, which allows processing, among other things, in cases of “management of health or social care systems and services based on Union or Member State law or in accordance with a contract with a healthcare professional” bound by professional secrecy (such as the pharmacist). Conversely, this hypothesis does not seem to apply to other operators such as online platforms involved in the provision of booking/delivery services for pharmaceuticals or marketplaces for medical devices or supplements: these entities, if they process health data of users for their own purposes, may be required to obtain the explicit consent of their customers in advance.


[1] Article 4, point 15, and Recital 35 of the GDPR.

[2] See, for example, the judgment of 4 July 2023 in case C-252/21, where the CJEU adopted a broad interpretation of the notion of “data concerning health” for the purposes of applying Article 9 of the GDPR. The Court clarified that personal data qualify as “health data” even if the processing is not explicitly aimed at revealing health-related information and regardless of their accuracy. Consequently, any processing that, even indirectly, allows inferences to be drawn about a person’s health must be regarded as processing of sensitive data, and is therefore subject to the general prohibition on processing (except in cases of specific derogations).

[3] Among the most recent decisions, see the Order of the Italian Supreme Court of 11 October 2023, No. 28417.

[4] The Advocate General’s position was supported by the argument that such medicines (i) can be purchased by anyone, and therefore not necessarily by the actual end user (e.g., by a family member on behalf of another); (ii) the purchasing methods do not allow for the final user to be clearly identified; and (iii) they are generally intended to treat everyday ailments, not indicative of a specific pathology or health condition, and are often purchased preventively, to be kept on hand if needed. Based on these premises, the Advocate General concluded that it would not be possible to derive reliable information about the purchaser’s health status solely from the data shared at the time of purchase (name, delivery address, and product ordered).

[5] Moreover, in cases where the customer and the end user do not coincide, the processing of purchase data may still allow identification of the actual user of the medicine. For example, this may occur when the products are delivered not to the customer’s address but to that of another individual who can be identified as the user, or when, regardless of the delivery location, the customer refers within the order to another identified or identifiable person (e.g., a family member).

[6] This refers to the case in which the processing is necessary “for the purposes of preventive or occupational medicine, the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to a contract with a health professional”, subject to the conditions and safeguards referred to in paragraph 3 of the same Article 9 of the GDPR.
