In October 2024, the Grand Chamber of the Court of Justice of the European Union (CJEU) issued a judgement[1] affirming the legal standing of a competitor seeking to have a civil court find a breach of the General Data Protection Regulation (GDPR) by a company against its own customers if said breach also constituted unfair commercial conduct harming competitors according to national law.
Factual background
Since 2017, ND, who operates a pharmacy, has marketed pharmaceuticals on Amazon. The competitor, DR, who also operates a pharmacy, initiated legal proceedings before the Regional Court of Dessau-Roßlau, Germany. DR sought to have the court order ND to cease online marketing of medicinal products, as ND’s customers could not provide the required prior consent for their health data to be processed the way they were. DR argued that a competitor’s conduct that fails to comply with GDPR requirements pertaining to the acquisition of customer consent constitutes an act of unfair competition under German law (similar to Article 2598 of the Italian Civil Code), since it gives ND an unfair advantage, resulting in unjust competitive harm to DR. ND countered that DR had no standing, as its claims were founded on a breach of the GDPR harmful to third parties (ND’s customers), the only parties with standing to claim a breach of the GDPR pursuant to the same.
DR was successful in the first instance and on appeal. However, ND appealed the decision before the German Federal Court of Justice, which found that the outcome of the dispute depended on interpretation of the provisions outlined in Chapter VIII and Article 9(1) of the GDPR. Chapter VIII and Article 9(1) of the GDPR cover remedies, liability, and penalties for breach of the GDPR and identify the data subjects that have standing against perpetrators of a breach. It does not mention competitors of the infringer whose business may be adversely affected by the same conduct. Therefore, the court referred the dispute to the CJEU for a preliminary ruling.
The main question referred to the CJEU was whether Chapter VIII of the GDPR provides a closed list of entities that have legal standing to claim a breach of the GDPR; and thus to determine whether these EU rules are compatible with Member State legislation that allows a competitor to bring suit before civil courts to ascertain a breach of GDPR consent rules by the infringer as a foundation for a claim of unfair commercial conduct harming competitors.
Judgement
After studying the files, the context, and the objectives of the GDPR, the CJEU determined that EU law does not preclude Member States from allowing a competitor to bring a civil case before a civil court to ascertain breach of the GDPR by a competing firm against its own customers as grounds for an unfair competition claim.
The GDPR’s wording does not expressly prevent a competitor from bringing a civil case before national courts alleging a breach by a competing undertaking of the obligations set forth by the GDPR, even when the claimant is not one of the data subjects harmed by the privacy breach. By contrast, the European legislature included several safeguard clauses in the GDPR (“without prejudice”) regarding the ability of Member States to provide other administrative, judicial, and extrajudicial remedies in addition to the mandatory ones set out in the GDPR.
The court stated that while the GDPR breach in this case primarily affects the data subjects, Article82(1) provides a right to compensation for “any person who has suffered material or non-material damage as a result of a breach of this Regulation.” Therefore, it is possible to conclude that the GDPR covers harm to third parties. Furthermore, prior case law of the CJEU says that infringement of data protection rules may simultaneously result in infringement of rules on consumer protection, competition law, or other unfair commercial practices. Though the GDPR was designed to ensure harmonization of national legislation on the protection of personal data, it also contains provisions that expressly allow Member States to establish additional stricter or derogating national rules that establish a margin of discretion in the implementation of those provisions (known as the “clauses d’ouverture”). The provisions of Chapter VIII of the GDPR do not specifically provide such clauses, but the terms and context of the provisions in Chapter VIII indicate that by adopting the GDPR the EU legislature did not mean to achieve full harmonization of the remedies available in the event of infringement of the provisions of the GDPR. This is evidenced by the fact that it did not exclude the possibility for a company to allege a breach of the GDPR by a competitor to seek redress under national laws prohibiting unfair commercial conduct.
Finally, the court examined the objectives of the regulatory framework . Allowing a competitor to take action in the civil courts to stop conduct in breach of the GDPR by a competitor claiming that it constitutes an act of unfair competition is likely to reinforce the usefulness of these provisions and thus the high level of protection of data subjects when it comes to the processing of their personal data.
Takeaways
This judgement marks a further step toward the legitimate use of the GDPR as a basis for claims of infringement of consumer protection, competition law and other laws that prohibit unfair commercial conduct. Multi-offense conduct—i.e., conduct that may be found to be in breach of different sets of legislation with different but complementary legal objectives—has become pervasive in the new economic environment, particularly in digital ecosystems. A single act therefore can be a source of different levels of harm affecting different market players and involving different legislation and authorities. Notably, the rules on consent for collecting customer data may be significantly sensitive when it comes to competition in the digital environment, since skipping consent requirements can provide a decisive advantage in engaging with consumers and leveraging data analytics to grow sales. Conversely, the way data are collected and treated by firms in the digital world is also taken into account by consumers in assessing the quality of a product/service and has become a competitive driver. Hence, with this judgement the CJEU has made it clear that EU law does not preclude undertakings from leveraging the GDPR to obtain redress of unfair competitive harm suffered because of a competitor’s failure to protect its customers’ rights to the requisite standard – and even encourages them to do so.
[1] in case C-21/2023