back

GDPR Breaches, Unfair Competition, and Health Data: The CJEU Weighs In

Article IT and Data Protection European Law Competition, Retail and Consumer Law | 21/10/24 | 12 min. | Florence Chafiol Alexandra Berg-Moussa Maëva Ammel Alexandra Antalis

Data Privacy Life sciences & Healthcare Data protection European Law and Public Policy

In a judgment dated October 4, 2024[1], the Court of Justice of the European Union (“CJEU”) stated that the provisions of the GDPR do not prevent a national regulation (in this case, German) from allowing competitors of a company that has violated the GDPR to bring an action before civil courts against that company, based on the prohibition of unfair commercial practices.

 

Summary of Facts

The dispute involves two German pharmacists. One of which sells medicines reserved to pharmacies through the online platform Amazon Marketplace. During the online ordering process, customers must provide personal data such as their name or delivery address, as well as necessary information for identifying the medicines.

One of the competitors, invoking Article 3 of the German Act Against Unfair Competition (“UWG”), brought the case before the competent court, requesting that the first pharmacist be ordered to cease the sale  of medicines via the platform, arguing that there is no guarantee that customers have previously consented to the processing of their personal health data (which would constitute a breach of Article 9 of the GDPR). Article 3 of the UWG states that any act that violates a legal provision aimed at regulating market behavior in the interest of its participants is deemed unfair, provided that this breach significantly affects the interests of consumers, other market participants, or competitors.

The lower court granted the competitor's request. The defendant appealed to a German regional appellate court, which upheld the initial ruling. The defendant then filed a request  before the German Federal Court of Justice.

Firstly, the Federal Court of Justice noted that the provisions of Chapter VIII of the GDPR do not mention “the possibility for competitors of an undertaking to bring an action against that undertaking, in particular where the infringement of data protection legislation constitutes unfair commercial practices” It questioned whether the competing pharmacist had the right to bring an action.

Secondly, it sought to determine whether the information recorded during online purchases of medicines reserved to pharmacies constitutes health data under Article 9, paragraph 1 of the GDPR, even though some medicines are not subject to a medical prescription.

In this context, the German Federal Court of Justice referred the matter to the CJEU.

CJEU Assessment

Regarding the first preliminary question, as a general principle, when the processing of personal data constitutes a breach of the GDPR, only (i) the data subjects[2] and (ii) non-profit organizations[3] or associations representing these data subjects may file a complaint with a supervisory authority[4], initiate legal action against the data controller and/or processor[5], and, if necessary, seek effective judicial remedies against decisions made by a supervisory authority affecting the data subjects[6]. However, the GDPR clarifies that these remedies are “without prejudice” to any other administrative, judicial, or extrajudicial recourse.

The CJEU indicated that, in this case, the action was initiated by a competitor of the pharmacist based on the prohibition of unfair commercial practices due to alleged breaches of the GDPR committed by the latter. Therefore, the action does not aim to protect the freedoms and fundamental rights of the data subjects concerning the processing of their personal data but seeks to ensure fair competition.

While Chapter VIII of the GDPR does not expressly mention this possibility, it does not exclude the possibility for a competitor to bring an action for unfair commercial practices based on a breach of GDPR provisions. This omission is explained by the fact that the data protection guaranteed by the GDPR is exclusively intended for the data subjects.

Thus, the Court concluded that the legislator (i) did not intend to provide an exhaustive harmonization of the remedies available in case of GDPR breaches and (ii) did not intend to exclude a remedy based on the prohibition of unfair commercial practices.

Therefore, an action for an injunction brought by a competitor against a company based on the prohibition of unfair commercial practices due to breaches of GDPR provisions is not in any way prejudicial to (i) the system of remedies provided for in Chapter VIII of the GDPR (since they are fully preserved and may still be exercised by the data subjects), nor (ii) the objective of ensuring a consistent level of protection for individuals throughout the European Union and preventing divergences that could obstruct the free movement of personal data within the internal market.

The CJEU noted that access to personal data and the ability to process such data have become significant parameters of competition in the digital economy. It also stated that the coexistence of remedies under data protection law and competition law does not pose a risk to the uniform application of the GDPR. On the contrary, an action for injunction initiated by a competitor undeniably contributes to compliance with GDPR provisions and, therefore, strengthens the rights of data subjects and ensures a high level of protection.

The CJEU concluded that the provisions of Chapter VIII of the GDPR should be interpreted as not precluding a national regulation which, in addition to (i) the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the GDPR, and (ii) the possibilities for data subjects to bring an action, confers on the competitors of the defaulting party the right to bring an action against the latter by means of proceedings before the civil courts, on the basis of the prohibition of unfair commercial practices.

In France, the Court of Cassation has previously held that non-compliance with regulations in the exercise of commercial activity could constitute an act of unfair competition, as it necessarily provides an unfair competitive advantage to its perpetrator (complying with a regulation invariably incurs costs, thus enabling the offender to save on what is generally a mandatory expense)[7]. Several courts have followed the reasoning of the Court of Cassation in cases of GDPR breaches. The Judicial Court of Paris, followed by the Paris Court of Appeal, have both considered that a company selling products on an online sales site or platform while failing to adhere to applicable data protection rules benefits from an unfair competitive advantage and engages in acts of unfair competition to the detriment of its competitor[8].

Thus, the CJEU ruling confirms the position of the French courts.

Regarding the second preliminary question: The CJEU reiterated that personal data revealing information about a person’s past, present, or future physical or mental health, including data relating to the provision of health care services to that individual, constitutes health data as defined in Article 9, paragraph 1 of the GDPR.

It adopted a broad interpretation of the notion of “health data,” aiming to ensure a high level of protection, in line with the GDPR's objectives. Therefore, the personal data which are likely to reveal, through correlation or deduction, information about the health status of the individual concerned, may qualify as health data. As such, the data provided by a customer on an online sales platform when ordering medicines reserved to pharmacies are likely to reveal, through correlation or deduction, information about the health status of the data subject, to the extent that this order establishes a link between (i) a medication, its therapeutic indications or uses, and (ii) an identified or identifiable individual through elements such as that individual's name or delivery address.

Specifically regarding the sale of medicines that are not subject to a medical prescription (in which case the medicines may be intended not for the customer placing the order but for third parties) through an online sales platform, the CJEU holds that the information customers provide during the ordering process constitutes health data even if it is only with a certain probability—and not with absolute certainty—that these medicines are indeed intended for these customers.

The CJEU clarifies that even if such medicines are intended for individuals other than the customers, it is still possible that those individuals can be identified (for instance, if the medicines are not delivered to the customer but to the home of the individual).

The CJEU thus reinforces the legal framework applicable to health data. It concludes that Article 9, paragraph 1 of the GDPR should be interpreted as meaning that, in situations where a pharmacy operator sells, through an online sales platform, medicines reserved for pharmacies, the information that customers enter when ordering these medicines—such as their name, delivery address, and details necessary for identifying the medicines—constitute health data under these provisions, even when the sale of such medicines does not require a medical prescription. Distinguishing based on the type of medicine and whether or not its sale is subject to a prescription would contradict the GDPR's objective of ensuring high protection of fundamental rights and freedoms.

Consequently, such data may be processed if one of the conditions set forth in Article 9, paragraph 2 of the GDPR applies. In this case, the CJEU considers that two conditions may be met: (i) the data subject has given explicit consent for processing[9], or (ii) the processing is necessary for health care provision based on European Union law, the law of a Member State, or under a contract with a health professional[10][11].

Therefore, while the CJEU considers that the competing pharmacist has the right to bring an action based on the prohibition of unfair commercial practices, it is unlikely that the German Federal Court of Justice will find a breach of Article 9 of the GDPR, as the CJEU seems to suggest that the pharmacist is allowed to process health data of users without obtaining their prior consent.
 

[1] CJEU, grand chamber, 4 Oct. 2024, aff. C. 21/23, Lindenapotheke.

[2] Articles 77 to 79 of the GDPR

[3] Article 80 of the GDPR.

[4] Article 77 of the GDPR.

[5] Article 79 of the GDPR.

[6] Article 78 of the GDPR.

[7] Cass. com. 12 February 2020, n°17-31.614 and Cass. com. 17 March 2021, n°19-10.414.

[8] Tribunal judiciaire de Paris, 15 April 2022, no. 19/12628 Paris Court of appeal, 9 November 2022, no. 21/00180.

[9] Article 9, paragraph 2, point (a) of the GDPR.

[10] Article 9, paragraph 2, point (h) of the GDPR.

[11] In France, pharmacists (in retail or hospital settings) are considered health professionals (Articles L4211-1 to L4252-3 of the Public Health Code).

Explore our collection of PDF documents and enrich your knowledge now!
[[ typeof errors.company === 'string' ? errors.company : errors.company[0] ]]
[[ typeof errors.email === 'string' ? errors.email : errors.email[0] ]]
The email has been added correctly