What is it all about?
Tomorrow, the Federal Court of Justice wants to clarify an interesting question that could be particularly exciting in light of Google Fonts cease-and-desist letters. The issue at stake is whether data protection violations are to be regarded as market conduct rules within the meaning of competition law and can thus justify warnings from competitors.
The case to be decided involves pharmacists.
In the first case, the defendant sells its products via Amazon. The plaintiff complains that the sale of pharmacy-only drugs via Amazon violates the provisions of the German Medicines Act (AMG), the German Drug Advertising Act (HWG), the German Pharmacy Operations Regulation (ApBetrO) and the Professional Code of Conduct for Pharmacists on the one hand, and data protection regulations on the other.
However, the district court dismissed the action. There were no violations of the provisions of the German Medicines Act, the German Drug Advertising Act, the Pharmacy Operating Regulations or the Professional Code of Conduct for Pharmacists. With regard to violations of data protection regulations, the plaintiff does not have standing. The General Data Protection Regulation contains a conclusive system of sanctions that does not include the competitor.
On appeal by the plaintiff, the Higher Regional Court amended the judgment of the Regional Court and allowed the action in part. It assumed that the provisions of the General Data Protection Regulation were to be regarded as market conduct provisions within the meaning of Section 3a UWG in the specific case constellation. The Defendant processes health data of its customers in the context of orders within the meaning of Art. 9 para. 1 GDPR. The consent required for this in the case in dispute was lacking. However, there was no infringement of the other provisions cited by the plaintiff. The Higher Regional Court allowed the appeal. Both parties have appealed against the decision of the Higher Regional Court.
The situation is similar in the second case. Here, the plaintiff complains that the defendant did not obtain consent for the collection and processing of personal data during the ordering process. The defendant is of the opinion that the plaintiff has no standing to sue. There is also no processing of health data. In addition, the data processing was lawful.
In this case, the district court upheld the claim. It considered data protection law to be a market conduct regulation within the meaning of Section 3a UWG because it also served to protect the interests of competitors. The sale of pharmacy-only products via the Amazon Marketplace platform violates data protection and professional regulations.
The Higher Regional Court dismissed the defendant’s appeal in this case. It assumed that the provisions of the General Data Protection Regulation were to be regarded as market conduct provisions within the meaning of Section 3a UWG in the specific case constellation. The Defendant processes health data of its customers in the context of orders within the meaning of Art. 9 para. 1 GDPR. The consent required for this in the case in dispute was lacking. The defendant has filed an appeal, which was allowed by the Court of Appeal.
What happens next?
By order of September 8, 2020, the BGH had stayed both proceedings pending the decision of the Court of Justice of the European Union on its reference for a preliminary ruling of May 28, 2020 (I ZR 186/17, GRUR 2020, 896 = WRP 2020, 1182 – App-Zentrum – see regarding this proceeding the date notice for the September 29, 2022 suspended. With this request, the BGH had referred the question to the ECJ whether the provisions of Chapter VIII and in particular Article 80 para. 1 and 2 and Art. 84 para. 1 GDPR preclude national regulations which, on the one hand, grant competitors and, on the other hand, associations, bodies and chambers authorized under national law, the power to take action against the infringer by way of an action before the civil courts for infringements of the GDPR irrespective of the infringement of specific rights of individual data subjects and without a mandate from a data subject.
In its judgment of 28 April 2020 (C-319/20 – Meta Platforms Ireland), the ECJ, noting that the main proceedings did not raise the question of the standing of a competitor, answered only that part of the question referred to it by the Bundesgerichtshof which related to the standing of associations, bodies and chambers entitled to bring actions under national law within the meaning of Article 80(1) of the EC Treaty. 2 GDPR refers. It held that that provision must be interpreted as not precluding a national rule under which an association for the protection of consumers’ interests may bring an action against the alleged infringer of the protection of personal data, without a mandate to that effect and irrespective of the infringement of specific rights of data subjects, on the grounds that the prohibition of engaging in unfair commercial practices, a consumer protection law or the prohibition of the use of ineffective general terms and conditions has been violated, provided that the data processing in question may affect the rights of identified or identifiable natural persons under this Regulation.