Under the Data Protection Directive (now superseded by the General Data Protection Regulation, “GDPR”), it was disputed whether a violation of the German Data Protection Law transposing the Directive could serve as a basis for anti-competition claims under the German Act Against Unfair Competition (“Gesetz gegen den unlauteren Wettbewerb”, “UWG”). Since the entry into force of the GDPR, three German courts have been asked to decide whether an infringement of the GDPR can similarly serve as a basis for such claims. While the first two decisions were issued by courts of first instance, the third and most recent decision was decided by the High Court of Hamburg.
In a first decision of July 8, 2018 (available here), a company asked for injunctive relief against a competing company because the competing company’s website privacy policy failed to comply with the information requirements under Art. 13 GDPR. The court stressed in its decision that it is still disputed under German law, whether a violation of the GDPR can serve as a claim against a competitor under the UWG. The court refused to grant injunctive relief in that case on the grounds that the GDPR does not allow competitors to claim infringements of data protection law – only the data subjects and, under certain conditions, non-profit bodies can do this. The court concluded that “the EU legislature did not intend to extend [a similar] possibility to competitors of an infringer.”
The second decision of September 13, 2018 (available here) also relates to a claim for injunctive relief regarding a company’s website privacy policy that did not comply with Art. 13 of the GDPR. The court decided that this constituted a violation of “a [data protection] statutory provision that is also intended to regulate market conduct in the interests of market participants and [that] the infringement [of this data protection provision] is likely to significantly prejudice the interests of consumers, other market participants or competitors” – i.e., a violation of Art. 3a of the German Act Against Unfair Competition. On this basis, the court granted the injunctive relief.
Finally, in the most recent decision of October 25, 2018 (available here), the High Court of Hamburg was asked by a pharma company to grant injunctive relief against a competing pharma company because it erroneously relied on a provision of the old German Data Protection Act allowing for the processing of health data for health care and medical diagnosis. According to the court, that provision did not apply to the pharma company, which should have obtained the patients’ consent similar to its competitors. However, the court held that to determine whether an infringement of a data protection provision could serve as the ground for an anti-competition claim, the provision allegedly infringed must be assessed on a case-by-case basis looking at its “market behavior regulating character”. In this case, the norm that requires the company to obtain consent does not have a “market behavior regulating character” and therefore the claim was rejected.
The above judgments show that, at this moment, the question of whether a GDPR violation can serve as the basis for anti-competition claims remains unsettled in Germany. In an attempt to resolve this issue, the German Region of Bavaria proposed a bill before the German Federal Parliament in June 2018 (available here), which excludes data protection provisions from the scope of the UWG. If adopted, violations of data protection law could no longer serve as a basis to bring claims against competitors under the UWG.