Under the Data Protection Directive (now superseded by the General Data Protection Regulation, “GDPR”), it was disputed whether a violation of the German Data Protection Law transposing the Directive could serve as a basis for anti-competition claims under the German Act Against Unfair Competition (“Gesetz gegen den unlauteren Wettbewerb”, “UWG”).  Since the entry into force of the GDPR, three German courts have been asked to decide whether an infringement of the GDPR can similarly serve as a basis for such claims.  While the first two decisions were issued by courts of first instance, the third and most recent decision was decided by the High Court of Hamburg.

 In a first decision of August 7, 2018 (available here), a company asked for injunctive relief against a competing company because the competing company’s website privacy policy failed to comply with the information requirements under Art. 13 GDPR.  The court stressed in its decision that it is still disputed under German law, whether a violation of the GDPR can serve as a claim against a competitor under the UWG. The court refused to grant injunctive relief in that case on the grounds that the GDPR does not allow competitors to claim infringements of data protection law – only the data subjects and, under certain conditions, non-profit bodies can do this.  The court concluded that “the EU legislature did not intend to extend [a similar] possibility to competitors of an infringer.”

The second decision of September 13, 2018 (available here) also relates to a claim for injunctive relief regarding a company’s website privacy policy that did not comply with Art. 13 of the GDPR.  The court decided that this constituted a violation of “a [data protection] statutory provision that is also intended to regulate market conduct in the interests of market participants and [that] the infringement [of this data protection provision] is likely to significantly prejudice the interests of consumers, other market participants or competitors” – i.e., a violation of Art. 3a of the German Act Against Unfair Competition.  On this basis, the court granted the injunctive relief.

Finally, in the most recent decision of October 25, 2018 (available here), the High Court of Hamburg was asked by a pharma company to grant injunctive relief against a competing pharma company because it erroneously relied on a provision of the old German Data Protection Act allowing for the processing of health data for health care and medical diagnosis.  According to the court, that provision did not apply to the pharma company, which should have obtained the patients’ consent similar to its competitors.  However, the court held that to determine whether an infringement of a data protection provision could serve as the ground for an anti-competition claim, the provision allegedly infringed must be assessed on a case-by-case basis looking at its “market behavior regulating character”.  In this case, the norm that requires the company to obtain consent does not have a “market behavior regulating character” and therefore the claim was rejected.

The above judgments show that, at this moment, the question of whether a GDPR violation can serve as the basis for anti-competition claims remains unsettled in Germany.  In an attempt to resolve this issue, the German Region of Bavaria proposed a bill before the German Federal Parliament in June 2018 (available here), which excludes data protection provisions from the scope of the UWG.  If adopted, violations of data protection law could no longer serve as a basis to bring claims against competitors under the UWG.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.

She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).

Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.

Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.