German Courts Decide Whether an Infringement of the GDPR also Qualifies as Unfair-Competitive Behavior
Under the Data Protection Directive (now superseded by the General Data Protection Regulation, “GDPR”), it was disputed whether a violation of the German Data Protection Law transposing the Directive could serve as a basis for anti-competition claims under the German Act Against Unfair Competition (“Gesetz gegen den unlauteren Wettbewerb”, “UWG”). Since the entry into force of the GDPR, three German courts have been asked to decide whether an infringement of the GDPR can similarly serve as a basis for such claims. While the first two decisions were issued by courts of first instance, the third and most recent decision was decided by the High Court of Hamburg.
Finally, in the most recent decision of October 25, 2018 (available here), the High Court of Hamburg was asked by a pharma company to grant injunctive relief against a competing pharma company because it erroneously relied on a provision of the old German Data Protection Act allowing for the processing of health data for health care and medical diagnosis. According to the court, that provision did not apply to the pharma company, which should have obtained the patients’ consent similar to its competitors. However, the court held that to determine whether an infringement of a data protection provision could serve as the ground for an anti-competition claim, the provision allegedly infringed must be assessed on a case-by-case basis looking at its “market behavior regulating character”. In this case, the norm that requires the company to obtain consent does not have a “market behavior regulating character” and therefore the claim was rejected.
The above judgments show that, at this moment, the question of whether a GDPR violation can serve as the basis for anti-competition claims remains unsettled in Germany. In an attempt to resolve this issue, the German Region of Bavaria proposed a bill before the German Federal Parliament in June 2018 (available here), which excludes data protection provisions from the scope of the UWG. If adopted, violations of data protection law could no longer serve as a basis to bring claims against competitors under the UWG.