June 17, 2019

June 14, 2019

Subscribe to Latest Legal News and Analysis

German Courts Decide Whether an Infringement of the GDPR also Qualifies as Unfair-Competitive Behavior

Under the Data Protection Directive (now superseded by the General Data Protection Regulation, “GDPR”), it was disputed whether a violation of the German Data Protection Law transposing the Directive could serve as a basis for anti-competition claims under the German Act Against Unfair Competition (“Gesetz gegen den unlauteren Wettbewerb”, “UWG”).  Since the entry into force of the GDPR, three German courts have been asked to decide whether an infringement of the GDPR can similarly serve as a basis for such claims.  While the first two decisions were issued by courts of first instance, the third and most recent decision was decided by the High Court of Hamburg.

 In a first decision of July 8, 2018 (available here), a company asked for injunctive relief against a competing company because the competing company’s website privacy policy failed to comply with the information requirements under Art. 13 GDPR.  The court stressed in its decision that it is still disputed under German law, whether a violation of the GDPR can serve as a claim against a competitor under the UWG. The court refused to grant injunctive relief in that case on the grounds that the GDPR does not allow competitors to claim infringements of data protection law – only the data subjects and, under certain conditions, non-profit bodies can do this.  The court concluded that “the EU legislature did not intend to extend [a similar] possibility to competitors of an infringer.”

The second decision of September 13, 2018 (available here) also relates to a claim for injunctive relief regarding a company’s website privacy policy that did not comply with Art. 13 of the GDPR.  The court decided that this constituted a violation of “a [data protection] statutory provision that is also intended to regulate market conduct in the interests of market participants and [that] the infringement [of this data protection provision] is likely to significantly prejudice the interests of consumers, other market participants or competitors” – i.e., a violation of Art. 3a of the German Act Against Unfair Competition.  On this basis, the court granted the injunctive relief.

Finally, in the most recent decision of October 25, 2018 (available here), the High Court of Hamburg was asked by a pharma company to grant injunctive relief against a competing pharma company because it erroneously relied on a provision of the old German Data Protection Act allowing for the processing of health data for health care and medical diagnosis.  According to the court, that provision did not apply to the pharma company, which should have obtained the patients’ consent similar to its competitors.  However, the court held that to determine whether an infringement of a data protection provision could serve as the ground for an anti-competition claim, the provision allegedly infringed must be assessed on a case-by-case basis looking at its “market behavior regulating character”.  In this case, the norm that requires the company to obtain consent does not have a “market behavior regulating character” and therefore the claim was rejected.

The above judgments show that, at this moment, the question of whether a GDPR violation can serve as the basis for anti-competition claims remains unsettled in Germany.  In an attempt to resolve this issue, the German Region of Bavaria proposed a bill before the German Federal Parliament in June 2018 (available here), which excludes data protection provisions from the scope of the UWG.  If adopted, violations of data protection law could no longer serve as a basis to bring claims against competitors under the UWG.

© 2019 Covington & Burling LLP


About this Author

Kristof Van Quathern, Covington, data privacy attorney
Special Counsel

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Mr. Van Quathem has been specializing in this area for over fifteen years and covers the entire spectrum of advising clients on government affairs strategies concerning the lawmaking, to compliance advice on the adopted laws regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.

Anna Oberschelp de Meneses, Regulatory lawyer, Covington

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Ms. Oberschelp de Meneses advises companies on European data protection law, with a focus on German and Portuguese privacy law.

32 2 549 5249