The Court of Justice of the European Union (CJEU), the EU’s highest court, recently announced its significant Lindenapotheke decision, permitting companies to use the General Data Protection Regulation in business-to-business competition litigation and adopting an expansive meaning of “health data” impacting many life sciences, healthcare, consumer, and retail businesses.
Specifically, the court ruled that companies may bring unfair competition claims with respect to EU General Data Protection Regulation (GDPR) infringements committed by their competitors to the extent that such claims are permitted under EU member state unfair competition laws. In turn, alleged GDPR infringements now expose companies not only to potential regulatory enforcement action and private litigation brought by affected data subjects, but also to potential unfair competition claims brought by their competitors.
Secondly, the court adopted an expansive understanding of “data concerning health” under the GDPR to include information relating to pharmacy orders which could indirectly reveal (even if potentially inaccurately) health conditions even if the order involved non-prescription products or was for the benefit of a person other than the customer. This could potentially subject many life sciences, healthcare, consumer, and retail businesses (for example, research and drug development, medical devices, health and fitness clubs, healthcare providers, app developers, online retailers, sellers of specialty foods, books, or lifestyle products) to restrictive GDPR rules relating to “special category” data.
In Lindenapotheke, a business in Germany alleged that its online pharmacy competitor was not obtaining the necessary GDPR-quality “explicit consents” from data subjects with respect to orders of non-prescription products and was in turn infringing the GDPR. The business then sought to injunct its online pharmacy competitor under German unfair competition laws which, in certain circumstances, appeared to treat breaches of statutes (such as the GDPR) as an actionable unfair business practice.
Prior to the Lindenapotheke decision, it was considered that alleged GDPR infringements may be the subject of either:
It was unclear whether companies were able to directly bring claims against other companies with respect to GDPR infringements. (Of course, companies were—and still are—able to directly bring breach of contract claims relating to GDPR-related contract provisions, such as GDPR-related data processing provisions, against other companies.)
The CJEU’s decision now clarifies this issue: it makes clear that GDPR infringements may serve as the basis for business-to-business unfair competition law claims—but, importantly, if and to the extent such claims are provided for under relevant EU member state law. In the CJEU’s view, allowing for such claims would help advance the protections afforded to data subjects under the GDPR.
Overall, the Lindenapotheke decision raises the GDPR stakes for companies by allowing the GDPR to be used as a “sword” in business litigation. That is, alleged GDPR infringements now expose companies not only to potential regulator-led enforcement action and private litigation brought by data subjects, but also to unfair competition claims brought by their competitors.
The CJEU held that when customers of the online pharmacy provide their name, address, and the information required for the selection and delivery of products, the pharmacy was to protect such information as “health data” in accordance with restrictive GDPR rules relating to “special category” data. (The processing of “special category” data may require data controllers to obtain “explicit consent” from the data subject to process personal data.) That is, if any information “indirectly [reveals] sensitive information” (paragraph 82) through “intellectual operation[s] involving collation or deduction, information on the health status of the data subject … entail[ing] establishing a link between a medicinal product, its therapeutic indications or uses [and a data subject]” (paragraph 84) such information could be “health data.”
In this respect, according to the court, it was irrelevant whether the product required a prescription, or whether the product was intended for use by the customer or by an (unknown) third party. Equally, it was irrelevant whether the inferences regarding health status were accurate, or whether the company was even actively seeking such health inferences.
Overall, the court’s approach could potentially subject many life sciences, healthcare, consumer and retail-focused businesses (for example, health and fitness clubs, healthcare providers, drug and medical device manufacturers, app developers, online retailers, sellers of specialty foods, books, or lifestyle products) to restrictive GDPR rules relating to “special category” data (which includes data revealing health, and political and religious beliefs). For example, sellers in the EU of political biographies or kosher food may potentially be regarded as processing personal data revealing the political or religious beliefs, respectively, of data subjects. Such companies may potentially need to obtain “explicit consent” to process such data (which could sweep in, for example, addresses of customers).