Alessandra Fratini and Giorgia Lo Tauro, Fratini Vergano European lawyers
Introduction
On 4 October 2024, the Grand
Chamber of the Court of Justice of the European Union issued its judgment
in Lindenapotheke (Case C-21/23),
a case concerning the online sale of pharmacy-only medicinal products and its
implications as regards GDPR
compliance. In its request for a preliminary ruling, the German Federal Court
of Justice (Bundesgerichtshof) raised two questions on the
interpretation of the GDPR. While acknowledging the importance of the second question
on the meaning of ‘data concerning health’, this post focuses on the first one,
concerning the compatibility of the system of remedies established in Chapter VIII
GDPR with other remedies under national law. The paragraphs below, after a
short overview of the facts of the case and the preliminary questions, review the
main findings of the Advocate General and of the Court of Justice on the first
question and conclude by placing the judgment within the rising trend of addressing
the challenges of digital markets through a broader enforcement of EU digital
regulation.
Facts of the case and questions referred
The main proceedings involved two
competitors operating pharmacies in Germany, ND and DR. ND, which operates a
pharmacy under the trade name ‘Lindenapotheke’, has been selling pharmacy-only
medicinal products via the ‘Amazon-Marketplace’ online platform since 2017.
DR brought an action before the German
Regional Court seeking an order for ND to cease selling pharmacy-only medicinal
products via the online marketplace on the basis that such marketing
constituted an unfair commercial practice in so far as it was pursued in breach
of Article 9 GDPR, which requires that the data subject’s prior explicit
consent be obtained for the processing of data concerning health. According to
the German law against unfair competition, in fact, “anyone who infringes a
statutory provision intended, inter alia, to regulate market conduct in the
interest of market players acts unfairly where that infringement is capable of
having an appreciable adverse effect on consumers, other market players or
competitors”; such an infringement constitutes a prohibited unfair
commercial practice enabling any competitor to claim injunctive relief
(paras. 21-23 of the judgment). The Regional Court upheld the action and the subsequent
appeal brought by ND was dismissed by the Higher Regional Court, which held
that such online marketing was contrary to the national law against unfair
competition. ND lodged an appeal on a point of law before the German Federal
Court of Justice, which raised a request for a preliminary ruling on the
interpretation of Chapter VIII and Article 9(1) GDPR, but also Article 8(1) of
Directive 95/46 (the previous data protection Directive) before the Court of
Justice.
Question 1
With its first question, the
referring court asked the Court of Justice whether a competitor, who is not a
data subject within the meaning of Article 4(1) GDPR, has standing to bring an
action before the civil courts against the alleged infringer of the GDPR, on
the basis that the alleged infringement falls within the prohibition of unfair
commercial practices. The referring court noted that the provisions of Chapter
VIII GDPR do not mention, nor do they explicitly exclude, the possibility for
competitors to bring an action against an undertaking, where the infringement
of data protection law constitutes an unfair commercial practice (para. 35). The
referring court underlined the uncertainty of the situation and highlighted
both the risks of recognising such a possibility for competitors, in terms of
potential encroachment on the powers of the supervisory authorities and ensuing divergences,
and its potential benefits in terms of ‘effet utile’ to ensure the highest
level of data protection (paras. 36-39).
Question 2
With its second question, the
referring court asked the Court of Justice to clarify whether the data which
customers must enter on the online sales platform when ordering medicinal products
(such as name, delivery address and information required for individualising
the medicinal products ordered) constitute ‘data concerning health’ within the
meaning of Article 8(1) of Directive 95/46 and Article 9(1) GDPR. In
particular, the doubts of the referring court concerned non-prescription medicinal
products, since these may be intended not necessarily for the customers but for
third parties, who may not be identifiable (para. 41).
In the opinion of the referring
court, the questions of a competitor’s standing to bring proceedings (para. 39)
and of the notion of ‘special categories of personal data’ (para. 43) had not
been clarified by the case-law of the Court of Justice and warranted its
request for a preliminary ruling.
The Opinion
In his Opinion,
Advocate General Szpunar first changed the order of the proposed questions, as
he considered that if the answer to the second one were to be negative, there
would be no need to answer the first one (para. 31 of the Opinion). Addressing the
second question at the outset, the AG suggested answering that “the data of
the customers of a pharmacist which are transmitted when an order is placed on
an online sales platform for pharmacy-only but non-prescription medicines do
not constitute ‘data concerning health’ within the meaning of Article 4(15) and
Article 9 of the GDPR, in so far as only hypothetical or imprecise conclusions
as to the health status of the person placing the online order may be drawn,
which it is for the referring court to verify” (para. 54).
In the light of that proposed negative
answer, the first question was dealt with in the Opinion only for the sake of
completeness. Having acknowledged that the GDPR confers no rights on
undertakings and their competitors, as that regulation grants rights only to
data subjects (paras. 79-81), the AG assessed whether the GDPR system of
remedies has to be seen as an exhaustive system, in the sense that it precludes
undertakings from relying on a GDPR infringement in the context of other
remedies provided for by national law (paras. 82-89).
First, he noted that the action at
issue in the main proceedings was not based on a GDPR infringement, but took
such an infringement into account in an incidental manner. The Court already accepted,
in its judgment
in Meta Platforms and others (2023), that data may be taken into account
in an incidental manner and that an infringement of the GDPR may constitute an
infringement of competition law (paras. 90-91), and the AG considered that this was applicable
to the present case (para. 91). Second, as regards the interaction between
national actions in which the GDPR can be invoked incidentally and the GDPR system
of remedies, the AG observed that the former should be accepted only on
condition that they do not undermine the GDPR system of remedies or the
attainment of its objectives (para. 95). In the present case, since an action
brought by an undertaking against a competitor is not intended to ensure
respect for the data subjects’ rights but pursues another objective, the
actions made available to data subjects by the GDPR system of remedies are
preserved and may still be exercised in those circumstances (paras. 100-101).
Furthermore, in the AG’s view, the objectives pursued by the GDPR, such as the
high level of protection of natural persons and the consistent and homogenous
application of the data protection rules (recital 10), are not threatened (but,
as for the high level of protection, actually strengthened) by the possibility
afforded to an undertaking to bring an action for an injunction against a
competitor based on the prohibition of acts of unfair competition, in reliance on
a GDPR infringement by that competitor (paras. 103-104). Finally, the AG noted
that, far from being undermined, the effectiveness of the GDPR would be
reinforced by the fact that compliance with its provisions may also be enforced
in judicial proceedings distinct from those within its system of remedies. Accordingly,
he concluded that such national remedies may exist alongside the system
established by the GDPR (paras. 105-108).
The Judgment
The Court of Justice considered the
questions in the order they were raised by the referring court and departed
from the Opinion with regard to the answer to the second question.
To address the first question,
the Court interpreted the relevant provisions of Chapter VIII GDPR by relying
on their wording, the context and the objectives pursued by the GDPR (para. 52
of the judgment). As to the wording, the Court noted that not only do the
provisions of Chapter VIII not expressly rule out the possibility of additional
national remedies, but the rights provided for by Article 77(1), Article 78(1)
and Article 79(1) are ‘without prejudice’ to any other administrative, judicial
or non-judicial remedy (para. 53). When it comes to the context, while it agreed
with the AG that only data subjects are beneficiaries of the GDPR protection, the
Court noted in addition that the infringement of its substantive provisions is
also liable to adversely affect third parties (in this sense, it referred to
the right to compensation provided for by Article 82(1); para. 55). The Court recalled
that it had already held that the infringement of data protection rules may at
the same time give rise to an infringement of rules on consumer protection or
unfair commercial practices (judgment
in Meta Platforms Ireland, 2022, para. 78) and may be “a vital clue”
in the assessment of an abuse of a dominant position (judgment in Meta Platforms
and others, 2023, para. 47) (para. 55). It also noted the importance of
access to personal data and the ability to process such data, which “have
become a significant parameter of competition between undertakings in the
digital economy”, so that it may be necessary to consider rules on data
protection when enforcing competition law and the rules on unfair commercial
practices (para. 56).
Interestingly, while the above
would have been sufficient to interpret Chapter VIII in the light of the
context, the Court went further to consider the margin of discretion enjoyed by
Member States in the implementation of the GDPR. In this respect, even though
the GDPR “seeks to ensure the harmonisation of national legislation on the
protection of personal data which is, in principle, full, the fact remains that
several provisions of that regulation expressly make it possible for Member
States to lay down additional, stricter or derogating national rules, which
leave them a margin of discretion as to the manner in which those provisions
may be implemented (‘opening clauses’)” (para. 57). After referring to its judgment
in Meta Platforms Ireland (2022, para. 57), which concerned a provision
of the GDPR (Article 80) expressly containing an opening clause, the Court added:
“It is true that the provisions of Chapter VIII of the GDPR do not
specifically provide for such an opening clause which would expressly allow
Member States to make it possible for a competitor of an undertaking which
allegedly infringes the substantive provisions of that regulation to bring an
action in order to put an end to that infringement. However, it follows from
the wording and context of the provisions of Chapter VIII (…) that, by adopting
that regulation, the EU legislature did not intend to bring about an
exhaustive harmonisation of the remedies available in respect of infringements
of the provisions of the GDPR and, in particular, did not wish to rule
out the availability of such remedies to competitors of the person allegedly
responsible for an infringement of the laws protecting personal data, on the
basis of national law relating to the prohibition of unfair commercial
practices” (paras. 59-60, emphasis added).
In the Court’s view, that
interpretation was corroborated by the GDPR objectives (i.e., ensuring a
consistent and high level of protection of natural persons with regard to the processing
of personal data and removing obstacles to the flow of such data within the EU;
strengthening of the rights of data subjects and of the obligations of those
who process and determine the processing of data, as well as equivalent powers
for monitoring and ensuring compliance with the rules for the protection of
personal data and equivalent sanctions for infringements in the Member States;
providing natural persons in all Member States with the same level of legally
enforceable rights and obligations and responsibilities for data controllers
and processors, and ensuring consistent monitoring of the processing of
personal data, and equivalent sanctions in all Member States) (para. 61). It
found therefore that the possibility of national remedies like those at stake does
not undermine those objectives but actually enhances the effectiveness of the
GDPR provisions (para. 62). These national remedies are in addition to those of
Chapter VIII and pursue an objective (fair competition) which is different from
those pursued by the GDPR. In this context, as the German government observed,
the uniform interpretation of the GDPR remains ensured by the preliminary
ruling procedure under Article 267 TFEU (paras. 65-67). Furthermore, the Court held
that national remedies aimed at ensuring fair competition undoubtedly
contribute to compliance with the GDPR and, therefore, to strengthening the
rights of data subjects: an application for injunctive relief filed by a
competitor may also prove particularly effective in so far as it may prevent a
large number of infringements of data subjects’ rights (paras. 69-70).
In the light of the above, the
Court concluded that Chapter VIII does not preclude national legislation
providing for such remedies to the benefit of competitors, while leaving to the
referring court the assessment of whether the alleged infringement of the GDPR,
in so far as it is established, also constitutes a breach of the prohibition of
unfair commercial practices under the relevant national law (paras. 71-72).
As to the second question, suffice
it to say that the Court, unlike the AG, found that the information which
customers enter when ordering online pharmacy-only medicinal products, the sale
of which does not require a prescription, does constitute ‘data concerning
health’ even where it is “only with a certain degree of probability, and not
with absolute certainty, that those medicinal products are intended for those
customers” (para. 90). This, however, does not preclude it from being
processed, in specific contexts, if the conditions for exemptions are met
(para. 92), i.e. does not mean automatically that the processing is in breach
of the GDPR.
Concluding remarks
The judgment in Lindenapotheke,
as far as the first question is concerned, provides an interpretation of the
GDPR system of remedies aimed at enhancing the effectiveness of data protection.
The remarkable point of the reasoning is the emphasis placed on the margin of discretion
recognised to Member States in implementing the GDPR, with a view to enhancing the
protection afforded by it. While in Meta Platforms Ireland (2022) the
Court could rely on the wording of the provision concerned (para. 59: “(…) Article
80(2) of the GDPR, which leaves the Member States a discretion with regard to
its implementation. (…) Member States must make use of the option made
available to them by that provision to provide in their national law for that
mode of representation of data subjects”), in Lindenapotheke it admitted
that Chapter VIII does not expressly provide for any opening clause allowing
Member States to make available further remedies for actors other than data
subjects invoking a GDPR infringement. However, by relying on the wording and
context of Chapter VIII, as well as on the legislator’s intention and the GDPR
objectives, it came to the conclusion that Member States can make available
such remedies to competitors of the person allegedly responsible for an
infringement of the laws protecting personal data, since such a possibility is not
ruled out by the GDPR system of remedies and its objectives (paras.
60-61). The Court’s interpretation actually seems to encourage Member States to
make additional remedies available under national laws, insofar as they enhance
the effectiveness of data protection (paras. 62 and 69).
From this perspective, the Court’s conclusion is significantly relevant when placed
in the context of the ongoing debate on the GDPR (under) enforcement (Gentile-Lynskey,
2022), the shortcomings of its composite enforcement system (Hofmann-Mustert,
2024) and the Commission’s Proposal
for a Regulation laying down additional procedural rules relating to the
enforcement of the GDPR (2023). When it comes to the handling of complaints and
the role of complainants, it has been observed that these vary significantly
among Member States, which in turn results in a limitation of individual
procedural rights (Hofmann-Mustert,
2024). Against this background, some rightly fear, by comparing this judgment
with previous case law, that its “implications have the potential to be more
disruptive” as regards the consistent enforcement of the GDPR and introduce
“greater potential risks of interference between administrative and judicial
enforcement” (van den Poel,
2024).
However, the implications of the judgment
are less daunting when considering GDPR enforcement in the broader context
of digital legislation. The Commission
Second Report on the application of the GDPR, published on 25 July 2024,
makes it clear that “the development of digital regulations raises the need
for close cooperation across regulatory fields. Such cooperation is all the
more necessary since data protection issues increasingly intersect with
questions of, for example, competition law, consumer law, digital markets
rules, electronic communications regulation and cybersecurity. (…) data
protection authorities are taking steps to ensure their actions are
complementary and coherent with other regulatory fields”. In its statement
of 3 December 2024 on the Commission Second Report, the EDPB also recognised
that it “would support a holistic methodological approach for the next
evaluation of the GDPR that explores the interplay between the GDPR and other
EU digital legislation”.
The judgment fits into this
context of growing institutional awareness of the need for a holistic and
coordinated approach for the effective protection of personal data, in line
with the “more ‘collaborative approach’” proposed by scholars for the enforcement
of data protection, competition law and unfair competition law (Vandendriessche,
2024). The Court insists on the likely enhanced effective enforcement of the
GDPR via national remedies aiming at other objectives (Holtz,
2024), by proposing an interpretation where the GDPR as such calls upon the
Member States for its effective enforcement (again, paras. 60-61). By stating
that “such an application for injunctive relief brought by a competitor may
prove, like that brought by a consumer protection association, to be
particularly effective in ensuring such protection, in so far as it is capable
of preventing a large number of infringements of the rights of data subjects by
the processing of their personal data” (para. 70), the Court recognises the
preventive effect of a potential “private enforcement” (Opinion, para.
93) through remedies allowed under national laws, which has been read as an ‘incentive’
for market players to contribute to GDPR compliance (Vandendriessche,
2024). In this sense, the judgment embraces an emerging approach in the EU
regulation of the digital environment, which is aimed at involving in the
enforcement multiple actors of society as a whole. This approach is evident
when it comes to making
the online world safer and fairer, namely with the DSA:
for example, as far as institutional actors are concerned, in the cooperation required
between the Commission and the Digital Services Coordinators with regard to
systemic risk mitigation measures (Peukert, 2024); even
more, as far as non-institutional actors are concerned, in the mechanisms
required to allow any user - individual or entity - to notify illegal content
online, or in the required cooperation with “trusted flaggers” (Articles 16,
22, 35 DSA) (in this sense, see also Commission’s dialogue
with Civil Society Organisations for implementing the DSA).
It remains to be seen whether such an approach succeeds in becoming consolidated
through greater coordination of EU institutions and national authorities and
greater awareness of society at large, alongside the required adjustments for the
effective implementation of the remedies the GDPR grants to data subjects.