News

Legal uncertainty continues regarding warning notices from competitors due to GDPR infringements

27.11.2018

When the General Data Protection Regulation (GDPR) came into force in May, there was much talk of an imminent "wave of warning notices". So far, however, the predicted large masses of warning notices due to GDPR infringements have not materialized. This could be at least partly explained by the currently unclear legal situation. In fact, it is highly controversial whether the violation of data protection obligations under the GDPR – such as incomplete or incorrect privacy statements – enables competitors to send a warning notice to a peer. The GDPR itself does not provide for such a possibility. Prior to its introduction, however, the regional courts have predominantly allowed this course of action regarding data protection infringements under competition law. The question now arises as to whether the GDPR will continue to allow competitors to take such action under the German Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb – UWG).

Inconsistent court decisions to date

The court decisions which have been announced so far on this issue have not been consistent. In August, the Bochum Regional Court rejected an application for a temporary injunction due to the competitor’s lacking locus standi (Bochum Regional Court, judgment of 7 August 2018 – 12 O 85/18). In doing so, it followed a view expressed in academic literature, according to which the group of persons entitled to file a claim is conclusively regulated in the GDPR. The Regional Court based this in particular on Article 80(2) of the GDPR, according to which, in addition to the persons concerned themselves, only non-profit-making organisations may independently exercise the rights of the persons concerned under the GDPR, subject to further conditions. According to the Regional Court, it could be concluded from this that the EU legislator did not wish to allow an extension of the right to take legal action to competitors.
In another case, the Wiesbaden Regional Court also recently rejected the competitor’s locus standi on similar grounds (Wiesbaden Regional Court, judgment of 5 November 2018 – O 214/18). It reasoned that since there was no gap in the legal protection under the area of the GDPR, no such gap had to be closed by applying the provisions of the German Act Against Unfair Competition.
On the other hand, however, the Würzburg Regional Court granted a competitor injunctive relief, prohibiting a lawyer from continuing to operate her unencrypted website without a privacy statement (Würzburg Regional Court, decision of 13 September 2018 – 11 O 1741/18 UWG). However, the Würzburg Regional Court did not go into more detail on the issue of locus standi.

Compromise position of the Hamburg Higher Regional Court

The first decision of a German higher regional court has been published in October. The Higher Regional Court of Hamburg took the middle ground (Hamburg Higher Regional Court, judgment of 25 October 2018 – 3 U 66/17). It firstly found that competition law action against competitors was not generally blocked even in data protection matters, stating that the GDPR only set a minimum standard, but was open with regard to other legal remedies not regulated in the GDPR itself.
On the other hand, however, the Higher Regional Court emphasised that the other requirements for a claim laid down in sections 3(1) 1, 3a German Act Against Unfair Competition in conjunction with sec. 8(3) no.1 German Act Against Unfair Competition must be satisfied as well. The court stated that this required that the data privacy rule concerned had the character of regulating market conduct and that this had to be examined specifically in each case. With regard to the provision of the German Federal Data Protection Act (old version) (Bundesdatenschutzgesetz – BDSG), which was the applicable law in this case, the Higher Regional Court held that the required relation to market conduct did not exist.
If this approach were to become established in case law, this would mean that the courts first have to examine based on each obligation anchored in the GDPR whether the specific data protection infringement concerned is eligible for a warning notice or not. It would therefore be difficult in the foreseeable future for the national courts to bring about legal certainty with regard to the warning risk.

Clarification by the ECJ?

The ECJ could soon contribute to a more fundamental clarification. The Düsseldorf Higher Regional Court appealed to the Court of Justice in January 2017 in the “Fashion ID” case. It asked whether the EU Data Protection Directive, in force at the time, precluded the application of German competition law (Düsseldorf Higher Regional Court, referral order of 19 January 2017 – I-20 U 40/16). The preliminary ruling procedure therefore does not concern the new legal situation under the GDPR. However, it seems conceivable that in their still outstanding ruling the Luxembourg judges will also give an indication as to the current discussion.

Remedy by the German legislator

In addition, the federal government also wants to “prevent the abuse” of warning notices, as is stated in the 2018 Coalition Agreement. In September, a draft bill of the Federal Ministry of Justice and Consumer Protection was released, which, among other things, provides for stricter requirements regarding the right to assert claims. It also reduces financial incentives for warning notices. However, the proposed legislative amendments do not refer directly to the GDPR.
At the same time, the Bundesrat is discussing a bill proposed by the State of Bavaria. This proposal aims in particular to exclude claims based on the infringement of the GDPR from the scope of application of the German Act Against Unfair Competition Act.

Position of the Commission

statement issued by the European Commission also attracted attention recently. In response to a parliamentary question, Justice Commissioner Věra Jourová commented on the right of third parties to take legal action with respect to the legal remedies under the GDPR. Ms Jourová stated that outside the scope of Article 80 GDPR third parties were not entitled to independently enforce the rights of the person concerned. It remains open, however, whether the Commission is therefore of the opinion that warning notices under the German Act Against Unfair Competition Act are precluded by the GDPR provisions.

Contact

Pascal Schumacher
Pascal Schumacher+49 30 20942030

Data Privacy
Telecommunications
Regulatory and Governmental Affairs
Arbitration

Share

Show all

Insights

people shopping sun with pulse
News

Regulatory & Governmental Affairs – Europanews 2024

25.04.2024
blurred motion on railway
News

New since 15 March 2024: Third-party notices in DIS arbitration proceedings - The Supplementary Rules for Third-Party Notices (DIS-TPNR)

18.04.2024
hand touching led wall screen
News

Data Compliance Governance

16.04.2024
compass with pulse
News

Data Act – Scope, Impact, Implementation

16.04.2024
binoculars sun with pulse
News

Russia sanctions: EU banks’ reporting obligations clarified

16.04.2024
LED field Data Protection Litigation
News

Update on the Data Governance Act

12.03.2024
street view with pulse
News

European data protection authorities start coordinated investigation into right of access

11.03.2024
balloon sky
News

Green light for CCS and CCU – German federal government presents key issues paper

01.03.2024
library
News

Judgment of the Cologne Administrative Court of 17 November 2023 – BNetzA Acted Unlawfully by Naming Company in Press Release

01.03.2024