Legal uncertainty continues regarding warning notices from competitors due to GDPR infringements
When the General Data Protection Regulation (GDPR) came into force in May, there was much talk of an imminent "wave of warning notices". So far, however, the predicted large masses of warning notices due to GDPR infringements have not materialized. This could be at least partly explained by the currently unclear legal situation. In fact, it is highly controversial whether the violation of data protection obligations under the GDPR – such as incomplete or incorrect privacy statements – enables competitors to send a warning notice to a peer. The GDPR itself does not provide for such a possibility. Prior to its introduction, however, the regional courts have predominantly allowed this course of action regarding data protection infringements under competition law. The question now arises as to whether the GDPR will continue to allow competitors to take such action under the German Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb – UWG).
Inconsistent court decisions to date
The court decisions which have been announced so far on this issue have not been consistent. In August, the Bochum Regional Court rejected an application for a temporary injunction due to the competitor’s lacking locus standi (Bochum Regional Court, judgment of 7 August 2018 – 12 O 85/18). In doing so, it followed a view expressed in academic literature, according to which the group of persons entitled to file a claim is conclusively regulated in the GDPR. The Regional Court based this in particular on Article 80(2) of the GDPR, according to which, in addition to the persons concerned themselves, only non-profit-making organisations may independently exercise the rights of the persons concerned under the GDPR, subject to further conditions. According to the Regional Court, it could be concluded from this that the EU legislator did not wish to allow an extension of the right to take legal action to competitors.
In another case, the Wiesbaden Regional Court also recently rejected the competitor’s locus standi on similar grounds (Wiesbaden Regional Court, judgment of 5 November 2018 – O 214/18). It reasoned that since there was no gap in the legal protection under the area of the GDPR, no such gap had to be closed by applying the provisions of the German Act Against Unfair Competition.
On the other hand, however, the Würzburg Regional Court granted a competitor injunctive relief, prohibiting a lawyer from continuing to operate her unencrypted website without a privacy statement (Würzburg Regional Court, decision of 13 September 2018 – 11 O 1741/18 UWG). However, the Würzburg Regional Court did not go into more detail on the issue of locus standi.
Compromise position of the Hamburg Higher Regional Court
The first decision of a German higher regional court has been published in October. The Higher Regional Court of Hamburg took the middle ground (Hamburg Higher Regional Court, judgment of 25 October 2018 – 3 U 66/17). It firstly found that competition law action against competitors was not generally blocked even in data protection matters, stating that the GDPR only set a minimum standard, but was open with regard to other legal remedies not regulated in the GDPR itself.
On the other hand, however, the Higher Regional Court emphasised that the other requirements for a claim laid down in sections 3(1) 1, 3a German Act Against Unfair Competition in conjunction with sec. 8(3) no.1 German Act Against Unfair Competition must be satisfied as well. The court stated that this required that the data privacy rule concerned had the character of regulating market conduct and that this had to be examined specifically in each case. With regard to the provision of the German Federal Data Protection Act (old version) (Bundesdatenschutzgesetz – BDSG), which was the applicable law in this case, the Higher Regional Court held that the required relation to market conduct did not exist.
If this approach were to become established in case law, this would mean that the courts first have to examine based on each obligation anchored in the GDPR whether the specific data protection infringement concerned is eligible for a warning notice or not. It would therefore be difficult in the foreseeable future for the national courts to bring about legal certainty with regard to the warning risk.
Clarification by the ECJ?
The ECJ could soon contribute to a more fundamental clarification. The Düsseldorf Higher Regional Court appealed to the Court of Justice in January 2017 in the “Fashion ID” case. It asked whether the EU Data Protection Directive, in force at the time, precluded the application of German competition law (Düsseldorf Higher Regional Court, referral order of 19 January 2017 – I-20 U 40/16). The preliminary ruling procedure therefore does not concern the new legal situation under the GDPR. However, it seems conceivable that in their still outstanding ruling the Luxembourg judges will also give an indication as to the current discussion.
Remedy by the German legislator
In addition, the federal government also wants to “prevent the abuse” of warning notices, as is stated in the 2018 Coalition Agreement. In September, a draft bill of the Federal Ministry of Justice and Consumer Protection was released, which, among other things, provides for stricter requirements regarding the right to assert claims. It also reduces financial incentives for warning notices. However, the proposed legislative amendments do not refer directly to the GDPR.
At the same time, the Bundesrat is discussing a bill proposed by the State of Bavaria. This proposal aims in particular to exclude claims based on the infringement of the GDPR from the scope of application of the German Act Against Unfair Competition Act.
Position of the Commission
A statement issued by the European Commission also attracted attention recently. In response to a parliamentary question, Justice Commissioner Věra Jourová commented on the right of third parties to take legal action with respect to the legal remedies under the GDPR. Ms Jourová stated that outside the scope of Article 80 GDPR third parties were not entitled to independently enforce the rights of the person concerned. It remains open, however, whether the Commission is therefore of the opinion that warning notices under the German Act Against Unfair Competition Act are precluded by the GDPR provisions.
Any questions? Please contact: Pascal Schumacher
Practice Groups: Data Privacy; Telecommunications; Regulatory & Governmental Affairs; Litigation, Arbitration & ADR