The relation between competition and data protection laws is becoming increasingly crucial as digitalization progresses. Both national and European competition authorities, regulators and courts have addressed various issues at the intersection of competition and data protection laws. In particular, the enforcement of the General Data Protection Regulation (GDPR) through competition law remedies entails considerable litigation risks for data-driven companies. This is hardly surprising, as the processing of personal data is regularly at the heart of digital business models and thus creates the basis for digital companies' profitability.
GDPR Violations in Antitrust Law
One important area of competition law, antitrust law, has recently experienced significant developments due to recent decisions and legislation. A key milestone in this area occurred when the Court of Justice of the European Union (CJEU) upheld a landmark decision by the German Federal Cartel Office (FCO) (decision of 6 February 2019, B6-22/16). This decision found that a major technology company had abused its market dominance by allegedly infringing the GDPR. In its decision of 4 July 2023 (C-252/21), the CJEU confirmed that, depending on the case's specifics, a GDPR violation could indeed form part of a dominance abuse assessment (see our blog post from last year for more details).
Another important intersection of data protection law and antitrust law is Article 5 para. 2 of the EU Digital Markets Act (DMA). This article sets out specific obligations concerning the handling of personal data applicable to so-called gatekeepers once nominated by the EU Commission as such. Similar rules are contained in Section 19a para. 2 of the German Act against Restraints of Competition (GWB) enabling swift competition law enforcement into large digital platforms.
However, within another part of competition law, the law of unfair competition, there are still open questions regarding its overlap with data protection law, which the CJEU is expected to close soon.
Competitors' Rights Under German Unfair Competition Law
One contentious issue in Germany is whether companies can sue their competitors for violating the GDPR. Section 3a of the German Act against Unfair Competition (UWG) allows non-competition law provisions that affect company conduct to be enforced through unfair competition law actions against competitors or associations. Whether this also applies to breaches of the GDPR, with the result that a company's data protection breach can be warned and prosecuted by a competitor under the UWG, has been controversial in case law and literature since the GDPR came into force.
Legal Implications of GDPR and UWG
The GDPR aims to safeguard personal data. Under the GDPR, the data subject refers to the person whose data is being processed. In contrast, the UWG seeks to protect consumer-facing competition, including competitors, consumers, and other market participants, from unfair business practices. Purely private acts, such as occasional sales by private individuals on a platform, are not covered under the UWG. Additionally, the UWG grants a broader group of individuals the right to file claims compared to the GDPR. Besides qualified institutions, associations, and chambers, direct competitors also have the right to issue warnings to companies for violating unfair competition rules and can take legal action if necessary.
Pending CJEU Ruling
The question of whether the GDPR can be considered a market conduct rule under Section 3a UWG and whether its breach can give rise to a claim under the UWG has not yet been finally decided by the CJEU. The CJEU is expected to rule on this issue by the end of 2024 in the case C-21/23 dealing with the interpretation of data concerning health of an individual, following a referral from German Federal Court of Justice (BGH). The court will decide whether Chapter VIII of the GDPR, which regulates the remedies, liability, and penalties for data protection violations, precludes national laws that grant competitors the right to invoke the UWG on the grounds of GDPR breaches. Advocate General Szpunar delivered his opinion on this case in April 2024. He suggested that competitor lawsuits are not foreseen by the GDPR but are also not incompatible with it, as they could indirectly contribute to the harmonization and effectiveness of data protection law in the EU.
Transfer of GDPR considerations from Antitrust Law to UWG?
According to the CJEU’s decision in the antitrust case C-252/21, as mentioned in the introduction, the processing of personal data has become a significant factor in competition among businesses in a data-driven economy. The court stated:
“Therefore, excluding the rules on the protection of personal data from the legal framework to be taken into consideration by the competition authorities when examining an abuse of a dominant position would disregard the reality of this economic development and would be liable to undermine the effectiveness of competition law within the European Union.”
However, it's important to note that case law related to competition law enforcement in dominance cases may not necessarily apply to unfair competition law. Although both fall under the umbrella of competition law, the abuse of dominance is a part of antitrust law, while UWG pertains to unfair competition law. Despite both addressing market practices, they focus on different aspects of competition. Antitrust law aims to protect the freedom of competition, whereas unfair competition law is designed to address unfair business practices within the competitive landscape. Applying the CJEU's statement from antitrust law to unfair competition law would impact not only companies with a dominant market position but potentially all companies that process personal data. Additionally, granting competitors the right to sue under the UWG for data protection violations exposes companies to the risk of abusive legal action.
National Initiative
Meanwhile, there are also domestic efforts in Germany to resolve this legal uncertainty. In May 2024, the German Federal Council (Bundesrat) proposed a draft law to exclude GDPR violations from the scope of the UWG (PDF). However, the German government expressed its opposition to the proposal in a statement, saying that it does not see a need for such a change and that it would wait for the CJEU's judgment before proceeding with the legislative initiative.
Implications for Companies
Until the CJEU clarifies the relationship between the GDPR and the UWG, companies operating in Germany must navigate this legal uncertainty. They need to comply with the strict standards of the GDPR even more carefully because, as things stand, potential violations could be pursued not only by the authorities but also by their competitors. The repercussions of non-compliance with the GDPR are already serious, making it even more important for companies to be cautious and diligent in their data protection practices.
In summary, the interplay between GDPR and UWG in Germany remains an uncertain issue with relevant implications for businesses that are processing personal data. The forthcoming CJEU ruling will be crucial in determining whether competitors can continue to use the UWG to address GDPR violations, potentially reshaping the landscape of data protection enforcement in Germany.
/Passle/5db069e28cb62309f866c3ee/MediaLibrary/Images/5dcaad168cb6230d740f6dc1/2023-06-26-15-46-15-758-6499b2c7436bdee0ca01af9f.jpg)
/Passle/5db069e28cb62309f866c3ee/MediaLibrary/Images/2024-09-02-10-40-18-068-66d59612d26554bcbcfbc76a.jpg)
/Passle/5db069e28cb62309f866c3ee/SearchServiceImages/2024-09-12-14-52-29-093-66e3002d606007ce058bcf52.jpg)
/Passle/5db069e28cb62309f866c3ee/MediaLibrary/Images/65528f068d4bf94e028ce044/2023-11-27-13-16-39-068-656496b73b5a325baa156380.jpg)
/Passle/5db069e28cb62309f866c3ee/MediaLibrary/Images/2024-08-01-16-42-04-177-66abbadccb2110fd5cb790ba.jpg)