In a ruling delivered on October 4, 2024, the Court of Justice of the European Union (CJEU) clarified critical aspects of the General Data Protection Regulation (GDPR) concerning health data and the role of competitors in enforcing data protection rules. The ruling was sought by the German Federal Court of Justice (Bundesgerichtshof) in a case involving two competing pharmacists and raises important implications for businesses, particularly in the health and pharmaceutical sectors.
The Case Background
The case stemmed from a dispute between two online pharmacies over the handling of customer data. The defendant’s business involved selling over-the-counter (OTC) medicinal products online, requiring customers to provide personal information during the ordering process, such as their name, delivery address, and details about the purchased product. The claimant, a competing pharmacy, challenged this practice, invoking German legislation on unfair commercial practices. It argued that without prior consent from customers, the collection and processing of health-related data violated GDPR rules.
The lower courts ruled in favor of the claimant, stating that the defendant’s actions constituted the unlawful processing of health data under the GDPR, which could not proceed without explicit customer consent. As a result, they found the practice to be in breach of both the GDPR and the German Unfair Competition Act. Seeking clarity, the German Federal Court of Justice referred the case to the CJEU, asking whether the GDPR allows competitors to take legal action against alleged violations and whether the information gathered during the ordering process qualifies as health data under the GDPR.
CJEU Findings on Competitor Lawsuits
One of the pivotal questions raised was whether national laws could allow competitors to initiate legal proceedings against companies allegedly violating the GDPR. The CJEU’s judgment made it clear that the GDPR does not prevent competitors from suing over data protection breaches, provided national legislation supports such actions. This means that competitors can file lawsuits in civil courts, in addition to the remedies available to data subjects and enforcement powers held by data protection authorities.
The ruling underscores that the GDPR is not intended to fully harmonize the legal framework across the EU to the extent of excluding competitors from pursuing claims based on unfair commercial practices. In fact, the CJEU emphasized that such lawsuits serve the dual purpose of promoting fair competition and ensuring compliance with data protection rules, thereby enhancing the protection of individuals’ rights. As per White&Case, the court’s decision reinforces the idea that competitors, much like consumer protection associations, can play a role in preventing GDPR violations.
Health Data Classification Under GDPR
Another crucial aspect of the ruling concerned the classification of health data. The CJEU ruled that the information provided by customers when ordering OTC medicinal products online falls under the definition of health data according to the GDPR. This interpretation holds even when the products in question do not require a prescription. The CJEU explained that the mere connection between a customer and a medicinal product can reveal insights into the health status of an individual, thereby classifying it as sensitive data.
According to White&Case, this expansive interpretation of health data means that businesses engaged in online sales of OTC medicines need to be particularly cautious. Even when customers order products for others or for general health purposes, the data provided may still be subject to stringent GDPR rules.
Implications for Businesses
The CJEU’s judgment is expected to have wide-reaching effects on companies, particularly those operating in sectors where health data is processed. Online pharmacies and similar businesses handling OTC products will need to reassess their data collection and processing practices in light of this ruling. Per White&Case, the broad interpretation of health data set by the CJEU will likely necessitate stricter compliance measures, including obtaining explicit consent from customers before processing such information.
Moreover, the German Federal Court of Justice had assumed that violations of GDPR provisions concerning health data could be seen as violations of market conduct rules under the German Unfair Competition Act. This opens the door for more competitors to take legal action over data protection breaches, further raising the stakes for businesses operating in this space.
Source: White&Case