In a ruling delivered on October 4, 2024, the Court of Justice of the European Union (CJEU) clarified critical aspects of the General Data Protection Regulation (GDPR) concerning health data and the role of competitors in enforcing data protection rules. The ruling was sought by the German Federal Court of Justice (Bundesgerichtshof) in a case involving two competing pharmacists and raises important implications for businesses, particularly in the health and pharmaceutical sectors.
The Case Background
The case stemmed from a dispute between two online pharmacies over the handling of customer data. The defendant’s business involved selling over-the-counter (OTC) medicinal products online, requiring customers to provide personal information during the ordering process, such as their name, delivery address, and details about the purchased product. The claimant, a competing pharmacy, challenged this practice, invoking German legislation on unfair commercial practices. It argued that without prior consent from customers, the collection and processing of health-related data violated GDPR rules.
The lower courts ruled in favor of the claimant, stating that the defendant’s actions constituted the unlawful processing of health data under the GDPR, which could not proceed without explicit customer consent. As a result, they found the practice to be in breach of both the GDPR and the German Unfair Competition Act. Seeking clarity, the German Federal Court of Justice referred the case to the CJEU, asking whether the GDPR allows competitors to take legal action against alleged violations and whether the information gathered during the ordering process qualifies as health data under the GDPR.
CJEU Findings on Competitor Lawsuits
One of the pivotal questions raised was whether national laws could allow competitors to initiate legal proceedings against companies allegedly violating the GDPR. The CJEU’s judgment made it clear that the GDPR does not prevent competitors from suing over data protection breaches, provided national legislation supports such actions. This means that competitors can file lawsuits in civil courts, in addition to the remedies available to data subjects and enforcement powers held by data protection authorities.
Read more: FTC’s Latest Report Lays Groundwork for Stricter Data Regulations
The ruling underscores that the GDPR is not intended to fully harmonize the legal framework across the EU to the extent of excluding competitors from pursuing claims based on unfair commercial practices. In fact, the CJEU emphasized that such lawsuits serve the dual purpose of promoting fair competition and ensuring compliance with data protection rules, thereby enhancing the protection of individuals’ rights. As per White&Case, the court’s decision reinforces the idea that competitors, much like consumer protection associations, can play a role in preventing GDPR violations.
Health Data Classification Under GDPR
Another crucial aspect of the ruling concerned the classification of health data. The CJEU ruled that the information provided by customers when ordering OTC medicinal products online falls under the definition of health data according to the GDPR. This interpretation holds even when the products in question do not require a prescription. The CJEU explained that the mere connection between a customer and a medicinal product can reveal insights into the health status of an individual, thereby classifying it as sensitive data.
According to White&Case, this expansive interpretation of health data means that businesses engaged in online sales of OTC medicines need to be particularly cautious. Even when customers order products for others or for general health purposes, the data provided may still be subject to stringent GDPR rules.
Implications for Businesses
The CJEU’s judgment is expected to have wide-reaching effects on companies, particularly those operating in sectors where health data is processed. Online pharmacies and similar businesses handling OTC products will need to reassess their data collection and processing practices in light of this ruling. Per White&Case, the broad interpretation of health data set by the CJEU will likely necessitate stricter compliance measures, including obtaining explicit consent from customers before processing such information.
Moreover, the German Federal Court of Justice had assumed that violations of GDPR provisions concerning health data could be seen as violations of market conduct rules under the German Unfair Competition Act. This opens the door for more competitors to take legal action over data protection breaches, further raising the stakes for businesses operating in this space.
Source: White&Case
Featured News
Spanish Minister Defends Record as Flood Crisis Casts Shadow on EU Role
Nov 22, 2024 by
CPI
UK Antitrust Regulator Signals Flexibility in Merger Reviews to Boost Economic Growth
Nov 21, 2024 by
CPI
US Supreme Court Declines to Hear Appeal in Google Antitrust Records Dispute
Nov 21, 2024 by
CPI
Matt Gaetz Withdraws from Consideration for US Attorney General Amid Controversy
Nov 21, 2024 by
CPI
Morocco Fines US Pharma Firm Viatris Over Merger Notification Breach
Nov 21, 2024 by
CPI
Antitrust Mix by CPI
Antitrust Chronicle® – Remedies Revisited
Oct 30, 2024 by
CPI
Fixing the Fix: Updating Policy on Merger Remedies
Oct 30, 2024 by
CPI
Methodology Matters: The 2017 FTC Remedies Study
Oct 30, 2024 by
CPI
U.S. v. AT&T: Five Lessons for Vertical Merger Enforcement
Oct 30, 2024 by
CPI
The Search for Antitrust Remedies in Tech Leads Beyond Antitrust
Oct 30, 2024 by
CPI