On 12 January 2023 the German Federal Supreme Court has issued decisions to refer two questions to the CJEU (decisions of 12 January 2023, I ZR 222/19 and I ZR 223/19) concerning the interpretation of Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR) and Directive 95/46/EC Data Protection Directive, DSRL).
At issue here is the question, which has been disputed for some time, of whether companies are entitled under Section 8 (3) no. 1 UWG to act against violations of data protection law in civil court proceedings on the basis of competition law or whether Chapter VIII of the GDPR represents a conclusive system of sanctions in this regard which supersedes the national regulations. In addition, there was a need for clarification as to how broadly the term "health data" within the meaning of Article 9 (1) of the GDPR should be interpreted, especially since special requirements must be placed on the processing of health data.
In a similar case on the question of the legal standing of consumer protection associations, the German Federal Court of Justice again referred unresolved legal questions to the CJEU following the CJEU's decision (judgment of April 28, 2022, Case C-3-19/20 - Meta Platforms Ireland) (decision of November 10, 2022, I ZR 186/17).
Facts and course of proceedings
The parties are both pharmacists. The defendant also has a mail order license and also sells pharmacy-only medicines outside its pharmacy, namely via the Internet platform "Amazon Marketplace". The plaintiff took legal action against his competitor on the basis of this distribution channel and is seeking an injunction against the further distribution of the drugs via Amazon. The plaintiff argued that the sale of pharmacy-only drugs via Amazon was unfair under Section 3a of the German Act against Unfair Competition (UWG) due to violations of data protection laws. According to the plaintiff, the data protection infringement lies in the lack of consent of affected customers of the defendant for the processing of their order data, which is to be regarded as a special category of personal data.
The Regional Court of first instance upheld the action. The Court of Appeal dismissed the defendant's subsequent appeal. The defendant is now pursuing its motion to dismiss the action with the appeal allowed by the Court of Appeal.
On the first question referred
According to the old legal situation, the plaintiff was substantively entitled under the DSRL as a competitor within the meaning of Section 8 (3) no. 1 UWG to pursue his request for an injunction based on the aspect of a breach of law pursuant to Section 3a UWG in conjunction with Section 4 (1), Section 4a (1) and (3), Section 28 (7) sentence 1 of the obsolet version of the German Federal Data Protection Act (BDSG 2009), by way of action before the civil courts. It was undisputed that, under the old legal situation, the plaintiff had the authority to assert a possible violation of the requirements for the processing of health data in court. It is now disputed whether the originally existing power to bring an action before the civil courts has ceased to exist with the entry into force of the GDPR, especially since Chapter VIII of the GDPR contains its own system of sanctions for asserting data protection violations.
One opinion therefore assumes that the provisions contained in the GDPR for enforcing the data protection provisions of the regulation are conclusive. Accordingly, a right of action under competition law on the part of competitors is to be denied. Arguments for this view can be found, for example, in the wording of Chapter VIII of the GDPR, in which competitors are not mentioned at any point. Another view, on the other hand, is that competitors should also be granted a right of action under competition law to enforce the data protection provisions of the GDPR, with the German legislator also being among the proponents of this view, as can be seen from Section 13 (4) no. 2 UWG.
According to the BGH, however, this question cannot be answered unambiguously. For example, the interpretation of the provisions of the GDPR relating to the enforcement of rights does not clearly indicate whether the EU legislator has standardized not only the provisions on the protection of personal data with this regulation - in contrast to the DSRL - but also those on the enforcement of the rights existing thereunder. The previous case law of the ECJ also does not contribute to clarifying the questions raised, especially since the CJEU expressly left open the legal standing of a competitor in its decision "Meta Platforms Ireland" of April 28, 2022 (GRUR 2022, 920).
The BGH therefore referred the following question to the CJEU for a preliminary ruling:
„Do the rules in Chapter VIII of the General Data Protection Regulation preclude national rules which - in addition to the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the Regulation and the legal remedies available to data subjects - grant competitors the power to proceed against the infringer by way of an action before the civil courts for infringements of the General Data Protection Regulation from the point of view of the prohibition on engaging in unfair commercial practices?“
The second question referred
According to the former legal situation (§ 4 para. 1, § 4a para. 1 and 3, § 28 para. 7 sentence 1 BDSG 2009, with which Art. 8 para. 1, 2 lit. a and 3 DSRL were implemented into German law), the defendant was prohibited from collecting "health data ". There were exceptions to this principle (e.g., explicit consent pursuant to Art. 8(2)(a) DSRL, Sec. 4(1), Sec. 4a(1) and (3), first sentence, BDSG 2009). The previous regulations have been replaced as of May 25, 2018 by Art. 9 (1) and (2) (a) and (h) DSGVO, which now prohibits the processing of "health data" of natural persons. With Article 9 (2) of the GDPR, there are exceptions (e.g., explicit consent pursuant to Article 9 (2) (a) of the GDPR).
Against this background, however, it is questionable whether Art. 9 (1) GDPR applies at all, i.e. whether health data were processed at all in the present case. The special feature of the defendant's business model was that, in the case of the sale of non-prescription medicines, there is no medical prescription from which it is apparent to whom this medicine was prescribed and who is taking it. Therefore, it is not excluded that the buyer, whose order data (name of the customer, delivery address and the information necessary for the individualization of the ordered medicine) is processed by the defendant itself or on its behalf Amazon, is not the one who takes the ordered medicine, but that the buyer buys the medicine for third parties and passes it on to them.
Against this background, the BGH could not clearly answer whether information also constitutes health data if it cannot be assumed with certainty, but only with a certain degree of probability, that the person identifiable by the transmitted data will also take the ordered medication and thus that the order data in its entirety provides information about the health status of the person concerned.
The BGH therefore referred the following further question to the CJEU for a preliminary ruling:
„Are the data that customers of a pharmacist who acts as a seller on an internet sales platform enter on the sales platform when ordering medicines that are subject to a pharmacy requirement but not a prescription requirement (name of the customer, delivery address and information necessary for the individualization of the ordered medicine subject to a pharmacy requirement) health data within the meaning of Article 9(1) of the GDPR and data relating to health within the meaning of Article 8(1) of the GDPR?“
The Federal Court of Justice has suspended the proceedings pending the CJEU's decision on its reference for a preliminary ruling. It remains to be seen with interest how the CJEU will answer these fundamental questions. In view of the line taken by the CJEU to date (most recently judgment of August 1, 2022, Case C-184/20), it is to be expected that it will also attach particular importance to the increased protection of health data in the decision now pending.