The Court docket of Justice on GDPR enforcement (Case C-21/23, Lindenapotheke) – Tech Cyber Web

 

 

 

Alessandra Fratini and Giorgia
Lo Tauro, Fratini Vergano European attorneys

Picture credit score: by way of Wikimedia Commons

Introduction

On 4 October 2024, the Grand
Chamber of the Court docket of Justice of the European Union issued its judgment
in Lindenapotheke (Case C-21/23),
a case regarding the on-line sale of pharmacy-only medicinal merchandise and its
implications as regards GDPR
compliance. In its request for a preliminary ruling, the German Federal Court docket
of Justice (Bundesgerichtshof) raised two questions on the
interpretation of the GDPR. Whereas acknowledging the significance of the second query
on the which means of ‘knowledge regarding well being’, this put up focuses on the primary one,
regarding the compatibility of the system of treatments established in Chapter VIII
GDPR with different treatments below nationwide regulation. The paragraphs beneath, after a
brief overview of the details of the case and the preliminary questions, assessment the
essential findings of the Advocate Common and of the Court docket of Justice on the primary
query and conclude by inserting the judgment throughout the rising development of addressing
the challenges of digital markets by means of a broader enforcement of EU digital
regulation.

 

Details of the case and
questions referred

The principle proceedings concerned two
rivals working pharmacies in Germany, ND and DR. ND, which operates a
pharmacy below the commerce title ‘Lindenapotheke’, has been promoting pharmacy-only
medicinal merchandise by way of the ‘Amazon-Market’ on-line platform since 2017.

DR introduced an motion earlier than the German
Regional Court docket in search of an order for ND to stop promoting pharmacy-only medicinal
merchandise by way of the net market on the idea that such advertising
constituted an unfair business observe in as far as it was pursued in breach
of Article 9 GDPR, which requires that the info topic’s prior specific
consent be obtained for the processing of information regarding well being. In keeping with
the German regulation towards unfair competitors, in truth, “anybody who infringes a
statutory provision meant, inter alia, to control market conduct within the
curiosity of market gamers acts unfairly the place that infringement is able to
having an considerable adversarial impact on customers, different market gamers or
rivals”; such an infringement constitutes a prohibited unfair
business observe enabling any competitor to assert an injunctive reduction
(paras. 21-23 of the judgment). The Regional Court docket upheld the motion and the next
enchantment introduced by ND was dismissed by the Larger Regional Court docket, which held
that such an internet advertising was opposite to the nationwide regulation towards unfair
competitors. ND lodged an enchantment on a degree of regulation earlier than the German Federal
Court docket of Justice, which raised a request for a preliminary ruling on the
interpretation of Chapter VIII and Article 9(1) GDPR, but additionally Article 8(1) of
Directive 95/46 (the earlier knowledge safety Directive) earlier than the Court docket of
Justice.

Query 1

With its first query, the
referring court docket requested the Court docket of Justice whether or not a competitor, who will not be a
knowledge topic throughout the which means of Article 4(1) GDPR, has standing to carry an
motion earlier than the civil courts towards the alleged infringer of the GDPR, on
the idea that the alleged infringement falls throughout the prohibition of unfair
business practices. The referring court docket famous that the provisions of Chapter
VIII GDPR don’t point out, nor do they explicitly exclude, the chance for
rivals to carry an motion towards an enterprise, the place the infringement
of information safety regulation constitutes an unfair business observe (para. 35). The
referring court docket underlined the uncertainty of the scenario and highlighted
each the dangers of recognising such a risk for rivals, when it comes to
potential encroaching on the powers of the supervisory authorities and ensuing divergences,
and its potential advantages when it comes to ‘effet utile’ to make sure the very best
stage of information safety (paras. 36-39).

Query 2

With its second query, the
referring court docket requested the Court docket of Justice to make clear whether or not the info which
prospects should enter on the net gross sales platform when ordering medicinal merchandise
(akin to title, supply tackle and data required for individualising
the medicinal merchandise ordered) represent ‘knowledge regarding well being’ throughout the
which means of Article 8(1) of Directive 95/46 and Article 9(1) GDPR. In
specific, the doubts of the referring court docket involved non-prescription medicinal
merchandise, since these could also be meant not essentially for the purchasers however for
third events, who will not be identifiable (para. 41).

Within the opinion of the referring
court docket, the questions of a competitor’s standing to carry proceedings (para. 39)
and of the notion of ‘particular classes of non-public knowledge’ (para. 43) had not
been clarified by the case-law of the Court docket of Justice and warranted its
request for a preliminary ruling.

 

The Opinion

In his Opinion,
Advocate Common Szpunar first modified the order of the proposed questions, as
he thought of that if the reply to the second had been to be damaging, there
can be no must reply the primary one (para. 31 of the Opinion). Addressing the
second query on the outset, the AG urged to reply that “the info of
the purchasers of a pharmacist that are transmitted when an order is positioned on
an internet gross sales platform for pharmacy-only however non-prescription medicines do
not represent ‘knowledge regarding well being’ throughout the which means of Article 4(15) and
Article 9 of the GDPR, in as far as solely hypothetical or imprecise conclusions
as to the well being standing of the individual inserting the net order could also be drawn,
which it’s for the referring court docket to confirm” (para. 54).

Within the mild of that proposed damaging
reply, the primary query was handled within the Opinion just for the sake of
completeness. Having acknowledged that the GDPR confers no rights on
undertakings and their rivals, as that regulation grants rights solely to
knowledge topics (paras. 79-81), the AG assessed whether or not the GDPR system of
treatments needs to be seen as an exhaustive system, within the sense that it precludes
undertakings from counting on a GDPR infringement within the context of different
treatments supplied for by nationwide regulation (paras. 82-89).

First, he famous that the motion at
challenge in the principle proceedings was not primarily based on a GDPR infringement, however took
such an infringement under consideration in an incidental method. The Court docket already accepted,
in its judgment
in Meta Platforms and others (2023), that knowledge could also be taken under consideration
in an incidental method and that an infringement of the GDPR might represent an
infringement of competitors regulation (paras. 90-91), and the AG thought of that was relevant
to the current case (para. 91). Second, as regards the interplay between
nationwide actions wherein the GDPR will be invoked by the way and the GDPR system
of treatments, the AG noticed that the previous ought to be accepted solely on
situation that they don’t undermine the GDPR system of treatments or the
attainment of its goals (para. 95). Within the current case, since an motion
introduced by an enterprise towards a competitor will not be meant to make sure
respect for the info topics’ rights however pursues one other goal, the
actions made accessible to knowledge topics by the GDPR system of treatments are
preserved and should still be exercised in these circumstances (paras. 100-101).
Moreover, within the AG’s view, the goals pursued by the GDPR, such because the
excessive stage of safety of pure individuals and the constant and homogenous
utility of the info safety guidelines (recital 10), will not be threatened (however,
as for the excessive stage of safety, really strengthened) by the chance
afforded to an enterprise to carry an motion for an injunction towards a
competitor primarily based on the prohibition of acts of unfair competitors, in reliance on
a GDPR infringement by that competitor (paras. 103-104). Lastly, the AG famous
that, removed from being undermined, the effectiveness of the GDPR can be
strengthened by the truth that compliance with its provisions might also be enforced
in judicial proceedings distinct from these inside its system of treatments. Accordingly,
he concluded that such nationwide treatments might exist alongside the system
established by the GDPR (paras. 105-108).

 

The Judgment

The Court docket of Justice thought of the
questions within the order they had been raised by the referring court docket and departed
from the Opinion with regard to the reply to the second query.

To deal with the primary query,
the Court docket interpreted the related provisions of Chapter VIII GDPR by relying
on their wording, the context and the goals pursued by the GDPR (para. 52
of the judgment). As to the wording, the Court docket famous that not solely the
provisions of Chapter VIII don’t expressly rule out the chance for added
nationwide treatments, however the rights supplied for by Article 77(1), Article 78(1)
and Article 79(1) are ‘with out prejudice’ to another administrative, judicial
or non-judicial treatment (para. 53). With regards to the context, whereas it agreed
with the AG that solely knowledge topics are beneficiaries of the GDPR safety, the
Court docket famous as well as that the infringement of its substantive provisions is
additionally liable to adversely have an effect on third events (on this sense, it referred to
the correct to compensation supplied for by Article 82(1); para. 55). The Court docket recalled
that it had already held that the infringement of information safety guidelines might at
the identical time give rise to an infringement of guidelines on client safety or
unfair business practices (judgment
in Meta Platforms Eire, 2022, para. 78) and could also be “an important clue”
within the evaluation of an abuse of a dominant place (judgment in Meta Platforms
and others, 2023, para. 47) (para. 55). It additionally famous the significance of
entry to non-public knowledge and the power to course of such knowledge, which “have
change into a major parameter of competitors between undertakings within the
digital financial system”, in order that it could be crucial to contemplate guidelines on knowledge
safety when imposing competitors regulation and the principles on unfair business
practices (para. 56).

Curiously, whereas the above
would have been ample to interpret Chapter VIII within the mild of the
context, the Court docket went additional to contemplate the margin of discretion loved by
Member States within the implementation of the GDPR. On this respect, despite the fact that
the GDPR “seeks to make sure the harmonisation of nationwide laws on the
safety of non-public knowledge which is, in precept, full, the very fact stays that
a number of provisions of that regulation expressly make it potential for Member
States to put down extra, stricter or derogating nationwide guidelines, which
depart them a margin of discretion as to the style wherein these provisions
could also be applied (‘opening clauses’)”(para. 57). After referring to its judgment
in Meta Platforms Eire (2022, para. 57), which involved a provision
of the GDPR (Article 80) expressly containing a gap clause, the Court docket added:
“It’s true that the provisions of Chapter VIII of the GDPR don’t
particularly present for such a gap clause which might expressly enable
Member States to make it potential for a competitor of an enterprise which
allegedly infringes the substantive provisions of that regulation to carry an
motion with the intention to put an finish to that infringement. Nonetheless, it follows from
the wording and context of the provisions of Chapter VIII (…) that, by adopting
that regulation, the EU legislature didn’t intend to result in an
exhaustive harmonisation of the treatments accessible in respect of infringements
of the provisions of the GDPR and, particularly, didn’t want to rule
out the supply of such treatments to rivals of the individual allegedly
liable for an infringement of the legal guidelines defending private knowledge, on the
foundation of nationwide regulation referring to the prohibition of unfair business
practices” (paras. 59-60, emphasis added).

Within the Court docket’s view, that
interpretation was corroborated by the GDPR goals (i.e., making certain a
constant and excessive stage of safety of pure individuals with regard to the processing
of non-public knowledge and eradicating obstacles to the movement of such knowledge throughout the EU;
strengthening of the rights of information topics and of the obligations of these
who course of and decide the processing of information, in addition to equal powers
for monitoring and making certain compliance with the principles for the safety of
private knowledge and equal sanctions for infringements within the Member States;
offering pure individuals in all Member States with the identical stage of legally
enforceable rights and obligations and duties for knowledge controllers
and processors, and making certain constant monitoring of the processing of
private knowledge, and equal sanctions in all Member States) (para. 61). It
discovered subsequently that the potential for nationwide treatments like these at stake does
not undermine these goals however really enhances the effectiveness of the
GDPR provisions (para. 62). These nationwide treatments are along with these of
Chapter VIII and pursue an goal (honest competitors) which is totally different from
these pursued by the GDPR. On this context, because the German authorities noticed,
the uniform interpretation of the GDPR stays ensured by the preliminary
ruling process below Article 267 TFEU (paras. 65-67). Moreover, the Court docket held
that nationwide treatments geared toward making certain honest competitors undoubtedly
contribute to compliance with the GDPR and, subsequently, to strengthening the
rights of information topics: an utility for injunctive reduction filed by a
competitor might also show notably efficient in as far as it could forestall a
giant variety of infringements of information topics’ rights (paras. 69-70).

Within the mild of the above, the
Court docket concluded that Chapter VIII doesn’t preclude nationwide laws
offering for such treatments to the good thing about rivals, whereas leaving to the
referring court docket the evaluation of whether or not the alleged infringement of the GDPR,
in as far as it’s established, additionally constitutes a breach of the prohibition of
unfair business practices below the related nationwide regulation (paras. 71-72).

As to the second query, suffice
it to say that the Court docket, not like the AG, discovered that the knowledge which
prospects enter when ordering on-line pharmacy-only medicinal merchandise, the sale
of which doesn’t require a prescription, does represent ‘knowledge regarding
well being’ even the place it’s “solely with a sure diploma of likelihood, and never
with absolute certainty, that these medicinal merchandise are meant for these
prospects” (para. 90). This, nonetheless, doesn’t preclude it from being
processed, in particular contexts, if the circumstances for exemptions are met
(para. 92), i.e. doesn’t imply robotically that the processing is in breach
of the GDPR.

 

Concluding remarks

The judgment in Lindenapotheke,
so far as the primary query is anxious, offers an interpretation of the
GDPR system of treatments geared toward enhancing the effectiveness of information safety.
The outstanding level of the reasoning is the emphasis positioned on the margin of discretion
recognised to Member States in implementing the GDPR, with a view to enhancing the
safety afforded by it. Whereas in Meta Platforms Eire (2022) the
Court docket might depend on the wording of the availability involved (para. 59: “(…) Article
80(2) of the GDPR, which leaves the Member States a discretion with regard to
its implementation. (…) Member States should make use of the choice made
accessible to them by that provision to supply of their nationwide regulation for that
mode of illustration of information topics”), in Lindenapotheke it admitted
that Chapter VIII doesn’t expressly present for any opening clause permitting
Member States to make accessible additional treatments for actors apart from knowledge
topics invoking a GDPR infringement. Nonetheless, by counting on the wording and
context of Chapter VIII, in addition to on the legislator’s intention and the GDPR
goals, it got here to the conclusion that Member States could make accessible
such treatments to rivals of the individual allegedly liable for an
infringement of the legal guidelines defending private knowledge, since such a risk will not be
being dominated out by the GDPR system of treatments and its goals (paras.
60-61). The Court docket’s interpretation really appears to encourage Member States to
make extra treatments accessible below nationwide legal guidelines, insofar as they improve
the effectiveness of information safety (paras. 62 and 69).

From
this attitude, the Court docket’s conclusion is considerably related when positioned
within the context of the continued debate on the GDPR (below) enforcement (Gentile-Lynskey,
2022), the shortcomings of its composite enforcement system (Hofmann-Mustert,
2024) and the Fee’s Proposal
for a Regulation laying down extra procedural guidelines referring to the
enforcement of the GDPR (2023). With regards to the dealing with of complaints and
the function of complainants, it has been noticed that these differ considerably
amongst Member States, which in flip leads to a limitation of particular person
procedural rights (Hofmann-Mustert,
2024). In opposition to this background, some rightly worry, by evaluating this judgment
with earlier case regulation, that its “implications have the potential to be extra
disruptive” as regards the constant enforcement of the GDPR and introduce
“better potential dangers of interference between administrative and judicial
enforcement” (van den Poel,
2024).

Nonetheless, the implications of the judgment
are much less daunting when contemplating the GDPR enforcement within the broader context
of digital laws. The Fee
Second Report on the applying of the GDPR, revealed on 25 July 2024,
makes it clear that “the event of digital laws raises the necessity
for shut cooperation throughout regulatory fields. Such cooperation is all of the
extra crucial since knowledge safety points more and more intersect with
questions of, for instance, competitors regulation, client regulation, digital markets
guidelines, digital communications regulation and cybersecurity. (…) knowledge
safety authorities are taking steps to make sure their actions are
complementary and coherent with different regulatory fields”. In its assertion
of three December 2024 on the Fee Second Report, the EDPB additionally recognised
that it “would assist a holistic methodological strategy for the subsequent
analysis of the GDPR that explores the interaction between the GDPR and different
EU digital laws”.

The judgment suits into this
context of rising institutional consciousness of the necessity for a holistic and
coordinated strategy for the efficient safety of non-public knowledge, in line
with the “extra ‘collaborative strategy’” proposed by students for the enforcement
of information safety, competitors regulation and unfair competitors regulation (Vandendriessche,
2024). The Court docket insists on the seemingly enhanced efficient enforcement of the
GDPR by way of nationwide treatments aiming at different goals (Holtz,
2024), by proposing an interpretation the place the GDPR as such calls upon the
Member States for its efficient enforcement (once more, paras. 60-61). By stating
that “such an utility for injunctive reduction introduced by a competitor might
show, like that introduced by a client safety affiliation, to be
notably efficient in making certain such safety, in as far as it’s succesful
of stopping a lot of infringements of the rights of information topics by
the processing of their private knowledge” (para. 70), the Court docket recognises the
preventive impact of a possible “non-public enforcement” (Opinion, para.
93) by means of treatments allowed below nationwide legal guidelines, which has been learn as an ‘incentive’
for market gamers to contribute to GDPR compliance (Vandendriessche,
2024). On this sense, the judgment embraces an rising strategy within the EU
regulation of the digital atmosphere, which is geared toward involving within the
enforcement a number of actors of society as a complete. This strategy is obvious
with regards to making
the net world safer and fairer, particularly with the DSA:
for instance, so far as institutional actors are involved, within the cooperation required
between the Fee and the Digital Providers Coordinators with regard to
systemic threat mitigation measures (Peukert, 2024); even
extra, so far as non-institutional actors are involved, within the mechanisms
required to permit any person – particular person or entity – to inform unlawful content material
on-line, or within the required cooperation with “trusted flaggers” (Articles 16,
22, 35 DSA) (on this sense, see additionally Fee’s dialogue
with Civil Society Organisations for implementing the DSA).

It
stays to be seen whether or not such an strategy succeeds in changing into consolidated
by means of better coordination of EU establishments and nationwide authorities and
better consciousness of society at giant, alongside the required changes for the
efficient implementation of the treatments the GDPR grants to knowledge topics.