ECJ strengthens enforcement in data protection law
The European Court of Justice (ECJ) has answered two controversial questions with its decision of October 4, 2024 in case C-21/23:
- Competitors can take action against each other under competition law for data protection violations.
- Order data relating to non-prescription medicines is sensitive.
The background to the proceedings is an action brought by a pharmacist against competitors over the sale of pharmacy-only medicines that are not subject to prescription. In his opinion, their distribution via Amazon violates, in particular, data protection regulations.
In the appeal proceedings, the German Federal Court of Justice referred the questions now answered to the ECJ for a preliminary ruling. In detail:
Standing to sue (active legitimacy) for data protection violations
The ECJ is very clear when it comes to the prosecution of data protection violations under competition law:
On the one hand, allowing competitors (also) to do so undeniably contributes to compliance with the applicable data protection regulations and thus to strengthening the rights of data subjects and guaranteeing them a high level of protection. On the other hand, this is particularly effective in ensuring this protection, as it could prevent numerous violations of the rights of data subjects affected by the processing of their personal data.
Sensitive order data
The ECJ also clarifies that order data relating to pharmacy-only medicinal products (names, delivery address, ordered medicinal products) are health data within the meaning of the GDPR, even if they are not prescription-only medicinal products. This is because the data can be used to infer the health status of an identified or identifiable natural person, as a link is established between this person and a medicinal product with its respective indication, regardless of whether this information relates to the customer or, if applicable, another person for whom the customer is placing the order. There is no need for “absolute certainty” regarding the link between the customer and the medicinal product; a “certain probability” of its existence is sufficient according to the ECJ.
Against this background, the data transfer from Amazon to the pharmacy supplying the order that was the subject of the initial dispute was unlawful, as it took place without the customer's consent.
Remarks
The ECJ's decision should not lead to false conclusions:
- There is no reason to fear that the now established active legitimacy of competitors will lead to abuse. On the one hand, the German legislator has already ruled out the possibility that, in the event of such infringements, the competitor who has been warned may be liable for reimbursement of expenses, provided that he generally has fewer than 250 employees. On the other hand, no contractual penalty can be demanded for the first warning in cases where fewer than 100 employees are regularly employed in accordance with Section 13a(2) of the Unfair Competition Act. Both aspects slow down national law enforcement.
- Not every processing of sensitive data requires a declaration of consent from the data subject. Article 9 GDPR contains a number of permissions that legitimize such processing without consent. In particular, pharmacies in direct contact with patients still do not require a declaration of consent from the customer when dispensing pharmacy-only medicines, regardless of whether they require a prescription or not. The ECJ ruling only concerns the transfer of data from the platform to the pharmacy. The subsequent data processing by the pharmacy is unproblematic and permissible.
21st October 2024