The Lindenapotheke judgment by the European Court of Justice (ECJ) marks a significant development in the interplay between data protection and unfair competition law. In this data protection case, a pharmacy filed an injunction before a national court against a competitor, operating under the name Lindenapotheke, to stop the latter’s online sale of pharmacy-only medicines. The plaintiff argued that the defendant’s failure to request explicit consent from its customers constituted a violation of the General Data Protection Regulation (GDPR), as the data entered when ordering medicines online should be considered health data under the regulation. Under the German Law Against Unfair Competition, such a data protection law infringement constitutes an unfair commercial practice, allowing competitors to initiate proceedings in such cases.
At its core, the ECJ’s preliminary ruling affirms that data protection infringements, specifically under the GDPR, can serve as grounds for unfair competition claims under national law. This decision aligns with recent trends in both literature and EU decisional practice and case law, underscoring the increasing relevance of data protection in assessing competitive conduct in the digital economy.
Key findings of the judgment
First, the ECJ held that the GDPR does not preclude national rules that empower competitors to bring proceedings before national courts for GDPR infringements based on a prohibition of unfair competition (para 73). This enables competitors to challenge data protection law violations via national rules on unfair competition.
Second, the ECJ affirmed that the data customers enter when ordering pharmacy-only medicines online constitutes health data, subject to a special protection regime under Article 9 of the GDPR. As such, the ECJ expanded the scope of health data through a ‘probabilities test’, where data may still be considered health data even if it only indicates, with a certain probability rather than absolute certainty, that medicines are intended for the purchaser (para 90). This interpretation could have significant implications for business models that involve broadly health-related data.
The remainder of this contribution, however, will focus on how the judgment might strengthen GDPR compliance and address data-related anticompetitive conduct in the digital economy, using both competition and unfair competition law.
On the interplay between data protection and competition law
Since the ECJ’s position in Asnef/Equifax (2006), where it held that data protection law, as such, is not a matter for competition law, data protection has increasingly been deemed relevant in competition assessments.
A well-established theory of harm involves the degradation of privacy as a competitive parameter, as seen in Microsoft/LinkedIn (2016) and later incorporated in the Commission’s revised Market Definition Notice. More debate arises about other data protection-related theories of harm, such as ‘concealed data practices’, where information and behavioural market failures are exploited to limit data protection offered in a market, or ‘data ecosystem building’, where big tech companies use data-driven acquisitions to expand their personal data ecosystems.
Notable cases such as the Bundeskartellamt’s Facebook decision in 2019, where a data protection law infringement was considered an exploitative abuse under competition law, and similar reasonings in other competition investigations involving big tech undertakings such as Google, reflect a more active attitude towards incorporating data protection considerations into competition assessments (see for example: Alba Ribera Martínez).
Towards a more collaborative public enforcement approach?
These cases have led scholars to propose a more ‘collaborative approach’ to enforcing data protection, competition law, and unfair competition law, aligning with the judgment’s recognition that a data protection law infringement, or privacy-enhancing conduct, may provide an unfair advantage relevant under (unfair) competition law.
In Meta Platforms (2023), the ECJ held that a GDPR infringement may affect the assessment of an abuse of dominance under EU competition law, and might even be a vital clue for its existence. The judgment highlights two substantive principles on the interplay, i.e., the compatibility of data-based conduct with the GDPR and the existence of a dominant position, which may be key factors in determining competition on the merits. While debate remains on how to practically include such considerations and how to manage potential conflicts between the two fields of law (see for example: Alba Ribera Martínez), Lindenapotheke now extends this “Meta Model” to unfair commercial practices under national rules on unfair competition, thereby broadening its scope.
Furthermore, Lindenapotheke recalled Meta Platforms and underscored the importance of ‘competition for personal data’ and the role of data protection law in regulating access to such data, requiring consideration of data protection law infringements in procedures under different bodies of law such as competition law (para 56). Rather than merely considering such conduct, competition law might also benefit from the normative contribution that data protection law can provide, especially in assessing non-price competition on quality, choice and innovation of data-related conduct. Digital undertakings may distort competition in data protection, which is increasingly recognised as an important competitive parameter. Consequently, competition assessments should examine how personal data is acquired and how this translates into market power. Data protection law, therefore, can enable the competition authority to assess other non-price competitive parameters, such as the extent and purposes of data collection or the user terms offered.
Private enforcement of unfair competition law as a complementary tool
Lindenapotheke also underscores the value of private enforcement alongside public enforcement of unfair competition law in the digital economy. As AG Szpunar rightfully remarked in his opinion, there is no reason to restrict the consideration of a GDPR infringement to public enforcement (para 93).
Given the GDPR’s underenforcement and the Commission’s limited resources for investigations under EU competition law and the Digital Markets Act, private enforcement could become a powerful complementary tool. Market players now have a clear incentive to contribute to GDPR compliance by filing injunctions to stop data-related (anticompetitive) conduct, relevant under unfair competition law, and seek remedies against competitors who gain an unfair advantage through non-compliance with data protection law. This may strengthen the rights of data subjects, particularly in the digital economy, where power imbalances combined with informational and behavioural market failures traditionally have disadvantaged consumers and undermined competition.
As such, the ECJ appears to be supportive of further alignment between data protection and (unfair) competition law to address GDPR infringements in the interest of (data-related) competition.
Conclusion
Data protection and competition authorities should fully leverage the “Meta Model,” as outlined in Meta Platforms (2023) and expanded by Lindenapotheke (2024), to pursue a more collaborative approach to the enforcement of data protection, competition law and unfair competition law Such an approach promotes the dual goals of protecting personal data and fostering competition in digital markets where the three intersect, without unlawfully expanding their material scope.
Public enforcement of competition law could benefit from the normative guidance that data protection law can provide, especially regarding non-price competitive parameters of data-related conduct. Additionally, private enforcement of unfair competition law might also be strengthened since market players now have a clear incentive to pursue data protection law infringements, pursuing remedies against competitors who gain an unfair advantage through their non-compliance with data protection law. Whether this potential will be fully realised, however, remains an open question.
Although the judgment involves a national law against unfair competition, multiple member states have similar unfair competition laws, aimed at ensuring fair play in commerce. Although the regulatory approach differs considerably, these rules essentially involve abuse without having a dominant position. Therefore, (digital) undertakings must carefully assess the extent to which their data protection law infringements could be considered abusive.
________________________
To make sure you do not miss out on regular updates from the Kluwer Competition Law Blog, please subscribe here.
