If competitors use unfair means to gain a competitive advantage, companies can usually send them a warning letter and work towards a cease-and-desist declaration with a penalty clause. But does this also apply to breaches of the General Data Protection Regulation (GDPR)? The Court of Justice of the European Union (CJEU) has now confirmed this at the highest court (judgment of 4 October 2024, ref.: C-21/23).
The case
This was preceded by court proceedings in which a pharmacy wanted to send a competitor a warning letter due to an alleged GDPR infringement and obtain a cease-and-desist declaration.
The German Federal Court of Justice then referred the question to the CJEU as to whether the GDPR permits a national regulation that allows companies to take action against competitors who they believe have violated the regulation – or whether the GDPR has a blocking effect in this regard.
The judgment
The CJEU judgment has caused quite a stir in some quarters. Since then, some data protection consultants have been conjuring up the end of the world and announcing the imminent destruction of companies’ existence.
It is high time to take a sober look at the judgment.
The answer to the first question referred in paragraph 73 is decisive: The General Data Protection Regulation, in particular Chapter VIII, does not preclude a national provision that allows competitors of an alleged infringer to issue a warning to the latter.
Current judgements on the GDPR
Read our regular reviews of data protection law rulings to stay up to date!
Legal assessment
Data protection law and competition law
Anyone who is really surprised by this judgment has either not followed the discussion so far or has taken the opposite view, presumably for strategic reasons and for the benefit of their own clients.
Data protection law and competition law have two different approaches. The former protects the rights of data subjects, while the latter protects the market and explicitly also market participants from unfair competitive behaviour.
Why a provider should not be able to defend itself against a competitor who gains some kind of competitive advantage in violation of applicable law can only be justified in a rather flimsy manner. Whether it is ultimately a question of the infringing competitor saving costs or gaining and manipulating customers in an unauthorised manner is less relevant.
It is also irrelevant whether the data protection rights of a data subject have been violated at all. The only decisive factor is that the unfair behaviour disturbs fair competition.
If you look at the long history of competition law, there are various things that can land an entrepreneur with a warning letter. Most of them have nothing at all to do with data protection.
To summarise, it is therefore nothing new at all that not adhering to the rules of the game in competition and thereby gaining an unfair advantage can be a boomerang. It would have been rather strange if there had suddenly been an area of law in which unfair behaviour by competitors was simply acceptable.
So the oh-so-big surprise is not a surprise at all.
Consequences for companies
As for the doomsday scenarios now being described by various consultants, on closer inspection these turn out to be dull puffery.
Firstly: A warning does not threaten the existence of the company.
If the warning is justified, the only consequence is that you must first of all give an assurance that you will behave correctly in future and put an end to the breach of competition law. In other words, you do not have to do anything other than what you would have had to do anyway.
If you have to pay the costs of the opposing lawyer, this is certainly annoying, but such a training fee is certainly not even close to jeopardising your existence.
It only becomes expensive if you continue to commit the offence or commit it again. This is because the penalty payment typically agreed in connection with the cease-and-desist declaration is then due and this can indeed be substantial. After all, the penalty defence is intended to ensure that the obligation to cease and desist is complied with. The amounts are correspondingly high in order to be a real deterrent.
A wave of warnings is unlikely in Germany
In addition, concerns about the next wave of warnings (remember Google Fonts) are unfounded. This is ensured by § 8c of the German Unfair Competition Act (UWG), which is no longer entirely new and whose paragraph 2 puts a stop to the warning industry right from the start:
“An abusive assertion is to be assumed in case of doubt if the assertion of the claims primarily serves to give rise to a claim against the infringer for reimbursement of expenses or costs of legal action or the payment of a contractual penalty […]”
Of course it is unpleasant to receive a warning letter and to have to defend yourself against it if necessary. It costs time and money.
The better way would be to be demonstrably (!) compliant and, in particular, to observe data protection law.
