ARTICLE
5 November 2024

Competitors May Challenge GDPR Infringements As Unfair Commercial Practices

SJ
Steptoe LLP

Contributor

In more than 100 years of practice, Steptoe has earned an international reputation for vigorous representation of clients before governmental agencies, successful advocacy in litigation and arbitration, and creative and practical advice in structuring business transactions. Steptoe has more than 500 lawyers and professional staff across the US, Europe and Asia.
On October 4, 2024, the Court of Justice of the European Union (CJEU) issued a significant judgment (Case C-21/23) regarding the ability of competitors...
European Union Privacy

On October 4, 2024, the Court of Justice of the European Union (CJEU) issued a significant judgment (Case C-21/23) regarding the ability of competitors to bring proceedings against organizations that infringe the General Data Protection Regulation (GDPR) based on the prohibition of unfair commercial practices. This case originated from a German court, where a competitor filed a civil proceeding against an organization on the basis of the prohibition of unfair commercial practices, in respect of infringements by that organization of the provisions of the GDPR. The CJEU was asked to determine whether the GDPR prevents EU Member States from adopting laws that allow competitors to bring civil actions against organizations for GDPR infringements based on unfair commercial practices. In an era where data is increasingly viewed as a competitive asset and regulatory frameworks are becoming more stringent, this judgment is expected to have far-reaching implications and influence the business strategies of organizations operating in highly competitive markets.

Key Takeaways

  • The CJEU noted that the GDPR does not rule out the possibility for a competitor of an organization to bring an action before the civil courts against that organization on the basis of the prohibition of unfair commercial practices, in respect of the alleged infringement by that organization of the obligations laid down by the GDPR.
  • It further stated that while a GDPR infringement primarily affects the data subjects concerned, such an infringement is also likely to adversely affect third parties. Indeed, a GDPR infringement may give rise to violations of consumer protection rules or unfair commercial practices and may serve as a vital clue for assessing the existence of an abuse of a dominant position within the meaning of Article 102 TFEU.
  • According to the CJEU, access to and use of personal data have become significant parameters of competition between undertakings in the digital economy. It thus recalled that it may be necessary to consider the rules on the protection of personal data in the context of the application of competition law and the rules on unfair commercial practices to ensure fair competition.
  • The CJEU considered that the possibility for a competitor to bring an action before the civil courts on the basis of the prohibition of unfair commercial practices to put an end to a GDPR infringement enhances the effectiveness of the GDPR and, therefore, the level of protection of data subjects with regard to the processing of their personal data, as pursued by that regulation.
  • The CJEU thus concluded that the GDPR does not preclude national legislation that confers on competitors of an organization infringing the GDPR the standing to bring proceedings against that organization on the basis of the prohibition of unfair commercial practices.

Impacts on Businesses

  • The CJEU validated the possibility for competitors to file lawsuits against organizations for GDPR infringements under unfair commercial practices, provided that national laws permit such actions.
  • Businesses should evaluate their risk of facing such proceedings in EU Member States where they operate.
  • Conversely, businesses may also consider the feasibility and potential benefits of initiating actions against competitors for GDPR violations under unfair commercial practices.

Looking Forward

  • Although this judgment specifically addresses GDPR infringements, its principles could apply to violations of other EU laws.
  • The judgment underscores once again the interconnected nature of data protection and competition laws.
  • While the GDPR restricts the right to lodge complaints with data protection authorities to data subjects, the recently enacted AI Act broadens this right to any legal or natural persons, without requiring proof of legal standing. Given the significant competition issues in the AI market, this could affect organizations' compliance and business strategies.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More