CJEU tightens data protection requirements for online shops
Does the GDPR preclude prosecution (under competition law) of data protection violations by competitors? Does order data when buying medicines online count as privileged health data? The CJEU ruled against the former and in favour of the latter in its landmark decision of 4 October 2024 (C-21/23). Operators of online shops and the like are now called upon to review their processes and take the necessary measures, including in view of the growing risk of claims being made against them.
A. Why is order data considered health data?
If a person orders a (non-prescription) medicine, this initially only means that this person wants to buy and receive a specific product.
Based on this, one might theoretically speculate that this person has one of the illnesses for which the medication is typically used. Of course, the person may just as easily have bought the medication for a third party or, for example, to stock up their own medicine cabinet.
The Advocate General understandably stated in his opinion that the mere possibility of making such health-related speculations is not sufficient. Rather, a ‘minimum degree of certainty’ regarding these sensitive inferences is required in order for the data to be categorised as health data. The Advocate General therefore rejected the categorisation of such order data as health data.
The CJEU’s decision is diametrically opposed to this. The CJEU followed its strict line of interpreting the term ‘health data’ broadly and also allowed for completely uncertain, purely hypothetical conclusions about illnesses to be sufficient, regardless of whether the controller intends to draw health-specific conclusions from the order data. The CJEU essentially justifies this by citing the high level of protection health data has under the GDPR. The CJEU did not appear to address the obvious question of whether that level of protection could have been maintained even without categorising such order data as health data, although there are certainly good arguments for doing so.
In this context, the question for online store operators and other controllers is which other order data, or other data, may constitute sensitive data such as health data. Orders for medical aids (such as walking aids or wheelchairs) could fall into this category.
B. What are the consequences of categorising data as health data?
While any processing of personal data requires a legal basis (Article 6 of the GDPR), the processing of ‘special categories of personal data’ (which include health data) is prohibited in principle; the prohibition is lifted only where one of the exceptions in Article 9(2) of the GDPR applies in addition to the legal basis under Article 6.
While it is usually easy to find a legal basis for order processes involving ‘normal’, non-sensitive data, the situation is different for special categories of personal data. Article 9(2) of the GDPR does not generally allow such data to be processed for the performance of a contract or on the basis of a balancing of interests.
In many cases, consent will therefore be required, which store operators must obtain from their customers (Article 9(2)(a) of the GDPR). On the other hand, in the case on which the decision of the CJEU is based, it seems likely that at least the defendant, as a pharmacist, may process health data for the performance of the contract on a legal basis other than consent, which the CJEU at least hints at in its decision (Article 9(2)(h) and (3) of the GDPR in conjunction with section 22(1)(1)(b) of the German Federal Data Protection Act (BDSG) in conjunction with section 203(1)(1) of the German Criminal Code (StGB)).
C. Can competitors now proceed against all data protection violations under competition law?
First of all, the CJEU ‘only’ ruled that the GDPR does not preclude actions by competitors on the basis of national competition law.
It is therefore up to the national courts to clarify in each individual case – such as the case on which the decision of the CJEU is based – whether competitors can invoke their own rights (e.g. for injunctive relief). In Germany, this opens up the option of competitors proceeding against a violation of the GDPR as an unfair breach of the law under section 3a of the German Unfair Competition Act (UWG) if the requirements of section 3a are met. The decisive question is whether the data protection provision that has been violated is a ‘market conduct rule’. According to the legal definition in section 3a of the German Unfair Competition Act, this is a legal provision that is also intended to regulate market conduct in the interest of market players and the breach of which is likely to have a tangible effect on the interests of consumers, other market players, or competitors.
Even before the GDPR became applicable on 25 May 2018, there was controversy over the extent to which the data protection provisions of the then current versions of the German Federal Data Protection Act, the German Telemedia Act (TMG) and the German Telecommunications Act (TKG) could be regarded as market conduct rules. The Federal Court of Justice (Bundesgerichtshof) itself has not yet commented on the extent to which data protection provisions are also market conduct rules under the then current version of the German Federal Data Protection Act or under the GDPR. It has been argued in the legal literature and case law that the provisions of the then current version of the German Federal Data Protection Act only protect individual legal positions as an emanation of the right of personality and therefore do not constitute market conduct rules. Other experts have expressed the opinion that data protection regulations are market conduct rules simply because they also serve to protect consumers and therefore have a link to competition.
According to what seems to be the prevailing opinion, the specific data protection provision being violated is decisive: if the data protection provision violated serves to protect personal data of substantial economic significance, whether in the form of customer data for personalised advertising and direct marketing or user data for product development based on customer needs, this supports categorisation as a ‘market conduct rule’.
Furthermore, the breach would also have to be capable of ‘significantly impairing the interests of consumers, other market players or competitors’ (section 3a of the German Unfair Competition Act). Even if the courts often tend to automatically affirm this ‘significance’ in unfair competition law, it still requires a critical examination of the individual case, especially under data protection law. This is because a significantly impairing effect appears questionable at least when, as in the case at issue, the data processing is clearly in line with the users’ clear wishes and they would therefore certainly willingly give their consent (after all, users want their order data to be processed so that they can be sent the desired product).
Given the CJEU’s decision, it is fair to assume that online store operators and the like will now run an increased risk of claims being made against them. Depending on the specific violation of data protection regulations, however, there are ways for them to defend against such claims, which need to be determined on a case-by-case basis.
In any case, companies should be vigilant in order to react appropriately if they receive a cease-and-desist letter. This includes considering whether it is advisable in the given case to file a protective pleading after receiving a cease-and-desist letter in order to reduce the risk of a temporary injunction being issued without a trial.
In this context, it will also be interesting to see whether the German legislators will expressly exclude data protection violations from section 3a of the German Unfair Competition Act (see the Bundesrat bill (German only)).
D. What can online store operators and other controllers conclude in general from the CJEU ruling?
The decision on health data shows that data protection issues are very complex and may ultimately be found in all areas of a company. It should be clear that internal data protection management and the data protection officer must definitely be involved when introducing new processing procedures, especially data-driven tools (such as cookie-based marketing tools in online shops), as well as when making changes to such processes. The ruling also makes it clear that this is not sufficient in every case, but that even changes to the product range (e.g. adding medical products to an online shop that previously only sold products from non-sensitive areas) may be highly relevant to data protection.
To get a handle on these issues, robust data protection governance (or ideally more comprehensive and robust data compliance governance) is needed. All employees must be made aware of these issues through regular training. And companies that have taken these necessary measures will be better prepared to face the growing risk of claims regarding data protection violations being made against them as a result of the CJEU ruling.