The question as to whether breaches of data protection law can also constitute breaches of other legal provisions, in particular of provisions regulating the market such as competition (in the sense of antitrust) law or unfair competition law, has once again become relevant in recent days.
In a similar vein, the Higher Regional Court of Hamburg (Decision of 25.10.2018, 3 U 66/17) stated in a decision concerning an infringement of the Unfair Competition Act (Gesetz gegen unlauteren Wettbewerb, UWG) that certain provisions of the General Data Protection Regulation (GDPR) also regulate market conduct. A violation of these provisions can thus trigger claims for damages and injunctive relief, among other things.
These decisions and their possible consequences for other companies are illustrated below.
The Facebook decision
The BKartA imposed far-reaching provisions on Facebook’s processing of user data:
The BKartA based its decision on an alleged abuse of a dominant position by Facebook, which is prohibited under Sec. 19 para. 1 of the German Act Against Restraints of Competition (GWB).
The allegedly abusive behaviour is the collection of enormous amounts of user data outside the Facebook platform and the combination of this data with the Facebook user account. The data was collected on Facebook’s own websites and apps such as WhatsApp and Instagram as well as on third-party websites on the internet and on the smartphone. This was possible due to so-called „Facebook Business Tools“ such as the „like button“ or the „Facebook login“. Through this combination of data sources, Facebook was able to create a unique overall data set for each individual user.
According to the BKartA, this behaviour is exploitative towards the users. The exploitative abuse is indicated by an infringement of the GDPR. Facebook allegedly does not have an effective legal justification under the GDPR for this behaviour. In particular, there is no effective consent of the users, since Facebook makes the provision of its service Facebook.com dependent on the granting of such consent. In addition, Facebook’s behaviour also impedes competitors, because Facebook gains a significant competitive advantage by collecting and combining user data from different sources.
The Judgment of the Higher Regional Court of Hamburg (OLG)
The OLG’s decision essentially contains the following key messages:
- An infringement of data protection law can also constitute an infringement of unfair competition law.
- Neither Directive 95/46/EC (Data Protection Directive) nor the GDPR contain a final system of sanctions which would restrict the right of competitors to bring actions pursuant to the Unfair Competition Act (UWG).
- Certain data protection standards have a so-called “market conduct regulating” character and can thus trigger a breach of unfair competition law pursuant to Sec. 3a UWG.
However, the OLG also emphasises that not every data protection norm has such a market regulating character; rather, it has to be assessed for every norm if it indeed deals with a regulation of market conduct.
Consequences for companies
Compliance with data protection regulations is becoming increasingly important, now also in terms of competition law and unfair competition law. Companies are advised to set up a functioning structure that prevents data protection violations.
This is all the more true now that a further Higher Regional Court is of the opinion that data protection standards can have the character of regulating market conduct. This decision gives competitors of companies the option of suing under the UWG for violations of data protection laws. Of course, this is a motivation for competitors to closely monitor possible breaches of data protection.
Additionally, the BKartA’s involvement in monitoring compliance with data protection regulations is likely to send an important signal to the business world, as the BKartA has far-reaching sanction options for infringements of competition law. Possible fines of up to 10 percent of the company’s annual turnover by far exceed those sanctions which can be imposed by data protection authorities. Yet it has to be taken into account that only companies with a dominant or strong market position are addressees of the competition law rules on abusive conduct.
However, it still remains to be seen whether the Higher Regional Court of Düsseldorf will eventually agree with the BKartA’s approach that an infringement of the GDPR can also constitute an abuse of a dominant market position.