The Higher Regional Court of Hamburg has held that breaches of the General Data Protec-tion Regulation may indeed be pursued by competitors under German competition law on the basis of the German Unfair Competition Act Decision of the 25.10.2018 – Ref.: 3 U 66/17). This is one of the latest in a spate of decisions with differing outcomes as to whether the GDPR could give rise to liability to competitors under German national competition law. Recently, the Regional Court of Würzburg held that GDPR breaches were capable of being the basis of claims under competition law (Decision of the 13.09.2018 – Ref.: 11 O 1741/18 UWG), whereas the Regional Court of Bochum had previously held that this was not possible (Decision of the 07.08.2018 – Ref.: I-12 O 85/18).
German competition law allows private parties, including competitors, to bring actions against companies for breaches of the Unfair Competition Act. In accordance with Sec. 8(1) and Sec. 8(3) Nr. 1 of the Unfair Competition Act (Gesetz gegen den unlauteren Wettbewerb – UWG), competitors may begin proceedings for cease-and-desist or removal against a company for illegal commercial practices. They may also be awarded compensation for damages. As per Sec. 3a UWG, illegal commercial practices include the violation of statutory provisions which are also intended to regulate market conduct in the interest of market participants.
The central dispute in the cases regarding the applicability of the UWG to data protection law is twofold. Firstly, there is dispute as to whether data protection law is truly a provision intended to regulate market conduct, or whether the GDPR is instead intended to grant rights to individuals to control collection, usage and processing of their data. Particularly relevant for this argument could, for example, be that the GDPR is not just directed at private companies, but at anyone processing data, including public bodies and charities. Secondly, it is hotly contested whether this would breach the unwritten principle - developed in the literature and case law - that if a statute exhaustively regulates the possible civil claims, it cannot be the subject of additional claims under competition law. Examples of such exhaustively regulated provisions include certain regulations of antitrust law, as well as of intellectual property law. It was this second point which the OLG Hamburg most decisively ruled upon in the present case, arguing that the GDPR does not represent an exhaustively regulated system of sanctions, but rather that it merely stipulates a "minimum standard of sanctions".
The effects of this decision could be extremely far-reaching for businesses within Europe and for enforcement of the EU-wide GDPR. It could lead to a number of enforcement actions by companies in compliance with the Regulation, seeking to make sure their competitors also play by the rules. It further emphasizes the need for all companies operating within Germany to ensure compliance with the General Data Protection Regulation as soon as possible, or face being dragged to court by competitors seeking to exploit their non-compliance.