Data Protection vs Unfair Competition Law: Round 1

The question whether competitors or associations can bring a claim for violation of unfair competition law in case of infringements of the GDPR is currently on the agenda of the courts of numerous countries. In Austria, the Supreme Court recently addressed this question for the first time and answered it in the negative (OGH 26.11. 2019, 4 Ob 84/19k).

Data privacy as an exclusive right?

The reasoning of the decision is extremely brief and in our view raises more questions than it answers. It is noteworthy that the Austrian Supreme Court does not at all address the discussion whether the GDPR provides for a final sanctions regime and therefore has a blocking effect on the Act against Unfair Competition, which arose especially in Germany. Rather, the Supreme Court only refers to its case law, according to which a violation of the exclusive rights of third parties that does not entail official sanctions and does not concern protected interests of the general public, principally cannot be asserted as an unfair business practice. In the opinion of the Austrian Supreme Court, the right to data protection is such an exclusive right; violations can therefore only be asserted by the affected person.

The parallels drawn by the Supreme Court to its previous case law are not convincing. The Supreme Court compares violations of the right to data protection with those of exclusive rights, such as copyright, trademark, patent, or property rights. According to the case law of the Supreme Court, violations of such rights cannot be claimed by competitors because these rights do not constitute generally binding standards of conduct for everyone. A violation would only infringe individual interests of the directly affected party. Protected interests of the general public which entail official sanctions are not affected.

Why the decision of the Supreme Court is not convincing

The GDPR sets standards that are binding for everyone, the non-observance of which not only harms the interests of those affected, but can also give companies a considerable competitive advantage, e.g. by attracting a larger circle of customers, monetizing data or saving expenses. Violations of the GDPR are sanctioned with heavy fines and can be prosecuted by the data protection authorities ex officio in addition to the legal protection of the data subject in court.

Also, the right to data protection is not an exclusive right because, unlike for example trademark law, the data subject as the owner of rights does not necessarily have the power to prohibit the processing of his or her data. Indeed, in addition to the consent of the data subject, there are other legal grounds available for processing, in particular the legitimate interests of the data controller. Considering that data protection law is aimed precisely at protecting the interests of the general public, because all personal data of every natural person is protected under the GDPR, the reasoning of the Supreme Court cannot be followed. In addition, the numerous proceedings initiated ex officio by the data protection authority show that violations of data protection law are also prosecuted through official channels.

Contradicting existing precedent

Moreover, the recent ruling of the Supreme Court also contains a systematic contradiction to the previous rulings of the Supreme Court, which affirm a violation of unfair competition law in case of "cold calling" or "spamming". The provisions of the Telecommunications Act 2003 (TKG 2003) on protection against unwanted advertising calls and messages implement the ePrivacy Directive, which in turn is a lex specialis to the GDPR. This means that there is an inherent systematic contradiction in cases where rights under the GDPR are to be exclusive right which can only be asserted by the affected party, but where violations of the special provisions of the Telecommunications Act can be addressed by competitors according to established case law of the Austrian Supreme Court.

It is also interesting to note that in 2014 the Austrian Supreme Court still considered that a violation of the notification obligation under the Data Protection Act 2000 (DSG 2000) could be claimed under unfair competition law. However, in the specific case, the Supreme Court denied a violation of competition law due to the lack of appreciable effects on competition. In our opinion, appreciability should be the decisive delimitation criterion also in the case of violations of the GDPR, i.e. it should be possible to claim a violation of unfair competition law if the violation gives the infringer an advantage over companies that comply with the law.

Data Protection vs Unfair Competition Law: More decisions to come

It can be assumed that this is not the final say in this matter. Numerous German second-instance courts have already affirmed that violations of the GDPR can give rise to claims under unfair competition law. However, in the proceedings on I ZR 186/17 regarding a social platform's "App Centre" the German Federal Supreme Court (BGH) recently expressed doubts regarding the admissibility of unfair competition law claims for data protection violations. A press release of the German Federal Supreme Court states: "It is possible that the Data Protection Directive allows violations to be prosecuted solely by the data protection authorities and the affected persons and not by associations."

The BGH has suspended the proceedings until the decision of the European Court of Justice (ECJ) in the case "Fashion ID". This decision has now been issued but does not answer the question of whether competitors can claim data protection violations under unfair competition law either. It remains to be seen whether and how the BGH will answer this question. Although the proceedings relate to claims under the Data Protection Directive, the legal bases and data protection principles are very similar to the GDPR, which is why the decision would also be relevant under the currently applicable law.

The BGH is expected to deliver its ruling on April 11th, 2020.