Abstract: On 4 October 2024, the Grand Chamber of the European Court of Justice (ECJ) issued a landmark judgment that adds significant depth to the interpretation of the GDPR, especially concerning its interplay with unfair competition law and the concept of “special categories of personal data”. After analysing the facts of the case and the ECJ’s reasoning, this Insight aims to highlight how the Lindenapotheke ruling, while aligned with the ECJ’s longstanding commitment to securing data subjects’ rights, represents a noteworthy advance: it reinforces the high level of protection afforded to data subjects by integrating GDPR safeguards – particularly those under art. 9 GDPR – with those established in other areas of EU secondary law. Finally, this Insight examines the critical aspects and practical implications of the ruling, especially for data controllers, as the ECJ’s approach may have an (excessive) deterrent effect on practices that risk infringing these enhanced data protection standards.
Keywords: Lindenapotheke – data protection law – unfair competition law – remedies – health data – GDPR.
I. Introduction
Since the entry into force of Regulation (EU) 2016/679 (GDPR),[1] the dialogue between national courts and the European Court of Justice (ECJ) on data protection law has intensified. This is reflected in the surge of preliminary references seeking clarity on key concepts, such as the definition of personal data and the lawful grounds for processing.[2] In interpreting these issues, the ECJ has consistently prioritised the data subjects’ rights over the interests of data controllers,[3] adopting a teleological approach that emphasises the GDPR’s primary objective of ensuring a high level of protection for individuals regarding the processing of their data.[4]
The recent Lindenapotheke ruling, issued by the Grand Chamber on 4 October 2024, while continuing along this trajectory, marks a significant step forward: it reinforces the high level of protection afforded to data subjects by integrating GDPR safeguards – particularly those in art. 9 – with those established in other areas of secondary EU law. After a brief overview of the facts of the case and the ECJ’s reasoning, this Insight argues that the integrated application of safeguards both “inside” and “outside” the GDPR enhances the protection for data subjects – even beyond the explicit meaning of its provisions – and may have unintended consequences for the data controllers’ processing activities, with far-reaching implications for the EU’s economic and social development.
II. Setting the facts of the case
The request for a preliminary ruling by the German Federal Court of Justice arose from a dispute concerning the online sale of non-prescription medicines. The operator of a pharmacy (DR) challenged a competitor (ND), who held a mail-order licence, for marketing its products on the Amazon Marketplace platform in alleged violation of art. 9 GDPR regarding the processing of “special categories of data”, including health data. When placing orders, platform users were required to provide various pieces of information (e.g. customer’s name, delivery address, and information needed to individualise the pharmacy-only medicine ordered) without being asked for explicit consent. According to DR, this form of marketing constituted an unfair commercial practice under art. 3a German Law against unfair competition (UWG), which states that “[a]nyone who infringes a statutory provision intended, inter alia, to regulate market conduct in the interest of market players commits an unfair act”.[5]
Starting from the premise that the GDPR provisions may be considered market conduct rules under art. 3a UWG, DR argued that the sale of pharmacy-only medicines constituted an unfair commercial practice due to non-compliance with the requirements of art. 9 GDPR on the processing of special categories of data.[6] Acting as a competitor, DR brought an action for an injunction under art. 8(3)(1) UWG, claiming that ND’s actions violated the GDPR. DR’s position was upheld at the first instance by the Regional Court and on appeal by the Higher Regional Court, which ruled that marketing the medicines on Amazon involved the processing of health data under art. 9 GDPR, for which customers had not given explicit consent.
III. The ECJ’s reasoning
Asked to rule on the dispute, the Federal Court of Justice noted that the interpretation of GDPR provisions regarding competitors’ standing to bring actions based on unfair commercial practices for GDPR violations and the understanding of health data is far from settled. Therefore, it referred two preliminary questions to the ECJ, which can be summarised as follows: (i) Do the remedies provided in Chapter VIII of the GDPR constitute an exhaustive system for addressing GDPR violations, or may national law supplement this system by granting competitors the right to act against the alleged GDPR infringer through a claim based on the prohibition of unfair commercial practices?; (ii) Does the definition of health data extend to data provided online when purchasing non-prescription medicines, which could relate to individuals other than the platform users?
iii.1. The nature of the GDPR remedies
The first preliminary question requires the ECJ to determine whether the remedies provided under arts 77-79 GDPR are exhaustive.[7] Notably, the ECJ needs to assess whether national law permits a competitor to bring a civil action based on the prohibition of unfair commercial practices for alleged GDPR violations by another undertaking. Indeed, the Federal Court of Justice noted that, although the remedies set out in Chapter VIII of the GDPR do not explicitly grant competitors the right to bring actions under competition law where GDPR violations constitute unfair commercial practices, they do not exclude this possibility either.
In addressing this issue, the ECJ concludes that the GDPR remedies are not exhaustive. This decision is based on three main arguments. Firstly, the Luxembourg judges emphasise that the GDPR does not exclude the standing of the competitor, as the remedies are explicitly stated to be “without prejudice” to any other administrative, judicial, or non-judicial remedies.[8]
Secondly, the ECJ points out that this standing is not excluded either by the absence of an explicit remedy for competitors in Chapter VIII of the GDPR or by the lack of an opening clause similar to that in art. 80(2) GDPR, whereby Member States can provide data subjects with the right to mandate a non-profit body, organisation or association to lodge a complaint with the competent supervisory authority and to exercise the rights under arts 78-79 if it considers that a data subject’s rights under the GDPR have been violated. Although only data subjects are the direct beneficiaries of the level of protection guaranteed by the GDPR, the Luxembourg judges highlight that a GDPR violation may harm third parties, who could seek to invoke it in judicial proceedings. As will be explained below, this interpretation is based on i) art. 82(1) GDPR, which allows national law to grant entities other than data subjects the right to invoke non-compliance with the substantive provisions of the GDPR and ii) the previous case-law, which establishes that a GDPR violation may constitute a breach of consumer protection or unfair commercial practices rules and serve as evidence in assessing potential abuse of dominant position.[9] Furthermore, the ECJ stresses the irrelevance of the absence of an opening clause similar to that in art. 80(2) GDPR to support the non-exhaustiveness of the GDPR remedies, as the wording and the context of Chapter VIII show that the EU legislator did not intend to harmonise the remedies for GDPR breaches comprehensively.[10]
Thirdly, the ECJ holds that granting competitors the standing to bring an injunction action not only aligns with the objectives of the GDPR, but also enhances its overall effectiveness “and thus the high level of protection of data subjects”.[11] On the one hand, allowing such standing does not pose a threat to the uniform application of the GDPR, as it does not interfere with the remedies available under the regulation, which can always be exercised by the data subjects. Moreover, even if a Member State does not provide a similar remedy for competitors, this does not lead to fragmentation in the implementation of the GDPR, since its substantive provisions equally bind data controllers.[12] On the other hand, extending the ability to invoke the GDPR substantive provisions reduces the likelihood of violations of data subjects’ rights and, therefore, significantly strengthens the protection afforded to data subjects.[13]
iii.2. The breadth of the notion of health data
The second preliminary question allows the ECJ to confirm that the notion of “special categories of personal data”, and specifically health data, must be interpreted broadly in light of the GDPR’s objective of ensuring a high level of protection for individuals’ fundamental rights and freedoms concerning the processing of personal data.[14] Moreover, the ECJ clarifies that the definition of “data concerning health”[15] includes information that customers disclose when ordering non-prescription medicines online. According to the Luxembourg judges, this data can provide, through an intellectual operation involving comparison or deduction, information about the health status of the person placing the order. This inference is possible because of the (albeit weak) link between “medicinal product, its therapeutic indications or uses, and a natural person identified or identifiable by factors such as that person’s name or the delivery address”.[16]
Despite the Federal Court’s doubts, the classification of this information as health data remains valid even if the medicines in question do not require a prescription and, therefore, can be purchased by individuals other than the end user. For the ECJ, when applying the protection regime under art. 9(1) GDPR, it is irrelevant whether the information relates to the platform user or to any other individual for whom the order was placed.[17] On the contrary, the Luxembourg judges argue that interpreting art. 9(1) GDPR by distinguishing between types of medicines sold or whether these medicines require a prescription would not be consistent with both the objective of ensuring a high level of protection for data subjects and the goal of providing enhanced protection for data processing activities that, due to the sensitive nature of the data involved, could constitute a serious interference with fundamental rights. Thus, the Court concludes that, given the potential impact on the rights and freedoms of data subjects, the data in question must be regarded as health data, even if there is only “a certain degree of probability” that the medicines ordered are intended for the platform’s customers. The individual to whom the data relate can still be identified by combining the data provided online.[18]
IV. Commentary
Having summarised the key points of the ECJ’s reasoning, I will now highlight how the answers provided by the Luxembourg judges represent a significant step forward in enhancing the protection of data subjects. In this section, I will also point out that this has been done by forcing the explicit meaning of the relevant GDPR provisions and that the innovative nature of this judgment, which integrates safeguards present “outside” and “inside” the GDPR framework, may raise certain critical considerations regarding its practical implications, especially for data controllers and online commerce.
iv.1. The safeguards “outside” the GDPR: what role for unfair competition law?
The finding that the GDPR’s system of remedies does not preclude a national law from allowing injunctions against a competitor suspected of GDPR violations is undoubtedly a significant development. Before the Lindenapotheke ruling, the possibility for a competitor to invoke a GDPR infringement based on national rules on unfair commercial practices had not been recognised. Indeed, in the Meta Platforms Ireland ruling, the Court merely stated that art. 80(2) GDPR does not prevent national law from empowering consumer protection associations to pursue representative actions to halt data processing practices contrary to the GDPR, regardless of whether there is an actual violation of a specific individual’s rights or a mandate from the affected party.[19]
While not intending to downplay the innovative scope of the judgment at stake, the ECJ’s reasoning appears unconvincing in several respects. Most notably, this section questions the choice to interpret the GDPR mainly in light of its primary aim to ensure the highest possible level of protection for data subjects. As will be argued, by adopting this perspective, the ECJ provides an interpretation of the GDPR that assigns meaning to the text that is neither explicitly stated nor necessarily intended by the EU legislator.
a) Stretching the safeguard clause of arts 77-79 GDPR
In analysing the text of arts 77-79 GDPR, there seem to be elements suggesting that, contrary to the ECJ’s position, the safeguard clause at the beginning of these provisions (“without prejudice to any other administrative or judicial remedy” or “non-judicial” remedy) should be interpreted as referring solely to remedies provided by the GDPR. One might counter this interpretation by pointing to art. 78(1) GDPR, which grants “any natural or legal person” (and not only data subjects) the right to an effective judicial remedy against a decision of the supervisory authority. However, a combined reading of arts 77-79 GDPR reveals an intention to structure these remedies as complementary. The ECJ itself, in the BE judgment, affirmed that arts 77 and 79 GDPR provide remedies for those claiming a GDPR violation, specifying that each remedy “must be capable of being exercised ‘without prejudice’ to the others”.[20]
Specifically, the provision of a right to an effective judicial remedy, established by art. 79(1) GDPR, aims to ensure access to a judge in line with art. 47 of the Charter of Fundamental Rights of the European Union (Charter), filling protection gaps left by the other remedies. First, a complaint to the supervisory authority under art. 77 GDPR does not constitute an effective judicial remedy, as the authority, though independent, remains an administrative body.[21] Additionally, the appeal against a decision of the supervisory authority provided by art. 78 GDPR does not constitute a fully effective judicial remedy, as there are legal matters the supervisory authority cannot address.[22] Finally, the right to an effective judicial remedy under art. 78 does not extend to non-binding measures issued by the supervisory authority, such as opinions.
b) What art. 82(1) and the case law don’t say
Turning to the contextual analysis of the provisions in Chapter VIII of the GDPR, the ECJ primarily inferred the non-exhaustiveness of GDPR remedies from (i) art. 82(1) GDPR; and (ii) the previous case-law on the interplay between the GDPR and consumer and competition law. However, neither argument seems persuasive.
Concerning art. 82(1) GDPR, the Luxembourg judges adopted a particularly broad interpretation of this provision, based on a view of the GDPR as a regulation that, while primarily aimed at protecting the fundamental rights and freedoms of data subjects, also seeks to safeguard fair competition by preventing distortions arising from disparities in levels of data protection.[23] Conversely, a comprehensive reading of art. 82 GDPR and a systematic interpretation of the GDPR provisions do not indicate that art. 82(1) GDPR was intended to recognise that parties other than data subjects might suffer harm due to a GDPR violation. Firstly, art. 82(4) GDPR specifies that, where multiple data controllers or processors are involved, each is liable for the entire harm to ensure effective compensation for data subjects, with no reference to third parties. Secondly, Recital 146 GDPR refers exclusively to data subjects as the only parties entitled to obtain full and effective compensation for damages suffered.[24]
Regarding the second argument, the ECJ merely reaffirms its previous stance, recognising a close relationship of complementarity and convergence between data protection law and other areas, including consumer protection[25] and competition law.[26] However, this connection is not self-evident;[27] it would have been preferable for the ECJ, rather than simply citing past decisions, to clarify, for example, under what conditions parties who do not hold rights under the GDPR might resort to a national remedy to address a violation of this regulation. Such clarification would not only have helped to address some scholarly criticisms regarding the Court’s perceived correlation of the GDPR with other EU rules,[28] but would also have provided useful guidance to the referring court in assessing whether the alleged infringement of the GDPR substantive provisions also constitutes a breach of the prohibition on unfair commercial practices under relevant national law.
In the case at hand, for instance, for a commercial practice to be considered unfair, art. 3a UWG requires that the breached regulation “is also intended to regulate market behaviour in the interests of market participants” and that this violation “is likely to significantly impair the interests of consumers, other market participants or competitors”. Yet, opinions on the GDPR’s nature remain divided, with some scholars viewing it as solely focused on protecting data subjects’ rights, while others see it as also safeguarding digital markets.[29] Furthermore, there is no guarantee that a GDPR breach would necessarily and significantly harm consumer or competitor interests.
Lastly, in light of the preceding considerations, the last argument supporting the non-exhaustiveness of GDPR remedies – based on the supposed irrelevance of the absence of an opening clause like that in art. 80(2) GDPR – appears strained. Contrary to the Court’s assertion, a textual and contextual analysis of Chapter VIII does not clearly show that the EU legislator did not intend to harmonise the remedies available to data subjects. The very instrument chosen (a regulation instead of a directive) already illustrates that the legislator’s intention was precisely to harmonise the field of personal data protection.[30] Moreover, when the legislator meant to leave a margin of discretion to the Member States, it did so explicitly by inserting opening clauses.[31] Accordingly, if this intention had also existed in relation to remedies for GDPR breaches, the legislator would have made this intention more explicit by allowing Member States to introduce complementary remedies that enable parties other than data subjects to claim damages suffered as a result of GDPR breaches.
c) The GDPR’s objective left behind
The ECJ’s argument based on the teleological interpretation of arts 77-79 GDPR appears to be more convincing than the previous ones, at least regarding the GDPR’s aim of ensuring a high level of protection for data subjects. While an injunction brought by a competitor is primarily aimed at guaranteeing fair competition, it undoubtedly can also indirectly enhance data subjects’ protection by preventing violations of their rights. Arguing otherwise would contradict the ECJ’s established stance, which recognised that allowing consumer protection associations to take legal action against an alleged violator of the data protection law served its goals fully by strengthening data subjects’ rights and ensuring a high level of protection.[32]
Greater concerns arise regarding the ECJ’s interpretation of arts 77-79 GDPR in light of the GDPR’s objective to prevent disparities that could hinder the free movement of personal data.[33] In this respect, it is difficult to understand how the coexistence of remedies under both data protection law and unfair competition law would not pose risks to the uniform application of the GDPR. If the same provision were applied both by a supervisory authority or civil courts under arts 77-80, and by courts hearing competitors’ claims under the prohibition of unfair commercial practices for the same violation, there would be a risk of divergent interpretations of GDPR rules.[34]
The ECJ itself has repeatedly highlighted the risk of such interpretative inconsistencies. In the BE ruling, it emphasised that, to avoid contradictory decisions concerning the same personal data processing within a single Member State, and in the absence of a coordination mechanism under the GDPR, it is up to the Member States, based on the principle of procedural autonomy, to establish the necessary coordination mechanisms.[35] Similarly, in the Meta Platforms and Others case, the ECJ reiterated that, to prevent discrepancies between the interpretation of the GDPR provided incidentally by a competition authority assessing a company’s conduct and the interpretation given by a supervisory authority, the competition authority must adhere to the principle of sincere cooperation.[36] Therefore, if the uniform application of the GDPR may be compromised by contradictory decisions arising from the exercise of GDPR remedies, this risk is likely to increase with the broader invocation of GDPR provisions through remedies established under other legal frameworks.
Finally, as the ECJ has noted, while the direct applicability of the GDPR and the mechanism of preliminary references help mitigate the risks of fragmentation,[37] the possibility of unequal levels of protection for data subjects remains. This occurs when certain Member States allow parties other than the data subjects to enforce violations of the GDPR substantive provisions. In Germany, for example, data subjects can benefit from the fact that third parties are entitled to act, under unfair competition law, against a GDPR breach. This possibility is not available to Dutch data subjects. In the Avium Wearables case, indeed, the Dutch District Court – upholding the decisions of the Dutch supervisory authority and the Dutch Competition Authority – held that competitors could not rely on a breach of the GDPR in order to challenge unfair practices under the Dutch implementation of the Directive 2005/29/EC on unfair commercial practices.[38] Consequently, asserting that the GDPR does not prevent national legislations from extending the ability to invoke its substantive provisions to parties other than data subjects fails to prevent disparities that could hinder the free movement of personal data.
iv.2. The safeguards “inside” the GDPR: what (if any) limits to the notion of sensitive data
Compared to the conclusion reached in response to the first preliminary question, the one developed in relation to the second does not introduce any particularly new elements beyond what has already been extensively stated by the ECJ in its case law concerning “special categories of personal data”, including health data,[39] as well as by the European Data Protection Supervisor[40] and the Article 29 Working Party (now, European Data Protection Board).[41] However, by reaffirming the need to adopt a broad interpretation of such data to achieve the GDPR’s objective of ensuring a high level of protection for data subjects – and specifically, the goal set out in art. 9 GDPR to provide enhanced protection against processing that may constitute a serious interference with the fundamental rights enshrined in arts 7 and 8 of the Charter –,[42] the ECJ provides an additional interpretative contribution.
The “capability test” elaborated in the OT judgment, which holds that data falls within the special categories of personal data if it is “capable of revealing” sensitive information about an individual through an intellectual operation of comparison or deduction, is now complemented by a “probability test”. According to this test, in order to determine whether a piece of personal data belongs to the special categories or not, it must be assessed whether there is a “certain degree of probability” that, through the aforementioned intellectual operation, sensitive information could be inferred.[43] As previously stated in the Meta Platforms and Others ruling, it is irrelevant whether the inferred information is accurate or whether the data controller intends to derive sensitive data;[44] what matters is the likelihood that such an inference could occur. Consequently, for example, the purchase of a book about a political figure (even if made on behalf of another person) could be considered sensitive data, as it might suggest an alignment with the views held by that figure.
The practical implications of this interpretative approach are far from negligible, particularly for the online commerce sector. As Advocate General Szpunar pointed out, the fact that many types of data collected online could fall within the definition of “special categories of data” – since they may allow for the inference of sensitive information (e.g. a person’s health status or racial or ethnic origin) – imposes more stringent obligations on data controllers under art. 9 GDPR. This, in turn, risks making online transactions excessively complex and costly.[45] Legal scholars have already highlighted similar concerns in relation to the Meta Platforms and Others ruling, which established that if the data collected includes sensitive data and it is not possible to separate the two categories, the entire dataset must be processed in accordance with the regime set out in art. 9 GDPR.[46] This interpretation has raised concerns about the “potentially serious implications for digital market companies”,[47] which, by collecting large volumes of data, may often find themselves processing sensitive data.
Returning to the case at hand, in order to mitigate these risks without imposing excessive limits on the ECJ’s broad interpretation of “special categories of data”, the test proposed by Advocate General Szpunar is particularly persuasive. Based on the degree of certainty with which conclusions can be drawn,[48] this test would refine the definition of “special categories of data” by requiring consideration of both the content of the data and the specific circumstances surrounding their processing (e.g. the context of the processing and the identity of the data controller).[49] In this way, for example, data not processed in a medical context or by an entity with the specific expertise to interpret it might not be considered health data, as the surrounding circumstances would not allow for reliable or precise conclusions about an individual’s health status. Therefore, contrary to the ECJ’s conclusion, it would not be sufficient that sensitive information could, with a certain degree of probability, be inferred from the data; rather, such information must be accurate concerning an individual’s health or other specific conditions.
V. Conclusive remarks and broader implications
In commenting on the Lindenapotheke ruling, this Insight has sought to highlight that the ECJ has not only reaffirmed but strengthened its protective approach to personal data, emphasising the “subjective vocation” of the GDPR and the primary value this regulation places on safeguarding the data subjects’ rights. On the one hand, it was established that the remedies provided by the GDPR must be considered as a minimum set that can be supplemented by national law. In other words, the ECJ has, for the first time, recognised the possibility of using remedies “outside” the GDPR to indirectly safeguard the data subjects’ rights, thus opening new avenues for GDPR enforcement. On the other hand, a new standard for assessing “special categories of personal data”, including health data, was introduced, allowing for an expansion of these categories’ boundaries and, consequently, of the scope of the enhanced protection provided by art. 9 GDPR.
From a wider perspective, it is undeniable that such an interpretive approach has the advantage of ensuring an exceptional level of protection for data subjects, which is unique in the global regulatory landscape.[50] Guaranteeing this standard of protection is crucial, particularly in contexts characterised by significant informational asymmetries, where data subjects are at a disadvantage compared to data controllers, or where the processing of personal data may lead to discriminatory effects on the individuals from whom the data originate.
At the same time, however, this approach has significant implications for personal data processing activities within the Union, contributing to the spread of “data protection terrorism” among those operating in this field. Even the most diligent data controllers can rarely consider themselves safe from potential challenges to the lawfulness of their activities, whether from data subjects or supervisory authorities. They must demonstrate compliance with the GDPR by fulfilling numerous obligations,[51] which – especially when processing sensitive data – entail significant expenditure of resources, time, and expertise that may not always be readily available.[52]
Following the Lindenapotheke ruling, data controllers must now also consider the risk of their activities being challenged by competitors. The latter could take legal action for alleged GDPR infringements grounded on unfair competition law. In this scenario, a GDPR violation could first be contested by a competitor through an injunction based on competition law, and later by data subjects through a complaint to the supervisory authority or a civil court. If the data controller is penalised twice for the same breach, there is a risk of double fining and a violation of the ne bis in idem principle.[53] This could ultimately have an (excessive) deterrent effect on data processing, as controllers may, after a cost-benefit analysis, decide not to use the data at their disposal, effectively forgoing processing activities.[54]
--------------------
European Papers, Vol. 9, 2024, No 3, European Forum, Insight of 24 December 2024, pp. 852-864
ISSN 2499-8249 - doi: 10.15166/2499-8249/788
* PhD Candidate in European Law, University of Bologna, anna.fiorentini3@unibo.it.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
[2] See Curia, curia.europa.eu.
[3] F Ferri, Il bilanciamento tra diritti fondamentali nel mercato unico digitale (Giappichelli 2022) 213-214. Likewise, cf. P Bravo, Il “diritto” a trattare i dati personali nello svolgimento dell’attività economica (Cedam 2018) 180.
[4] On the ECJ’s extensive use of the teleological criterion, cf. M Tzanou, ‘Data Protection as a Fundamental Right Next to Privacy? ‘Reconstructing’ a not so New Right’ (2013) International Data Privacy Law 94; M Tzanou, ‘Balancing Fundamental Rights: United in Diversity? Some Reflections on the Recent Case Law of the European Court of Justice on Data Protection’ (2010) Croatian Yearbook of European Law and Policy 53, 59-60; S Gutwirth, Y Poullet, P Hert, C Terwangne and S Nouwt (eds), Reinventing Data Protection? (Springer 2009); P Kuch, ‘Teleology: The Missing Piece to Solving the GDPR Puzzle’ (2021) Journal of Data Protection and Privacy 28, 30-31; S Lindroos-Hovinheimo, ‘Who Controls our Data? The Legal Reasoning of the European Court of Justice in Wirtschaftsakademie Schleswig-Holstein and Tietosuojavaltuutettu v. Jehovan todistajat’ (2019) Information and Communications Technology Law 226.
[5] Art. 3a Gesetz gegen den unlauteren Wettbewerb of 3 July 2004 (BGBl. 2004 I, p. 1414).
[6] According to art. 9 GDPR, the processing of special categories of data is generally prohibited unless one of the conditions listed in the second paragraph of this provision (e.g. explicit consent) is met.
[7] These provisions give data subjects the right to lodge a complaint before a supervisory authority (art. 77 GDPR) or the right to an effective judicial remedy against a supervisory authority (art. 78 GDPR) or a data controller/processor (art. 79 GDPR). For the sake of completeness, please note that among the remedies provided for by Chapter VIII of the GDPR there is also the possibility for the data subjects to lodge a claim for damages (art. 82 GDPR) or, again, to mandate a non-profit association to lodge a complaint or to exercise, on their behalf, the rights conferred by the GDPR (art. 80(1) GDPR).
[8] Case C-21/23 Lindenapotheke ECLI:EU:C:2024:846 para. 53.
[9] Ibid. paras 54-55.
[10] Ibid. paras 59-60.
[11] Ibid. para. 62.
[12] Ibid. para. 68.
[13] Ibid. para. 70.
[14] Ibid. para. 81. This had already been stated in Case C-184/20 Vyriausioji tarnybinės etikos komisija (OT) EU:C:2022:601 para. 125; and, concerning Directive 95/46/EC, in Case C-101/01 Lindqvist EU:C:2003:596 para. 50.
[15] Art. 4(15) and Recital 35 GDPR.
[16] Lindenapotheke cit. para. 84.
[17] Ibid. paras 86-88.
[18] Ibid. paras 89-91.
[19] Case C-319/20 Meta Platforms Ireland ECLI:EU:C:2022:322.
[20] Case C-132/21 Nemzeti Adatvédelmi és Információszabadság Hatóság (BE) ECLI:EU:C:2023 para. 34.
[21] Arts 55(3) and 83 GDPR.
[22] For instance, it lacks jurisdiction over alleged GDPR violations by judicial authorities (art. 55(3) GDPR) and cannot rule on issues related to the right to compensation (art. 58(2) GDPR).
[23] Recital 9 GDPR.
[24] C Cellerino, ‘Personal Data: Damages Actions between EU Competition Law and the GDPR’ in L Calzolari, A Miglio and F Croci (eds), Public and Private Enforcement of EU Competition Law in the Age of Big Data (Giappichelli 2024) 266.
[25] In the Meta Platforms Ireland judgment, the ECJ stated that it is possible to address GDPR breaches through rules aimed at consumer protection or the fight against unfair commercial practices (Meta Platforms Ireland cit. paras 78-79).
[26] In Meta Platforms and Others, the ECJ acknowledged the possibility of considering GDPR violations incidentally within public enforcement contexts – specifically, in the assessment of anti-competitive practices by a national competition authority. This approach allows data protection law to help ensure “the effectiveness of competition law within the European Union” (Case C-252/21 Meta Platforms and Others ECLI:EU:C:2023:537 para. 51).
[27] While acknowledging the interactions among data protection, competition, and consumer protection rules, these legal areas remain distinct, each pursuing autonomous goals that, in some cases, may even conflict. For example, competition law may require a company to share parts of its database with competitors to prevent it from maintaining a competitive advantage in the market. However, such data sharing would reduce data control, potentially compromising the protection of data subjects. Cf. M Botta and K Wiedemann, ‘The Interaction of EU Competition, Consumer, and Data Protection Law in the Digital Economy: The Regulatory Dilemma in the Facebook Odyssey’ (2019) Antitrust Bulletin 428.
[28] For example, in commenting on the Meta Platforms and Others decision, Manzini expressed concerns about the effective equivalence drawn between a GDPR violation and an antitrust infringement. He emphasised, inter alia, that a GDPR violation should produce anti-competitive effects; otherwise, an antitrust infringement cannot be considered established. Cf. P Manzini, ‘Antitrust e privacy: la strana coppia’ (2023) I Post di AISDUE 204 ff.
[29] See, inter alia, C Cellerino, ‘Personal Data: Damages Actions between EU Competition Law and the GDPR’ cit.
[30] According to art. 288 TFEU, the regulation “shall be binding in its entirety and directly applicable in all Member States”, unlike directives, which, on the other hand, bind the States as to the result to be achieved, leaving “the national authorities the choice of form and methods”.
[31] See, inter alia, art. 9(4) GDPR on the processing of special categories of data. A full list of the opening clauses can be found in the Commission staff working document accompanying the document Communication from the Commission to the European Parliament and the Council, Data protection rules as a pillar of citizens empowerment and EU’s approach to digital transition - two years of application of the General Data Protection Regulation, SWD/2020/115 final 53.
[32] Case C-40/17 Fashion ID ECLI:EU:C:2019:629 para. 59. This was further reaffirmed in Meta Platforms Ireland with regard to the GDPR, where it was stated that enabling consumer protection associations to seek injunctions against processing activities that violate the GDPR helps to strengthen the rights of data subjects through collective remedies and to ensure a high level of protection for them (Meta Platforms Ireland cit. paras 73-74).
[33] Art. 1(3) and Recital 13 GDPR.
[34] On the risks of inconsistency in GDPR enforcement derived by this ruling, see also M van den Poel, ‘Case C-21/23 Lindenapotheke – Competitors Can Enforce GDPR-Based Unfair Commercial Practices, and a Broadening Concept of Health and Sensitive Data’ (14 November 2024) European Law Blog www.europeanlawblog.eu 5.
[35] BE cit. paras 45 and 48.
[36] Meta Platforms and Others cit. para. 57.
[37] Lindenapotheke cit. paras 67-68.
[38] Judgment of the District Court no. C/02/379795/KG ZA 20-652 of 3 February 2021, Leading Care Technologies BV and Lifewatcher BV v H.O.D.N. Avium Wearables, uitspraken.rechtspraak.nl para. 3.15.
[39] OT cit. para. 123 and Lindqvist cit. para. 50 both draw on the well-established case law of the European Court of Human Rights, which emphasizes the confidentiality of health data as a fundamental principle across the legal systems of all parties to the Convention (ECtHR Z v Finland App n. 22009/93 [2 December 1995] para. 95; ECtHR M.S. v Sweden App n. 20837/92 [27 August 1997] para. 41; ECtHR I v Finland App n. 20511/03 [17 July 2008] para. 38).
[40] EDPS, ‘Opinion of the European Data Protection Supervisor on the Proposal for a Directive of the European Parliament and of the Council on the Application of Patients’ Rights in Cross-Border Healthcare’, OJ 2009 C 128/03, para. 15: “health data normally includes medical data (e.g. doctor referrals and prescriptions, medical examination reports, laboratory tests, radiographs etc.), as well as administrative and financial data relating to health (e.g. documents concerning hospital admissions, social security number, medical appointments scheduling, invoices for healthcare service provision, etc.)”.
[41] WP29 2015, ‘Annex—Health Data in Apps and Devices’ (5 February 2015) which, among other things, points out that although the definition in the GDPR does not include “data from which no conclusions can be reasonably drawn about the status of a data subject” (e.g. data on the number of steps walked), even “[r]aw, relatively low privacy impact personal data can quickly change into health data when the dataset can be used to determine the health status of a person”.
[42] Lindenapotheke cit. paras 81-83.
[43] H Michael Holtz, ‘Breaches of the GDPR as an Unfair Commercial Practice and a New Assessment Standard for Inferred Special Category Personal Data: Lindenapotheke (C‑21/23)’ (4 November 2024) EU Law Live eulawlive.com.
[44] Meta Platforms and Others cit. para. 69.
[45] Case C-21/23 Lindenapotheke ECLI:EU:C:2024:354, opinion of AG Szpunar paras 45-46.
[46] Meta Platforms and Others cit. para. 89.
[47] P J van de Waerdt, ‘Meta v Bundeskartellamt: Something Old, Something New’ European Papers (European Forum Insight of 8 January 2024) www.europeanpapers.eu 1100.
[48] Applying this test, the AG concluded that the data in question does not qualify as health data for two main reasons. First, because such data allows only hypothetical or imprecise inferences about the health status of the person placing the order. Second, because categorizing this data as health data could, paradoxically, lead to the disclosure of more sensitive information: the requirement for explicit consent to process such data might ultimately prompt the buyer to reveal the identity of the product’s end user (paras 54-55).
[49] Lindenapotheke, opinion of AG Szpunar, cit. paras 46-49.
[50] In this respect, Pollicino believes that it is even possible to speak of a “European Personal Data Fortress” (O Pollicino, ‘Judges, Privacy and Data Protection from a Multilevel Protection Perspective’ (2022) Federalismi.it 820).
[51] Arts 24 ff. GDPR.
[52] Case C-77/21 Digi ECLI:EU:C:2022:248, opinion of AG Pikamäe, para. 46.
[53] Art. 50 Charter cit. and Protocol No. 7 to the Convention for the Protection of Human Rights and Fundamental Freedoms, art. 4, and Joined Cases C-204/00 P, C-205/00 P, C-211/00 P, C-213/00 P, C-217/00 P, C-219/00 P Aalborg Portland and Others v Commission ECLI:EU:C:2004:6 para. 338. On this principle, see, ex multis, C Amalfitano, Il Principio del ne bis in idem (Giappichelli 2017).
[54] Similar dissuasive effects were highlighted by AG Sánchez-Bordona concerning the possibility of obtaining compensation under art. 82 GDPR, irrespective of the existence of damage, but for the mere breach of the rules in question. He, indeed, stated that such a hypothesis “would, in all likelihood, encourage civil litigation, with proceedings that are perhaps not always justified, and, to that extent, could discourage data processing” (Case C-300/21 Österreichische Post AG ECLI:EU:C:2022:756, opinion of AG Sánchez-Bordona, para. 55).