About half a year after GDPR came into force, European data protection authorities have issued the first fines, ranging from just under 5,000 Euros (Illegal video surveillance in a local business in Austria) to 400,000 Euros (Insufficient protection of digital patient files in a hospital in Portugal).
Cooperation with authorities as a mitigating factor
The first German GDPR fine is on the low end of that range, amounting to “only” 20,000 Euros. It was issued in November against an online chat platform that had stored user passwords without encryption – a fact that came to light when a data leak made public the access credentials of around 2 million user accounts. Seeing how many users were affected, the fine may seem quite low. Public statements from the authorities indeed suggest that this fine is the absolute minimum, and is explained by a number of mitigating factors. In particular, the concerned company had fully cooperated with authorities and made significant investments into improving their data security measures.
Private enforcement of GDPR rules
While Germany has not seen a wave of individual damage claims (contrary to the expectations of some commentators), the question remains highly disputed whether competitors and non-profit watchdog groups can take private action to enforce GDPR compliance. This question has become particularly relevant in view of online privacy statements, since any mistakes and omissions in these documents are easy to spot for an interested public. Cease and desist letters from watchdog groups are not limited to the “usual suspects” such as social networks and large e-commerce platforms, but may be sent to essentially any company with an online presence targeting Europe.
German law considers most regulatory violations to also constitute unfair competition, based on the idea that where compliance is expensive or complicated, non-compliance translates into unfair competitive advantages. As a result, German businesses do not only have to fear enforcement action from (sometimes slow or understaffed) regulators, but also cease and desist letters and injunctions from competitors and watchdog groups.
One highly controversial question is whether GDPR violations are among those instances of non-compliance that can trigger such private enforcement. This would be the case if the GDPR had to be considered a “market conduct rule”, but it is not clear whether they are: Since the GDPR takes precedence over national law, it can be argued that its provisions on sanctions are exhaustive, and therefore also exclude the private enforcement mechanisms otherwise resulting from German fair competition laws. However, German courts and lawmakers currently cannot seem to agree on a uniform interpretation…
Disagreement between the courts
In particular, the court stated that it assumed, in accordance with older case law interpreting the pre-GDPR privacy rules that the violated provisions were also violations of competition law and thus could be the basis of the applicant’s cease and desist letter. However, in the very succinctly worded decision, the court did not further explain how this result was reached specifically on the basis of the GDPR and its (possibly) exhaustive system of sanctions, which does not give competitors according enforcement rights.
In contrast, the Bochum Regional Court ruled that Articles 77 to 84 of the GDPR contain exhaustive provisions excluding the claims of competitors. The obvious consequence is that a cease and desist letters from competitors are not possible.
The court recognises that this question is particularly controversial and puts forward arguments to support its view, emphasizing the fact that the GDPR contains a detailed regulation of the group of persons entitled to make claims: Aside from the concerned data subjects themselves, this right is granted only to certain non-profit institutions, organisations and associations, subject to further conditions. As a result, the court is of the opinion that the European Union legislator did not want to allow an extension of any standing to sue to competitors of non-compliant data controllers.
Enter the Higher Regional Court of Hamburg, which in a recent decision puts forward a middle ground opinion in some detail. According to the judges, GDPR violations may be subject to competitor cease & desist letters, but all depends on the precise nature of the violation. After a detailed analysis of the wording, the court comes to the conclusion that the sanctions of Art. 77 et sqq. GDPR are not exhaustive. However, it is still important whether the standard under consideration actually regulates market conduct, and this according to the court cannot be assumed across the board for all GDPR provisions. However, in the specific case, which concerned the design of order forms for pharmaceuticals and the related processing of patient data, the Higher Regional Court on appeal dismissed the competitor’s action because it saw no violation of a market conduct rule.
“Abusive cease & desist letters” and the solution of the legislator
The courts, therefore, have not added much clarity. Even if they adhere to the Higher Regional Court decision from Hamburg, businesses and lawyers are stuck with the case-by-case determination of which GDPR rules regulate market conduct and which do not.
Normally, one would now be waiting anxiously for clarification from the Federal Court of Justice, and ultimately the CJEU. A resolution of the dispute, however, may come from another direction, namely by intervention of the legislator. The German government coalition is currently discussing a draft legislation from the Federal Ministry of Justice, dubbed an act to “strengthen fair competition”, which basically wants to curb abusive cease & desist practices and could also specify additional requirements for such warning letters in the domain of the GDPR. However, there is still disagreement in the cabinet on this point in particular.
What this means
Currently, it cannot be ruled out that competitors may issue cease & desist letters for common GDPR violations such as insufficient privacy statements. Businesses with European customers who have not yet adapted their information documents to GDPR requirements would therefore be well advised to do so quickly. Even though in future there may no longer be any legal danger from competitors, it should not be forgotten that data protection authorities can and will also fine companies for data protection violations.