
Case C-21/23 Lindenapotheke – Competitors can enforce GDPR-based unfair commercial practices, and a broadening concept of health and sensitive data

This post discusses Case C-21/23 and analyses the potential risks that the Court's interpretation poses to consistent enforcement of the GDPR and to potential overexpansion of the concept of sensitive data.

Published on Nov 14, 2024

Case C-21/23 Lindenapotheke builds on an extensive catalogue of data protection case law, frequently citing prior rulings in Case C-319/20 Meta Platforms Ireland (‘Meta’), Case C-252/21 Bundeskartellamt (‘Bundeskartellamt’) and Case C-184/20 OT v Vyriausioji tarnybinės etikos komisija (‘OT’). In the absence of major deviations from these cases, its importance as a Grand Chamber decision largely stems from the implications that the combination of this existing case law will have for the concepts of health and sensitive data, and for possible GDPR-based actions by competitors. After this introduction, this blogpost will explore how the Court ruled to allow actions by competitors and to expand the concept of sensitive health data, before analyzing the potential risks this interpretation poses to consistent enforcement of the GDPR and the risk of overexpanding the concept of sensitive data.

Facts – Lindenapotheke selling medicine via Amazon

The Lindenapotheke case borrows its name from a German pharmacy. As part of its commercial offerings, Lindenapotheke had been selling products on Amazon Marketplace. These products contain medicine which under German law can only be sold by pharmacies, but do not require a prescription. DR, the operator of a competing pharmacy, alleged that such sales constitute an unfair commercial practice, prohibited under German law, thus bringing an action to cease this marketing against the operator of Lindenapotheke before a German regional court. As argued by DR before the regional court and the higher regional court in appeals, the unfair nature of the marketing by Lindenapotheke lay in the absence of valid consent by the customers for the processing of their health data.

As the argument by DR was based on an infringement of data protection law, the appeals court based its analysis of the unfair nature on the relevant provisions in Regulation 2016/679 (‘GDPR’). In Article 9(1), the GDPR sets out a prohibition on the processing of certain special categories of personal data (also described as sensitive data), including health data. Article 9(2) GDPR contains a set of exceptions to this prohibition, which include explicit consent (Article 9(2)(a) GDPR). The higher regional court found that Lindenapotheke was processing health data, that it could not rely on explicit consent as an exception, and that this constitutes an unfair commercial practice. A final appeal before the German Federal Court led to two preliminary questions before the Court of Justice.

Question 1 – Standing for a competitor based on a GDPR infringement?

The first question posed to the Court essentially concerns the exhaustive nature of the remedies provided in the GDPR, and their relationship with Member State law. Compared to the Directive 95/46/EC it replaced, the GDPR introduces a range of harmonised enforcement options in Chapter VIII. These include possibilities for administrative sanctions by data protection authorities, criminal penalties by national courts and a range of remedies available to data subjects. The latter include possible actions against data protection authorities, but also enable data subjects to bring a civil case before national courts to seek remedies (Article 79 GDPR). As the competitor of Lindenapotheke is clearly not a data subject, it could not rely on the remedies under Chapter VIII of the GDPR. Thus, DR brought an action based on unfair commercial practices. The Court was asked to clarify whether, in the absence of remedies provided to them in the GDPR, competitors could rely on a breach of its substantive provisions in the context of a national procedure on unfair commercial practices.

Some arguments could be made for such a preclusion of standing for competitors. The GDPR undoubtedly focuses on harmonised enforcement, exemplified by the choice for a regulation as an instrument, the stated goal of harmonisation, and the wide range of provisions on remedies (Recital 9 and 13 GDPR, para. 57). Adding to this, none of the several provisions in Chapter VIII of the GDPR containing opening clauses, explicitly enabling Member States to supplement or derogate certain provisions, allow for measures enabling standing for competitors (para. 57).

Despite this, the Court ruled that Chapter VIII GDPR does not preclude the action against Lindenapotheke. It did so by relying on the premise that the remedies provided by Chapter VIII GDPR are non-exhaustive, and on the rationale that allowing competitors standing would not undermine but instead strengthen the objectives of the GDPR.

Supporting the non-exhaustive nature of remedies, the Court uses a teleological approach with three main arguments. First, there is no wording expressly ruling out a possibility for competitors to bring actions (para. 53). Second, the context of the GDPR, where remedies are available for data subjects as the beneficiaries of data protection, explains the absence of provisions referring to competitors (para. 54). Third, the Court previously held that GDPR infringements can also affect third parties, confirming that they ‘may at the same time give rise to an infringement of rules on consumer protection or unfair commercial practices’ (para. 55; referring to Meta para 78) and ‘may be a vital clue for the purposes of assessing the existence of an abuse of a dominant position’ (para. 55; referring to Bundeskartellamt para. 47 and 62). This is further supported by highlighting the intrinsic links between data protection, the digital economy and competition (para. 56).

Considering whether allowing actions by competitors would undermine the system of remedies in the GDPR, the Court recalls that competition is not in itself a goal of the GDPR (para. 65). However, when such actions are allowed, they will supplement existing remedies (para. 66) while further strengthening compliance through additional enforcement (para. 69-70). This aids the goal of a high level of data protection set out by Article 8 of the Charter (para. 71). Concerns over potential divergences between Member States are refuted as the substantive provisions of the GDPR remain fully consistent, with doubt or divergence between data protection authorities and different Member State courts addressed by the possibility for preliminary rulings (para. 67).

Question 2 – Do all medicine orders contain health data?

The second question pertains to whether the data processed by Lindenapotheke should be considered as health data, and thus sensitive data under the qualified prohibition in Article 9 GDPR.

From the definition of personal and health data in Article 4(1) and 4(15) GDPR, the Court finds that health data should be understood as all personal data that allows ‘conclusions to be drawn as to the health status of an identified or identifiable person’ (para. 76-78), with all health data covered under the qualified prohibition in Article 9(1) GDPR (para. 80). Where Lindenapotheke processes an order, it is clear that they process personal data (para. 79). The Court was thus left to assess whether ordering medicine allows for conclusions to be drawn to an individual’s health status, and if yes, whether these conclusions relate to an identified or identifiable person.

To assess the possibility of inference of health data, the Court relied on its prior judgment in OT, where it ruled that for data to be sensitive, ‘it is sufficient that they are capable of revealing information about the health status of the data subject by means of an intellectual operation involving collation or deduction’ (para. 83; the wording in this definition slightly differs and clarifies what was previously held in OT para. 123). For Lindenapotheke, data on orders qualifies as health data where ‘that order entails establishing a link between a medicinal product, its therapeutic indications or uses, and a natural person identified or identifiable’ (para. 84; own emphasis). The Court confirms this to be the case, only offering further clarification by holding that distinguishing between prescription-only and pharmacy-only medicine would not be consistent with a high level of data protection (para. 89).

On the link between that data and natural persons, the Court goes into more detail. The referring court raised the question as to whether this link exists for medicine without prescriptions, and thus without an explicit link between a natural person and the medicine (para. 85). Yet again taking a strict approach, the Court found that when ordering, the ‘certain degree of probability’ that medicine is intended for the customer suffices for that data to qualify as health data (para. 90). Furthermore, it reiterated its holding in Bundeskartellamt that sensitive data need not relate to users of a platform for the qualified prohibition under Article 9 GDPR to apply (para. 86; referring to Bundeskartellamt para. 68). Where the medicine is not for the customer but for a third party, the possibility of identification through inference of addresses or family members is deemed sufficient for the data to be health data of an identifiable person, thus covered under the qualified prohibition (para. 91).

As the Court finds that the order data processed by Lindenapotheke allows for conclusions to be drawn on the health of either the person identified in the order, or third parties which are identifiable, it considers that Lindenapotheke processes health data covered under the qualified prohibition in Article 9 GDPR (para. 94). Slightly nuancing the impact that this might have on the processing by Lindenapotheke, the Court uses obiter dicta to highlight that there are exceptions in Article 9(2) GDPR which might apply, such as when users give explicit consent or where such processing is necessary for the provision of healthcare (para. 92-93).

Competitors as another wrench in the GDPR procedural gears?

While the answer given by the Court to the first preliminary question on actions by competitors is in line with its prior case law, the implications have the potential to be more disruptive, by adding to the existing procedural complexity facing GDPR enforcement.

To explain why, it is important to note the different types of GDPR enforcement. The GDPR is enforced administratively, through judicial procedures, and using criminal penalties under Member State law. In Meta, the Court interpreted an opening clause to allow consumer protection authorities to initiate judicial proceedings based on GDPR infringements. In Bundeskartellamt, the Court expanded administrative enforcement to competition authorities. The impact of both rulings on enforcement complexity remains limited. The interpretation in Meta remained similar to existing possibilities within the GDPR that allow organizations to act on behalf of data subjects (Article 80 GDPR). In Bundeskartellamt, the Court could not rely on an opening clause in the GDPR but took due account of enforcement complexity. It prescribed cooperation requirements including deference to data protection authorities on GDPR matters, which makes inconsistencies between competition and data protection authorities highly unlikely (Bundeskartellamt para. 52-59, see also Hriscu).

The ruling in Lindenapotheke introduces greater potential risks of interference between administrative and judicial enforcement. While the GDPR foresees cooperation between data protection authorities, courts which are asked to rule on GDPR infringements can only rely on lengthy procedures before the Court of Justice for a consistent interpretation. Thus, before reaching the Court of Justice, parallel procedures before multiple Member State courts and cooperating data protection authorities could lead to divergent decisions on the same data processing activities. This and other risks of inconsistency in GDPR enforcement have been warned against by academia (see Hofmann and Gentile and Lynskey) and the EU legislature, which is debating further harmonization of enforcement. The length and difficulties associated with judicial proceedings under Articles 79-82 GDPR have been evident where data subjects have pursued this type of enforcement, with a wide range of preliminary rulings on this topic (e.g. Case C-667/21 Krankenversicherung Nordrhein and Case C-456/22 Gemeinde Ummendorf). As a result, most data subjects have instead strongly preferred administrative enforcement through complaints (p.5), with this method of enforcement inherently less prone to inconsistencies due to the cooperation and consistency mechanisms in the GDPR. The same will not be true for competitors under the mechanism in Lindenapotheke.

Contrary to data subjects and their representatives, competitors will only be able to allege GDPR infringements before Member State courts in the context of unfair commercial practices, as they remain unable to file complaints before data protection authorities. Combined with the different goals pursued by them, and the comparably enormous means that companies are able to spend on procedures, it would be possible to see a wave of new judicial procedures following Lindenapotheke. If this materializes, there will be more potential for inconsistency between courts and administrative enforcement. Whereas preliminary rulings by the Court will always result in a prevailing interpretation and consistency (see para. 67), the interim years between a first decision and a final interpretation leave ample room for disarray in a fast-moving digital world. The Court does not, in my view, adequately address this issue, which risks undermining the harmonized rules laid down in the GDPR and currently pursued by the legislature, and creating additional divergences between Member States.

Another step towards the sensitivity of all personal data?

In answering the second question on the scope of sensitive health data, the Court continues the path chosen with its rulings in OT and Bundeskartellamt. The broad definition distilled from both judgments was kept intact. Sensitive data is thus i) all personal data that reveals sensitive attributes of an identified or identifiable natural person, ii) either directly or indirectly through an intellectual operation involving deduction or cross-referencing, and iii) regardless of the intent of the controller and the correctness of the inference (see para. 82-87; OT para. 123; Bundeskartellamt para. 68-70). As identified by Advocate General Szpunar in his Opinion (‘AG’), this left open the question of how certain the link between the sensitive attribute and the underlying data should be. According to the Advocate General, there should be ‘a certain degree of certainty’, as where the existence of a mere link suffices, the concept of sensitive data would be overexpanded (AG para. 40-49; similar concerns are shared by Solove). Opining specifically on the processing by Lindenapotheke, the Advocate General found that link to be too hypothetical, imprecise and tenuous (AG para. 43).

The Court disagreed. Its first counterargument is reasonable, as for example orders placed for a family member and delivered at their address can be used to identify those persons (compare para. 91 with AG para. 52). Where the Court does paint with too broad a brush is in establishing a link between medicine and health data. Recall para. 84, where the Court regards ‘a link between a medicinal product, its therapeutic indications or uses and a natural person’ as enough for data to be considered sensitive, and para. 89, where it refuses to distinguish between medicinal products regardless of the need for a prescription. This ignores the fact that some pharmacy-only medicine can be ordered merely preventatively or give no indication of health status at all, such as paracetamol (AG para. 51). By foregoing specificity in its distinction between categories of medicine, and by instead opting to use generic wording such as ‘a link’, the Court risks overexpanding sensitive data when applied to other sensitive attributes.

To prevent overexpansion, the Court might deviate from Lindenapotheke at a later stage to define a standard of certainty for other sensitive attributes, as proposed by the Advocate General. If it does not, the concept of sensitive data will see significant expansion. As the Advocate General correctly warned, ordering a book by a politician entails an uncertain relation with a political opinion (para. 46). Now imagine a supermarket storing receipts of clients, with some receipts containing only purchases of halal or kosher food or an increased purchase of eggs before Easter. With enough time or a proficient AI system performing an ‘intellectual operation’, uncertain links could be drawn between the customer and their religious beliefs. Without further clarification by the Court, it will remain uncertain how much detail is required to establish a link, and in what contexts such data should be considered sensitive. Thus, applying the standard in Lindenapotheke to other data linked to sensitive attributes might not be the best way forward, unless the Court considers that the high inference risks posed by large datasets and AI should lead to most personal data being afforded the additional protection under Article 9 GDPR.

Conclusion

In conclusion, the Court in Lindenapotheke adds a new layer to two ongoing evolutions in data protection law. First, after allowing competition authorities to take GDPR infringements into account in Bundeskartellamt and allowing consumer protection associations standing in Meta, the Court now allows competitors to allege unfair commercial practices based on GDPR infringements. Second, after concluding that personal data that could be used to infer sensitive attributes fall within the scope of Article 9 GDPR in OT, the Court went on to rule that ‘a link’ between medicine orders, their use and an identified or identifiable person suffices for that data to be considered as health data. The implications of this judgment thus add to a complex web of procedures in GDPR enforcement and can lead to an increase of data considered as sensitive.


Michaël Van den Poel is a Research Engineer at the EDHEC Augmented Law Institute, where he works on the Interdisciplinary Project on Privacy (IPoP). He is pursuing a PhD at the Law, Science, Technology and Society Research Group at VUB, where he is an executive team member at the Brussels Privacy Hub.
