Case C-21/23 Lindenapotheke – Opponents can implement GDPR-based unfair business practices, and a broadening idea of well being and delicate knowledge – Tech Cyber Internet

Case 21/23 Lindenapotheke builds on an in depth catalogue of information safety case regulation, ceaselessly citing prior rulings in Case C-319/20 Meta Platforms Eire (‘Meta’), Case C-252/21 Bundeskartellamt (‘Bundeskartellamt’) and Case C-184/20 OT v Vyriausioji tarnybinės etikos komisija (‘OT’). Within the absence of main deviations from these instances, its significance as a Grand Chamber choice largely stems from the implications that the mixture of this present case-law will carry to the ideas of well being and delicate knowledge, and to potential GDPR-based actions by rivals. After this introduction, this blogpost will discover how the Courtroom dominated to permit actions by rivals and to broaden the idea of delicate well being knowledge, earlier than analyzing the potential dangers this interpretation has to constant enforcement of the GDPR and of overexpansion of the idea of delicate knowledge.

Info – Lindenapotheke promoting drugs through Amazon

The Lindenapotheke case borrows its title from a German pharmacy. As a part of its business choices, Lindenapotheke had been promoting merchandise on Amazon Market. These merchandise include drugs which below German regulation can solely be offered by pharmacies, however don’t require a prescription. DR, the operator of a competing pharmacy, alleged that such gross sales represent an unfair business observe, prohibited below German regulation, thus bringing an motion to stop this advertising towards the operator of Lindenapotheke earlier than a German regional court docket. As argued by DR earlier than the regional court docket and the upper regional court docket in appeals, the unfair nature of the advertising by Lindenapotheke lay within the absence of legitimate consent by the purchasers for the processing of their well being knowledge.

Because the argument by DR was based mostly on an infringement of information safety regulation, the appeals court docket based mostly its evaluation of the unfair nature on the related provisions in Regulation 2016/679 (‘GDPR’). In Article 9(1), the GDPR units out a prohibition for the processing of sure particular classes of non-public knowledge (additionally described as delicate knowledge), together with well being knowledge. Article 9(2) GDPR incorporates a set of exceptions to this prohibition, which embrace specific consent (Article 9(2)(a) GDPR). The upper regional court docket discovered that Lindenapotheke was processing well being knowledge, that it couldn’t depend on specific consent as an exception, and that this constitutes an unfair business observe. A remaining attraction earlier than the German Federal Courtroom result in two preliminary questions earlier than the Courtroom of Justice.

Query 1 – Standing for a competitor based mostly on a GDPR infringement?

The primary query posed to the Courtroom primarily considerations the exhaustive nature of the cures offered within the GDPR, and their relationship with Member State regulation. In comparison with the Directive 95/46/EC it changed, the GDPR introduces a variety of harmonised enforcement choices in Chapter VIII. These embrace prospects for administrative sanctions by knowledge safety authorities, prison penalties by nationwide courts and a variety of cures accessible to knowledge topics. The latter embrace potential actions towards knowledge safety authorities, but in addition allow knowledge topics to carry a civil case earlier than nationwide courts to hunt cures (Article 79 GDPR). Because the competitor of Lindenapotheke is clearly not an information topic, it couldn’t depend on the cures below Chapter VIII of the GDPR. Thus, DR introduced an motion based mostly on unfair business practices. The Courtroom was requested to make clear whether or not, within the absence of cures offered to them within the GDPR, rivals may depend on a breach of its substantive provisions within the context of a nationwide process on unfair business practices.

Some arguments could possibly be made for such a preclusion of standing for rivals. The GDPR undoubtedly focuses on harmonised enforcement, exemplified by the selection for a regulation as an instrument, the said purpose of harmonisation, and the big selection of provisions on cures (Recital 9 and 13 GDPR, para. 57). Including to this, not one of the a number of provisions in Chapter VIII of the GDPR containing opening clauses, explicitly enabling Member States to complement or derogate sure provisions, enable for measures enabling standing for rivals (para. 57).

Regardless of this, the Courtroom dominated that Chapter VIII GDPR doesn’t preclude the motion towards Lindenapotheke. It did so by counting on the premise that the cures offered by Chapter VIII GDPR are non-exhaustive, and on the rationale that permitting rivals standing wouldn’t undermine however as a substitute strengthen the targets of the GDPR.

Supporting the non-exhaustive nature of cures, the Courtroom makes use of a teleological strategy with three principal arguments. First, there is no such thing as a wording expressly ruling out a chance for rivals to carry actions (para. 53). Second, the context of the GDPR, the place cures can be found for knowledge topics because the beneficiaries of information safety, explains the absence of provisions referring to rivals (para. 54). Third, the Courtroom beforehand held that GDPR infringements can even have an effect on third events, confirming that they ‘might on the identical time give rise to an infringement of guidelines on shopper safety or unfair business practices’ (para. 55; referring to Meta para 78) and ‘could also be a significant clue for the needs of assessing the existence of an abuse of a dominant place’ (para. 55; referring to Bundeskartellamt para. 47 and 62). That is additional supported by highlighting the intrinsic hyperlinks between knowledge safety, the digital economic system and competitors (para. 56).

Contemplating whether or not permitting actions by rivals would undermine the system of cures within the GDPR, the Courtroom remembers that competitors isn’t in itself a purpose of the GDPR (para. 65). Nonetheless, when such actions are allowed, they may complement present cures (para. 66) whereas additional strengthening compliance by way of further enforcement (para. 69-70). This aids the purpose of a excessive degree of information safety set out by Article 8 of the Constitution (para. 71). Issues over potential divergences between Member States are refuted because the substantive provisions of the GDPR stay absolutely constant, with doubt or divergence between knowledge safety authorities and completely different Member State courts addressed by the likelihood for preliminary rulings (para. 67).

Query 2 – Do all drugs orders include well being knowledge?

The second query pertains as to whether the information processed by Lindenapotheke ought to be thought of as well being knowledge, and thus delicate knowledge below the certified prohibition in Article 9 GDPR.

From the definition of non-public and well being knowledge in Article 4(1) and 4(15) GDPR, the Courtroom finds that well being knowledge ought to be understood as all private knowledge that permits ‘conclusions to be drawn as to the well being standing of an recognized or identifiable particular person’ (para. 76-78), with all well being knowledge coated below the certified prohibition in Article 9(1) GDPR (para. 80). The place Lindenapotheke processes an order, it’s clear that they course of private knowledge (para. 79). The Courtroom was thus left to evaluate whether or not ordering drugs permits for conclusions to be drawn to a person’s well being standing, and if sure, whether or not these conclusions relate to an recognized or identifiable particular person.

To evaluate the potential for inference of well being knowledge, the Courtroom relied on its prior judgment in OT, the place it dominated that for knowledge to be delicate, ‘it’s ample that they’re able to revealing details about the well being standing of the information topic by way of an mental operation involving collation or deduction’ (para. 83; the wording on this definition barely differs and clarifies what was beforehand held in OT para. 123). For Lindenapotheke, knowledge on orders qualifies as well being knowledge the place ‘that order entails establishing a hyperlink between a medicinal product, its therapeutic indications or makes use of, and a pure particular person recognized or identifiable’ (para. 84; personal emphasis). The Courtroom confirms this to be the case, solely providing additional clarification by holding that distinguishing between prescription-only and pharmacy-only drugs wouldn’t be in line with a excessive degree of information safety (para. 89).

On the hyperlink between that knowledge and pure individuals, the Courtroom goes into extra element. The referring court docket raised the query as as to whether this hyperlink exists for drugs with out prescriptions, and thus with out an specific hyperlink between a pure particular person and the medication (para. 85). But once more taking a strict strategy, the Courtroom discovered that when ordering, the ‘sure diploma of chance’ that drugs is meant for the shopper suffices for that knowledge to qualify as well being knowledge (para. 90). Moreover, it reiterated its holding in Bundeskartellamt that delicate knowledge needn’t relate to customers of a platform for the certified prohibition below Article 9 GDPR to use (para. 86; referring to Bundeskartellamt para. 68). The place these drugs should not for the shopper however for a 3rd get together, the potential for identification by way of inference of addresses or members of the family is deemed ample to be well being knowledge for an identifiable particular person, thus coated below the certified prohibition (para. 91).

Because the Courtroom finds that the order knowledge processed by Lindenapotheke permits for conclusions to be drawn on the well being of both the particular person recognized within the order, or third events that are identifiable, it considers that Lindenapotheke processes well being knowledge coated below the certified prohibition in Article 9 GDPR (para. 94). Barely nuancing the influence that this may need on the processing by Lindenapotheke, the Courtroom makes use of obiter dicta to focus on that there are exceptions in Article 9(2) GDPR which could apply, reminiscent of when customers give specific consent or the place such processing is critical for the availability of healthcare (para. 92-93).

Opponents as one other wrench within the GDPR procedural gears?

Whereas the reply given by the Courtroom to the primary preliminary query on actions by rivals is consistent with its prior case regulation, the implications have the potential to be extra disruptive, by including to the prevailing procedural complexity dealing with GDPR enforcement.

To clarify why, it is very important observe the several types of GDPR enforcement. The GDPR is enforced administratively, by way of judicial procedures, and utilizing prison penalties below Member State regulation. In Meta, the Courtroom interpreted a gap clause to permit shopper safety authorities to provoke judicial proceedings based mostly on GDPR infringements. In Bundeskartellamt, the Courtroom expanded administrative enforcement to competitors authorities. The influence of each rulings on enforcement complexity stays restricted. The interpretation in Meta remained much like present prospects throughout the GDPR that enable organizations to behave on behalf of information topics (Article 80 GDPR). In Bundeskartellamt, the Courtroom couldn’t depend on a gap clause within the GDPR however took due account of enforcement complexity. It prescribed cooperation necessities together with deference to knowledge safety authorities on GDPR issues, which makes inconsistencies between competitors and knowledge safety authorities extremely unlikely (Bundeskartellamt para. 52-59, see additionally Hriscu).

The ruling in Lindenapotheke introduces better potential dangers of interference between administrative and judicial enforcement. Whereas the GDPR foresees cooperation between knowledge safety authorities, courts that are requested to rule on GDPR infringement can solely depend on prolonged procedures earlier than the Courtroom of Justice for a constant interpretation. Thus, earlier than reaching the Courtroom of Justice, parallel procedures earlier than a number of Member State courts and cooperating knowledge safety authorities may result in divergent choices on the identical knowledge processing actions. This and different dangers of inconsistency in GDPR enforcement has been warned towards by academia (see Hofmann and Gentile and Lynskey) and the EU legislature, which is debating additional harmonization of enforcement. The size and difficulties related to judicial proceedings below Article 79-82 GDPR have been evident the place knowledge topics have pursued one of these enforcement, with a variety of preliminary rulings on this matter (e.g. Case C-667/21 Krankenversicherung Nordrhein and Case C-456/22 Gemeinde Ummendorf). Consequently, most knowledge topics have as a substitute strongly most well-liked administrative enforcement by way of complaints (p.5), with this technique of enforcement inherently much less susceptible to inconsistencies because of the cooperation and consistency mechanisms within the GDPR. The identical won’t be true for rivals below the mechanism in Lindenapotheke.

Opposite to knowledge topics and their representatives, rivals will solely be capable to allege GDPR infringements earlier than Member State courts within the context of unfair business practices, as they continue to be unable to file complaints earlier than knowledge safety authorities. Mixed with the completely different targets pursued by them, and the comparably monumental implies that corporations are capable of spend on procedures, it could be potential to see a wave of recent judicial procedures following Lindenapotheke. If this materializes, there will likely be extra potential for inconsistency between courts and administrative enforcement. Whereas preliminary rulings by the Courtroom will all the time lead to a prevailing interpretation and consistency (see para. 67), the potential for chaos within the interim years between a primary choice and a remaining interpretation has sufficient potential for disarray in a fast-moving digital world. The Courtroom does for my part not adequately deal with this problem, which dangers undermining the harmonized guidelines within the GDPR and at the moment pursued by the legislature and creates further divergences between Member States. 

One other step in the direction of the sensitivity of all private knowledge?

In answering the second query on the scope of delicate well being knowledge, the Courtroom continues the trail chosen with its rulings in OT and Bundeskartellamt. The broad definition distilled from each judgments was saved intact. Delicate knowledge is thus i) all private knowledge that reveals delicate attributes of an recognized or identifiable pure particular person, ii) both instantly or not directly by way of an mental operation involving deduction or cross-referencing, and iii) whatever the intent of the controller and the correctness of the inference (see para. 82-87; OT para. 123; Bundeskartellamt para. 68-70). As recognized by Advocate Normal Szpunar in his Opinion (‘AG’), this left open the query of how sure the hyperlink between the delicate attribute and the underlying knowledge ought to be. In keeping with the Advocate Normal, there ought to be ‘a sure diploma of certainty’, as the place the existence of a mere hyperlink suffices, the idea of delicate knowledge could be overexpanded (AG para. 40-49; related considerations are shared by Solove). Opining particularly on the processing by Lindenapotheke, the Advocate Normal discovered that hyperlink to be too hypothetical, imprecise and tenuous (AG para. 43).

The Courtroom disagreed. Its first counterargument is cheap, as for instance orders positioned for a member of the family and delivered at their deal with can be utilized to determine these individuals (examine para. 91 with AG para. 52). The place the Courtroom does paint with too broad of a brush is in establishing a hyperlink between drugs and well being knowledge. Recall para. 84, the place the Courtroom regards ‘a hyperlink between a medicinal product, its therapeutic indications or makes use of and a pure particular person’ sufficient for knowledge to be thought of delicate, and para. 89, the place it refuses to differentiate between medicinal merchandise whatever the want for a prescription. This negates that some pharmacy-only drugs could be ordered merely preventative or give no indication to the well being standing in any respect, reminiscent of paracetamol (AG para. 51). By foregoing specificity in its distinction between classes of drugs, and by as a substitute opting to make use of generic wording reminiscent of ‘a hyperlink’, the Courtroom dangers overexpanding delicate knowledge when utilized to different delicate attributes.

To stop overexpansion, the Courtroom may deviate from Lindenapotheke at a later stage to outline an ordinary of certainty for different delicate attributes, as proposed by the Advocate Normal. If it doesn’t, the idea of delicate knowledge will see important enlargement. Because the Advocate Normal appropriately warned, ordering a e-book by a politician entails an unsure relation with a political opinion (para. 46). Now think about a grocery store storing receipts of purchasers, with some receipts containing solely purchases of halal or kosher meals or an elevated buy of eggs earlier than easter. With sufficient time or a proficient AI system performing an ‘mental operation’, unsure hyperlinks could possibly be drawn between the shopper and their spiritual beliefs. With out additional clarification by the Courtroom, it should stay unsure how a lot element is required to ascertain a hyperlink, and in what contexts such knowledge ought to be thought of delicate. Thus, making use of the usual in Lindenapotheke to different knowledge linked to delicate attributes won’t be one of the best ways ahead, until the Courtroom considers that the excessive inference dangers posed by massive datasets and AI ought to result in most private knowledge being afforded the extra safety below Article 9 GDPR.

Conclusion

In conclusion, the Courtroom in Lindenapotheke provides a brand new layer to 2 ongoing evolutions in knowledge safety regulation. First, after permitting competitors authorities to take GDPR infringements under consideration in Bundeskartellamt and permitting shopper safety associations standing in Meta, the Courtroom now permits rivals to allege unfair business practices based mostly on GDPR infringements. Second, after concluding that non-public knowledge that could possibly be used to deduce delicate attributes fall throughout the scope of Article 9 GDPR in OT, the Courtroom went on to rule that ‘a hyperlink’ between drugs orders, their use and an recognized or identifiable particular person suffices for that knowledge to be thought of as well being knowledge. The implications of this judgment thus add to a fancy internet of procedures in GDPR enforcement and may result in a rise of information thought of as delicate.

Michaël Van den Poel is a Analysis Engineer on the EDHEC Augmented Legislation Institute, the place he works on the Interdisciplinary Challenge on Privateness (IPoP). He’s pursuing a PhD on the Legislation, Science, Know-how and Society Analysis Group at VUB, the place he’s an government workforce member on the Brussels Privateness Hub.