The Violation of GDPR as Unfair Competition – Analysis of the European Court of Justice Ruling and its Relevance for Italian Law
Introduction
On October 4th, 2024, the Court of Justice of the European Union (Case C-21/23) ruled that violations of the General Data Protection Regulation (GDPR – Regulation EU 2016/679) may constitute an unfair commercial practice when they result in an unlawful competitive advantage. This interpretation allows competitors to pursue civil actions against GDPR violations that disrupt competitive dynamics.
The case originated in Germany, where a pharmacy challenged the online sale of medicines by a competitor, claiming that the sales were conducted in breach of GDPR requirements, as customers’ personal data, considered health-related data, were processed without the necessary explicit consent.
In this regard, the German Federal Court of Justice referred two preliminary questions to the Court of Justice of the European Union: (i) whether competitors can pursue GDPR violations as unfair commercial practices in civil proceedings, and (ii) whether information collected during the sale of medicines, such as customers’ names and addresses, constitutes health-related data even when the sale is not subject to a medical prescription.
Examination of the Preliminary Questions
On the first question, the Court stated that the GDPR does not prevent competitors from taking civil action against data protection violations, provided that such violations lead to an unfair commercial advantage. The Court acknowledged that a company not complying with GDPR requirements could gain a competitive advantage over competitors who do comply with these obligations. Therefore, if a business violates GDPR provisions and gains a competitive advantage, such conduct may be contested as unfair competition if the applicable national laws permit it. Consequently, affected competitors can take civil action to seek the cessation of the violations, as they represent not only an infringement of privacy rules but also of rules ensuring fair competition among businesses.
Regarding the second question, the Court ruled that information requested from customers when purchasing medicines should be considered health-related data under Article 9 of the GDPR, even when the medicines do not require a prescription. This is because such data can reveal potentially sensitive information about the buyers’ health conditions, thereby enhancing the protection provided by the GDPR in the context of online commerce. The Court also clarified that this classification applies even when the purchase is made on behalf of third parties; in such cases, although the purchaser does not directly provide the recipient’s data, the information collected may still make a person identifiable, such as when the medicines are delivered to a different address.
Relevance for Italian National Law
It is worth noting that the decision falls within a context where German law explicitly provides that a breach of legal provisions may constitute an act of unfair competition under certain conditions.
In contrast, Italian law does not have an equally explicit provision. In Italy, unfair competition is governed by Article 2598 of the Civil Code, which, in paragraph 3, penalizes conduct that is contrary to professional fairness and capable of harming a competitor’s business, serving as a general and abstract closing rule.
Italian case law has acknowledged that breaches of legal obligations can be considered as unfair competition under the above-mentioned provision when such violations result in an unjustified competitive advantage or affect market conditions. Specifically, Supreme Court decision no. 37659/2021 clarified that the breach of public law regulations can constitute unfair competition if it is accompanied by acts potentially harmful to competitors’ rights or if it produces an unjustified economic advantage that distorts fair competition.
It remains uncertain whether a GDPR violation of the kind submitted to the CJEU by the German court could indeed qualify as conduct contrary to professional fairness under Article 2598 of the Italian Civil Code. In particular, it is argued here that, since the GDPR is not a public law regulation in the strict sense (unlike tax laws, for example), the analysis should focus on the actual competitive advantage a company gains through the violation at the expense of competitors who comply with data protection regulations.
Conclusion
In this context, the European Court of Justice’s ruling sends a clear message to businesses, indicating that data protection is not only a matter of legal compliance but also of professional fairness and fair competition. The decision encourages market operators to seriously consider the implications of non-compliance with the GDPR, as it could expose them to challenges not only from regulatory authorities but also from affected competitors.