Case 21/23 Lindenapotheke builds on an extensive catalogue of data protection case law, continuously citing prior rulings in Case C-319/20 Meta Platforms Ireland (‘Meta’), Case C-252/21 Bundeskartellamt (‘Bundeskartellamt’) and Case C-184/20 OT v Vyriausioji tarnybinės etikos komisija (‘OT’). In the absence of major deviations from these cases, its importance as a Grand Chamber decision mostly stems from the implications that the combination of this existing case-law will bring to the concepts of health and sensitive data, and to possible GDPR-based actions by competitors. After this introduction, this blogpost will explore how the Court ruled to allow actions by competitors and to expand the concept of sensitive health data, before analyzing the potential risks this interpretation poses to consistent enforcement of the GDPR and of overexpansion of the concept of sensitive data.
Facts – Lindenapotheke selling medicine via Amazon
The Lindenapotheke case borrows its name from a German pharmacy. As part of its commercial offerings, Lindenapotheke had been selling products on Amazon Marketplace. These products consist of medicines which under German law can only be sold by pharmacies, but do not require a prescription. DR, the operator of a competing pharmacy, alleged that such sales constitute an unfair commercial practice, prohibited under German law, and brought an action to cease this marketing against the operator of Lindenapotheke before a German regional court. As argued by DR before the regional court and the higher regional court on appeal, the unfair nature of the marketing by Lindenapotheke lay in the absence of valid consent by the customers for the processing of their health data.
As the argument by DR was based on an infringement of data protection law, the appeals court based its assessment of the unfair nature on the relevant provisions in Regulation 2016/679 (‘GDPR’). In Article 9(1), the GDPR sets out a prohibition on the processing of certain special categories of personal data (also described as sensitive data), including health data. Article 9(2) GDPR contains a set of exceptions to this prohibition, which include explicit consent (Article 9(2)(a) GDPR). The higher regional court found that Lindenapotheke was processing health data, that it could not rely on explicit consent as an exception, and that this constitutes an unfair commercial practice. A final appeal before the German Federal Court led to two preliminary questions before the Court of Justice.
Question 1 – Standing for a competitor based on a GDPR infringement?
The first question posed to the Court essentially concerns the exhaustive nature of the remedies provided in the GDPR, and their relationship with Member State law. Compared to the Directive 95/46/EC it replaced, the GDPR introduces a range of harmonised enforcement options in Chapter VIII. These include possibilities for administrative sanctions by data protection authorities, criminal penalties by national courts and a range of remedies available to data subjects. The latter include possible actions against data protection authorities, but also enable data subjects to bring a civil case before national courts to seek remedies (Article 79 GDPR). As the competitor of Lindenapotheke is clearly not a data subject, it could not rely on the remedies under Chapter VIII of the GDPR. Thus, DR brought an action based on unfair commercial practices. The Court was asked to clarify whether, in the absence of remedies provided to them in the GDPR, competitors could rely on a breach of its substantive provisions in the context of a national procedure on unfair commercial practices.
Some arguments could be made for such a preclusion of standing for competitors. The GDPR undoubtedly focuses on harmonised enforcement, exemplified by the choice of a regulation as an instrument, the stated aim of harmonisation, and the wide range of provisions on remedies (Recital 9 and 13 GDPR, para. 57). Adding to this, none of the several provisions in Chapter VIII of the GDPR containing opening clauses, explicitly enabling Member States to supplement or derogate from certain provisions, allow for measures enabling standing for competitors (para. 57).
Despite this, the Court ruled that Chapter VIII GDPR does not preclude the action against Lindenapotheke. It did so by relying on the premise that the remedies provided by Chapter VIII GDPR are non-exhaustive, and on the rationale that allowing competitors standing would not undermine but instead strengthen the objectives of the GDPR.
Supporting the non-exhaustive nature of remedies, the Court uses a teleological approach with three main arguments. First, there is no wording expressly ruling out a possibility for competitors to bring actions (para. 53). Second, the context of the GDPR, where remedies are available for data subjects as the beneficiaries of data protection, explains the absence of provisions relating to competitors (para. 54). Third, the Court previously held that GDPR infringements can also affect third parties, confirming that they ‘may at the same time give rise to an infringement of rules on consumer protection or unfair commercial practices’ (para. 55; referring to Meta para 78) and ‘may be a vital clue for the purposes of assessing the existence of an abuse of a dominant position’ (para. 55; referring to Bundeskartellamt para. 47 and 62). This is further supported by highlighting the intrinsic links between data protection, the digital economy and competition (para. 56).
Considering whether allowing actions by competitors would undermine the system of remedies in the GDPR, the Court recalls that competition is not in itself an aim of the GDPR (para. 65). Nevertheless, when such actions are allowed, they may complement existing remedies (para. 66) while further strengthening compliance through additional enforcement (para. 69-70). This aids the aim of a high level of data protection set out by Article 8 of the Charter (para. 71). Concerns over potential divergences between Member States are refuted as the substantive provisions of the GDPR remain fully consistent, with doubt or divergence between data protection authorities and different Member State courts addressed by the possibility for preliminary rulings (para. 67).
Question 2 – Do all medicine orders contain health data?
The second question pertains to whether the data processed by Lindenapotheke should be considered as health data, and thus sensitive data under the qualified prohibition in Article 9 GDPR.
From the definition of personal and health data in Article 4(1) and 4(15) GDPR, the Court finds that health data should be understood as all personal data that allows ‘conclusions to be drawn as to the health status of an identified or identifiable person’ (para. 76-78), with all health data covered under the qualified prohibition in Article 9(1) GDPR (para. 80). Where Lindenapotheke processes an order, it is clear that it processes personal data (para. 79). The Court was thus left to assess whether ordering medicine allows for conclusions to be drawn as to an individual’s health status, and if so, whether these conclusions relate to an identified or identifiable person.
To assess the possibility of inference of health data, the Court relied on its prior judgment in OT, where it ruled that for data to be sensitive, ‘it is sufficient that they are capable of revealing information about the health status of the data subject by means of an intellectual operation involving collation or deduction’ (para. 83; the wording in this definition slightly differs and clarifies what was previously held in OT para. 123). For Lindenapotheke, data on orders qualifies as health data where ‘that order involves establishing a link between a medicinal product, its therapeutic indications or uses, and a natural person identified or identifiable’ (para. 84; own emphasis). The Court confirms this to be the case, only offering further clarification by holding that distinguishing between prescription-only and pharmacy-only medicines would not be consistent with a high level of data protection (para. 89).
On the link between that data and natural persons, the Court goes into more detail. The referring court raised the question as to whether this link exists for medicines without prescriptions, and thus without an explicit link between a natural person and the medicine (para. 85). Yet again taking a strict approach, the Court found that when ordering, the ‘certain degree of probability’ that medicine is intended for the customer suffices for that data to qualify as health data (para. 90). Furthermore, it reiterated its holding in Bundeskartellamt that sensitive data need not relate to users of a platform for the qualified prohibition under Article 9 GDPR to apply (para. 86; referring to Bundeskartellamt para. 68). Where these medicines are not for the customer but for a third party, the possibility of identification through inference of addresses or family members is deemed sufficient to be health data for an identifiable person, thus covered under the qualified prohibition (para. 91).
As the Court finds that the order data processed by Lindenapotheke allows for conclusions to be drawn on the health of either the person identified in the order, or third parties who are identifiable, it considers that Lindenapotheke processes health data covered under the qualified prohibition in Article 9 GDPR (para. 94). Slightly nuancing the impact that this might have on the processing by Lindenapotheke, the Court uses obiter dicta to highlight that there are exceptions in Article 9(2) GDPR which might apply, such as when customers give explicit consent or where such processing is necessary for the provision of healthcare (para. 92-93).
Competitors as another wrench in the GDPR procedural gears?
While the answer given by the Court to the first preliminary question on actions by competitors is in line with its prior case law, the implications have the potential to be more disruptive, by adding to the existing procedural complexity facing GDPR enforcement.
To explain why, it is important to note the different types of GDPR enforcement. The GDPR is enforced administratively, through judicial procedures, and using criminal penalties under Member State law. In Meta, the Court interpreted an opening clause to allow consumer protection authorities to initiate judicial proceedings based on GDPR infringements. In Bundeskartellamt, the Court expanded administrative enforcement to competition authorities. The impact of both rulings on enforcement complexity remains limited. The interpretation in Meta remained similar to existing possibilities within the GDPR that allow organizations to act on behalf of data subjects (Article 80 GDPR). In Bundeskartellamt, the Court could not rely on an opening clause in the GDPR but took due account of enforcement complexity. It prescribed cooperation requirements including deference to data protection authorities on GDPR matters, which makes inconsistencies between competition and data protection authorities highly unlikely (Bundeskartellamt para. 52-59, see also Hriscu).
The ruling in Lindenapotheke introduces greater potential risks of interference between administrative and judicial enforcement. While the GDPR foresees cooperation between data protection authorities, courts which are asked to rule on GDPR infringements can only rely on lengthy procedures before the Court of Justice for a consistent interpretation. Thus, before reaching the Court of Justice, parallel procedures before multiple Member State courts and cooperating data protection authorities could lead to divergent decisions on the same data processing activities. This and other risks of inconsistency in GDPR enforcement have been warned against by academia (see Hofmann and Gentile and Lynskey) and the EU legislature, which is debating further harmonization of enforcement. The length and difficulties associated with judicial proceedings under Article 79-82 GDPR have been evident where data subjects have pursued this type of enforcement, with a range of preliminary rulings on this matter (e.g. Case C-667/21 Krankenversicherung Nordrhein and Case C-456/22 Gemeinde Ummendorf). Consequently, most data subjects have instead strongly preferred administrative enforcement through complaints (p.5), with this method of enforcement inherently less prone to inconsistencies due to the cooperation and consistency mechanisms in the GDPR. The same will not be true for competitors under the mechanism in Lindenapotheke.
Contrary to data subjects and their representatives, competitors will only be able to allege GDPR infringements before Member State courts in the context of unfair commercial practices, as they remain unable to file complaints before data protection authorities. Combined with the different goals pursued by them, and the comparably vast means that companies are able to spend on procedures, it may be possible to see a wave of new judicial procedures following Lindenapotheke. If this materializes, there will be more potential for inconsistency between courts and administrative enforcement. While preliminary rulings by the Court will always result in a prevailing interpretation and consistency (see para. 67), the interim years between a first decision and a final interpretation leave enough potential for chaos and disarray in a fast-moving digital world. The Court does in my opinion not adequately address this concern, which risks undermining the harmonized rules laid down in the GDPR and currently pursued by the legislature, and creates additional divergences between Member States.
Another step towards the sensitivity of all personal data?
In answering the second question on the scope of sensitive health data, the Court continues the path chosen with its rulings in OT and Bundeskartellamt. The broad definition distilled from both judgments was kept intact. Sensitive data is thus i) all personal data that reveals sensitive attributes of an identified or identifiable natural person, ii) either directly or indirectly through an intellectual operation involving deduction or cross-referencing, and iii) regardless of the intent of the controller and the correctness of the inference (see para. 82-87; OT para. 123; Bundeskartellamt para. 68-70). As identified by Advocate General Szpunar in his Opinion (‘AG’), this left open the question of how certain the link between the sensitive attribute and the underlying data should be. According to the Advocate General, there should be ‘a certain degree of certainty’, as where the existence of a mere link suffices, the concept of sensitive data would be overexpanded (AG para. 40-49; similar concerns are shared by Solove). Opining specifically on the processing by Lindenapotheke, the Advocate General found that link to be too hypothetical, imprecise and tenuous (AG para. 43).
The Court disagreed. Its first counterargument is reasonable, as for example orders placed for a family member and delivered at their address can be used to identify these persons (compare para. 91 with AG para. 52). Where the Court does paint with too broad a brush is in establishing a link between medicines and health data. Recall para. 84, where the Court regards ‘a link between a medicinal product, its therapeutic indications or uses and a natural person’ as enough for data to be considered sensitive, and para. 89, where it refuses to distinguish between medicinal products regardless of the need for a prescription. This overlooks that some pharmacy-only medicines can be ordered merely preventatively or give no indication as to health status at all, such as paracetamol (AG para. 51). By foregoing specificity in its distinction between categories of medicine, and by instead opting to use generic wording such as ‘a link’, the Court risks overexpanding sensitive data when applied to other sensitive attributes.
To prevent overexpansion, the Court could deviate from Lindenapotheke at a later stage to define a standard of certainty for other sensitive attributes, as proposed by the Advocate General. If it does not, the concept of sensitive data will see significant expansion. As the Advocate General correctly warned, ordering a book by a politician involves an uncertain relation with a political opinion (para. 46). Now imagine a supermarket storing receipts of customers, with some receipts containing only purchases of halal or kosher food or an increased purchase of eggs before Easter. With enough time or a proficient AI system performing an ‘intellectual operation’, uncertain links could be drawn between the customer and their religious beliefs. Without further clarification by the Court, it will remain uncertain how much detail is required to establish a link, and in what contexts such data should be considered sensitive. Thus, applying the standard in Lindenapotheke to other data linked to sensitive attributes might not be the best way forward, unless the Court considers that the high inference risks posed by large datasets and AI should lead to most personal data being afforded the additional protection under Article 9 GDPR.
Conclusion
In conclusion, the Court in Lindenapotheke adds a new layer to two ongoing evolutions in data protection law. First, after allowing competition authorities to take GDPR infringements into account in Bundeskartellamt and allowing consumer protection associations standing in Meta, the Court now allows competitors to allege unfair commercial practices based on GDPR infringements. Second, after concluding that personal data that could be used to infer sensitive attributes fall within the scope of Article 9 GDPR in OT, the Court went on to rule that ‘a link’ between medicine orders, their use and an identified or identifiable person suffices for that data to be considered as health data. The implications of this judgment thus add to a complex web of procedures in GDPR enforcement and can lead to an increase of data considered as sensitive.
Michaël Van den Poel is a Research Engineer at the EDHEC Augmented Law Institute, where he works on the Interdisciplinary Project on Privacy (IPoP). He is pursuing a PhD at the Law, Science, Technology and Society Research Group at VUB, where he is an executive team member at the Brussels Privacy Hub.