Update (17 June 2020): ECJ to decide whether consumer protection associations can issue warnings against GDPR infringements

In its decision of 28 May 2020 (Ref. I ZR 186/17), the Federal Court of Justice (BGH) referred the question to the ECJ as to whether consumer protection associations are authorised to prosecute violations of data protection law.

In essence, the question is whether consumer protection associations are legitimised to issue warnings against GDPR infringements. While this was possible under the regime of the Data Protection Directive in the opinion of the ECJ (ruling of 29 July 2019, Case C-40/17, “Fashion ID”), it remains to be seen whether the ECJ will now continue its case law for the GDPR. Should the ECJ grant such a right to consumer associations, in addition to the supervisory review, the competition law warning in the case of GDPR infringements should also constitute a risk that should be taken into account in the context of data protection compliance.

The press release of the BGH can be found here.

Many operators of business websites are probably still familiar with the regularly recurring “waves” of legal warning letters from competitors under TMG, PAngVO and UWG: a missing imprint or a supposedly misleading price indication (e.g. without concrete shipping costs) easily provokes a strongly worded letter from a competitor’s lawyer’s, which is associated with costs of several hundred euros. In addition, there is the risk of having to pay a contractual penalty (together with additional lawyer’s fees) in accordance with the cease and desist declaration in case of repetition.

Changes to the UWG and UKlagG through the “Law against Dubious Business Practices” of October 2013 put an end to the “scam” of warning letters for the time being: The business model of “warning letters” was to be made unattractive, among other things by capping costs. This was apparently successful, and the topic of “warning notices” disappeared from the front pages of the feature pages and trade journals.

GDPR-related wave of warnings has so far failed to materialise – with a few exceptions

The innovations of the GDPR, which were perceived in many places as very far-reaching and far-reaching, then caused fears of the warning to flare up again shortly before its applicability in May 2018.

However, there has not yet been any news of a “massive wave of warnings” for violations of the GDPR. Even immediately after the regulation became applicable on May 25, 2018, the feared dam bursting did not occur at all, apart from a few individual cases: Strangely enough, it initially only affected hairdressers who had been warned by their competitors about the lack of data protection declarations on their websites.

Even just under a year ago, in May 2019, the Handelsblatt headlined: “Hardly any warnings because of new EU data protection rules”.

The legal situation remains unclear practically and dogmatically

The fact that the great wave of GDPR warnings has so far had to wait is probably also due to the considerable legal uncertainty as to whether GDPR infringements can be warned at all by competitors or competition centres under the principles of the UWG. This depends on the higher court’s assessment of the questions whether the GDPR contains a “closed system of sanctions” (and thus the UWG does not have any scope of application) and whether the respective violated GDPR norm constitutes a “market conduct rule”.

A clear line has not yet been discernible in the higher court rulings. However, the tendency seems to be in favour of a “warnability” of such offenses.

For example, in a much-noticed decision from 2018 (judgment of 25 October 2018, 3 U 66/17; ZD 2019, 33), the Hamburg Higher Regional Court (OLG Hamburg) did not consider Section 28 German Federal Data Protection Act (BDSG) – which provided the same scope of protection as now Art.9 GDPR – to be a market conduct rule. However, in stating that the GDPR did not constitute a self-contained system of sanctions and that its provisions may contain market conduct rules in individual cases, the court left open the fundamental possibility of “warnability” (due to other GDPR norms).

In doing so, the court took up the wording of Art. 77(1) GDPR: The fact that the right of appeal to the supervisory authority is granted to the person concerned “without prejudice to any other administrative or judicial remedy” is intended to indicate that Art. 77 et seq. is not conclusive. This is partly contradicted in the literature: the wording is only intended to clarify that “if necessary, other legal remedies of the person concerned should not be restricted” (Spittka, GRUR-Prax 2018, 561). But why then should competition law remedies such as a warning notice be limited? Dogmatically, the situation remains difficult.

OLG Stuttgart: Art. 13 GDPR is a “market conduct rule” and supersedes Section 13 TMG – warning notice based on GDPR possible

Most recently, the OLG Stuttgart (judgment of 27 February 2020, 2 U 257/19) ruled in favour of the OLG Hamburg and overturned a decision from the lower instance (LG Stuttgart). The latter still took the view that the GDPR – as a uniform regulatory concept – did not permit any warnings against unfair competition.

The Stuttgart Higher Regional Court, however, made it clear that Art. 80 GDPR does not contain a “conclusive regulation on the enforcement of rights” against the GDPR. Rather, in the court’s view, the GDPR also allows legal remedies under the UWG. The Higher Regional Court bases its reasoning on the principles of Union law: “Provisions of an EU regulation are not conclusive in themselves” (para. 42). This also applies to Art. 80 GDPR: in demarcation from “supervisory” control, the provision “does not contain any conclusive provision for private law enforcement” (para. 52).

The court also commented on the “competition” with the German Telemedia Act and is of the opinion that Section 13 of the German Telemedia Act has been superseded by the GDPR (see also the Hamburg Higher Regional Court, Order of 10 December 2019, 15 U 90/19). This follows from Article 288.2 TFEU and the principle of the primacy of application of Union law. Art. 13 GDPR and Section 13 (1) TMG partly have a similar regulatory content: both form the basis for data protection declarations on websites by obliging website operators to create transparency on data processing.

Conclusion: GDPR warnings are becoming more likely; legal situation remains unclear pending high-level court judgements

This is to be noted: The question of whether GDPR violations by competitors and “watchdogs” are admonishable can only be conclusively clarified by a ruling of the Federal Court of Justice and ultimately the European Court of Justice. The tendency of the higher courts, however, is towards the ability to issue warnings for GDPR infringements under the UWG as well.