We use cookies to deliver our online services. Details of the cookies we use and instructions on how to disable them are set out in our Cookies Policy. By using this website you agree to our use of cookies. To close this message click close.

German Court: Missing, Wrong or Incomplete Privacy Policy Triggers Unfair Competition Claims

HL Chronicle of Data Protection

29 July 2013
In a recent decision, the Higher Regional Court of Hamburg (Oberlandesgericht Hamburg) held that a privacy policy on a website which is not compliant with the legal requirements under data privacy law constitutes a breach of the German Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb – "UWG") (decision dated 27 June 2013, case number 3 U 26/12). This decision may not only have consequences for German businesses but also for non-EU companies with German customers or subsidiaries in Germany.
German Court: Missing, Wrong or Incomplete Privacy Policy Triggers Unfair Competition Claims

Background

Under German data privacy law the requirement of a privacy policy for websites is based on section 13(1) of the German Telemedia Act (Telemediengesetz – "TMG"). According to this provision, providers of telemedia services (e.g., websites) must inform the user about the nature, scope and purpose of the collection and use of personal data as well as the processing of personal data in countries outside the scope of the EU Data Protection Directive (Directive 95/46/EC) at the beginning of the session in a generally understandable format. The content of this information must remain accessible by the user at any time. Section 13(1) of the TMG is violated by not informing the users of the service or by not informing the users accurately, completely or in due time.

The UWG prohibits unfair commercial practices. A commercial practice is inter alia considered unfair, if it infringes a statutory provision that is also intended to regulate market behavior in the interest of competitors (section 4 no. 11 UWG). In 2011, the Higher Regional Court of Berlin (Kammergericht Berlin) refused the classification of section 13(1) of the TMG as a provision intended to regulate market behavior and dismissed a case built on unfair competition law although the court held that the privacy policy in dispute was likely to be non-compliant with the legal requirements (decision dated 29 April 2011, case number 5 W 88/11). The Higher Regional Court of Berlin basically argued that the obligation to provide a privacy policy compliant with section 13(1) of the TMG is only intended to protect the website users' right to privacy but not the interests of competitors.

Privacy and Competition

In the case at hand, the Higher Regional Court of Hamburg—explicitly dissenting from the Higher Regional Court of Berlin's position—argued that section 13(1) of the TMG is a provision also intended to regulate market behavior in the interest of competitors because the provision implements the transparency and information requirements of article 10 of the EU Data Protection Directive into German law. The EU Data Protection Directive again is not only intended to protect the individuals' right to privacy with regard to the processing of personal data but also to ensure the free movement of such data within the EU (recitals 6, 7 and 8 of the Directive). Therefore, section 13(1) of the TMG is also intended to protect competitive activities of market participants by providing the same competitive conditions when collecting, processing and using personal data.

The application of competition law can result in the issuance of warning letters and injunctive reliefs as well as claims for rendering of accounts and damages by competitors or consumer protection organizations.

International Implications

According to the Higher Regional Court of Hamburg, German data privacy law is also applicable to websites operated by non-EU companies, if personal data is collected, processed or used inside the country, whether or not the controller makes use of equipment situated on the territory of Federal Republic of Germany (decision dated 2 August 2011, case number 7 U 134/10). Therefore, the recent judgment also affects companies located outside the EU.

 

Marcus Schreibauer, a partner in our Düsseldorf office, and Jan Spittka, an associate in our Düsseldorf office, authored this entry.

HL Chronicle of Data Protection

Future-Proofing Privacy: New and Stronger Rights

The Regulation aims to strengthen the rights of individuals. It does so by retaining rights that already exist under the Data Protection Directive and introducing the new rights of data...

06 June 2016
Loading data