In a recent decision, the Higher Regional Court of Hamburg (Oberlandesgericht Hamburg) held that a privacy policy on a website which is not compliant with the legal requirements under data privacy law constitutes a breach of the German Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb – “UWG”) (decision dated 27 June 2013, case number 3 U 26/12). This decision may not only have consequences for German businesses but also for non-EU companies with German customers or subsidiaries in Germany.
Under German data privacy law the requirement of a privacy policy for websites is based on section 13(1) of the German Telemedia Act (Telemediengesetz – “TMG”). According to this provision, providers of telemedia services (e.g., websites) must inform the user about the nature, scope and purpose of the collection and use of personal data as well as the processing of personal data in countries outside the scope of the EU Data Protection Directive (Directive 95/46/EC) at the beginning of the session in a generally understandable format. The content of this information must remain accessible by the user at any time. Section 13(1) of the TMG is violated by not informing the users of the service or by not informing the users accurately, completely or in due time.
The UWG prohibits unfair commercial practices. A commercial practice is considered unfair, inter alia, if it infringes a statutory provision that is also intended to regulate market behavior in the interest of competitors (section 4 no. 11 UWG). In 2011, the Higher Regional Court of Berlin (Kammergericht Berlin) declined to classify section 13(1) of the TMG as a provision intended to regulate market behavior and dismissed a case built on unfair competition law, although the court held that the privacy policy in dispute was likely to be non-compliant with the legal requirements (decision dated 29 April 2011, case number 5 W 88/11). The Higher Regional Court of Berlin essentially argued that the obligation to provide a privacy policy compliant with section 13(1) of the TMG is intended only to protect the website users’ right to privacy, not the interests of competitors.
In the case at hand, the Higher Regional Court of Hamburg, explicitly dissenting from the Higher Regional Court of Berlin’s position, argued that section 13(1) of the TMG is a provision also intended to regulate market behavior in the interest of competitors because the provision implements the transparency and information requirements of article 10 of the EU Data Protection Directive into German law. The EU Data Protection Directive, in turn, is intended not only to protect the individuals’ right to privacy with regard to the processing of personal data but also to ensure the free movement of such data within the EU (recitals 6, 7 and 8 of the Directive). Therefore, section 13(1) of the TMG is also intended to protect competitive activities of market participants by providing the same competitive conditions when collecting, processing and using personal data.
The application of competition law can result in the issuance of warning letters and injunctive relief, as well as claims for rendering of accounts and damages, by competitors or consumer protection organizations.
According to the Higher Regional Court of Hamburg, German data privacy law is also applicable to websites operated by non-EU companies if personal data is collected, processed or used inside the country, whether or not the controller makes use of equipment situated on the territory of the Federal Republic of Germany (decision dated 2 August 2011, case number 7 U 134/10). Therefore, the recent judgment also affects companies located outside the EU.
Marcus Schreibauer, a partner in our Düsseldorf office, and Jan Spittka, an associate in our Düsseldorf office, authored this entry.