Friday, 04 October 2024, was packed with GDPR-related decisions from the Court of Justice of the European Union (CJEU). Among these is the Lindenapotheke case, C-21/23, where the Court examined whether personal data provided in the course of online orders of non-prescription pharmacy-only products constitutes data concerning health. Contrary to the AG Opinion, the Court said it does – confirming the broad interpretation of “special category” data. It also concluded that the GDPR does not preclude national legislation which confers on competitors of a person allegedly infringing the GDPR, the right to bring an action against that person for such GDPR infringement on the basis of unfair commercial practices.
ND, operating a pharmacy under the trade name “Lindenapotheke”, had been selling pharmacy-only medicines through Amazon. A competitor, DR, brought an action before German courts seeking an order that ND ceases to sell such products on Amazon: they argued that ND processed health data in the context of these online orders without obtaining consent, in contravention of Art. 9 GDPR.
German unfair competition law allows a competitor to seek an injunction against a person who infringes laws which regulate market behaviour. DR relied on this provision to challenge ND’s alleged violation of the GDPR.
The CJEU concluded that the information that customers would provide when purchasing online pharmacy-only medicines constitutes “data concerning health” and so, its processing is subject to the additional restrictions for special category data under Art. 9 GDPR. This conclusion is contrary to the AG’s Opinion on this point.
The Court relied on the OT case1 and confirmed that the concept of “data concerning health” must be interpreted broadly, in light of the GDPR’s objective to ensure a high level of protection for individuals. The Court argued that there would be special category data here: the online order would allow data about health to be revealed since someone could establish a link between the medicine, its therapeutic use and an identified or identifiable individual.
Similar to the Court’s position and in line with OT, the AG had acknowledged that special category data includes not only inherently sensitive data, but also data revealing information of that nature indirectly. However, contrary to the Court, the AG had taken the view that the classification of such information as data concerning health depends on the circumstances of each case and the context in which the data is processed. In particular, where there is no prescription designating by name the person for whom the medicine is intended, the AG considered that it cannot be inferred that the product is only intended to be used by the purchaser – and therefore it’s not possible to reasonably draw a conclusion about the health status of the individual to whom the data relates. According to the AG, this information is not health data insofar as only hypothetical or imprecise conclusions as to the health status of the purchaser may be drawn – which should be for the referring court to verify.
Against this, the Court ruled that for the categorisation of information as data concerning health, it is immaterial whether or not the information is accurate and whether or not the controller has any intent of obtaining special category data. It is also immaterial that the medicines do not require a prescription; a different interpretation would go contrary to the objective of Art. 9 GDPR.
The Court concluded that this information has to be considered data concerning health whether it relates to the purchaser or any other person for whom this order is made. The Court notes that such data is health data even if there is only some likelihood, rather than absolute certainty, that the medicines are intended for the purchaser2. The Court also takes the view that, even if the medicines were intended for another individual, it may still be possible to identify them and draw conclusions on their state of health – for example, if a different delivery address is provided for those medicines or the customer refers to another person in their order.
The Court’s broad interpretation is premised on ensuring effective protection under Art. 9 GDPR. However, it is not obvious that treating this data as special category data in the specific context of an online order, and in effect requiring explicit consent for this processing, would actually provide enhanced protection to individuals – rather than reducing explicit consent to a tick-box exercise. Also, it is not entirely clear how such explicit consent can be validly obtained in practice where the ordered products are actually intended not for the purchaser but another (unknown to the seller) individual, and how the data minimisation principle can be respected in this context.
The specifics of this case concern pharmacy-only medicines; however, certain products may be pharmacy-only in some Member States and not in others. A consistent interpretation would require treating information relating to the same products in the same way across all Member States. In addition, some products that are pharmacy-only in some Member States may have various uses, so that it cannot be ascertained for which condition exactly they would be purchased. It would have been useful if the Court had taken into account these considerations.
The same reasoning that the Court followed could be relevant to other products more widely available that could potentially indirectly reveal information about e.g. health or religion (e.g. gluten-free or halal products in online supermarket orders). The AG had noted this in his Opinion – noting that this could mean that purchasers of a book about a political figure may involve processing of data about political opinions. He concluded that the vast extension of the concept of special category data that would result from this would be unmanageable and undesirable – and this was a key reason for his suggesting a more context and purpose specific approach. It is regrettable that the Court failed to address these implications; the conclusions of the Court could have far-reaching results.
The Court also concluded that the GDPR does not preclude national legislation which allows competitors of a person allegedly infringing the GDPR to bring an action against that person for such GDPR infringements, on the basis of the prohibition of unfair commercial practices. According to the Court, such national provisions not only remain compatible with Chapter VIII GDPR which provides remedies for individuals and their representatives regarding GDPR infringements, and do not affect the consistent level of protection of those persons across the EU; they also contribute to strengthening the rights of individuals and ensuring that they enjoy a high level of protection.
The CJEU press release is available here.
The full judgement – currently available only in FR, DE and DA – is here.
If you have any questions, please get in contact with the authors tagged above or your usual Bird & Bird contact.
1 In this case, the CJEU had ruled that the online publishing of information which may indirectly reveal sensitive information – in this case, information about a person’s spouse or cohabitant which was liable to disclose indirectly the individual’s sexual orientation – constituted processing of special categories of personal data.
2 The CJEU has not yet released an English translation of the judgement. Para 90 of the French version reads: “[…] même si c’est seulement avec unecertaine probabilité, et non avec une certitude absolue, que ces médicaments sont destinés à ces clients”, and the German version reads: “[…] nur mit einer gewissen Wahrscheinlichkeit und nicht mit absoluter Sicherheit für diese Kunden bestimmt sind”.