By bringing a cease and desist claim for unfair market practices, companies may have an important weapon at their disposal to teach a competitor that does not play by the rules a lesson in privacy, as shown by a Belgian judgment of November 4, 2019. A pending case before the European Court of Justice (“CJEU”) will provide additional guidance.
In the case at hand , ‘Company Y’ copied all addressees of a marketing email it had received from ‘Company X’, which were visible by accident, and started sending direct marketing emails itself. Company X issued a cease and desist claim on the basis that, by copying and processing the customer database, Company Y had infringed (i) fair market practices, (ii) the rules on advertising by e-mail, and (iii) the rules on processing personal data.
At the time of the events, the General Data Protection Regulation (“GDPR”) was not yet in force, and the court therefore analyzed the case on the basis of Belgium’s old Privacy Law. Nonetheless, as the GDPR greatly expands the protection of data subjects, it is interesting to see what judgments could follow in the future.
Three aspects will briefly be analyzed below, i.e.:
- Company X’s action of (accidently) disclosing its customer list;
- the use by Company Y of Company X's customer base for direct marketing; and
- the future of cease and desist actions based on privacy breaches as an unfair market practice.
Disclosing of the customer list by email
First off, the court established that Company Y could not be blamed for the unlawful acquisition of the personal data since Company X had, through its own carelessness, disclosed its customer database. Under the GDPR today, the action of Company X could be categorized as a data breach, which has to be notified within 72 hours (if there was a risk to the rights and freedoms of natural persons).
Use of the customer list for direct marketing
Regarding the use by Company Y of Company X's customer base for direct marketing per email, the court ruled that Company Y had indeed committed a breach of privacy legislation regarding the lack of consent of the data subjects. Under the GDPR, a similar judgment would most likely occur, as free consent of the data subject is needed in order to justifiably send direct marketing emails.
The only exception to the consent requirement for direct marketing is the ‘soft opt-in’ by the controller, i.e. emails to existing customers for the purposes of direct marketing of similar products or services, provided that such customers have clearly and explicitly been given the opportunity to object, free of charge and in an easy manner.
Cease and desist claims for privacy breaches as unfair market practice: in the hands of the CJEU
The third aspect the court examined was a possible breach of article VI.104 of the Code of Economic Law (“CEL”), which prohibits any act contrary to fair market practices by which a company harms or is likely to harm the professional interests of one or more other companies. A breach of Article VI.104 CEL requires an error, (potential) damage and a causal link between the error and the (potential) damage.
As the error was already proven, i.e. unlawful copying and the use of the customer list for direct marketing, Company X had to prove (potential) damages and a causal link. While the court did not exclude potential (commercial and reputational) damage, it found that Company X's own fault was at the basis of the potential damage and rejected the causal link.
Although the Court rejected the claim because it was of the opinion that the damages were a result of Company X’s own fault, we could expect to see a rise in combinations of a cease and desist claims and breaches of the GDPR.
An upcoming ruling of the CJEU (C-319/20) will most likely shed some light on the claim. On October 26, 2020, a German court asked a prejudicial question to the CJEU to verify whether the GDPR allows:
- national rules that empower (e.g.) competitors to bring proceedings for GDPR breaches against the infringer before the civil courts on the basis of the prohibition of unfair commercial practices or breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions; but
- independent of the infringement of specific rights of individual data subjects and without being mandated to do so by that individual data subject.
It goes without saying that a positive ruling from the CJEU will have a massive impact on the future of these unfair market practice’s claims. Beware of your competitor!