Privacy Shield Act’s invalidation : why services providers can be accused of unfair competition ?
The decision to invalidate the Privacy Shield has been pronounced a few weeks ago, but some companies have not implemented the measures to guarantee an adequate level of protection. Can they be sanctioned for breach of the GDPR on the basis of Unfair Competition?
Invalidation of the privacy shield: The non-compliance of some services providers.
In July of this year, the Privacy shield, an adequacy ruling offering service providers storing their data in the U.S. the opportunity to benefit from an user-friendly data protection framework, was invalidated by the EU Court of Justice.
This EU Court ruling compels digital companies exporting the data of European users to the USA to cease all transfers to the USA or to find servers based in Europe or in countries offering a level of protection equivalent to that granted by the European Union to its citizens.
Problem? It’s September and some digital platforms have not put in place the means to comply with the decision to invalidate the privacy shield. Indeed, in the beginning of September, the French Data Protection Authority (FDPA) asked Facebook to stop all transfers to the U.S. In other words, to put all measures in place to provide adequate protection to its European users.
However, breaches by these platforms can lead to sanctions on the basis of the GDPR but also on the basis of unfair competition.
Unfair competition: a sanction to the violation of the GDPR?
Unfair competition corresponds to a set of abuses of commercial practice of one company in relation to another. There can be unfair competition when a company takes advantage of the notoriety of another reputable company (parasitism). In the same way, a company can be condemned on the basis of unfair competition if it does not observe the legislation in force in the sector of activity (market disorganization) and if the latter gets an abnormally favorable advantage over its competitors.
Thus, a company that does not comply with the new decision of the EU Court of Justice invalidating privacy must be respected by all the companies involved, in which case it could lead to sanctions for unfair competition if it provides a certain advantage.
For example, a company that does not comply with the new EU Court decision invalidating the Privacy Shield could be sanctioned for unfair competition if such a company gains an advantage.
The European Commission had admitted that a violation of the rules of the GDPR could be the subject of a sanction on European anti-competitive practices.
Indeed, the Spokesman of the commission had expressed himself on the issue and had announced that « it cannot be excluded that a behavior which violates the rules of data protection must be taken into account during an investigation on practices against the European law of competition“.
Following this reasoning, the French judges considered that a company could bring an action against a competing company and challenge its practices of non-compliance with the rules governing the processing of personal data
In 2017, a French Court of Cassation ruled that the failure of publishers to publish legal notices on their websites constitutes an act of unfair competition.