Can non-compliance with the GDPR constitute unfair competition? Yes, according to French courts

In recent years, French courts have made it clear that failing to respect the GDPR may not only trigger administrative sanctions from the CNIL but also harm your competitive position and expose you to civil claims.

GDPR compliance is no longer just a regulatory exercise, it has become an indispensable part of sound risk management. Any company that tends to treat personal data issues lightly and fails to ensure compliance with regulations must realise that it runs the risk of legal action and significant financial consequences.

​The CNIL consistently emphasizes that data protection is not just a regulatory obligation, but also a business and competitive concern. Compliance builds trust with clients and partners while providing companies with a tangible market advantage. French courts have begun to echo that reasoning. 

Where judges were once hesitant to turn regulatory breaches into causes of action between competitors, arguing that only natural persons, as the direct subjects of the regulation, could assert a breach of their rights, they are now increasingly willing to recognize unfair competition claims from competitors, based on GDPR non-compliance. 

In practice, the enforcement landscape is now three sided: the CNIL, data subjects, and competitors through the courts. Companies can face administrative sanctions, lawsuits or claims from data subjects, and civil claims brought by competitors who can show they were harmed by a non compliant situation. 

​Recent French court decisions demonstrate that GDPR non-compliance can now serve as a legitimate basis for unfair competition claims. This applies across the board: whether the competitor has already been sanctioned by the CNIL, lacks essential compliance documentation, or just displays GDPR policies and organization that are incomplete or insufficient.

A recent ruling of the Paris Court of Appeal illustrates the first scenario. In this case, a claimant alleged that a competitor had harmed its selective distribution network through acts of unfair competition, including violations of GDPR and Data Protection Act. The competitor had previously been fined €500,000 by the CNIL for multiple GDPR breaches, including sending marketing emails to clients without their consent. The court ruled that the competitor’s continued non-compliance while marketing the claimant’s products created an unfair advantage and damaged the network’s reputation, awarding €200,000 in damages (Paris Court of Appeal, 9 November 2022, No. 21/00180).

A 2022 decision by the Paris Judicial Court shows that courts also scrutinize GDPR compliance even in cases where no prior CNIL sanctions exist. In this case, the competitor was allegedly selling products that infringe patents and trademarks and failed to provide required legal notices, such as consumer mediator information, links to the EU Online Dispute Resolution platform and an online privacy policy. Nonetheless, the competitor collected names, emails, and phone numbers without providing proper information or obtaining consent. The court found that these regulatory breaches in commercial activity conferred an undue competitive advantage, awarding €15,000 in damages for unfair competition (Paris Judicial Court, 15 April 2022, No. 19/12628).

More recently, the Versailles Court of Appeal addressed a case where the issue was not the absence of a privacy policy but its insufficient compliance to GDPR obligations. Upon reviewing the privacy policy, the court identified multiple deficiencies, including: (i) consent that was neither freely given nor informed, (ii) a privacy policy that was unclear and internally contradictory, (iii) imprecise descriptions of the personal data processed, (iv) vague or incomplete legal basis, (v) excessive or unspecified retention periods, (vi) limited and conditional rights to object, and (vii) transfers of data to third countries without adequate safeguards. The court also noted the absence of evidence demonstrating that the company had implemented sufficient guarantees for transfers to the United States. It determined that, by failing to comply with these GDPR obligations, the competitor had gained an unfair advantage over compliant businesses – an advantage the court recognized as constituting unfair competition (Versailles Court of Appeal, 22 January 2025, No. 22/05851). 

Still not convinced? The 2022 decisions mentioned above align with, and reinforce, the established stance of the French Supreme Court. A few years ago, the Court held as a more general principle that a business that either fails to implement a regulation or fails to comply with it properly gains an unfair competitive advantage, since implementing and complying with the regulation necessarily entails a cost (French Supreme Court, 17 March 2021 n°19-10.414 ; 12 February 2020, n°17-31.614).

At the European level, the CJEU (Court of Justice of the EU) clarified in 2024 that the GDPR provisions should be interpreted so as not to prevent national legislation from allowing competitors of an alleged GDPR infringer to bring civil claims against them under the prohibition of unfair commercial practices, alongside the supervisory powers of the authorities responsible for monitoring and enforcing the GDPR, and the remedies available to data subjects (CJEU, 4 October 2024 (C-21/23 “Lindenapotheke”). 

These rulings underline that GDPR compliance is not merely a national legal requirement, but a strategic factor recognized at the European level, reinforcing the link between regulatory adherence and market competition.

Of course, any action for unfair competition clearly requires a clear definition of the criteria constituting tortious liability, which are strictly reviewed by the courts. In France, these criteria are (i) proof of fault (breach of the GDPR), (ii) proof of damage (commercial harm suffered by the competitor) and (iii) a causal link between the fault and the damage (the unfair advantage enjoyed by the defendant company over its competitors as a result of its failure to comply with the GDPR).

Should you require advice or assistance in GDPR compliance, data protection risk management, or related litigation matters, we are at your disposal to support you.​