It may not be ‘all about the money’, but there is some ‘price tag’ often associated with what we do online…. And that’s our data!
Updates on the incoming GDPR and the potential implications of the new E-Privacy Regulation dominate EU privacy and data protection discourse currently. Yet, there is another further (and potentially overlapping) regulatory regime being introduced that organisations active online need to be aware of, which was recently introduced into future legislative plans by the European Commission. This is the introduction of a new EU Directive (currently in draft form) concerning contracts for the supply of digital content. It was on this topic that the European Data Protection Supervisor (EDPS) published an Opinion on its data protection aspects this week.
The proposed Directive (officially, ‘Directive on certain aspects concerning contracts for the supply of digital content (COM/2015/0634)’) was officially introduced by the European Commission in December 2015 as part of its first legislative proposals package under its Digital Market Strategy to improve consumer rights and facilitate consistency (full harmonisation as far as possible). This introduction came in light of the fact that the majority of EU Member States have not adopted rules for the supply of digital content, in turn having a chilling effect on cross-border trade. [The other proposal for harmonised EU rules in the package relates to contracts for the online and other distance sales of goods].
The proposed Directive is aimed at addressing a perceived gap in EU (and national) legislation by creating a standard set of consumer and contract law rules – with aligned remedies – that apply equivalently offline and online. In particular, if brought into effect, it would extend legal consumer protection to the supply of digital content across the EU as the scope of the proposed Directive covers the provision of digital goods (e.g. films, music computer programs and e-books) and services (e.g. social media and Cloud services). Examples of obligations under the Directive include the fact that digital content would have to be delivered instantly, unless otherwise agreed, and the most recent version of the content must be supplied.
More importantly – and this is key – under the proposed rules, it does not matter if the transaction purchase was a monetary sum, or if the consumer actively provides “personal data or other data as counter-performance“. In other words, it would introduce consumer statutory rights and remedies for digital content including content supplied by businesses whose economic model is based on providing ‘free’ services – whereas, in fact, they derive transactional value from receiving information from consumers from which they can be identified or identifiable.
Drilling down, what might data as counter-performance” mean exactly? Unfortunately, this term remains undefined in the proposed Directive [and this is a point based upon which the EDPS recommends that its use be avoided]. However, we have some clues from draft Recital 14 as follows:
As regards digital content supplied not in exchange for a price but against counter-performance other than money, this Directive should apply only to contracts where the supplier requests and the consumer actively provides data, such as name and e-mail address or photos, directly or indirectly to the supplier for example through individual registration or on the basis of a contract which allows access to consumers’ photos. This Directive should not apply to situations where the supplier collects data necessary for the digital content to function in conformity with the contract, for example geographical location where necessary for a mobile application to function properly, or for the sole purpose of meeting legal requirements, for instance where the registration of the consumer is required for security and identification purposes by applicable laws. This Directive should also not apply to situations where the supplier collects information, including personal data, such as the IP address, or other automatically generated information such as information collected and transmitted by a cookie, without the consumer actively supplying it, even if the consumer accepts the cookie. It should also not apply to situations where the consumer is exposed to advertisements exclusively in order to gain access to digital content.
In other words, the proposed Directive creates a distinction between personal data actively provided (which is covered) and non-actively provided (something I will return to shortly – remember, this is not a distinction we find in data protection law).
So what does the EDPS say?
Overall, the EDPS Opinion supports the overall aim of the proposal, as it says that there are synergies to be gained by – and complementarities between – increasing consumer protection and enhancing personal data protection.
However, the EDPS also highlights concerns, focusing on personal data related issues and implications of the new Directive which are likely to impact supply contracts for digital businesses in the future. In particular, he is concerned about the formal introduction of the idea that individuals can ‘pay’ for things in the same way that they use money; moreover, this might lead some to draw an ultimate conclusion that individuals should be required to disclose personal data in ‘payment’ for an online service that does not involve money.
More specifically, in terms of a possible conceptualising (legally) of personal data as a currency or commodity, the EDPS finds this to be problematic because it would diminish the fundamental right to protection of personal data enshrined in the Charter of Fundamental Rights in the EU and could undermine the specific protection granted to these data under the EU data protection framework.
On a related note, the EDPS suggests that alternative approaches be used instead of the notion of “data as counter-performance”, which otherwise could cause confusion as to what exactly is the precise function of data proffered in any given online transaction. He refers, for example, to the E-Commerce Directive definition of “services” incorporates services where a price is not paid. Another example relates to the territorial scope provisions in the GPDR cover offering goods and services irrespective of whether payment is required.
A second area of EDPS concern relates to potential overlaps with the GDPR and the proposed E-Privacy Regulation (published on 10 January, discussed by Sophie on this blog here), a topic which the Opinion explores in detail. The EDPS says the introduction of the proposed Directive – in current draft form – could create regulatory fragmentation as well as legal uncertainty. In particular, the EDPS notes that the broad definition of personal data under the GDPR (in relation to which Sophie and I have devoted much blog space) could mean that all data within the scope of the proposed Directive would also be covered by the GDPR.
[While there is a distinction (mentioned above) drawn between personal data actively provided and that non-actively provided under the proposed Directive, the EDPS comments that this “contradicts” – not just data protection law – but also the proposed E-Privacy Regulation (and the existing E-Privacy Directive) “according to which those data should be in several instances only be obtained through user’s consent, i.e. actively”. In other words, not just practically but theoretically, legal terminology is being mixed and matched in ways that are liable to add confusion to (existing and future) rules on data protection/privacy. The EDPS’s suggestion is, therefore, to remove this distinction in the proposed Directive…something that would expand the impact of the proposed Directive significantly in terms of compliance obligations to be understood and followed].
In that context, the EDPS raises the possibility of confusion as to what regime would apply where personal data is concerned, as some rights in the proposed Directive appear to overlap with GDPR rights, including rights to data access, portability, erasure and the right to object. An example is an obligation under the proposed Directive that provides that – where non-monetary consideration, such as personal data, was provided by the consumer, on any termination the trader would have to refrain from further use of this, as well as of any content provided solely by the consumer. The trader would also have to give the consumer technical means to retrieve content provided or generated by the consumer. The potential for misunderstanding and mix-up is clear, says the EDPS:
[T]he proposed rights given to the consumers to obtain their data from the supplier at the termination of the contract and the obligation for the supplier to refrain from using data potentially overlap with the rights of access and to portability and with obligation of the supplier to refrain from using the data and data controller obligations under the GDPR.
[Indeed, the EU Article 29 Working commented in its recent guidelines on data portability that there are potential problems raised by the fact that the new right of portability (introduced by Article 20, GDPR to facilitate switching from one service provider to another) is similar to “other types of portability” already existing or being discussed “in other areas of legislation (e.g. in the contexts of contract termination, communication services roaming and trans-border access to services)”. The Working Party warns that “analogies should be treated cautiously” (Guidelines, p.4).]
Furthermore, while the proposed Directive appears to confirm that the use of personal data as a counter-performance is permissible, the GDPR already has provisions on determining when processing of personal data is legitimate, which covers, for example, whether or not consent is considered valid and freely given in the context of digital transactions.
Therefore, the EDPS encourages the addition of an explicit statement in the proposed Directive that data processed must be used in line with rules under the existing EU data protection framework that applies. And, remember, the GDPR will come into effect across the EU on 25 May 2018, repealing the Data Protection Directive and all implementing national data protection laws, such as the UK Data Protection Act 1998. The draft E-Privacy Regulation, once agreed, also looks like it may end up coming into effect in 2018.
In terms of next step, watch this space: the proposed Directive is being adopted under the ordinary legislative procedure, which means that both the European Parliament and the Council need to agree on the same final text. One thing is for sure – in light of this new and unsettled ‘melting pot’ of legal obligations (and remember we also have the new EU Copyright Directive potentially overlapping in the mix – see Sophie’s post here) – data protection/privacy specialists and their interpretational skills are going to be in high demand next year!