Back to EUR-Lex homepage

EUR-Lex Access to European Union law

Back to EUR-Lex homepage

This document is an excerpt from the EUR-Lex website

Use quotation marks to search for an "exact phrase". Append an asterisk (*) to a search term to find variations of it (transp*, 32019R*). Use a question mark (?) instead of a single character in your search term to find variations of it (ca?e finds case, cane, care).
Search tips
Need more search options? Use the Advanced search
You are here

Document 52017XX0623(01)

Summary of the Opinion on the Proposal for a Directive on certain aspects concerning contracts for the supply of digital content

OJ C 200, 23.6.2017, p. 10–13 (BG, ES, CS, DA, DE, ET, EL, EN, FR, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

23.6.2017   

EN

Official Journal of the European Union

C 200/10

Summary of the Opinion on the Proposal for a Directive on certain aspects concerning contracts for the supply of digital content

(The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu)

(2017/C 200/07)

The EDPS acknowledges the importance of the data-driven economy for the growth in the EU and its prominence in the digital environment as set out in the Digital Single Market strategy. We have argued consistently for the synergies and complementarity between consumer and data protection law. We therefore support the aim of the Commission’s proposal of December 2015 Directive on certain aspects concerning contracts for the supply of digital content to enhance the protection of consumers who are required to disclose data as a condition for the supply of ‘digital goods’.

However, one aspect of the Proposal is problematic, since it will be applicable to situations where a price is paid for the digital content, but also where digital content is supplied in exchange for a counter-performance other than money in the form of personal data or any other data. The EDPS warns against any new provision introducing the idea that people can pay with their data the same way as they do with money. Fundamental rights such as the right to the protection of personal data cannot be reduced to simple consumer interests, and personal data cannot be considered as a mere commodity.

The recently adopted data protection framework (the ‘GDPR’) is not yet fully applicable and the proposal for new e-Privacy legislation is currently under discussions. The EU should avoid therefore any new proposals that upset the careful balance negotiated by the EU legislator on data protection rules. Overlapping initiatives could inadvertently put at risk the coherence of the Digital Single Market, resulting in regulatory fragmentation and legal uncertainty. The EDPS recommends that the EU apply the GDPR as the means for regulating use of use of personal data in the digital economy.

The notion of ‘data as counter-performance’ - left undefined in the proposal — could cause confusion as to the precise function of the data in a given transaction. The lack of clear information from the suppliers in this regard may add further difficulties. We therefore suggest considering, as a way of resolving this problem, using the definition of services under the TFEU or the provision used by the GDPR to define its territorial scope.

This Opinion examines the proposal’s several potential interactions with the GDPR.

First, the broad definition of ‘personal data’ under data protection legislation may well have the effect that all data subject to the Proposed Directive be considered as ‘personal data’ under the GDPR.

Second, the strict conditions under which a processing can take place are already set down in the GDPR and do not require amendment or addition under the proposed directive. While the proposal seems to consider as legitimate the use of data as a counter-performance, the GDPR provides, for example, a new set of conditions to assess the validity of consent and to determine whether it can be considered as freely-given in the context of digital transactions.

Finally, the proposed rights given to the consumers to obtain their data from the supplier at the termination of the contract and the obligation for the supplier to refrain from using data potentially overlap with the rights of access and to portability and with obligation of the supplier to refrain from using the data and data controller obligations under the GDPR. This might unintentionally lead to confusion regarding the regime applicable.

1.   INTRODUCTION AND BACKGROUND

1.1.   The consultation of the EDPS by the Council

1.

On 9 December 2015, the European Commission presented two legislative proposals for new contractual rules for online sales. The proposed digital contract rules include two draft pieces of legislation:

a Proposal for a Directive on certain aspects concerning contracts for the supply of digital content (1);

a Proposal for a Directive on certain aspects concerning contracts for the online sales of (tangible) goods (2).

2.

The two proposals are to be seen as a package with common objectives, notably to remove the main obstacles to cross-border e-commerce in the EU (3). As regards more specifically the Proposal for a Directive on contracts for supply of digital content to consumers (hereinafter ‘the Proposal’), its intention is to have a single set of rules covering contracts for the sale and renting of digital content as well as contracts for digital services (4). At the time of the adoption of the Proposal, the EDPS was not consulted by the Commission.

3.

On 21 November 2016, the LIBE Committee issued an Opinion on the Proposal (5). The European Parliament Internal Market and Consumer Protection Committee (IMCO) and the Legal Affairs Committee (JURI) issued a draft joint report on the Proposal on 7 November 2016 (6).

4.

The Council is currently discussing the Proposal within the Working party on Civil Law Matters (Contract law). In this context, on 10 January 2017, the Council decided to consult the EDPS on the Proposal. The EDPS welcomes the initiative of the Council to consult the EDPS on this important legislative which raises many questions in relation to the Union law on the protection of personal data. The present Opinion is the EDPS’ response to the request of the Council.

1.2.   The Proposal

5.

Currently, the supply of digital content at EU level is partly regulated by the Consumer Rights Directive (7), Unfair Terms Directive (8) and e-Commerce Directive (9). The Consumer Sales Directive is not applicable, as the definition of ‘consumer goods’ in that Directive extends only to ‘tangible moving items’.

6.

Several Member States have already adopted specific rules for digital content, creating differences in scope and content between the national rules governing these contracts (10). The Proposal therefore intends to provide for a harmonised protection of the consumers so far as digital content is concerned. In this context, the Proposal envisages a maximum level of harmonisation.

7.

As to the scope of the Proposal, it would cover not only digital goods (such as films or music, computer programs, mobile applications, ebooks) but also digital services (such as social media platforms and cloud computing services). For a digital contract to fall within the scope of the proposed directive, it must either provide for a price to be paid by the consumer, or the consumer must ‘actively provide personal data or other data as counter-performance’ (11).

8.

The Proposal introduces a ‘hierarchy of remedies’ in case of lack of conformity of the digital content or service provided by the seller, and provides for the consumer’s right to retrieve the data at the termination of the contract in a ‘commonly used data format’ (12). The Proposal also imposes the obligation for suppliers to refrain from the use of the data provided as counter-performance after the termination of the contract (13).

9.

The Proposal refers to the concept of personal data in three situations:

the use of data (including personal data) as a ‘counter-performance other than money’ (14);

a reference to data which is ‘strictly necessary for the performance of the contract’ (15);

a reference to ‘other data produced or generated through the consumer’s use of the digital content’ (16).

10.

The reference to the concept of personal data creates a potential interaction between the Proposal and the data protection rules, as laid down, among others, in the Data Protection Directive 95/46/EC (17) and the GDPR (18). Furthermore, as stated in the Proposal, the Directive is intended to be without prejudice to the protection of individuals with regard to the processing of personal data (19). This Opinion will therefore address the interplay between the Proposal and the current and future EU data protection framework (20).

CONCLUSION

79.

The EDPS welcomes the initiative of the Commission which intends to give a broad protection to consumers in the EU, by extending this protection to ‘digital goods’, and by including the cases where consumers do not pay a price with money.

80.

The EDPS recognises the importance of having clear and up-to-date rules which can accompany and foster the development of the digital economy. In this respect, the EDPS continues to follow actively the initiatives of the Commission regarding the Digital Single Market since the importance of data as a source of growth and innovation is at the core of these initiatives.

81.

In this context, we welcome the initiative of the Council to consult the EDPS. This is for the EDPS an opportunity to address several recommendations and messages to the legislators, when discussing the Proposal submitted to the EDPS.

82.

On the interplay of the Proposal with data protection law:

the Proposal raises a number of issues given the fundamental rights nature of these data and the specific protection granted to these data under the EU data protection framework;

the Proposal should avoid including provisions which may impact the data protection framework, since the Proposal is based on Article 114 TFEU, which is no longer the appropriate basis to regulate data processing;

by no means should the Proposal change the balance found by the GDPR regarding the circumstances under which the processing of personal data may take place in the digital market.

83.

On the use of data as a counter-performance:

the EDPS considers that the term ‘data as a counter-performance’ should be avoided;

to this effect the EDPS offers alternatives:

the use of the notion of ‘services’ in EU law may be useful in considering how to encompass services where a price is not paid;

the GDPR scope covering the offering of goods and services irrespective of whether a payment is required may also be a useful consideration.

84.

On the interplay of the Proposal with the GDPR:

considering the broad definition of personal data, it is likely that almost all data provided by the consumer to the provider of the digital content will be considered as personal data;

the EDPS recommends avoiding referring to data (actively) provided by the consumer since it contradicts the existing and future rules on data protection;

the Proposal should state explicitly that data processed by the suppliers shall only be used insofar this is in line with the EU data protection framework, including the GDPR and the e-Privacy legislation;

the EDPS recommends that Articles 13 and 16 of the Proposal refer to the GDPR when it comes to the rights to erasure and the right to access one’s data, to the extent that personal data are concerned. Should non-personal data (‘other data’) be processed, the EDPS recommends that the provisions of Article 13 and 16 should be aligned with the regime provided in the GDPR for the sake of consistency.

Brussels, 14 March 2017.

Giovanni BUTTARELLI

European Data Protection Supervisor

(1)  Proposal for a Directive of the European Parliament and of the Council on certain aspects concerning contracts for the supply of digital content, COM/2015/0634, Available at http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1450431933547&uri=CELEX:52015PC0634

(2)  Proposal for a Directive of the European Parliament and of the Council on certain aspects concerning contracts for the online and other distance sales of goods, COM/2015/0635 final.

(3)  For more information, see http://ec.europa.eu/justice/contract/digital-contract-rules/index_en.htm

(4)  In this context, an attempts was already made by the Commission: see Proposal for a Regulation of the European parliament and of the Council on a Common European Sales Law, COM/2011/0635 final; this proposal was abandoned by the Commission.

(5)  Available at http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-%2f%2fEP%2f%2fNONSGML%2bCOMPARL%2bPE-582.370%2b03%2bDOC%2bPDF%2bV0%2f%2fEN

(6)  Available at http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-%2f%2fEP%2f%2fNONSGML%2bCOMPARL%2bPE-592.444%2b01%2bDOC%2bPDF%2bV0%2f%2fEN

(7)  Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights, amending Council Directive 93/13/EEC and Directive 1999/44/EC of the European Parliament and of the Council and repealing Council Directive 85/577/EEC and Directive 97/7/EC of the European Parliament and of the Council (OJ L 304, 22.11.2011, p. 64).

(8)  Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts (OJ L 95, 21.4.1993, p. 29).

(9)  Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) (OJ L 178, 17.7.2000, p. 1).

(10)  See Explanatory Memorandum of the Proposal, page 3.

(11)  See Article 3(1) of the Proposal.

(12)  See Article 13(2)(c) of the Proposal.

(13)  See Article 13(2)(b) of the Proposal.

(14)  See Article 3(1) and (4), Article 13(2)(b), Article 15(2)(c) and Article 16(4)(a) of the Proposal.

(15)  See Article 3(4) of the Proposal.

(16)  Article 13(2)(b) and Article 16(4)(b) of the Proposal.

(17)  Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).

(18)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

(19)  Article 3(8) of the Proposal.

(20)  Currently, in the context of the analysis of the Proposal, the main texts applicable are the Directive 95/46/EC which will be repealed and replaced by the Regulation (EU) 2016/679, and the Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37) (also called ‘e-Privacy Directive’). The e-Privacy Directive should be repealed by the recent Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC, 10 January 2017, COM (2017) 10 final (Regulation on Privacy and Electronic Communications).

Top