We’ve previously commented in some depth on the EU’s Digital Single Market proposals, most of which are currently out to consultation. The European Commission today set out new plans for two proposals under this DSM strategy to better protect consumers who shop online across the EU and help businesses expand their online sales. There's more detail on the ecommerce issues at our sister Tech Blog.
The online context
In a nutshell, the EU is concerned that EU based online consumers enjoy a variety of different online rights country to country and this significantly complicates compliance for eVendors. This creates real difficulties for any eVendor looking to address all EU markets with their services. In particular, there are no consistent consumer rights around the supply of "digital content" (a term not even recognized in the laws of some Member States).
The EU proposal for a Digital Content Directive
One of today's proposals from the European Commission included a draft for a new Directive on the supply of digital content (e.g. streaming music, online games, apps or e-books (see text here)) (the "draft Directive"). We're told the “proposals will tackle the main obstacles to cross-border e-commerce in the EU: legal fragmentation in the area of consumer contract law and resulting high costs for businesses – especially SMEs- and low consumer trust when buying online from another country.”
But what's this got to do with "data"?
"That's all ecommerce" – "this is a data privacy blog" you say. Well, in today's digital economy, information about individuals is often as valuable as money. Digital content is often supplied in exchange for the consumer giving access to personal or other data. In this draft Directive this is somewhat clumsily termed "use of the counter-performance other than money". With this in mind, and with the desire to treat the exchange of data in the same way as the exchange of money, Articles 12 to 16 of the draft Directive address consumer rights in digital content contracts established in exchange for data.
An eVendor must cease data use upon contract termination
Importantly, under the draft Directive proposals, if an EU consumer has obtained digital content or a digital service, in exchange for data or personal data, the new rules clarify that the eVendor should stop using that data in case the contract is ended. What's more, the eVendor should return it!
In the cases of a lack of conformity with the contract, the consumer shall be entitled to have digital content they've "purchased" (or participated in the "use of the counter-performance other than money"!) brought into conformity with the contract free of charge. If this can't be done (and subject to some other provisions I'll spare you from here), the consumer may be either entitled to a proportionate reduction in price or to terminate the contract – Article 12.
There are similar proposals in the event termination rights are exercised in respect of digital content provided and then modified by the eVendor over a period of time. If a subsequent modification adversely impacts the access to, or use of the content, then the consumer has a termination right in certain prescribed circumstances - Article 15.
There are also similar termination rights proposed in respect of long-term contracts (lasting more than 12 months) – Article 16.
When a contract for digital content terminates
What's more, in any of the above circumstances, where the consumer terminates the contract for digital content that has been entered into in exchange for data instead of money:
- The eVendor "shall take all measures which could be expected" and cease use of (1) any data which the consumer has provided in exchange for the digital content and; (2) any other data collected by the eVendor in relation to the supply of the digital content (including any content provided by the consumer but with the exception of the content which has been generated jointly by the consumer and others who continue to make use of the content); and
- The eVendor shall provide the consumer with technical means to "retrieve all content provided by the consumer and any other data produced or generated through the consumer's use of the digital content to the extent that data has been retained by the eVendor". What's more the consumer "shall be entitled to retrieve the content free of charge, without significant inconvenience, in reasonable time and in a commonly used data format unless this is impossible, disproportionate or unlawful".
There is no distinction between personal data and data so the proposed rules are quite pervasive. The Recitals to the draft Directive state "[f]ulfilling the obligation to refrain from using data should mean in the case when the counter-performance consists of personal data, that the supplier should take all measures in order to comply with data protection rules by deleting it or rendering it anonymous in such a way that the consumer cannot be identified by any means likely reasonably to be used either by the supplier or by any other person." This reads as a positive obligation to delete and not purely a reactionary step should the consumer request it.
This is HUGE! For any eVendor, isolating and stopping the use of discrete data sets relating to an individual consumer is hard enough. Designing and perfecting a mechanism to trace and then return any and all data sets specific to a customer is something else. This is a data identification and portability conundrum of extreme proportions. As above, the draft expressly applies to any data (and not just personal data).
In context, say I download a free eBook in return for my personal details and perhaps the completion of an online survey. That book reads well, but at chapter 7, I can no longer advance the pages and the eVendor cannot cure this despite my demands. As a consumer, I'll have a right to terminate. At that point the eVendor of the book must stop using my details, cease using the data from my survey. Additionally, all that data must be identified and returned! Thankfully, the eVendor would not have to identify and cease to use certain meta-data relating to the how fast, when and on which devices I read the eBook (see below as it seems that's out of the draft Directive's scope). If I'm honest, for a free eBook, I'm not sure I care about the return of my data (but an Austrian student with a good legal background and time on his or her hands will!).
When would the rules apply?
This is a first draft proposal and will undoubtedly be subject to intense lobbying and debate in the coming months. Even once passed, as a directive, it would take up to 24 months to incorporate the rules into the local law of Member States.
The accompanying impact assessment stressed that in particular the draft Directive should cover services which allow the creation, processing or storage of data. "While there are numerous ways for digital content to be supplied, such as transmission on a durable medium, downloading by consumers on their devices, web-streaming, allowing access to storage capabilities of digital content or access to the use of social media, this Directive should apply to all digital content independently of the medium used for its transmission". The Directive does not cover services performed with a significant element of human intervention or contracts governing specific sectorial services such as healthcare, gambling or financial services.
For now, the draft Directive should apply only to contracts where the eVendor "requests and the consumer actively provides data, such as name and e-mail address or photos, directly or indirectly to the supplier for example through individual registration or on the basis of a contract which allows access to consumers' photos".
This Directive should not apply to situations where:
- the eVendor "collects data necessary for the digital content to function in conformity with the contract, for example geographical location where necessary for a mobile application to function properly, or for the sole purpose of meeting legal requirements, for instance where the registration of the consumer is required for security and identification purposes by applicable laws"; and
- data collected is "strictly necessary for the performance of the contract or for meeting legal requirements and the supplier does not further process them in a way incompatible with this purpose";
- the eVendor collects information, "including personal data, such as the IP address, or other automatically generated information such as information collected and transmitted by a cookie, without the consumer actively supplying it, even if the consumer accepts the cookie"; and
- the consumer is "exposed to advertisements exclusively in order to gain access to digital content".
What about other privacy rules (and presumably the GDPR)?
Article 3 of the draft Directive clarifies that in case of conflict between the Directive and another EU act, the other EU act takes precedence. In particular, it clarifies that the Directive is without prejudice to the rules on data protection.
In terms of general proposed scope, the draft Directive "covers the supply of all types of digital content". It also covers "digital content supplied not only for a monetary payment but also in exchange for (personal and other) data provided by consumers, except where the data have been collected for the sole purpose of meeting legal requirements".
You thought you had enough new law to deal with.
Mark Webber – Partner, Silicon Valley California email@example.com