Skip to main content

Advertisement

SpringerLink
Log in

The proposal for a directive on digital content: a complex relationship with data protection law

  • Article
  • Published:
ERA Forum Aims and scope

Abstract

While the EU is in the process of comprehensively reforming its data protection legal framework, another legislative proposal intends to address certain aspects of the digital economy, with a potential legal shift from the balance reached by the General Data Protection Regulation: the Proposal for a Digital Content Directive. This proposal introduces a heavily debated idea: the possibility to pay with personal data to access a service. This article analyses how data protection law and consumer law may interact for better or for worse.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

Notes

  1. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) [2002] OJ L 201/37.

  2. Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), COM(2017) 10 final, hereinafter ‘ePrivacy Regulation’.

  3. Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1, hereinafter ‘GDPR’.

  4. Proposal for a Directive of the European Parliament and of the Council on certain aspects concerning contracts for the supply of digital content, COM(2015) 634 final, hereinafter ‘DCD’; the DCD is part of a package of two proposals, including another proposal regarding contracts for online sales and other distance sales of goods; Proposal for a Directive of the European Parliament and of the Council on certain aspects concerning contracts for the online and other distance sales of goods, COM(2015) 635 final.

  5. For a presentation of the DCD, see Schulze/Staudenmayer/Lohsse [12], pp. 11–30, Mak [5], Manko [9] and Metzger [10]. On the regime of digital content under EU consumer law, see Jacquemin [4].

  6. EDPS Opinion 4/2017 of 17 March 2017 on the Proposal for a Directive on certain aspects concerning contracts for the supply of digital content, available at: https://edps.europa.eu/sites/edp/files/publication/17-03-14_opinion_digital_content_en.pdf.

  7. DCD, Recital 4; However we note that the DCD does not explicitly state that the provision of a service where data are given in exchange for the access to this service should qualify as a contract under national law. On this question, see Zech [14]. See Metzger [10], §§3–8, according to whom the DCD does not harmonise the rules on the formation of the contract.

  8. DCD, Art. 3(1).

  9. EDPS Opinion 4/2017, para. 14. See also Helberger/Zuiderveen/Reyna [3], pp. 1442–1449.

  10. Value might be created for instance when creating targeted advertising, selling users’ personal data or profiles to third parties, or improving the service or the product to reach a broader audience.

  11. DCD, Recital 13.

  12. EDPS Opinion 4/2017, para. 14.

  13. See Proposal for a Directive of the European Parliament and of the Council establishing the European Electronic Communications Code (Recast), COM(2016) 590 final, specifically Recital 16 which acknowledges that ‘[e]lectronic communications services are often supplied against counter-performance other than money, for instance by giving access to personal data or other data’; Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), COM(2017) 10 final, specifically Recital 18 which does not mention explicitly the use of data but acknowledges that ‘[i]n the digital economy, services are often supplied against counter-performance other than money, for instance by end-users being exposed to advertisements’.

  14. Robert [11], p. 357.

  15. EDPS Opinion 4/2017, para. 17.

  16. EDPS Opinion 4/2017, para. 14. See also Manko [9], p. 15, para. 4.3.1 who thinks that the DCD proposal seems to go in the direction of the ‘propertisation’ of data. See also Victor [13], who thinks that the GDPR goes towards a property-rule-based approach.

  17. EDPS Opinion 4/2017, para. 17.

  18. GDPR, Recital 7.

  19. DCD, Art. 3(8).

  20. EDPS Opinion 4/2017, para. 25. Helberger/Zuiderveen/Reyna [3], p. 1446: “One may wonder to what extent it is in the interest of traders to characterize the provision of data as a counter-performance it that means that the contract would fall under the draft Digital Content Directive. It appears that the draft Directive would only apply to “free” services only if the trader explicitly acknowledges that it regards user data it collects as a counter-performance”.

  21. EDPS Opinion 4/2017, para. 25 to 27.

  22. Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on the certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce) [2000] OJ L 178/1, specifically Art. 2(a): ‘services within the meaning of Article 1(2) of Directive 98/34/EC as amended by Directive 98/48/EC’.

  23. Proposal for a Directive of the European Parliament and of the Council establishing the European Electronic Communications Code (Recast), COM(2016) 590 final, specifically Art. 2(4): ‘a service normally provided for remuneration via electronic communications networks, which encompasses “internet access service” as defined in Article 2(2) of Regulation (EU) 2015/2120; and/or “interpersonal communications service”; and/or services consisting wholly or mainly in the conveyance of signals such as transmission services used for the provision of machine-to-machine services and for broadcasting, but excludes services providing, or exercising editorial control over, content transmitted using electronic communications networks and services’.

  24. GDPR, Art. 3(2); EDPS Opinion 4/2017, para. 30 to 34; see also Clifford/Graef/Valcke [1], p. 27, who questions whether a service under the eCommerce Directive may be deemed distinct from a service contract.

  25. We also wonder whether the subject matter of the contract is not the personal data themselves but rather the tolerance of users for their processing; see Zoll [15], p. 184.

  26. DCD, Art. 3(8).

  27. All further references to provisions of the DCD in Sect. 3 relate to the Proposal of the Commission.

  28. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/31.

  29. On the interaction between both texts, see Manko/Monteleone [6], p. 5.

  30. Manko/Monteleone [6], p. 4.

  31. EDPS Opinion 4/2017, para. 37.

  32. One of the reasons seems to be that the DCD does not intend to regulate the entire internet. Therefore, it would not apply to search engines or other services where data are not ‘actively’ provided. Since such business models are also based on the use of data to make profit, we believe that the DCD arbitrarily excludes them from the scope of the DCD; see Schulze/Staudenmayer/Lohsse [12], p. 16.

  33. See Clifford/Graef/Valcke [1], p. 27 according to whom ‘despite being deliberate, the proposal, rather than representing an informed legislative choice, instead manifests an ill-informed understanding of data protection and privacy legislation and is a result of the complex legislative history related to the attempted harmonization of contract law formation at the EU level’.

  34. See ePrivacy Directive, Art. 5(3); The use of non-functional cookies or cookie-like technologies is subject to consent.

  35. For instance, cookies are passively collected and may be used by suppliers to create value. Therefore, we do not see why the Proposal excludes cookies from the data triggering the application of the DCD.

  36. EDPS Opinion 4/2017, para. 39.

  37. Cookies and cookie-like technologies are even more strictly regulated under the current ePrivacy Directive—and will be soon by the ePrivacy Regulation—than under the GDPR. This proves that they are even more privacy-sensitive; see Clifford/Graef/Valcke [1], pp. 24–27.

  38. Article 6(1) lays down the exhaustive list of cases where data processing may take place, including when ‘processing is necessary for the performance of a contract to which the data subject is party’ according to Article 6 (1)(b) and ‘processing is necessary for compliance with a legal obligation to which the controller is subject’ according to Article 6(1)(c).

  39. GDPR, Art. 5; Charter of Fundamental Rights of the EU, Art. 8.

  40. The vital interest (Article 6(1)(d)) and the public interest (Article 6(1)(e)) would not work in this case. For further developments, see EDPS Opinion 4/2017, pp. 13–17 and Manko/Monteleone [6], pp. 7–10.

  41. Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of the Directive 95/46/EC, p. 16, available at: http://collections.internetmemory.org/haeu/20171122154227/http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf. Article 29 Working Party Guidelines on consent under Regulation 2016/679, as last revised and adopted on 10 April 2018, p. 8, available at http://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51030.

  42. See Clifford/Graef/Valcke [1], p. 33, who underlines: ‘it also remains to be seen how far consent will stretch but also how processing that is necessary for the contract will be delineated from additional activities as required by Article 7(2) GDPR’.

  43. That being said, the question remains whether consent under Article 6(1)(a) of the GDPR can still trigger the formation of a contract since, in those circumstances, data are not the counter-performance of the contract, and hence, not necessary for its performance according to Art. 6(1)(b) GDPR.

  44. GDPR, Art. 4(11).

  45. In this regard, Art. 7(4) of the GDPR provides that ‘[w]hen assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract’. Recital 43 further specifies this idea and provides that ‘[c]onsent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance’. Therefore, in our view, the GDPR creates a presumption that the consent is not freely given when it is a conditional to receive the provision of a service. See Article 29 Working Party Guidelines on consent under Regulation 2016/679, as last revised and adopted on 10 April 2018, p. 9: ‘As the wording of Article 7(4) is not construed in an absolute manner, there might be very limited space for cases where this conditionality would not render the consent invalid. However, the word “presumed” in Recital 43 clearly indicates that such cases will be highly exceptional’.

  46. EDPS Opinion 4/2017, para. 62; for a further analysis of this rebuttable presumption, see Clifford/Graef/Valcke [1], pp. 36–44. Metzger [10], §12, and Article 29 Working Party Guidelines on consent under Regulation 2016/679, as last revised and adopted on 10 April 2018, p. 7, 3.1.2.

  47. EDPS Opinion 4/2017, para. 42.

  48. Case C-131/12 Google Spain, EU:C:2014:317, para. 81, 97 and 99.

  49. Clifford/Graef/Valcke [1], p. 27.

  50. DCD, Art.13(2)(b) and 16(4)(a).

  51. EDPS Opinion 4/2017, para. 76.

  52. GDPR, Art. 17(1)(b); Manko/Monteleone [6], p. 10.

  53. GDPR, Art. 17(1); EDPS Opinion 4/2017, para. 76.

  54. GDPR, Art. 20.

  55. Article 15 of the GDPR provides for the right of access, which entails the right to receive a copy of all personal data processed by the controller.

  56. Article 29 Working Party Guidelines of 5 April 2017 on the right to data portability, WP 242 rev. 01, available at: http://ec.europa.eu/newsroom/document.cfm?doc_id=44099.

  57. Robert [11], p. 358.

  58. Council General approach of 1 June 2017 on Proposal for a Directive of the European Parliament and of the Council on certain aspects concerning contracts for the supply of digital content (First reading), available at: http://data.consilium.europa.eu/doc/document/ST-9901-2017-ADD-1/en/pdf, hereinafter ‘Council General Approach’.

  59. Parliament Report of 27 November 2017 on the proposal for a directive of the European Parliament and of the Council on certain aspects concerning contracts for the supply of digital content, Committee on the Internal Market and Consumer Protection Committee on Legal Affairs, Rapporteurs Evelyne Gebhardt and Axel Voss, available at: http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+A8-2017-0375+0+DOC+PDF+V0//EN, hereinafter ‘Parliament Report’.

  60. For a broader view on both positions of the Council and the Parliament, see Manko [8].

  61. Manko [7], p. 9.

  62. Council General Approach, Art. 2(6a).

  63. Council General Approach, Art. 2(6).

  64. European Law Institute Statement on the European Commission’s Proposed Directive on the Supply of Digital Content to Consumers, p. 15: ‘More importantly, it is difficult to see why the consumer should not be protected where the information is collected by means of a cookie (which Recital (14) states does not amount to active provision of data) or where the supplier’s collection and use of the consumer’s data for commercial purposes is more or less clandestine’.

  65. We should note that the text explicitly mentions the conditions of existence and not the conditions of validity.

  66. Surprisingly enough, whereas the existence of a contract is a condition sine qua non for the application of the DCD, the text never mentions this explicitly; see Clifford/Graef/Valcke [1], p. 30, according to whom: ‘the Council construction (in addition to their intention to retain the “passive”-“active” distinction) appears to reflect the fear that a positive acknowledgement of personal data as counter-performance in an EU legislative text (even if implicit) would have an impact on this tightly guarded aspect of national contract law’.

  67. Council General Approach, Art. 3(8).

  68. Council General Approach, Art. 13a(3).

  69. Council General Approach, Art. 13a.

  70. Parliament Report, Recital 14; We note that Recital 13 leaves to national law the question of validity of contracts for the supply of a digital content or a digital service where personal data are provided or accessed. This differs slightly from the wording of the Council General Approach that refers to the requirements for the existence of a contract under national law. We see that there could be another source of confusion here and another sign of the difficulty to harmonise national laws in this respect.

  71. Parliament Report, Art. 3(1).

  72. Article 3(4) also excludes data provided by the consumer or collected by the trader exclusively for improving the digital content or service. Similarly to the European Consumer Organisation (BEUC), we think that this wording is too vague and gives the possibility to service providers to bypass the rules of the DCD by simply stating in the terms of services that the data are necessary to improve its services; see BEUC Key recommendations on the Digital Content Directive for the trialogue negotiations, available at: http://www.beuc.eu/publications/beuc-x-2018-003_digital_content_directive.pdf.

  73. Parliament Report, Recital 13; Recital 13 states that ‘[t]his Directive should, in no way, give the impression that it legitimises or encourages a practice based on monetisation of personal data, as personal data cannot be compared to a price, and therefore cannot be considered as a commodity’

  74. See Clifford/Graef/Valcke [1] pp. 29–30.

  75. Parliament Report, Art. 3(1).

  76. See Clifford/Graef/Valcke [1], p. 28.

  77. Parliament Report, Art. 3(4); in terms similar to those of Article 3(1) of the Council’s General Approach, the text of the Parliament would ‘not apply where personal data are exclusively processed by traders either for supplying, maintaining the conformity or improving the digital content, or for meeting legal requirements to which traders are subject provided that they do not process these data for any other purpose’.

  78. Parliament Report, Recital 55.

  79. Parliament Report, Art. 3(7).

  80. Parliament Report, Art. 13a(2) and 16(4).

  81. Parliament Report, Art. 13a(3) and (4).

  82. See EDPS Opinion 8/2016 of 23 September 2016 on coherent enforcement of fundamental rights in the age of big data, available at: https://edps.europa.eu/sites/edp/files/publication/16-09-23_bigdata_opinion_en.pdf.

  83. See ‘German court rules Facebook use of personal data illegal’, https://www.euractiv.com/section/data-protection/news/german-court-rules-facebook-use-of-personal-data-illegal/. About this decision, see Helberger/Zuiderveen/Reyna [3], pp. 1454–1456.

  84. See also Parliament Report, Art. 6(5a): ‘In order to be in conformity with the contract, the digital content or digital service shall respect the principles of “privacy by design” and “privacy by default” set out in Article 25 of Regulation (EU) 2016/679’.

  85. The EU legislator seems to struggle in delineating the interaction between the payment of a price, the existence of a contract and the explicit acceptance of a contractual agreement. For another example, see Commission, DG Justice Document concerning Directive 2011/83/EU on consumer rights (2014) who considers that ‘contracts for online digital content are subject to the Directive even if they do not involve the payment of a price by the consumer’. However, the Commission considers that ‘since the Directive applies to “contracts concluded between consumers and traders” (Article 1), it should not apply to online digital content provided by means of broadcasting of information on the internet without the express conclusion of a contract’.

  86. In the Facebook case, the Berlin Court did not consider as deceptive the statement of Facebook according to which ‘Facebook is and will always be free’, dismissing the argument of the German Consumer Association that consumers pay with their data.

  87. Helberger/Zuiderveen/Reyna [3], p. 1445: “Including data as a counter-performance could open up the application of the provisions about unfair contracts and possibly consumer sales law”.

  88. Manko [7], p. 6.

  89. EDPS Opinion 4/2017, para. 37; for a comprehensive analysis of the interaction between competition, consumer and data protection law, see Graef [2], pp. 1–23.

  90. And the future ePrivacy Regulation.

References

  1. Clifford, D., Graef, I., Valcke, P.: Pre-Formulated Declarations of Data Subject Consent—Citizen-Consumer Empowerment and the Alignment of Data, Consumer and Competition Law Protections (2018). Available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3126706

  2. Graef, I.: Blurring Boundaries of Consumer Welfare: How to Create Synergies between Competition, Consumer and Data Protection Law in Digital Markets (2016). Available at: https://ssrn.com/abstract=2881969

  3. Helberger, N., Zuiderveen Borgesius, F., Reyna, A.: The perfect match? A closer look at the relationship between EU consumer law and data protection law. Common Mark. Law Rev. 54, 1–28 (2017)

    Google Scholar 

  4. Jacquemin, H.: Digital content and sales or service contracts under EU law and Belgian/French law. JIPITEC 1, 27–38 (2017)

    Google Scholar 

  5. Mak, V.: The new proposal for harmonised rules on certain aspects concerning contracts for the supply of digital content. European Parliament Research Service In-depth analysis PE 536.494, 1–28 (2016)

  6. Manko, R., Monteleone, S.: Contracts for the supply of digital content and personal data protection. European Parliament Research Service, Briefing PE 603.929, 1–12 (2017)

  7. Manko, R.: Contracts for supply of digital content. European Parliament Research Service, Briefing PE 608.748, 1–12 (2017)

  8. Manko, R.: Contracts for supply of digital content. European Parliament Research Service, Briefing PE 614.707, 1–12 (2018)

  9. Manko, R.: Contracts for supply of digital content: A legal analysis of the Commission’s proposal for a new directive. European Parliament Research Service, In-depth analysis PE 582.048, 1–36 (2016)

  10. Metzger, A.: Data as counter-performance. What rights and duties do parties have? JIPITEC 1, 2–8 (2017)

    Google Scholar 

  11. Robert, R.: Peut-on payer avec ses données personnelles ? – La proposition de directive « contenu numérique » introduit le ver dans le fruit. J. Droit Eur. 384, 356–358 (2017)

    Google Scholar 

  12. Schulze, R., Staudenmayer, D., Lohsse, S.: Contracts for the supply of digital content: regulatory challenges and gaps—an introduction. In: Schulze, R., Staudenmayer, D., Lohsse, S. (eds.) Contracts for the Supply of Digital Content: Regulatory Challenges and Gaps. Munster Colloquia on EU Law and the Digital Economy II, Nomos, pp. 9–30 (2017)

    Google Scholar 

  13. Victor, J.: The EU general data protection regulation: toward a property regime for protecting data privacy. Yale Law J. 123, 513–528 (2013)

    Google Scholar 

  14. Zech, H.: Data as a Tradeable Commodity—Implications for Contract Law (2017). Available at: https://ssrn.com/abstract=3063153

  15. Zoll, F.: Personal data as remuneration in the proposal for a directive on supply of digital content. In: Schulze, R., Staudenmayer, D., Lohsse, S. (eds.) Contracts for the Supply of Digital Content: Regulatory Challenges and Gaps. Munster Colloquia on EU Law and the Digital Economy II, Nomos, pp. 179–188 (2017)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. European Data Protection Supervisor, Brussels, Belgium

    Romain Robert & Lara Smit

Authors
  1. Romain Robert
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Lara Smit
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Romain Robert.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Robert, R., Smit, L. The proposal for a directive on digital content: a complex relationship with data protection law. ERA Forum 19, 159–177 (2018). https://doi.org/10.1007/s12027-018-0506-7

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s12027-018-0506-7

Keywords

Search

Navigation