Locations
As part of its 2015 Digital Single Market Strategy[1], the European Commission proposed modernising the rules applicable to sales of goods and introducing similar rules for the supply of digital content (such as digital films, music, e-books, applications) and digital services (such as social media platforms, on-line games, pay-per-view access to films, cloud computing, etc.).
After more than 3 years of negotiations, the EU adopted a package comprising a directive on contracts for the supply of digital content and services[2] ("DCD") and a directive on contracts for the sale of goods[3] ("SGD"), both applicable in B2C relations. Member States will have two years to transpose these directives into their national law.
The primary objective of the two directives is to modernise the rules dating from directive 1999/44/EC on certain aspects of the sale of consumer goods and associated guarantees. While the latter was a minimum-harmonisation directive leaving Member States the right to maintain or adopt more consumer-friendly implementing provisions, the two new instruments aim at maximum harmonisation although they sometimes still leave some leeway to the Member States.
The instruments mainly deal with the legal guarantee, the concept of conformity of the good or digital content, while also providing for remedies in the event of a failure to supply or of non-conformity. As there are two instruments, one issue was related to the fate of digital content embedded in goods. The legislator finally decided that this growing category (think of all connected objects) would fall within the scope of the SGD. A major innovation of the DCD lies in its scope of application, as it does not only apply where the consumer pays a price but also when he/she provides personal data as a counter-performance.
The two instruments will enhance consumer protection and allow businesses to rely on a more unified set of contractual rules across the EU. However, the recognition of the provision of personal data as a counter-performance for the supply of digital content/services raises concerns on interactions with data protection law (I). Though, recent European Data Protection Board ("EDPB") Guidelines may help businesses to comply better with data protection law while processing data they intend to receive as a counter-performance (II).
I. Clash with data protection law?
As far as personal data as counter-performance is concerned, the directive applies "where the trader supplies or undertakes to supply digital content or a digital service to the consumer and the consumer provides or undertakes to provide personal data to the trader". It does not apply "where the personal data provided by the consumer is exclusively processed by the trader for supplying of the digital content or digital service [...] or for the trader to comply with legal requirements to which the trader is subject, and the trader does not process this data for any other purpose". As a consequence, this enlarged scope of application will extend consumer contract law protection to many (misleadingly) so called "free services".
The question arises: As far as data protection law is concerned, can a trader take advantage of the recognition of personal data as a counter-performance in order to extensively process personal data in exchange of digital content/services?
The answer partly lies in the directive itself, as it directly refers to the GDPR for the definition of personal data, and for the obligations on the trader in case of termination of a contract. Article 3 DCD also states that the directive is without prejudice to the provisions of the GDPR, as well as the e-Privacy Directive (2002/58/EC) and that in case of conflict between the provisions of the DCD and EU law on the protection of personal data, the latter should prevail.
Therefore, companies supplying digital content or services in exchange of data will have to articulate their practice with data protection law requirements. The fact that data may be a counter-performance in a contract does not allow data controllers to process data unlawfully. They will therefore need to conduct an analysis to ensure they rely on a proper legal ground when processing personal data provided in exchange of digital content or services.
This being said, it might at first sight be tempting for a trader to consider that the legal basis for processing personal data which constitutes the counter-performance of his/her service lies in the necessity for the performance of the contract entered into with the consumer. If the above-mentioned article 3 of the DCD was not sufficient, recent EDPB guidelines might help determine the legal basis on which the processing of personal data may take place under GDPR.
II. DCD provision on data as counter-performance read through the eyes of EDPB guidelines
The recent EDPB guidelines on the processing of personal data under article 6(1)(b) GDPR in the context of the provision of online services to data subjects[4] recall some previous guidance and provide useful indications on the available legal basis under GDPR to process personal data in the context of the provision of online services to data subjects. While it does not make any direct reference to the DCD, the EDPB insists on the fact that purpose limitation[5] and data minimisation principles[6] are particularly relevant in contracts for online services which are typically not negotiated on an individual basis.
Following the EDPB reasoning, as far as article 6(1)(b) GDPR is concerned, it can only be used as a legal basis where the processing is "objectively necessary for the performance of a contract with a data subject" or "objectively necessary in order to take pre-contractual steps at the request of a data subject". The EDPB explains that "the concept of what is necessary for the performance of a contract is not simply an assessment of what is permitted by or written into the terms of the contract" and that "assessing what is necessary involves a combined, fact-based assessment of the processing for the objective pursued and of whether it is less intrusive compared to other options for achieving the same goal". Thus, "merely referencing or mentioning data processing in a contract is not enough to bring the processing in question within the scope of article 6(1)(b)".
In this regard, the EDPB explicitly mentions that although "contracts for digital services may incorporate express terms that impose additional conditions about advertising, payments or cookies, amongst other things" it is not possible to "artificially expand the categories of personal data or types of processing operation that the controller needs to carry out for the performance of the contract within the meaning of article 6(1)(b)".
As a consequence, there might be limited examples where the underlying contract will actually be a lawful basis for the processing of personal data which would be the counter-performance for the supply of digital content/services.
For instance, article 6(1)(b) is a potential legal basis for an online retailer to process the email address of a consumer in order to fulfil its contractual obligations (i.e. supply the digital content). This processing would anyway fall outside the scope of the DCD directive as the personal data provided by the consumer is exclusively processed by the trader for delivering the digital content. However, if the retailer wants to build a profile of his/her customer and has mentioned this in the contract, this mere indication does not make this specific processing "necessary for the performance of the contract" in data protection law terms and the retailer will need to rely on a different legal basis to conduct the profiling activity.
EDPB examples confirm that the necessity for the performance of a contract will rarely be an appropriate legal basis when personal data is processed in the context of the provision of online services to data subjects. In this regard, processing for "service improvement" or "fraud prevention" are likely to go beyond what is objectively necessary for the performance of a contract. Processing for "online behavioural advertising, and associated tracking and profiling of data subjects […], although [it] may support the delivery of the service, [it] is separate from the objective purpose of the contract between the user and the service provider, and therefore not necessary for the performance of the contract at issue". The EDPB however acknowledges that "processing for personalisation of content […] may constitute an essential or expected element of certain online services, and therefore may be regarded as necessary for the performance of the contract with the service user in some cases". Yet, "where personalisation of content is not objectively necessary for the purpose of the underlying contract, for example, where personalised content delivery is intended to increase user engagement with a service but is not an integral part of using the service, data controllers should consider an alternative basis".
The EDPB suggested another important distinction to be made by data controllers when providing online services to data subjects: "between entering into a contract and giving consent within the meaning of article 6(1)(a), as these concepts are not the same and have different implications for data subject's rights and expectations". Furthermore, according to the EDPB and following the rules under the GDPR, the processing of special categories of personal data (sensitive data) cannot be legitimised by the "necessity for the performance of a contract". Therefore, data controllers will likely need to seek explicit consent in accordance with the GDPR conditions when processing sensitive data (provided none of the exceptions under article 9(2) apply).
As a conclusion, businesses/data controllers should pay particular attention when considering processing personal data from customers. They need to make a case-by-case assessment of the types of personal data and purposes of the envisaged processing. The fact that the processing of personal data would be a counter-performance received in exchange of the supply of digital content/services is not necessarily connected to the choice of the legal ground for the processing which is subject to GDPR/e-Privacy requirements.
[1] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2015%3A192%3AFIN
[2] Directive on certain aspects concerning contracts for the supply of digital content and digital services (to be published in the Official Journal of the European Union)
[3] Directive on certain aspects concerning contracts for the sale of goods, amending Regulation (EU) 2017/2394 and Directive 2009/22/EC, and repealing Directive 1999/44/EC (to be published in the Official Journal of the European Union)
[4] Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects (under public consultation while writing this article)
[5] See article 5(1)(b) GDPR and Article 29 Working Party Opinion 03/2013 on purpose limitation, p. 15-16
[6] See article 5(1)(c) GDPR