09 October 2018

EU Consumer Data Protection and the CDR

The EU Data Protection Supervisor has released an Opinion on data protection aspects of the EU 'A New Deal for Consumers' legislative package. That package is composed of the Proposal for a Directive as regards better enforcement and modernisation of EU consumer protection rules and the Proposal for a Directive on representative actions for the protection of the collective interests of consumers.

EDPS Opinion 8/2018 on the legislative package “A New Deal for Consumers” notes that
The European Data Protection Supervisor (EDPS) is an independent institution of the EU, responsible under Article 41(2) of Regulation 45/2001 ‘With respect to the processing of personal data... for ensuring that the fundamental rights and freedoms of natural persons, and in particular their right to privacy, are respected by the Community institutions and bodies’, and ‘...for advising Community institutions and bodies and data subjects on all matters concerning the processing of personal data’. Under Article 28(2) of Regulation 45/2001, the Commission is required, ‘when adopting a legislative Proposal relating to the protection of individuals’ rights and freedoms with regard to the processing of personal data...’, to consult the EDPS.
He was appointed in December 2014 together with the Assistant Supervisor with the specific remit of being constructive and proactive. The EDPS published in March 2015 a five-year strategy setting out how he intends to implement this remit, and to be accountable for doing so. This Opinion relates to the EDPS' mission to advise the EU institutions on the data protection implications of their policies and foster accountable policymaking - in line with Action 9 of the EDPS Strategy: 'Facilitating responsible and informed policymaking'. The EDPS considers that compliance with data protection requirements will be key to the success of EU consumer protection law in the Digital Single Market.
This Opinion outlines the position of the EDPS on the legislative package entitled: “A New Deal for Consumers” that is composed of the Proposal for a Directive as regards better enforcement and modernisation of EU consumer protection rules and the Proposal for a Directive on representative actions for the protection of the collective interests of consumers.
The EDPS welcomes the intention of the Commission to modernise existing rules in an area whose goals are closely aligned to those of the recently modernised data protection framework. He recognises the need to fill the gaps in the current consumer acquis in order to respond to the challenge presented by predominant business models for digital services which rely on massive collection and monetisation of personal data and on the manipulation of people’s attention through targeted content. This is a unique opportunity to improve consumer law to redress the growing imbalance and unfairness between individuals and powerful companies in digital markets.
In particular, the EDPS supports the aim to extend the scope of Directive 2011/83/EU in order to allow the consumers, who receive services not rendered against a monetary price, to benefit from the protection framework offered by this Directive, as this reflects today’s economic reality and needs.
The Proposal took into account the recommendations of the EDPS Opinion 4/2017 and refrains from using the term “counter-performance” or distinguishing between data “actively” or “passively” provided by consumers to suppliers of digital content. However, the EDPS notes with concern that the new definitions envisaged by the Proposal would introduce the concept of contracts for the supply of a digital content or digital service for which consumers can “pay” with their personal data, instead of paying with money. This new approach does not solve the problems caused by using the term “counter-performance” or by making an analogy between the provision of personal data and the payment of a price. In particular, this approach does not sufficiently take into consideration the fundamental rights nature of data protection by considering personal data as a mere economic asset.
The GDPR already laid down a balance regarding the circumstances under which the processing of personal data may take place in the digital environment. The Proposal should avoid promoting approaches that could be interpreted in a way inconsistent with the EU commitment to fully protect personal data as laid down in the GDPR. To provide broad consumer protection without risking to undermine the principles of data protection law, an alternative approach could be envisaged, such as based on the broad definition of a “service” from the e-commerce Directive, the provision defining the territorial scope of the GDPR or Article 3(1) of the Council General Approach on the Digital Content Proposal. The EDPS therefore recommends refraining from any reference to personal data in the definitions of the “contract for the supply of digital content which is not supplied on tangible medium” and the “digital service contract” and suggests to rely instead on a concept of a contract under which a trader supplies or undertakes to supply specific digital content or a digital service to the consumer “irrespective of whether a payment of the consumer is required”.
Furthermore, the EDPS draws attention to several potential interferences of the Proposal with the application of the EU data protection framework, in particular with the GDPR and provides recommendations.
First of all, the EDPS stresses that the processing of the personal data can only be done by the traders in accordance with the EU data protection framework, in particular the GDPR.
Second, the EDPS is concerned that if the concept of “contracts for the supply of a digital content or digital service for which consumers provide their personal data, instead of paying with money” were introduced by the Proposal, it could mislead service providers who would be led to believing that the processing of data based on consent in the context of a contract is legally compliant in all cases, even where the conditions for valid consent set out in the GDPR are not fulfilled. This would undermine legal certainty.
Third, the complex interplay between the right of withdrawal from the contract and the withdrawal of the consent for processing of personal data, as well as the obligation of the trader to reimburse the consumer in the event of withdrawal demonstrates the difficulties of reconciling the concept of “contracts for the supply of a digital content or digital service for which consumers provide their personal data, instead of paying with money” introduced by the Proposal with the fundamental right nature of personal data and the GDPR.
Also, the EDPS considers that the Proposal should amend Article 3 of Directive 2011/83/EU and introduce a provision that clearly states that in case of a conflict between the Directive 2011/83/EU and the data protection legal framework, the latter prevails.
Furthermore, the EDPS also welcomes the new Proposal on collective redress, which intends to facilitate redress for consumers where many consumers are victims of the same infringement, in a so-called mass harm situation. The EDPS assumes that the redress mechanism envisaged in the Proposal on collective redress aims to be complementary to the one in Article 80 of the GDPR on representation of data subjects.
Nevertheless, to the extent personal data protection-related matters would be included in the scope of the collective action under the Proposal, the EDPS considers that “the qualified entities” that will be able to bring the representative actions in this field under the Proposal should be subject to the same conditions as set out in Article 80 GDPR.
Along the same lines, the Proposal on collective redress should clarify that the representative actions regarding data protection issues can only be brought before administrative authorities that are the data protection supervisory authority within the meaning of Articles 4(21) and 51 GDPR.
In conclusion, the EDPS considers that the application of two different mechanisms on collective redress, to the GDPR and to the future e-Privacy Regulation, alongside other substantive points of interaction between consumer and data protection, requires more systematic cooperation between the consumer protection and data protection authorities that could be done, for instance, within the already existing voluntary network of the enforcement bodies from competition, consumer and data protection areas - the Digital Clearinghouse.
Finally, the EDPS welcomes the initiative to update the enforcement of consumer rules: the revision of the Consumer Protection Cooperation Regulation. In this context, the EDPS considers that it is important to further explore the synergies between the data protection and consumer law. The cooperation between the consumer protection and data protection authorities should become more systematic wherever specific issues that are of interest for both sides arise, in which consumer welfare and data protection concerns appear to be at stake.
'The Proposed Australian Consumer Data Right: A European Comparison' by Samson Esayas and Angela Daly in (2018) 3 European Competition and Regulatory Law Review comments
This article examines the new Australian consumer Comprehensive right to access and use data, also known as the Consumer Data Right, recently proposed by the Australian Productivity Commission, and adopts a comparative analysis with data protection, competition and consumer developments in the European Union (EU). Firstly, a brief overview is given of the legal context and relevant Big Data developments in Australia. Then, current EU developments, particularly the data portability right under the General Data Protection Regulation (GDPR), and recent proposals from the Commission aiming at fostering access and transfer of data including the data producer’s right to use and authorise the data and the portability of non-personal data for professional users are considered. This is followed by an explanation of the Australian Productivity Commission’s proposed Consumer Right to access and use data, before an analysis is conducted to understand the extent to which this proposed right accords with the European situation. Given the coming into force of the GDPR and its extraterritorial reach, and the EU-Australia Free Trade Agreement currently under negotiation, as well as the transnational reach of Big Data and Cloud services, standardisation across the two jurisdictions is desirable. In this regard, the article examines to what extent the recent initiatives contribute to such standardisation and their implications for the extent to which Australia’s legal framework for data may be considered ‘adequate’ by the EU.