On December 3rd 2014, the French Unfair Terms Commission published recommendations relating to Terms and Conditions provided by social networks (“Recommendation n°2014-02”).
In addition to consumer law issues, the Commission addresses in these recommendations a number of privacy and data protection provisions, which is unusual.
The Unfair Terms Commission is in charge of scrutinizing templates and agreements usually proposed by professionals and may recommend the withdrawal or modification of terms which create, at the expense of the non-professional or consumer, a significant imbalance between the rights and obligations of the parties to a contract, i.e. terms qualifying as unfair.
These recommendations are not mandatory, and the judge is not bound by them. They are intended to encourage professionals to modify or remove unfair terms from their agreements and to inform consumers about the risks of such provisions.
Courts may however rely on the Commission’s recommendations to rule on the unfairness of a contractual term.
The recommendations analysed below are in principle intended for social network operators, but they can serve as guidance for drafting the terms and conditions of other websites providing services to consumers.
In this regard, the following provisions should be withdrawn from the terms and conditions of the social network services, if the provisions:
- “Do not provide for the explicit consent of a minor’s legal representative regarding the processing of his/her data”, and “To presume the consent of a minor’s legal representative” from the mere registration by the minor on a social network.
In the absence of specific provisions in the French Data Protection Act addressing the collection of minors' data, the Unfair Terms Commission refers to general provisions of French civil law according to which a minor does not have legal capacity to provide valid consent, except in specific cases provided by law; the consent of the legal representative (i.e. parents) is hence required. The position taken by the Commission is thus in line with the CNIL’s well-established guidance on the collection of minors' data, which requires a data controller to obtain the parent’s prior and explicit consent for the collection and processing of personal data on minors.
- “Lead the consumer or non-professional to believe that the professional may use all the information provided by him/her, without any obligation for the professional relating to the processing of such data”.
In this section, the Commission aims more specifically to address provisions that refer to tracking data related to a web user’s online navigation - such as cookies, location data or IP addresses - and that exclude such data from the protections afforded by data protection regulations, even though, according to the Commission, some of this data may qualify as personal data.
- “Provide, without complying with the provisions of the French Data Protection Act, an implied consent to the processing of personal data of the consumer or non-professional by the professional”.
The Commission also adds that such clauses generally cover a very wide range of processing without clearly specifying the purposes for which data is processed. In this context, the Commission concludes that the provisions do not allow carrying out a lawful and fair processing of personal data as required under the French Data Protection Act.
- “Provide that by merely browsing the social website, the consumer or the non-professional gives consent to the processing of his/her sensitive data”.
Article 8 of the French Data Protection Act, to which the Commission refers, sets out a general prohibition on the processing of sensitive data (i.e. data relating to racial or ethnic origins, political, philosophical or religious opinions, data relating to trade union membership or data relating to health or sex life) subject to specific exceptions. Among these exceptions, a data controller may be allowed to process sensitive data with the prior and explicit consent of the concerned individual and provided that the collection of such data is necessary for the purpose of the processing. The Commission however does not refer to this criterion of “necessity”, although it is an explicit requirement that must be met under the French Data Protection Act for the processing of sensitive data to be allowed.
- “Lead the consumer or non-professional to believe that his/her personal data may be disclosed to non-identified third parties, without his/her prior consent or his/her right to object later to such disclosure”, especially when the provision does not even specify the purpose of such disclosure.
The Unfair Terms Commission deems that such provision should be removed, since it gives consumers the impression that the disclosure is not subject to the conditions for the lawfulness of the data processing laid down by law, and that they are not entitled to exercise their right to object to such disclosure.
- “Provide for the retention of the personal data of the consumer or non-professional, for an unlimited time period or for a time period longer than necessary for the purposes of the data processing”.
Under the French Data Protection Act, the professional data controller is not legally required to provide data subjects with the length of time during which data are retained, in the terms and conditions of its services. However, the Unfair Terms Commission specifies that if the professional wishes to contractually provide for such a length of time, it cannot be unlimited or longer than necessary for the purposes: the terms and conditions accepted by the consumer cannot be used as a way to circumvent such a legal requirement.
- “Provide that personal data will be transferred abroad, without specifying the countries where the transfer can take place, and (i) without asking for the express consent of the consumer or non-professional if such consent is required by law, or (ii) when such consent is inferred from the acceptance of the terms and conditions of the service”.
The Unfair Terms Commission adopts a surprising position, since consent appears to be considered as a lawful and basic requirement for transferring data outside of the EU, whereas the French Data Protection Authority has always favoured an approach based on prior information and contractual guarantees rather than consent. The French Data Protection Authority’s approach is also consistent with Article 29 Working Party’s, which deemed that consent does not provide an adequate long-term framework for data controllers in cases of repeated or even structural transfers for the processing.
Another interesting element in this statement is the fact that the Unfair Terms Commission confirms that each country where the transfer may take place must be expressly specified in the terms and conditions.
- “Lead the consumer or non-professional to believe that he/she is responsible for the obligations to ensure the security of the personal data, while such obligations fall on the professional data controller”.
The Unfair Terms Commission takes the opportunity here to remind professional data controllers that, as such, they are responsible for ensuring the security of the data. Contrary to the usual provisions found in Business-to-Business agreements, the service provider cannot discharge itself of its obligation to ensure the protection, back-up and security of the personal data.
Thus, the consumer should at the very least be granted the right to terminate the agreement or to object to the processing. Also, the terms and conditions should specify that changes will be applicable as from the date of entry into effect of such changes. Consumers must not be led to believe that changes may apply retrospectively.