Spain has just passed the law transposing Directive (EU) 2019/770 on certain aspects concerning contracts for the supply of digital content and digital services ("Directive 2019/770"). This Directive has updated and brought more specific protection for consumers that enter into agreements with traders in relation to digital services or digital content (e.g. apps, e-games, SaaS, e-Books, some medical devices, etc. ). It will be applicable from January 2022. However, the applicability of Directive 2019/770, and its implementation in practice needs to be carefully assessed. This law also has relevant data protection implications, as it regulates digital contracts where the service / content is provided in exchange of personal data (and not money).
When will the law be enforceable?
The new provisions (that have been incorporated to the Spanish Consumer Act) will be applicable from January 2022. Therefore, companies still have time to implement their procedures and policies in line with the Spanish transposition of Directive 2019/770.
Who is affected by these new provisions?
Directive 2019/770 is intended to expand and improve accuracy of protection for consumers that acquire content or services with inherent digital content. The concept of consumer for the purposes of Directive 2019/770 is comparable to the concept of consumer under current EU laws.
On the other hand, the entities bound by the obligations of Directive 2019/770 are any natural or legal person, irrespective of whether privately or publicly owned, that acts for purposes relating to that person's trade, business, craft, or profession.
What are the goods / services covered by Directive 2019/770?
Directive 2019/770 applies to the supply of digital content or digital services to consumers. For instance, it covers:
"inter alia, computer programmes, applications, video files, audio files, music files, digital games, e-books or other e-publications, and also digital services which allow the creation of, processing of, accessing or storage of data in digital form, including software-as-a-service, such as video and audio sharing and other file hosting, word processing or games offered in the cloud computing environment and social media".
It should be noted that Directive 2019/770 also applies to the provision of services by tangible medium, such as DVDs, CDs, USB sticks and memory cards, as well as to the tangible medium itself, provided that the tangible medium serves exclusively as a carrier of the digital content.
Therefore, Directive 2019/770 applies to an extremely broad range of digital products. For instance, it applies to contracts where the consumer is provided with tailor-made software, electronic files required in the context of 3D printing of goods and medical devices, such as health applications (if they can be obtained by the consumer without being prescribed or provided by a health professional).
Directive 2019/770 does not apply to:
- Tangible goods with digital elements or connected to digital services (where the digital factor is essential for the purposes of the product). For instance, it will not apply to the pre-determined apps of a smartphone or smart TV, but it will apply to the apps that consumer downloads afterwards.
- Contracted services where the digital factor is not essential in the transaction with the consumer. For instance, the provision of professional services, such as translation services, architectural services, legal services…
- Digital content / services provided to a public audience, as part of an artistic performance or event, gambling services, financial services, software under a free and open-source license…
The Directive does cover contracts where the consumer does not pay money as consideration, but it provides personal data to the trader in exchange of the services. There are a few examples in Directive 2019/770:
- "where the consumer opens a social media account and provides a name and email address that are used for purposes other than solely supplying the digital content or digital service, or other than complying with legal requirements".
- Situations "where the consumer gives consent for any material that constitutes personal data, such as photographs or posts that the consumer uploads, to be processed by the trader for marketing purposes".
However, the Directive shall not apply to cookies or similar tracking technologies, except where the use of these technologies can be considered within the framework of a contract under national laws.
Please see the data protection section below for further information for the relevant implications.
How do the new measures protect consumers?
Delivery of the services
The content / digital services will need to be supplied to the consumer without undue delay once the contract is in force. This obligation will be complied with when the consumer has the possibility to download / access the content, physically or virtually.
If the trader does not comply without undue delay, the consumer will need to make a request for the content / service to be provided immediately or within an additional deadline agreed by both parties. Should this not happen, the consumer has the right to terminate the contract.
The conformity of digital content or a digital service with the contract
There are several requirements for conformity:
- Subjective requirements, which includes (among others) that the digital services /content shall correspond to the technical characteristics, quality, functionality, etc., and be supplied with all accessories, instructions, including on installation, and customer assistance, as described in the contract;
- Objective requirements. The Directive includes a very comprehensive description of objective requirements, which mainly involves that the service / content shall comply with market and technical standards that the consumer may reasonably expect, and that are normal given the nature of the service / content. This covers the existence of instructions, updates (e.g. security, functionalities, etc.)
Lack of conformity can be remedied by the consumer by requesting the trader to solve the situation, requesting a discount, or terminating the contract. In addition, the consumer is allowed to request additional compensation of any damages, where applicable. The consumer is allowed to stop paying any pending amount until the trader resolves issues arising from its lack of conformity.
There are some exceptions to consumer rights to request remedies due to the lack of conformity. For instance, if remedies would involve disproportionate efforts / resources where the digital content / service has insignificant / low value, or where the lack of conformity is not significant.
Besides, "where the digital content or digital service is not supplied in exchange for a price but personal data are provided by the consumer, the consumer should be entitled to terminate the contract also in cases where the lack of conformity is minor".
Period of protection for consumers
The period of protection for consumers under Spanish law implementing Directive 2019/770 is two years from the time of supply, unless a longer period of time is stipulated in the contract. In the case of digital content / services provided continuously over a period of time, the protection covers the duration of the contract.
The period of protection will be suspended in the case of lack of conformity, and will resume at the moment of proper conformity.
Data protection implications
Directive 2019/770 expressly states that its content shall be construed without prejudice of data protection laws (i.e. Data Protection Regulation – "GDPR" – and national laws "implementing" GDPR). In the same sense, it also states that the content of the Directive does not change or affect any data protection principle or provision, including GDPR. In fact, in the event of conflict between Directive 2019/770 and GDPR, GDPR will prevail.
Besides, the Directive "fully recognizes" that personal data is a fundamental right and that therefore personal data cannot be considered as a commodity. This has also been the opinion of the European Data Protection Supervisor ("EDPS") when analysing the proposal of Directive 2019/770.
In spite of this, the Directive still accepts that in the market of digital services / content, it happens that those services / content are often provided in exchange for personal data, and that the Directive "should ensure that consumers are, in the context of such business models, entitled to contractual remedies". In this vein, the Spanish transposition of Directive 2019/770 expressly recognizes that "this modality is getting more and more common" and that "it is urgent and necessary to cover this vacuum".
It is a very precarious balance, as personal data in exchange for content / services will only apply when the processing of personal data is not mandatory to provide the service / content, nor mandatory to comply with any law. According to the opinion of the EDPS, consent and legitimate interest would be options as available legal bases under art. 6 GDPR (although in addition to these, other legal bases could arguably also be suitable):
- Consent: in the opinion of the EDPS, compatibility of consent (under GDPR) and the rules under Directive 2019/77, may give rise to some challenges. As a rule of thumb, under the GDPR, consent can be withdrawn at any moment, without negative consequences for the data subject. Similarly, according to the Guidelines 05/2020 on consent of the European Data Protection Board, lack of consent / withdrawal of consent does not generally allow the data controller to terminate a contract or to forbid the use of a service.
However, Directive 2019/770 itself contains a provision allowing EU Members to regulate the consequences for contracts covered by the Directive in the event that the consumer withdraws the consent for the processing of his/her personal data. The Spanish transposition of Directive 2019/770 expressly envisages that the trader / data controller is allowed to terminate the contract in the event the data subject withdraws consent.
- Legitimate interest: it may also be problematic, as the data controller needs to have previously confirmed (through a legitimate interest assessment, as envisaged in Opinion 06/2014 on the notion of legitimate interests), that data controllers' legitimate interest prevails over the rights and freedoms of the data subject. According to the EDPS in its opinion, in this context it may not be an easy task to accomplish, as the legitimate interest will be generally only economic.
Besides, if the processing of personal data is based on the legitimate interest, in principle this would involve that the processing is not necessary to perform the agreement. Therefore, terminating the agreement or forbidding the use of a web / app would need to be carefully assessed. However, the Spanish transposition of Directive 2019/770 expressly envisages that the trader / data controller is allowed to terminate the contract in the event the data subject objects to the processing.
It should also be noted that under Directive 2019/770 "the trader should be entitled to continue to use the content provided or created by the consumer in cases where such content either has no utility outside the context of the digital content or digital service supplied by the trader, only relates to the consumer's activity, has been aggregated with other data by the trader and cannot be disaggregated or only with disproportionate efforts".
Here, Directive 2019/770 seems to accept a reality that the regulators need to be aware of. However, its acceptance is not fully committed, and has not brought legal certainty to companies and to data subjects / consumers. It’s not clear how data supervisory authorities will react in practice, because in the event of conflict between Directive 2019/770 and the GDPR, GDPR will prevail.
This could lead to an unwanted consequence. The enforcement of GDPR could potentially undermine the applicability in practice of the provisions of Directive 2019/770 if data protection supervisory authorities adopt a strict approach. However, should this happen, Directive 2019/770 would be devoid of substance, which is obviously not the intention of the legislator. This is a passionate legal challenge that all stakeholders will need to address soon.
As the Spanish implementation of Directive 2019/770 will be enforceable as of January 2022, we still have time to obtain the guidance of EU regulators (including the Spanish data Protection Agency) in order to align compliance with both the Directive 2019/770 and the GDPR.
- If your company offers digital services / content to consumers in Spain (and the European Union), you should consider assessing whether Spanish law implementing Directive 2019/770 is applicable.
- Should this law be applicable, your company should consider amending the T&Cs in order to include the new rights of consumers, and making sure that internal policies are aligned with said rights.
- If your company provides digital services / content in exchange of personal data, you should consider making sure that this practice is complaint with Spanish law implementing Directive 2019/770 and with data protection laws.
- As Spanish law implementing Directive 2019/770 will be applicable from January 2022, there is still time to take into account the guidance of regulators in relation to vague provisions.
- Due to the difficulty and uncertainty of Directive 2019/770 and the potential consequences of breach of GDPR, you should rely on legal expert advice. Please get in touch with the contacts listed in this publication for further assistance.