In an Opinion published on 5 October 2018, the European Data Protection Supervisor has raised concerns and made some significant recommendations on one of the key planks of the EU's New Deal for Consumers legislative reforms.
As we reported in April, the EU has conducted a major revaluation of EU consumer law directives. As a consequence, the EU has proposed a series of amendments to the existing regime which is being described as a “New Deal for Consumers”. The proposals, if implemented, would result in significantly increased liability for breach of consumer law in the EU, and would extend consumer rights to contracts where digital services are provided for free. This would mean that users of social media, cloud-based storage for personal photos and many other digital services would need to review their compliance with consumer law.
One of the key legislative reforms being proposed is a new directive on “better enforcement and modernisation of EU consumer protection rules”. The European Data Protection Supervisor has now published his opinion on the proposed directive, and has made some significant recommendations on how the proposals should be amended to ensure they do not conflict with GDPR.
What about Brexit?
Although the current Brexit timetable means it is unlikely that the UK will be required to implement the New Deal for Consumers into domestic law, many companies will wish to take a consistent approach across Europe to consumer rights. If so, they will need to consider the implications of these new proposals in relation to their UK operations, as well as those in the EU. It is also at least possible that any UK trade deal with the EU will require some alignment on consumer rights, so the directive may well still be implemented into UK law in one way or another.
Opinion of the European Data Protection Supervisor
On 5 October 2018, the European Data Protection Supervisor published an Opinion on the draft directive on better enforcement and modernisation of EU consumer protection rules. It is significant because the supervisor has identified some inconsistencies with GDPR and suggested that it has the potential to undermine the GDPR.
The Supervisor is particularly concerned about the impact of the plan to extend consumer protection rights to contracts where digital services are effectively offered in exchange for consumers’ personal data, such as social media platforms and search providers. The current drafting of the directive arguably suggests that personal data can be used as payment for these types of services. The Supervisor is concerned that this has the effect of legitimising the idea that personal data is an acceptable form of payment for such services.
This legitimisation risks encouraging social media providers and others to claim that their processing of data is “necessary for the performance of a contract with the data subject”, which would allow them to avoid the onerous requirements of obtaining GDPR-compliant consent. It also deprives EU citizens of the rights that flow from processing of data obtained with consent, such as the right to be forgotten and the right to withdraw consent at any time.
The Supervisor is also concerned that permitting this kind of use of “necessary for the performance of the contract” as the lawful ground for processing enables companies to access more personal data about a data subject than is strictly necessary to provide the services. The concern is that this undermines the very purpose of GDPR.
The Supervisor considers that processing on the lawful ground of, “necessary for performance of a contract” is already being abused and the new deal for consumers has the potential to legitimise and extend this activity.
Why this matters
First and foremost, this matters because the Supervisor’s opinion will be influential and therefore the drafting of the proposal is likely to change to address his concerns.
In the meantime, the Supervisor’s analysis gives us an insight into the potential in future for processing personal data on the lawful ground of “necessary for the performance of a contract”. The mere suggestion by the EU that it would regulate contracts where consumers pay for digital services with personal data suggests that there is tacit acceptance of this arrangement – albeit not by the Supervisor himself. However, it also suggests that regulators will not look kindly on companies that rely on “necessary for performance of a contract” as the lawful ground for processing data not strictly necessary to provide the service; or that use it as a mechanism to avoid needing to obtain consent. This would suggest that any company seeking to rely on this ground for processing data would need to carefully the contract in question. It would be wise where doing so to consider some of Supervisors concerns, such as the need to be upfront and honest about the use of personal data.