Reg comments3

Contracts trading personal data for digital content: Rights to remedy, redress required

So say Europe's Parliamentarians

shutterstock_213172012

Opinion Consumers should not have had to actively provide their personal data in return for digital content to be supplied to them to benefit from consumer protection rights relating to the supply of that content, a committee of MEPs has said.

A new directive on contracts for the supply of digital content was proposed by the European Commission late last year and is currently being scrutinised by committees within the European Parliament.

The Civil Liberties, Justice and Home Affairs (LIBE) Committee at the Parliament has published a new opinion (29-page / 586KB PDF) outlining recommended amendments to the Commission's plans. They include broadening the scope of consumers' rights of remedy and redress to all cases where consumers give up access to their personal data to digital content suppliers in return for their access to that content.

Under the Commission's proposals, the consumer rights would only apply to cases where a consumer pays to access digital content or otherwise "actively provides" a counter-performance other than money in the form of personal data or other data.

The LIBE Committee said the draft directive should apply to a broader range of circumstances in which personal data is exchanged for digital content.

It said the directive should "apply to any contract where the supplier supplies digital content or a digital service to the consumer or undertakes to do so and, in exchange, a price is to be paid or the consumer makes available his or her personal data or any other data instead of a payment in money, in so far this is possible in line with [the General Data Protection Regulation]". The Committee said contracts for the supply of digital content should have to "explicitly indicate which personal data are to be exchanged for the content supplied".

The Committee had said that, under the Commission's draft, digital content suppliers could have a "perverse incentive" not to ask for consumers' consent to collect their personal data. It has recommended that 'personal data' be defined within the proposed new legislation as it is defined within the GDPR, which was finalised earlier this year and comes into effect in May 2018.

Under the UK's Consumer Rights Act most of the consumer rights and remedies provided for do not apply where consumers exchange personal data in return for access to digital content. The UK government has previously said it has "no fundamental objection" to consumer rights being extended in cases where consumers trade their personal data for access to 'free' digital content but that it is concerned about the effect there could be on businesses of doing so.

Under the Commission's plans to harmonise the law on contracts for the supply of digital content across the EU, digital content providers would need to ensure the content they supply conforms to the information they provided about the content to consumers, such as in relation to its quality, interoperability, accessibility and security. Digital content might also be said to lack conformity if it is "incorrectly integrated into the consumer's digital environment".

Where there has been a "lack of conformity" consumers will have qualified rights to require digital content providers to "bring the digital content in conformity", receive refunds or even terminate contracts and obtain damages "for any economic damage to the digital environment of the consumer caused by a lack of conformity with the contract or a failure to supply the digital content".

The onus would be on businesses to demonstrate the conformity of the digital content they supplied with the information they disclosed to consumers in advance of a contract being agreed for that supply, according to the draft directive.

The LIBE Committee said, though, that technical standards or consumers' legitimate expectations should also be benchmarks for determining whether or not digital content has been supplied in conformity under the proposed new rules.

The Committee has also recommended changes that would increase the circumstances in which suppliers of digital content could be held liable for damages.

"The supplier shall be liable to the consumer for any economic damage to the consumer caused by a lack of conformity with the contract or a failure to supply the digital content," according to the LIBE Committee's proposed amendment. "Damages shall put the consumer as nearly as possible into the position in which the consumer would have been if the digital content had been duly supplied and been in conformity with the contract."

EU countries would be given freedom to "provide for a reduced or increased degree of liability for damages based on objective criteria for assessing the efforts made by the supplier to avoid non-conformity of the digital content and the occurrence of the damage, such as best practices in relation to security or state-of-the-art technology", under the LIBE Committee plans.

Under the Commission's proposals, suppliers' liability would be limited to any economic damage to "the digital environment of the consumer" caused by a lack of conformity with the contract or a failure to supply the digital content.

In seeking to justify its proposed change, the LIBE Committee said: "There might be cases where a consumer suffers serious economic or immaterial loss quite apart from any damage to its digital environment (for example if software contains a bug that allows hackers to gain access to a consumer's computer and steal his password for his bank account). It might therefore be advisable to broaden the scope for damages to include all damage done to the consumer."

"Furthermore, it might be interesting to allow member states, in setting the detailed rules on damages, to make a differentiation between those suppliers that did everything in their power to limit the possibility of damages (e.g. by compliance to a certain IT security baseline or standards) and those that did not have 'their house in order' (e.g. did not fix security vulnerabilities in their products/services that were known or reported to them) in order to encourage a stronger sense of responsibility and accountability among suppliers," it said.

Copyright © 2016, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Biting the hand that feeds IT © 1998–2017