DATA PROTECTION
European Data Protection Supervisor: personal data cannot be a counter-performance to receive free digital contents.
The EDPS acknowledges the importance of the data-driven economy for the growth in the EU and its prominence in the digital environment as set out in the Digital Single Market strategy. We have argued consistently for the synergies and complementarity between consumer and data protection law. We therefore support the aim of the Commission’s proposal of December 2015 Directive on certain aspects concerning contracts for the supply of digital content to enhance the protection of consumers who are required to disclose data as a condition for the supply of ‘digital goods’.
However, one aspect of the Proposal is problematic, since it will be applicable to situations where a price is paid for the digital content, but also the where digital content is supplied in exchange for a counter-performance other than money in the form of personal data or any other data. The EDPS warns against any new provision introducing the idea that people can pay with their data the same way as they do with money. Fundamental rights such as the right to the protection of personal data cannot be not be reduced to simple consumer interests, and personal data cannot be considered as a mere commodity.
The recently adopted data protection framework (the “GDPR”) is not yet fully applicable and the proposal for new e-Privacy legislation is currently under discussions. The EU should avoid therefore any new proposals that upset the careful balance negotiated by the EU legislator on data protection rules. Overlapping initiatives could inadvertently put at risk the coherence of the Digital Single Market, resulting in regulatory fragmentation and legal uncertainty. The EDPS recommends that the EU apply the GDPR as the means for regulating use of use of personal data in the digital economy. The notion of “data as counter-performance” - left undefined in the proposal - could cause confusion as to the precise function of the data in a given transaction.
The lack of clear information from the suppliers in this regard may add further difficulties. We therefore suggest considering, as a way of resolving this problem, the definition of services under the TFEU and the provision used by the GDPR to define its territorial scope may assist in. This Opinion examines the proposal’s several potential interactions with the GDPR. First, the broad definition of “personal data” under data protection legislation may well have the effect that all data subject to the Proposed Directive be considered as “personal data” under the GDPR. Second, the strict conditions under which a processing can take place are already set down in the GDPR and do not require amendment or addition under the proposed directive. While the proposal seems to consider as legitimate the use of data as a counter-performance as legitimate, the GDPR provides, for example, a new set of conditions to assess the validity of consent and to determine whether it can be considered as freely-given in the context of digital transactions.
Finally, the proposed rights given to the consumers to obtain their data from the supplier at the termination of the contract and the obligation for the supplier to refrain from using data potentially overlap with the rights of access and to portability and with obligation of the supplier to refrain from using the data and data controller obligations under the GDPR. This might unintentionally lead to confusion regarding the regime applicable.
However, one aspect of the Proposal is problematic, since it will be applicable to situations where a price is paid for the digital content, but also the where digital content is supplied in exchange for a counter-performance other than money in the form of personal data or any other data. The EDPS warns against any new provision introducing the idea that people can pay with their data the same way as they do with money. Fundamental rights such as the right to the protection of personal data cannot be not be reduced to simple consumer interests, and personal data cannot be considered as a mere commodity.
The recently adopted data protection framework (the “GDPR”) is not yet fully applicable and the proposal for new e-Privacy legislation is currently under discussions. The EU should avoid therefore any new proposals that upset the careful balance negotiated by the EU legislator on data protection rules. Overlapping initiatives could inadvertently put at risk the coherence of the Digital Single Market, resulting in regulatory fragmentation and legal uncertainty. The EDPS recommends that the EU apply the GDPR as the means for regulating use of use of personal data in the digital economy. The notion of “data as counter-performance” - left undefined in the proposal - could cause confusion as to the precise function of the data in a given transaction.
The lack of clear information from the suppliers in this regard may add further difficulties. We therefore suggest considering, as a way of resolving this problem, the definition of services under the TFEU and the provision used by the GDPR to define its territorial scope may assist in. This Opinion examines the proposal’s several potential interactions with the GDPR. First, the broad definition of “personal data” under data protection legislation may well have the effect that all data subject to the Proposed Directive be considered as “personal data” under the GDPR. Second, the strict conditions under which a processing can take place are already set down in the GDPR and do not require amendment or addition under the proposed directive. While the proposal seems to consider as legitimate the use of data as a counter-performance as legitimate, the GDPR provides, for example, a new set of conditions to assess the validity of consent and to determine whether it can be considered as freely-given in the context of digital transactions.
Finally, the proposed rights given to the consumers to obtain their data from the supplier at the termination of the contract and the obligation for the supplier to refrain from using data potentially overlap with the rights of access and to portability and with obligation of the supplier to refrain from using the data and data controller obligations under the GDPR. This might unintentionally lead to confusion regarding the regime applicable.
