It is your right to know the actual identity of recipients to whom your personal data have been or will be disclosed (C-154/21 Österreichische Post)

The General Data Protection Regulation (GDPR) provides individuals (data subjects) with a number of rights. These are listed in Chapter III of the GDPR and include, inter alia, the right to be informed of the processing of personal data (Articles 13 and 14 of the GDPR), right of access (Article 15 of the GDPR), right to rectification (Article 16 of the GDPR), right to erasure (Article 17 of the GDPR) etc. In mid-January 2023, the Court of Justice in Case C-154/21 Österreichische Post answered a question concerning one of those rights, namely the right of access.

As stated in Article 15(1) of the GDPR „the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: […]

(c)  the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; […].

The dispute concerned the fact that the data subject requested from the controller the actual identity of the recipients to whom he was disclosing his personal data. However, the controller did not reveal the identity of the recipients, but informed the data subject of the "categories of recipients", indicating that they were „customers, including advertisers trading via mail order and stationary outlets, IT companies, mailing list providers and associations such as charitable organisations, non-governmental organisations (NGOs) or political parties” (para. 20). 

Indeed, doubts arise when applying Article 15(1) of the GDPR in practice. The main question is whether it is necessary to inform about the particular recipients of the data, or would it be enough to notice about general categories of these recipients? Similar doubts arise in the context of Articles 13(1e) and 14(1e) of the GDPR, which oblige the controller, as part of its information obligations performed at the time of data collection, to inform about "the recipients or categories of recipients of the personal data, if any".

In the Court's view, Article 15(1) of the GDPR gives the right to be informed about the specific recipients of personal data and thus to know their actual identity. The Court cites several arguments in this regard:

(1) The data subjects should be guaranteed the right to know and be informed about the processing of their personal data, in particular about the recipients to whom the data are made available. This is emphasised in Recital 63 of the GDPR, which, nota bene, does not refer to the right to information about "categories of recipients of data", but generally to the right to information about "recipients of personal data" (para. 33).

(2) The controller must process personal data in accordance with the principle of transparency, which from the data subject's perspective means that information on how his or her personal data is processed should be easily accessible and comprehensible (para. 35).

(3) „Article 15 of the GDPR lays down a genuine right of access for the data subject, with the result that the data subject must have the option of obtaining either information about the specific recipients to whom the data have been or will be disclosed, where possible, or information about the categories of recipient” (para. 36).

(4) The right of access is often exercised to verify the accuracy of the data or the lawfulness of the processing. In this sense, the right of access frequently determines further actions of the data subject, i.e. the exercise of other rights under the GDPR, e.g. the right to erasure or the right to object to processing. Therefore, the complete and diligent exercise of the right of access is essential to guarantee the effectiveness of the data subject's rights (para. 38).

However, the Court reminded that the right to the protection of personal data is not an absolute right and is subject to limitations. The controller, despite an express request by the data subject, does not have to provide information on the identity of the recipients of the data if "in specific circumstances it is not possible to provide information on specific recipients" (e.g. when it is not possible to identify those recipients - para. 51), and furthermore when the data subject's request is unjustified or excessive in nature [as stated in Article 12(5b) GDPR].

In practice, this means that each request will have to be carefully analysed. It is certainly easier for controllers to provide general information on the categories of recipients rather than precise information on the identity of the recipients. For controllers with large datasets, who share data with many entities and receive many requests of data access, a detailed examination of data flows may be cumbersome. What the judgment lacks, in my view, is a clarification of what the 'special circumstances' that would justify a refusal to disclose the identity of data recipients could consist of. 

It appears from the CJ's reasoning that such a special circumstance may be the lack of knowledge of the future recipients (para. 48). The question is whether such a circumstance could be the difficulty of stating all data recipients due to their large number. In practice, this is a common problem for controllers. Yet, such an interpretation does not seem to be acceptable. It can be said that the Court has spread a protective umbrella over data subjects, obliging controllers to be more accurate, transparent in their processing and to provide reliable and complete information to data subjects. This is a good signal for data subjects, especially consumers of various online services, as the judgment provides clear grounds for demanding detailed information about the processing of personal data. 

Evaluating the unfairness of immediate repayment clauses in loan contracts: the CJEU in Case C-600/21 (QE v Caisse régionale de Crédit mutuel)

Case C-600/21

Facts 

In 2006, QE was granted a loan to purchase immovable property from Caisse régionale de Crédit mutuel de Loire-Atlantique et du Centre Ouest to be repaid over 20 years. The contract established that Caisse was entitled to accelerated and immediate repayment of the outstanding amount in case of a delay in the payment of more than 30 days by QE. According to the agreement, this repayment could be triggered without the need for the bank to present a formal written demand. QE could however ‘request an amendment to the payment schedule’ to avoid non-payment (para 7). In late January 2013, the bank triggered accelerated repayment, without any formal written demand, when QE did not pay the instalments of December 2012 and January 2013. In 2015, QE’s home was repossessed by Caisse régionale and the former brought an action before the court during the enforcement proceedings lamenting irregularities of the report of repossession. In 2019, the Court of Appeals of Versailles, rejecting QE’s claim, denied that the term establishing that the accelerated repayment procedure did not require a formal written demand was unfair in light of the criteria established in CJEU’s ruling Banco Primus. 

Questions 

The referring Court de cassation presented five questions, three of which are most relevant. It asked whether: .

1. Under Articles 3(1) and 4 of Directive 93/13/EEC (UCTD) it is necessary to have a formal written demand even when the contract expressly excluded it 
2. Under Banco Primus the 30 days of delay can be considered serious non-compliance, in light of the term and amount of the loan 
3. The same provisions prohibit the accelerated repayment clause when national law ‘which requires a formal written demand (…) permits the parties to dispense with that step, in which case reasonable notice is required’ (para 18) 

Ruling 

It shall be recalled that Banco Primus (at 66) laid down four non-exhaustive criteria to determine if ‘a term in a contract causes a significant imbalance to the detriment of the consumer’ (para 29 of QE). The national court must consider whether: 

1. The right of the bank to request the totality of the loan depends on whether the non-compliance by the consumer concerns an obligation of essential importance within the contract 

2. The right ‘is provided for in cases in which such non-compliance is sufficiently serious in the light of the term and amount of the loan’ (para 29) 

3. The right, absent a specific contractual provision, derogates from the ordinary law 4. national law establishes ‘adequate and effective means’ which enable the consumer to ‘remedy the effects of the loan being called in’ (para 29). 

Because in Banco Primus the Court also ruled that Article 3(1) and 4 of UCTD must be interpreted as meaning that the unfairness of a term must be assessed considering all the circumstances which surround the conclusion of the contract, the criteria cannot be interpreted as being either cumulative or alternative. 

Coming to the substance of the ruling, the Court answers by observing that – as it is evident from Banco Primus’ second criterion – determining the seriousness of the non-compliance depends on the overall evaluation of the terms and amount of the specific loan at issue. Since a debtor’s failure to comply with her obligation needs to be evaluated in the context of her contract, Articles 3(1) and 4 of the UCTD must be interpreted as meaning that a delay of more than 30 days in the payment ‘may, in principle (…) constitute, in itself, sufficiently serious non-compliance’ (para 41). 

The first and third questions of the French supreme court then concerned whether Articles 3(1) and 4 of the UCTD must be interpreted as preventing the parties from inserting into their contract a term which allows automatic accelerated repayment once a certain period of time is over. The court asked, in essence, whether the term would be subjected and would fail the unfairness test. The CJEU first noted that the unfairness test aims to verify whether there exists a significant imbalance in the parties’ rights and obligations to the detriment of the consumer and that such test applies whenever a term has not been individually negotiated. Further, because, pursuant to Article 4(2), a term would escape the unfairness review exclusively if considered related to the main subject matter of the contract, the question is whether the term under analysis does relate to it or can be rather considered ancillary. The CJEU noted that a term relates to the main subject matter of an agreement whenever it lays down the essential obligations of the contract and thus characterises it. While this evaluation is for the referring court to carry out, the Court also observed that the clause at issue does not appear to fall within that definition. The answer to the questions is therefore that the provisions must be interpreted as precluding the parties from inserting such a term wherever the term a) does not concern the essential obligations of the contract; b) has not been individually negotiated; c) creates an imbalance to the detriment of the consumer. 

With QE v Caisse régionale the CJEU essentially reiterates those which are the fundamental principles related to the so called ‘unfairness test’. Relevantly, it provided guidance as to the interpretation that a national court should give of what constitutes an ‘essential obligation’ in a loan contract.

We read *that* preliminary ruling request so you don't have to

Dear readers, 

as many others, I was mesmerised yesterday when a twitter user shared a preliminary reference (Italian version here - the English translation contains some mistakes so it's not super reliable right now) from the Italian Consiglio di Stato (that is the highest court in administrative matters, competent for final decisions on actions of the Italian Competition and consumer authority) bluntly asking the CJEU to renege on the UCPD definition of "average consumer". 

This is the bit from the reference that almost got viral: 

Should the concept of ‘average consumer’ referred to in Directive 2005/29/EC, understood as a consumer who is reasonably well informed and reasonably observant and circumspect — given that it is vague and flexible — be worded according to the best science and experience and thus refer not only to the classic concept of homo economicus, but also to the findings of the latest theories on bounded rationality, which have shown how people often act by limiting the information they need through decisions which appear ‘irrational’ when compared with those that would be taken by a hypothetically observant and circumspect person; findings that impose a need for greater consumer protection where — as is increasingly the case in modern market dynamics — there is a risk of cognitive influence?

Now, of course one could wonder whether the CJEU would want to venture into theoretical debates on appropriate consumer images. Utrecht colleague Catalina Goanta has suggested that the Court could answer the question in typical CJEU style, by referring to the margin of appreciation for national courts (+ statement that average consumer is not a statistical test) in the Directive's recital 18 and somehow quoting own case-law. 

One could also expect the Court to go around the question, depending on the underlying issue. What was it, then? Based on the preliminary reference, which contains four more questions, it seems that the following has happened: 

- the authority has ordered Compass Banca, a credit institution offering jointly some consumer credit and an unrelated insurance, to grant consumers a 7-day "cooling off period" between signing the two contracts;

- this on the assumption/theory that selling the two products together would make consumers falsely believe that entering the insurance contract is a mandatory requirement for obtaining the desired credit;

- the Authority thus considers the practice as always unfair because, in essence, it appears to exploit a cognitive bias that the Authority has connected to "framing" - whereby the presentation of a product alongside a different one gives the consumer a different impression compared to a situation in which the product would be offered on its own (see question 2);  

- it seems that in this case the Authority has claimed that the bundling as such would be an aggressive practice, which the defendant company must have challenged, claiming that the contracts being signed at the same time should be consider as unproblematic considered that consumers get the express opportunity to withdraw from the insurance contract or confirm their choice during a devoted phone call (see the authority decision - in Italian - here); the defendant company's actions (hinted to at question 4) to limit the potential effects of the practice were not considered sufficient commitments to prevent the issuance of a fine;

- hence the Consiglio di Stato seems unsure whether the prohibition needs to be seen as a move akin to "blacklisting" the bundling practice, without considering whether the concrete practice at hand should be considered aggressive, or whether indeed the specific form of bundling - combining insurance and credit - can be considered as so bad that it would be for the company concerned to show that it does not concretely affect the autonomy of the average consumer (see question 5). Should it be seen as blacklisting, the Authority would have gone beyond the space left to national authorities under the Directive's maximum harmonisation standard. 

Looking at the case, it seems that there could be several ways for the CJEU to answer the question without entering into the specifics of the debate hinted to in the first preliminary question that caught all our attention yesterday - also depending on the submissions by the parties during the preliminary ruling proceedings. 

Concern with the overall "environment" in which consumers make decisions concerning, in particular, distance credit contracts is something that is really not specific to the Italian AGCM - the Dutch financial markets authority for instance has been for years advocating for a responsible "choice environment" in the provision of credit to consumers (see eg here), with a specific focus on framing effects. 

At the same time, should we wish for the CJEU to embrace "bounded rationality" as "best science" and "most recent insights"? Current debates in consumer psychology and social sciences seem to have already gone far beyond the idea of bounded rationality to account not only for cognitive limitations but also for social constraints, habits, motivations... not to mention, as Martijn Hesselink has observed in passing, of reinforcing the idea that when no obvious exploitation of cognitive bias is at stake, "homo oeconomicus" could actually be a viable standard. 

Opening 2023 in style: CJEU C‑395/21, transparency of hourly fees in contracts for legal assistance

Dear readers, 

you may have noticed this already if your social media feed looks anything like mine: the CJEU has issued a decision on the transparency of lawyers' fee under Directive 93/13, which is all but sure to make us talk in the coming times. While the most remarkable element in the decision concerns the application of transparency to a new - and potentially quite ripe for expansion! - set of circumstances, the decision also further testifies to the CJEU's struggle to deal with its own strict approach to the consequences of unfairness under the Directive. 

So, to start with the facts: the case arose between a Lithuanian consumer and their lawyer and concerned several contracts concluded between the two. Each of the contracts included a relatively unsophisticated remuneration clause, according to which the client stood to pay 100 EUR per hour of work by the lawyer. 

After several years and a series of partial payments, it appears that a dispute had arisen between lawyer and client as to the amount of the overall fee - with the former asking for roughly double, in total, of what the client had paid until then. This controversy led to a court case, during which successive Lithuanian courts found the remuneration term unfair for its failure to provide the consumer sufficient clarity on the likely significance of their financial commitment. To make things worse for the lawyer, Lithuanian law (article 6.2284(6) of the Civil Code)  has implemented the transparency requirement "the German way", that is by specifying that terms can be deemed unfair for the sole fact that they are not transparent. The Lithuanian supreme court, thus, turned to the CJEU to know, in particular: a) whether indeed a term only indicating an hourly fee should be considered as lacking transparency; b) whether indeed they should follow the letter of Lithuanian law and consider that the term should be invalidated; c) what the consequences should be in such case, given the fact that the contract would obviously not stand without the unfair term. [other questions need not be addressed here]

As to the first question, which is also the most interesting, the Court [para 41] ]had to acknowledge that identifying and indicating with certainty what the final cost of legal services will be poses serious hurdles and cannot be expected of lawyers (interesting to think: what other professions could this apply to and how?); at the same time, it concludes, there can be several ways for the professional to provide the consumer, before concluding the contract, ways to estimate future expenses or anyway know how they can expect to be able to keep them under their purview. A mere indication of an hourly fee, without information as to the rough expected amount of hours to be invested or as to ways in which the consumer will be kept informed of the hours worked and fees due, does not comply with the transparency requirement. This is, according to the Court, necessary in order to allow the consumer to take a prudent decision. [paras 44-45]

As to the second question, it should surprise no-one that indeed, opting for a higher level of consumer protection is expressly allowed under the Directive and hence – while the Directive itself does not require terms lacking transparency to be declared unfair, it certainly allows for this consequence when so established under national law. [see paras 51-52]. This means that the court did not elaborate, in this case, on how courts in systems that do notautomatically connect lack of transparency and unfairness would have to go and investigate whether the term caused a significant imbalance, contrary to good faith, under the Directive’s article 3. 

As to the third question, finally, the Court reiterated its standpoints articulated in a vast (if complex) body of case-law: an unfair contract must be disapplied; when a contract cannot survive without the unfair term, the concerned court must consider whether the contract’s ocverall invalidity would cause a significant disadvantage for the consumer. Only in that case, the term can be replaced by “a supplementary provision of national law or a provision of national law applied by mutual agreement of the parties to those contracts. ”The provision in question, however, must be “intended to apply specifically to contracts concluded between a seller or supplier and a consumer and […] not so general in scope that its application would be tantamount to allowing the national court, in essence, to set, on the basis of its own estimate, the remuneration due for the services provided” [para 63]. Otherwise, the court says, it is ultimately to be accepted that the contract may be invalidated, even though that may entail some “legal uncertainty” – which I understand to open to an action for unjustified enrichment? In the case at hand, it appears that the national court may be able to identify a suitable provision, which leads me to close with an appeal to our Lithuanian readers: please keep an eye on this and let us know what the final bill was!

Trivia and curiosity aside, it seems to me (but I may be biased as I have argued it elsewhere) that the decision marks a new step towards transparency as determinacy or at least some constraint on uncertainty and arbitrariness. This move is enabled in particular by the Court’s relatively nonchalant use of parameters originally articulated in the specific context of variation clauses (Invitel, RWE, foreign currency loans etc) outside of their original context – see for instance para 37 in the decision, where the court recalls how transparency entails that the contract (in context) must set out transparently “the specific functioning of the mechanism to which the relevant term relate” – which in those old cases were all variation mechanisms, not at hand in this case.

This my first take of course – I must admit to not having checked AG Szpunar’s opinion yet, so there may be more to be said as to the first answer has come about, also in particular with reference to this last point. To be continued!

 

December wrap-up of data protection cases (Google, Österreichische Datenschutzbehörde and Pankki S)

The end of the month (and the end of the year as well) is a good moment for summaries. This time we are taking a closer look at events in the area of data protection law. December was a month with a couple of interesting events, so here is a brief recap. 

Dereferencing allegedly inaccurate content (C-460/20 Google)

The case concerned two executives of a group of investment companies (a board member and a proxy) who asked Google to remove search results linking their names to certain articles criticising the group's investment model. They exercised the so-called right to be forgotten, guaranteed under Article 17(1) of the GDPR, claiming that the information presented contained false claims and defamatory opinions. They also wanted Google to remove their thumbnail images from the search results. Google rejected these requests, arguing that it does not know whether the information contained in the articles is true or not.

In cases involving the erasure of data from a search engine operator's search results, two rights usually collide: the public's right of access to information (especially about persons holding public positions) and the individual's right to protection of his or her personal data, including the right to erasure, protection of his or her good name, image, etc. The same problems were considered in this case, as we wrote about when reporting on the AG's opinion issued in the proceedings. In the ruling of 8th December 2022 the Court held that the person requesting the deletion of data is obliged to show that the information is manifestly inaccurate. "However, in order to avoid imposing on that person an excessive burden which is liable to undermine the practical effect of the right to de-referencing, that person has to provide only evidence that, in the light of the circumstances of the particular case, can reasonably be required of him or her to try to find in order to establish that manifest inaccuracy" (para. 68). It means that such a person cannot be required to present a judicial decision made against the publisher of the website in question, even in the form of a decision given in interim proceedings, since it would be an unreasonable burden imposed on such a person. At the same time "the operator of the search engine concerned cannot be required to investigate the facts and, to that end, to organise an adversarial debate with the content provider seeking to obtain missing information concerning the accuracy of the referenced content" (para. 71). Therefore, if the person who made a request for de-referencing submits relevant and sufficient evidence showing the manifest inaccuracy of the information found in the referenced content, the operator of the search engine is required to accede to that request for de-referencing. But an operator should not grant a request if the inaccurate character of the information is not obvious in the light of the evidence presented (para. 72&73). 

As regards the thumbnails the Court concluded that "a separate weighing-up of competing rights and interests is required depending on whether the case concerns, on the one hand, articles containing photographs which are published on an internet page and which, when placed into their original context, illustrate the information provided in those articles and the opinions expressed in them, or, on the other hand, photographs displayed in the list of results in the form of thumbnails by the operator of a search engine outside the context in which they were published on the original internet page" (para. 101). The Court also stated that the informative value of those images should be taken into account independently of the context of their publication on the website from which they originate, nevertheless taking into account all the content that directly accompanies the display of those images in the search results and that can explain the informative value of those images (para. 108).

The concept of a "copy of personal data" under the Article 15(3) of the GDPR. AG Pitruzzella opinion on Österreichische Datenschutzbehörde case (C‑487/21)

The dispute arose over the interpretation of Article 15(3) of the GDPR, which provides that a data subject, as part of the right of access to one's personal data, may obtain a copy of that data. The complainant requested an exact copy of the data processed by the controller, including full copies of documents containing his personal data. However, the controller provided only some of the requested information as an aggregate that reproduced the stored personal data of the data subject in a table broken down by name, date of birth, street, postal code, and place, and in a statement summarising corporate functions and powers of representation. As part of the proceedings, the national court decided to refer several questions concerning the interpretation of Article 15(3) of the GDPR to the Court. 

On 15 December 2022, the AG delivered an opinion stating that the concept of “copy” referred to in Article 15(3) of the GDPR must be understood as "a faithful reproduction in intelligible form of the personal data requested by the data subject, in material and permanent form, that enables the data subject effectively to exercise his or her right of access to his or her personal data in full knowledge of all his or her personal data that undergo processing – including any further data that might be generated as a result of the processing, if those also undergo processing – in order to be able to verify their accuracy and to enable him or her to satisfy himself or herself as to the fairness and lawfulness of the processing so as to be able, where appropriate, to exercise further rights conferred on him or her by the GDPR". The AG underlined that this provision does not, in principle, entitle the data subject to obtain a full copy of documents containing the personal data, but, at the same time, does not exclude the need to provide that person with extracts from documents, whole documents or extracts from databases if that is necessary to ensure that the personal data undergoing processing are fully intelligible.

Right to know the identity of the persons who had access to one's personal data. AG Campos Sánchez-Bordona on Pankki S case (C-579/21)

The third case also concerned the right of access to personal data, but from a different perspective. Data subject wanted to know who exactly (among the employees of the financial institution) had access to his personal data at the time when he was a customer of that institution and an employee thereof. The controller refused to provide names of the employees arguing that Article 15 of the GDPR does not apply to log data of the institution's data processing system and that the information requested does not relate to personal data of the data subject, but to the personal data of the employees. 

The AG approved the controller's view and stated that Article 15(1) of the GDPR "does not give the data subject the right to know, from among the information available to the controller (where applicable, through records or log data), the identity of the employee or employees who, under the authority and on the instructions of the controller, have consulted his or her personal data". In justifying his opinion, he pointed out that "the identity of individual employees who have handled the processing of customer data is particularly sensitive information from a security point of view, at least in certain economic sectors" (para. 76). Disclosure of employees' data could expose them to attempts by customers of the banking institution to exert pressure and influence. Nevertheless, the AG noted that if a data subject has reasonable doubts about the integrity or impartiality of an individual who has participated on behalf of the controller in the processing of his or her data, this could justify the interest of that customer in knowing the identity of the employee in order to exercise the customer's right to take an action against that employee (para. 78; nb. in the relevant case the data subject made his request, in particular, in order to clarify the reasons for his dismissal).

Pre-contractual information in multi-party settings: mobilizing legitimate interests to restrict consumer protection? (C-179/21 absoluts-bikes)

Today we come back to the judgment in C-179/21, absoluts-bikes, issued by the Court of Justice earlier this year. The decision may have passed under many radars, particularly as it was not preceded by the opinion of the Advocate-General. However, it is worth taking a closer look at it, as the judgment is not just interesting at the theoretical level, but also quite alarming in its implications. 

 

Facts of the case

 

The judgment was triggered by a dispute between two German traders offering consumer goods for sale online: the-trading-company and absoluts-bikes. According to the former, the latter failed to provide sufficient information about the products which it sold with help of Amazon. More specifically, the dispute concerned the listing of a pocket knife of the Swiss manufacturer Victorinox. In that listing, under the subheading labelled “Further technical information”, the consumers could find a link described as “Operating instructions”. The link led to a two-page information sheet, drafted by the knife’s manufacturer and referring, among others, to the ‘Victorinox guarantee’, describing the damage covered and the relevant time period. 

 

The claimant argued that the information provided by the defendant was not sufficiently specific. In particular, absoluts-bikes failed to inform the consumers that the manufacturer’s guarantee did not affect their statutory rights, neither did it describe the territorial scope of the guarantee. This – following the claimant – constituted an infringement of the German act on unfair competition. Since the relevant provisions had their background in the EU law, namely the Consumer Rights and Consumer Sales Directives, the national court decided to stay the proceedings and refer preliminary questions to the Court of Justice.

 

Guarantees in the Consumer Rights Directive

 

The Court began its analysis by turning to Directive 2011/83/EU on consumer rights and I will also limit this blog post to this part, as it is most developed and most consequential.

 

To recall, Article 6(1)(m) of the CRD requires traders to inform the consumers before concluding distance contracts, where applicable, about “the existence and the conditions of after sale customer assistance, after-sales services and commercial guarantees”. The relevant question in the present case was whether the information requirement arises “merely through the existence of that guarantee or whether it is only in certain circumstances that the trader is required to inform the consumer of the existence and conditions of such a guarantee” (para. 24).

 

The Court began its reasoning by recalling the purpose of pre-contractual information duties laid down in the Directive. The relevant provision, it remarked, “seeks to ensure the communication to consumers, before the conclusion of a contract, both of information concerning the contractual terms and the consequences of that conclusion, allowing consumers to decide whether they wish to be contractually bound to a trader, and of information necessary for proper performance of that contract and, in particular, for the exercise of their rights” (para. 26). It follows that the information duties aim to allow consumers to, firstly, make informed decisions about the contracts they wish to enter into and, secondly, effectively exercise their rights after contract conclusion.

 

These two main functions of information duties have previously been remarked upon in the scholarship and testify to the importance of mandatory disclosure beyond the moment of the contract conclusion. Indeed, the paradigm of consumer protection that focuses primarily on allowing consumers to make informed decisions has long been questioned in the light of behavioural findings showing that consumers may suffer from information overload and take account only of certain details communicated to them by the traders. Such details may nonetheless prove rather valuable at a later stage, e.g. when a problem related to the contract arises. This also seems to be the case for the producer’s guarantees, discussed in the present context.

 

Against this background, the attention paid by the Court to the two functions of information duties is be welcomed. Unfortunately, it is not subsequently translated to the remaining part of the judicial reasoning. Instead, the Court appears to focus primarily on the influence of pre-contractual disclosure on consumers’ decisions to enter into contracts, and views it through a particularly narrow lens, namely the lens of a possible deception. This lens, however, is not an obvious one in the context of the Consumer Rights Directive, but rather seems aligned with the perspective of (certain provisions of) the Unfair Commercial Practices Directive.

 

How then, did the Court proceed with its analysis? First, rather typically, it attempted the decode the meaning of Article 6(1)(m) of the CRD by looking at its wording, context and objectives. Referring to Article 2(14) of the CRD it concluded that the concept of a ‘commercial guarantee’, within the meaning of Directive 2011/83/EU, covers both commercial guarantees offered by traders (sellers) and by manufacturers. The trader is thus required, at least in certain circumstances, to provide the consumer with details concerning not only its own commercial guarantee, but also that of the manufacturer. So far, so good.

 

Turning to the objectives of the CRD the Court understandably referred to establishing “a high level of consumer protection”, also pointing to Article 169 TFEU and Article 38 of the Charter of Fundamental Rights (para. 38).  Having said that, however, the Court went on to emphasizing the need of ensuring “the right balance between a high level of consumer protection and the competitiveness of enterprises, while respecting the enterprise’s freedom to conduct a business”, as also set out in the Charter (para. 39). The Charter was thus invoked primarily to set the scene as one in which competing interests must be balanced.

 

Focusing on the interests of traders, the judgment concluded that an unconditional obligation to provide information about commercial guarantees, in all circumstances, “seems to be disproportionate, in particular in the economic context of the functioning of certain undertakings, in particular small undertakings” (para. 40). This seems rather uncontroversial: it would indeed be burdensome for traders to have to continuously collect and update information about any potential guarantees, when they are not the ones providing them, nor pointing at them in their offer. However, according to the Court, the balancing exercise should go even one extra step in favour of the traders. And interestingly, the Court did so by referring to the notion of legitimate consumer interests – and mobilizing it to the consumers’ disadvantage. 

 

To illustrate this point consider the following passage of the judgment:

In those circumstances, the weighing up of a high level of consumer protection and the competitiveness of enterprises, as set out in recital 4 of Directive 2011/83, must lead to the conclusion that the trader is required to provide the consumer with pre-contractual information on the manufacturer’s commercial guarantee only where the legitimate interest of the average consumer, who is reasonably well informed and reasonably observant and circumspect to a high level of protection must prevail in the light of his or her decision whether or not to enter into a contractual relationship with that trader. (para. 41)

As is apparent from the cited passage, the Court seems to forget about the double function of information duties referred to earlier in the judgment. This is additionally harsh for consumers considering the subsequent reasoning, whereby the Court considers a legitimate interest in being informed about producers’ guarantees to exist “where the trader makes the manufacturer’s commercial guarantee a central or decisive element of its offer” (para. 44). The latter is supposedly the case “where the trader expressly draws the consumer’s attention to the existence of a manufacturer’s commercial guarantee for sales or advertising purposes and, accordingly, to improve the competitiveness and attractiveness of its offer in comparison with its competitors’ offers” (para. 45). When this is not the case, the information on the guarantee is not likely to mislead the consumer, and thus their legitimate interest does not seem to exist.

 

In so doing, the Court essentially limits consumer protection not only to the pre-contractual phase and to the contested idea of informed decision-making, but also to the protection from being “misled by unclear, ambiguous or incomplete information”. As mentioned, that seems to rather be the domain of the Unfair Commercial Practices Directive, in which a link with the CRD is indeed established (cf. Article 7(5) UCPD). Moreover, the way in which the “average consumer” notion is constructed in the case at hand appears at least debatable. As a reference point for undertaking the balancing exercise the Court refers to the consumer, “who is reasonably well informed and reasonably observant and circumspect with respect to the different rights which he or she may exercise under a guarantee or to the real identity of the guarantor” (operative part). However, information about those very factors is precisely what the consumer should be equipped with by means of mandatory disclosure. Overall, it can be questioned, in my view, whether the reading adopted by the Court in the case at hand corresponds with the requirement of a “high level” of consumer protection.

 

 

EU Commission consultation on digital fairness

The Commission has just announced a public consultation on digital fairness. The intitative comes within the New Consumer Agenda and it aims to analyse whether additional action is needed to ensure an equal level of fairness online and offline.

This fitness check (evaluation) will look at the following pieces of EU consumer protection legislation to determine whether they ensure a high level of protection in the digital environment:

• the Unfair Commercial Practices Directive 2005/29/EC
• the Consumer Rights Directive 2011/83/EU
• the Unfair Contract Terms Directive 93/13/EEC

All stakeholders are invited to respond until 20 February 2023.

Right of withdrawal, leisure activities and intermediaries - CJEU in Eventim (C-96/21)

Earlier this year in C-96/21 CTS Eventim the CJEU delivered another interesting judgment on the interpretation of Directive 2011/83/EU on Consumer Rights (CRD). As with most cases on CRD, this case tackles the matter of the right of withdrawal by providing an interpretation of Article 16(l) that exempts  'services related to leisure activities if the contract provides for a specific date or period of performance' from the right of withdrawal. 

Facts

The consumer ordered tickets through an online booking platform operated by CTS Eventim, an intermediary selling concert tickets organized by third parties. The concert that was due to take place in Germany was cancelled because of German administrative restrictions amid the COVID-19 pandemic, with a possibility to be held at a later date. In accordance with German legislation, CTS Eventim, acting on behalf of the concert organizer, sent the consumer a voucher in the value of the ticket price. The consumer however asked CTS Eventim for reimbursement of the ticket price and costs incurred and thus, according to the referring court, implicitly asked to withdraw from the contract.

Question

The question referred to the CJEU was: Would a situation where the trader (an intermediary acting in its name and on behalf of the organizer of the leisure activity) does not directly provide the consumer with a service related to leisure activity but sells the consumer a right of access to such service fall under the exception of Article 16(l)?

Ruling

The CJEU noted that the contract for the transfer of a right falls within the concept of a ‘service contract’ under Article 2(6) CRD, and insofar as Article 16(l) covers all services provided in the leisure sector, due to the word ‘related’, the provision is not limited solely to services directly relating to the pursuit of leisure activity (para 38). The transfer of a right of access to a leisure activity constitutes, in itself, a service related to a leisure activity (para 39). In this regard, it is irrelevant that a service is provided by the intermediary and not by the organizer of a leisure activity itself (para 43). 

However, CJEU looked at the objective of Article 16(l), and referring to Recital 49 noted that the objective is to protect traders against the risk associated with the setting aside of some capacity which, if a right of withdrawal were exercised, the trader may find difficult to fill, inter alia, in the case of cultural or sporting events (para 44); and referred to its previous case-law where it was established that the aim of Article 16(l) is to protect the interest of the providers of certain services against disproportionately suffering from consequences of the right of withdrawal (para. 45). The CJEU concluded that as long as the risk falls on the organizer of the activity, the transfer of a right of access to that activity by an intermediary will constitute a service related to that activity. It is irrelevant whether, on the date on which the consumer invokes the right of withdrawal, it is possible for the trader to fill in the empty capacity, in particular by means of the resale of the ticket. ‘The application of Article 16(l) of Directive 2011/83 cannot depend on such an assessment of the circumstances of each case' (para 48).

The CJEU also considered the second part of the exemption and concluded that a contract for the transfer of a right of access to a leisure activity must be regarded as providing for a specific date or period of performance since that activity is scheduled to take place on a specific date or within a specific period (para 53).

The CJEU concluded that the exception from the right of withdrawal may be relied on against the consumer, if, first, the termination of the obligation to perform that contract vis-à-vis the consumer by means of withdrawal would place the risk linked to the setting aside of the capacity thus released on the organizer of the activity concerned and, second, the leisure activity to which that right gives access is scheduled to take place on a specific date or within a specific period.

Further thoughts

This case provides an important interpretation of the CRD in distance contracts concluded via intermediaries, given that the CRD is silent on regulating contracts concluded via intermediaries.

The CJEU provides a good explanation of the rationale for the exception. It is expected of traders, not of intermediaries, to fill in capacities that are created by the right of withdrawal, e.g. resell the ticket that is for a specific date to avoid loss. 

The CJEU also provides substantiated reasoning why the exception should apply in the same way when contracts are concluded directly with service providers and indirectly, with intermediaries. The rule does not change whether or not the ticket is sold by an intermediary or the direct service provider, as long as the risk is born by the direct service provider, in this case, the organiser of the concert. 

However, the present case does not give full guidance on how Article 16(l) CRD should apply in other, similar settings. The present case defines intermediaries as those acting in their own name but on behalf of their principal. Given the emphasis of the risk being on the organiser of the event, the same solution would probably apply with intermediaries acting in the name and on behalf of their principal. However, the situation is less clear when the risk is not on the direct service provider, the organiser of the event, but on the online seller who sells tickets via its website. This would occur in a situation when the tickets are bought for resell. Although in this case online sellers would probably not be classified as intermediaries in law, from a consumer's point of view, there may be confusion and the two kinds of sellers might be considered to both be intermediaries. For instance, consumers would consider Skyscanner an intermediary whereas it is a travel agent. We could argue that the regime should again be the same because the rationale for the exemption seems to be the inability of traders to fill in the capacities that are created by the right of withdrawal. For example, just like organisers, intermediaries might struggle to resell tickets for a particular date and as a result, suffer loss. Overall though, this interpretation cannot easily be deducted from the reasoning in the present case.

Since this case and the earlier Tiketa C-536/20 case, the case law seems to move in a direction of considering including intermediaries within the scope of CRD; in the next case on this topic, the CJEU should take the opportunity to express views on the classification of various (intermediary) sellers and the legal regime(s) applicable to them.

Can we seek compensation for a GDPR breach if it caused great upset or inner discomfort? The AG Opinion in C-300/21, Österreichische Post

According to Article 82(1) of the GDPR any person who has suffered material or non-material damage as a result of an infringement of the Regulation has the right to receive compensation from the controller or processor for the damage. It turns out that the exercise of this right in practice raises some questions, especially if the damage caused by the infringement would consist of a "great upset" or a "loss of confidence". Recently, the Advocate General Campos Sánchez-Bordona commented on this issue (see: case C-300/21 Österreichische Post). 

Facts of the case

The case concerns the processing of personal data by an Austrian postal company (Österreichische Post AG). The company had been collecting personal data on the Austrian public's affinities for political parties since 2017. Information on political preferences was inferred based on various socio-demographic characteristics. Such processing did not please "UI" (that's how the data subject is called by the AG in the opinion). More specifically, he did not like the way the company classified him as a person sympathizing with one of Austria's political parties. UI therefore entered into a dispute with the company, pointing out, for instance, that he had not consented to the processing of his personal data. As we read in the opinion, UI „was upset by the storage of his party affinity data and angered and offended by the affinity specifically attributed to him by Österreichische Post” (para. 10). What is more, he claimed that such a „political affinity attributed to him is insulting and shameful, as well as extremely damaging to his reputation” (para. 11). Therefore he demended compensation of EUR 1 000 in respect of non-material damage (inner discomfort).

Both the court of first instance and the appellate court rejected his claim. However, following an appeal to the Oberster Gerichtshof (Supreme Court, Austria), the court raised several doubts, referring the following questions to the Court of Justice for a preliminary ruling:

"1. Does the award of compensation under Article 82 of the GDPR also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?

2. Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?

3. Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence of the infringement of at least some weight that goes beyond the upset caused by that infringement?"

Opinion of the AG

The AG presented an interesting analysis of Article 82 of the GDPR, taking into account different types of interpretation (literal, historical, contextual and purposive). There are several important statements that deserve attention: 

1. Assuming that under Article 82 of the GDPR a data subject could be awarded compensation for a breach of the Regulation, despite the absence of any damage, would be inconsistent with the fundamental purpose of civil liability. This purpose is to compensate for the damage suffered by the data subject. If the damage could not be identified, the compensation then awarded would not fulfil the aforementioned function, but would be more like a punishment and a sanction for the infringer (paras 29-30). It is true that punitive damages may exist in both EU and national law, but the GDPR does not contain this type of reference (paras 39, 44, 49-50).

2. The AG's position is that a mere breach of the GDPR does not give rise to a presumption of automatic harm to the data subject (paras 56-59). As can be inferred from the Opinion, this is the presumption made by the parties to the proceedings, indicating that a breach leads to a loss of control over the data and thus causes harm to the data subject. However, the AG considers that not every loss of control over data necessarily leads to harm (para. 62) and, furthermore, that giving data subjects as much control over data as possible may not necessarily be derived from the GDPR provisions (para. 74). He states: „where a data subject does not consent to processing and processing is carried out without another legitimate legal basis, that is not a ground for the data subject to receive financial compensation on account of the loss of control over his or her data, as though that loss of control itself amounted to damage that is eligible for compensation” (para. 77).

3. The compensation for non-material damage regulated by Article 82 of the GDPR does not cover the mere upset that a person may feel due to a breach of Regulation 2016/679. It is up to the national courts to determine when, due to its characteristics, a subjective feeling of displeasure can be considered as a non-material damage in a given case (conclusion - para. 117).

Given the facts of the case, the AG's answers to the preliminary questions do not seem surprising. Nonetheless, some views are arguable, such as that „it is not straightforward to conclude from the GDPR that its objective is to grant data subjects control over their personal data as a right in itself” (para. 74). 

In my view, one of the primary objectives of the GDPR is precisely to give individuals control over their data, or even to 'restore' that control. This conclusion can also be drawn based on the provisions of other data flow regulations in the EU, such as the Data Governance Act* or the Data Act proposal**. It is clear that the opinion was given based on the GDPR provisions, but I guess they should not be interpreted without regard to the broader regulatory context. That said, we eagerly await the Court's final verdict.

* For instance, in recital 5 of the DGA it is stated that it "is necessary to increase trust in data sharing by establishing appropriate mechanisms for control by data subjects". A similar idea is expressed in recital 30 in the context of data intermediation services: "data intermediation services providers seek to enhance the agency of data subjects, and in particular individuals’ control over data relating to them". Maybe it is not directly indicated that the purpose of the DGA is to "grant control over data", but still this can be deduced from both the content and the particular objectives of the legal instruments adopted in the DGA. 

** See, for example, recital 78 of the proposal: "To foster further trust in the data, it is important that safeguards in relation to Union citizens, the public sector and businesses are implemented to the extent possible to ensure control over their data". Again, it is not stated expressly, but without ensuring control over data, the other objectives of the regulation will not be achieved. From this perspective, granting control over data may appear as one of the purposes. 

Second Annual Digital Consumer Law Event

On the 21st of November 2022, the European Commission organised its second Annual Digital Consumer Event to reflect with the general public, academics, consumer and business associations, as well as authorities, on the problems consumers currently face in the digital transition.

The expert panels focused on the following topics: 

• Online consumer vulnerabilities: shedding light on dark patterns, personalisation, and structural asymmetries
• Online consumer purchases: challenges raised by digital subscriptions, virtual items, and the addictive use of digital products
• Online consumer contracts: mapping unfair contract terms and the lack of transparency, our Professor Luzak was one of the participants of this panel.

Our readers may be interested to know that the recording of the event is available to watch (see the link here).