Sunday, 29 January 2017

Payment service providers to actively inform consumers - CJEU in BAWAG (C-375/15)

As we have previously reported (Provision of information on a durable medium...), the BAWAG case (C-375/15) presented interesting questions for the CJEU to answer, namely, as to the notion of a 'durable medium' and the scope of the payment service providers' obligation to provide consumers with information. This week, on January 25, the CJEU issued the judgment in this case, following the reasoning presented by AG Bobek previously. This means that the 'durable medium' could only be considered as such when it allows users access to and a possibility of reproduction of the information it stores, during an adequate period of time. During this time the service provider may not be able to unilaterally modify this information. Moreover, 'active behaviour on the part of the provider' is required to draw 'the user's attention to the existence and availability of that information' if this information has been placed online (on a website). 

The final part of the conclusions of the CJEU is interesting, as it states that when there is no active behaviour on the part of the provider, the information is merely 'made available' instead of being 'provided' or 'given' to consumers. The Court by making this crucial distinction may have made it easier for online traders to provide information to consumers concluding distance selling contracts under the Consumer Rights Directive, which allows traders to just make the information available to consumers (deviating from the previous language of the Distance Selling Directive and its interpretation in Content Services judgment). We could expect the Court to uphold this understanding of the traders' and service providers' obligation to 'make information available' to consumers beyond the area of payment services, i.e. in distance selling contracts, even though in the area of payment services this interpretation is based on recital 27 to the Payment Services Directive:
"(...) it should be noted that, as stated in recital 27 to that directive, two methods of transmitting information by the payment service user should be distinguished: either the information concerned should be provided, i.e. actively communicated by the payment service provider without further prompting by the payment service user, or the information should be made available to the payment service user, taking into account any request he may have for further information. In the latter case, the payment service user should take some active steps to obtain the information, such as requesting it explicitly from the payment service provider, logging into a bank account online or inserting a bank card into a printer for account statements." (para. 47) 

Another interesting tidbit is the CJEU's shared opinion with the AG Bobek that it cannot be expected of payment service users "to regularly consult all e-communication services that they are signed up to" (para. 49). If this observation would apply to other areas of consumer protection, it could feasibly broaden the scope of protection offered so far to average consumers online, potentially also requiring more active behaviour on the side of the professional party to the transaction.

Wednesday, 11 January 2017

More privacy protection?

Yesterday, the European Commission published its proposal (COM(2017) 10 final) for a Regulation on Privacy and Electronic Communications, which is meant to repeal the e-Privacy Directive (2002/58/EC). The Commission, on the basis of the conducted REFIT exercise, evaluates the current framework as still sound as to its objectives and principles. The need for review comes from the technological changes in the market, mostly the popularity of Over-the-Top communications services, which are not currently subject to regulation in e-Privacy Directive. The new Regulation is meant to be lex specialis to General Data Protection Regulation 'and will particularise and complement it as regards electronic communications data that qualify as personal data'. (p. 2 of the Proposal)

Some of the interesting provisions in the new draft Regulation (see more here):
  • it will apply also to provision of e-communications for free;
  • it uses the same definitions as GDPR and European Electronic Communications Code;
  • it protects both data and metadata (incl. traffic and location data);
  • conditions for consent are the same as in GDPR
  • consent may be expressed by 'using the appropriate technical settings of a software application enabling access to the internet' - for the purpose of consenting to processing and storage of personal data through terminal equipment of end-users 
  • withdrawal of consent needs to be possible - with reminders about this option being sent every 6 months, as long as the processing continues
  • software needs to offer the option to prevent 3rd parties from storing information on the terminal equipment of an end-user or processing information already stored there
  • upon installation end-users will need to be prompted to choose and consent to a privacy setting; with already installed software such consent will be required during the first update thereof - not later than 25 August 2018
  • right to compensation for material and non-material damage
  • administrative fines of up to 4% of global turnover
First concerned reactions of the press worried about the industry (!):
"Will this EU privacy proposal lead to a more trustworthy internet or a more annoying one?"
"WhatsApp, Facebook and Google face tough new privacy rules under EC proposal"