Monday, 24 April 2017

GDPR, e-Privacy and beyond (part 2): the struggle over privacy and data protection continues

The European Union has traditionally aimed to set comparably high standards of privacy and personal data protection. Indeed, the protection of personal data constitutes a fundamental right, enshrined in Article 8 of the Charter of Fundamental Rights and in Article 16(1) of the Treaty on the Functioning of the European Union. This part of the picture is also closely linked to the protection of privacy set out in Article 7 of the Charter. Therefore, it is not surprising that the question of personal data was already addressed in 1995, in a dedicated instrument, while the importance of confidentiality and anonymity was consequently underlined in the first "e-directives": on e-privacy and on e-commerce. At the same time, processing of personal and non-personal data is an element of the freedom to conduct a business and its free flow is crucial from the point of view of the internal market and international trade. All of these dimensions are, of course, highly relevant to the European consumers and have gained even more prominence in the era of digitalisation. 

Last year brought several major developments in that regard, with General Data Protection Regulation as a top highlight. While the GDPR is certainly a quantum leap, it is by no means the only measure which had spurred heated debates. Let us summarise the state of play. 

GDPR and e-Privacy 

Five years after first consultations about the need for a legal reform of personal data protection framework in Europe had been launched, a new instrument - General Data Protection Regulation - was finally adopted on 27 April 2016 and will soon replace the existing Directive 95/46/EC. The regulation entered into force on 24 May 2016 and will become directly applicable in all Member States from 25 May 2018 (see also our earlier post on this topic here). 

One of the important novelties concerns the act's extraterritorial reach. Applicablity of the European regime will no longer depend on “the use of equipment” situated in a Member State, but rather on the context and effects of the processing of personal data. The content of the GDPR largely builds upon the existing Data Protection Directive. The instrument strengthens the conditions for a valid consent and defines an age threshold for the consent of a child. More emphasis in placed on the rights of data subjects such as the right to information and access to one’s personal data as well as to rectification and restriction of the processing. Article 22 reiterates the right not to be subject to a measure based on automated data processing and explicitly clarifies that this includes profiling. Furthermore, the GDPR introduces a widely cited right to be forgotten and an equally important right of data portability. Rights of data subjects are correlated with respective obligations of data controllers and data processors, in accordance with the newly formulated principles of data protection ‘by design’ and ‘by default’. 

Throughout 2016 preparatory works on the review of the Directive 2002/58/EC on privacy and electronic communications were also carried out in order to ensure the consistency of this sector-specific instrument with the overall framework enshrined in the GDPR. As we have already reported, the proposed e-Privacy Regulation was eventually tabled on 10 January 2017. 

Apart from the shift in the legal form (from a directive to a directly binding regulation), the proposal provides for a number of substantive changes. A major difference concerns the scope of the measure, which would be extended to all electronic communications providers, i.e. not only telcos, but also over-the-top players. Requirements relating, among others, to the confidentiality of electronic communications, would therefore also apply to providers of services such as voice over IP or instant messaging (Skype, Whatsapp, Messenger). The proposal also clearly refers to machine-to-machine communications - a circumstance which, together with a broad definition of personal data in the GDPR, has not been warmly welcomed by the tech companies. Other novelties include an updated approach to cookies and enhanced protection against spam. With respect to the former, the Commission eventually opted against the principle of 'privacy by default' - a reason for relief for the industry. Emphasis is now placed on the availability of privacy settings in the relevant software applications (such as internet browsers) and not on the ubiquitous pop-up windows. The reform should further ensure terminological consistency not only between the GDPR and the e-Privacy Regulation, but also with the updated telecom framework. In the proposed e-Privacy Regulation itself, the concept of ‘electronic communications data’ was introduced, covering both content data and metadata. As before, electronic communications which remain under protection may contain both personal and non-personal data, for example data related to a legal person. From the Commission’s perspective, the new framework should ideally apply from the same day as the GDPR. 

As for now, preparatory works at the Council appear to be at a very early stage. The responsible committee in the European Parliament is the Civil Liberty, Justice and Home Affairs (LIBE). Two weeks ago the committee held a hearing to discuss the proposal. The plenary vote on the committee’s report is expected in October. 

Transatlantic dimension 

Further notheworthy developments refer to data transfers between the EU and the United States. This strand of the debate clearly shows that there is no single, universally recognised approach to data protection and privacy online. As seen from the efforts to ensure extraterritorial application of both GDPR and the proposed e-Privacy regulation, the European legislator would like to see its framework applied also where data of European citizens are processed outside the Union. A similar approach is observed with respect to cross-border data transfers. According to an established rule, dating back to the 1995 Data Protection Directive, personal data of the European citizens may only be transfered to third countries that ensure “an adequate level of protection”. In the United States, home country to the thriving tech industry, the European approach is often regarded as paternalistic. The importance of transatlantic data flows for the international trade forces European and American decision-makers to meet halfway. 

Until October 2015, transfers of personal data between the EU and the U.S. had been governed by the so-called Safe Harbour Decision. Following the Snowden revelations, the decision was, however, successfully challenged before the Court of Justice. In the widely cited Schrems case, the Court confirmed that the Commission's decision, and therefore the underlying agreement with its U.S. counterparts, failed to ensure that the level of personal data protection in the United States was “essentially equivalent” to the one guaranteed within the EU. After renegotiations a new agreement was reached and, in the decision of 12 July 2016, the European Commission reconfirmed the adequacy of the American framework. The so-called EU-U.S. Privacy Shield provides for a number of new safeguards, including the entirely new Ombudsperson mechanism, the functioning of which shall be monitored annually. 

As expected, a few months after the decision came into force, the Privacy Shield was challenged by privacy advocacy groups before the General Court. The Commission is naturally defending its compromise, but the stance taken by the new U.S. administration is not helping its case. Only last week the European Parliament adopted a resolution  voicing its concerns about new U.S. laws allowing National Security Agency to share diverse personal data with other agencies and criticising the rejection of the rules preventing unrestricted sharing of customers’ browsing data. While in the current resolution these issues are discussed only in the context of the Privacy Shield, one may wonder if similar concerns cannot be raised with respect to the Umbrella Agreement - another transatlantic agreement adopted last year, this time in the field of law enforcement. 

Have your say 

As seen from above, the wealth of issues and regulatory approaches to privacy and data protection as well as the pace of new developments are astonishing. Even where new rules have already been developed with all these needs and concerns in mind, they are likely to face criticism and require further modifications. Sceptics argue that the GDPR will be out-dated from day one. For what it's worth, European policy-makers appear to be aware that the struggles over privacy and data protection are bound continue. Most recently, the European Commission launched a series of public consultations as part of its Next Generation Internet Initiative. Over the coming weeks a number of questionnaires will be available online, allowing everyone to share their views. The first questionnaire, entitled “New technologies for disrupting the economy: business, employment and skills”, is available here. We invite our readers to have a say.

Friday, 7 April 2017

Liability and limitation periods - AG Szpunar in Ferenschild (C-133/16)

AG Szpunar issued his opinion today in the case Ferenschild (C-133/16) concerning interpretation of liability and limitation periods in the Consumer Sales Directive.

Mr Ferenschild bought a second-hand car (what else?) in Belgium, which inevitably concluded with him raising non-conformity claims. Somewhat less common is the fact that the non-conformity claim would in some Member States classify as a legal defect of the purchased goods, as the car could not be registered for 6 months after the delivery (and, therefore, could not be used for its normal purpose), due to its documents being used as a cover for a stolen vehicle. Mr Ferenschild claimed this non-conformity and as remedies demanded price reduction, as well as compensation for the replacement goods (renting another car prior to the registration) and damages resulting from this non-conformity. The preliminary question addresses the issue whether this claim has been raised timely. 


The Consumer Sales Directive in its article 5(1) introduces two deadlines: a two year period for the liability of the seller for the lack of conformity of the goods with the contract (first sentence) and a two year limitation period for raising such liability claims (second sentence). AG Szpunar distinguishes between these two periods and considers them independent of one another. The justifications to keep these periods separate are: linguistic (par. 65), structural and historical. The structural argument is based on the fact that the limitation period for raising the claim does not start running from the moment consumers find out about the lack of conformity of the goods. Instead, it starts running already from the moment of the delivery of goods, limiting sellers' exposure (par. 53-54). The historical argument looks into the inspiration for this provision - provisions in the CISG (par. 57-58) - as well as the original draft of the directive (par. 67-69).

It is important to differentiate between these two periods because the Directive allowed in its Article 7(1) for the Member States to facilitate contractual limitation of the period for the liability of the seller of second-hand goods. If these two periods can, therefore, be kept apart, as AG Szpunar suggests, then the Member States would only be able to allow parties to limit the period of liability of the seller for non-conforming goods to one year, but consumers could continue to raise such claims within two years from the moment of the delivery (par. 72). This is the interpretation that the AG Szpunar prefers in order to 'safeguard the minimum model of consumer protection guaranteed by EU law' (par. 104). This seems consistent with the general aim of the CSD to balance consumers' and sellers' interests (par. 81). The nature of second-hand goods suggests the need to narrow down the period for the liability of the seller for non-conforming goods (par. 98), but that should not then also impact consumers' legal remedies (par. 87, 92).

Other interesting comments from the opinion pertain to: CSD not introducing a clear distinction between liability for non-conforming with the contract goods and liability for hidden defects, with both classifying as non-conformity (par. 36); high probability of the CSD applying also to legal defects (par. 38-40).

Tuesday, 4 April 2017

Online sales platforms as consumer information providers - CJEU in Verband Sozialer Wettbewerb (C-146/16)

Misleading omissions are always problematic to define, as it needs first to be decided whether the information that is missing classifies as 'material information'. The case Verband Sozialer Wettbewerb (C-146/16) addressed the issue of misleading omissions, with an additional complication of information being provided within the sharing economy (understood as involving the use of online sales platforms).

DHL Paket has an online sales platform 'MeinPaket.de' (in the meantime it changed its name to de.allyouneed.com) facilitating conclusion of contracts between traders and purchasers, some of whom might be consumers. DHL Paket does not sell any of its own products there, which means that no sales contracts are concluded between them and consumers. In December 2012 DHL Paket took out an advertisement in a weekly newspaper Bild am Sonntag, in which advert they presented five different products available for purchase on their platform and mentioned providing access to over 5 million products and more than 2500 traders. Any person interested in the purchase of these five products could visit the online platform, enter the code corresponding to the product, as referred to in the advert. Only upon entering the product's code on the platform the consumer would be transported to a separate website, which would identify the trader selling this product. Under the heading 'Supplier information' further details of the trader, such as geographical address and the trading name, would be mentioned.

Competitors of DHL Paket complained that the identity of traders and their geographical address should be mentioned already in the advertisement, in order for it not to mislead consumers, on the basis of Article 7(4)(b) Unfair Commercial Practices Directive ("UCPD"). Therefore, they claimed that material information was missing from the advertisement and that the DHL Paket engaged in misleading omissions. One of the arising questions is, however, whether if the advertisement is printed but the product may only be purchased online, it would not suffice to provide this information on the website instead of in print, provided the printed advertisement refers to the website and it was easy to find this information on it. This would depend on whether consumers should receive material information pre-contractually (entering a website does not oblige consumers to conclude a contract) or prior to taking any transactional decision at all (entering a website counts as taking a transactional decision).

The CJEU confirms that an advertisement as mentioned above, clearly identifying the product and its price, should be seen as an invitation to purchase pursuant Article 2(i) UCPD (para 25). This means that it should contain all the material information necessary for consumers to make transactional decisions, provided, however, that there is space to present such information considering the medium used to give it to consumers, pursuant to Article 7(1) UCPD and previous CJEU's case Ving Sverige (paras 26-27). The CJEU confirms in this case that in the sharing economy sphere, where an online sales platform offers many products on sale by different traders and this is advertised in a print medium, there may be limitations of space within the meaning of Article 7(3) UCPD (para 29). In such a case thus, it may suffice for the online sales platform to refer to the website on which the material information will be provided to consumers, rather than to place this information already in the print advertisement (para 30). However, it is for the national court to determine whether the context of the invitation to purchase and the means of communication used for the advertisement justified this delay in providing material information to consumers. The CJEU confirms, however, the obligation of the online sales platform to provide information to consumers on the name and address of the supplier of individual products (para 31). Finally, the online sales platform needs to ensure that the material information on its websites is provided to consumers simply and quickly (para 32). This refers back to the transparency principle, adding a new requirement to the traditional ones, namely of 'quick' provision of information to consumers.