Thursday 24 December 2020

Merry Christmas!

Merry Christmas Dear Readers!

We hope you are enjoying this festive time with your families and/or friends, as much as the restrictions in the place you live at, allow for this. 

Stay safe and let us hope for the 2021 to be nicer to all of us!



Tuesday 15 December 2020

Who is on the nice or naughty list?: Digital Markets Act and Digital Services Act

European Commission published today two potentially game-changing proposals for the digital market: Digital Services Act (see here) and Digital Markets Act (see here). For those of our readers who have not heard about the works on the proposals for these two regulations, the Digital Services Act aims to 'comprehensively' regulate the obligations of digital service providers towards users of their services as well as enforcement authorities, whilst the Digital Markets Act sets out the rules for the digital market, e.g. defining its largest participants as so-called 'gatekeepers' and providing for additional obligations for them. These proposals will now be discussed further by the European Parliament and the Council. Below we provide a summary of the proposals.

Digital Markets Act

The advantage of the Digital Markets Act for consumers lies definitely in the environment this regulation aims to promote: more competitive, encouraging consumers to seek for, access and conclude the best possible deal, not locking them into digital services contracts they conclude. The gatekeepers to the market are companies located anywhere in the world, provided they offer their core platform services to business users in the EU or end users in the EU (Article 1(2)). The end users do not have to be consumers (Article 2(16)) as they may be legal persons, as well as natural persons.

Core platform services could be (Article 2(2)): online intermediation services, online search engines, online social networking services, vide-sharing platform services, number-independent interpersonal communication services, operating systems, cloud computing services, advertising services. 

Gatekeepers are defined (Article 3) as providers of core platform services who have a significant impact on the internal market (e.g. annual EEA turnover exceeds EUR 6.5 billion in the last 3 financial years and they provide the core platform service in min 3 Member States), operate a core platform service which serves as an important gateway for business users to reach end users (e.g. more than 45 million monthly active end users located in the EU and more than 10.000 yearly active business users established in the EU), and enjoy an entrenched and durable position in its operations (or could do so) (e.g. where it was an important gateway for the last 3 financial years). These thresholds are just an example, as the Commission has the power to designate other providers as gatekeepers (Article 3(6)). Generally, it is the gatekeeper who should notify the Commission that they have reached such a position (Article 3(3)).

Articles 5 and 6 specify the main obligations of the gatekeepers. These seem to focus on: limiting the scope in which platforms use personal data, not limiting a possibility for business users to offer the same products or services to end users on different platforms under different conditions, not restricting communication of business and end users outside the platform, allowing end users to un-install any pre-installed software applications on the platform, as well as facilitate installation of third party software applications, not prioritise in ranking products or services offered by the gatekeeper, limit bundling of services, facilitate switching of services, transparency obligations.

Further provisions of the proposal for this regulation are devoted mainly to various monitoring obligations, review processes and consequences for non-compliance (mainly fines).

Digital Services Act 

The main advertised advantage of this act for consumers is that the provisions of the regulation will offer them 'more choice, lower prices', 'less exposure to illegal content' and 'better protection of fundamental rights' (see here). These benefits are to result if the aims of the Regulation as defined in its Article 1(2) are achieved. Similarly to DMA this Act also will apply to providers of intermediary services regardless of their place of establishment, as long as the services are provided to recipients established or located in the EU (Article 1(3)). A recipient of the service again does not need to be a consumer, as it may be a legal person (Article 2(b)).

The obligations imposed by this Act are to bind providers of intermediary information society services (Article 2(f)), that is services where providers are either a: 'mere conduit' (transmitters of information provided by recipients or providing access to the communication network, e.g. Internet access providers), 'caching' service (where they temporarily store the transmitted information to make its transmission more efficient), 'hosting' service (where they store the information provided for and as requested by the recipient of the service, e.g. cloud services).

Articles 3-5 specify when providers of various information society services in the above-mentioned categories may be exempted from the liability for the content of that information, i.e. when it is illegal content. These provisions aim then to ensure that consumers (citizens) are indeed exposed to less illegal content (will they suffice? that is the question that goes beyond providing a short summary here!).

Importantly, if a provider conducts a voluntary own-initiative investigation that does not change the status of their exemption from the liability as determined in Articles 3-5 (Article 6). Thus self-checks are to be encouraged. However, there remains no general obligation to monitor the information which providers transmit or store (Article 7), similarly to the current E-Commerce Directive provision.

Articles 8-9 regulate how providers are to comply with orders about removing illegal content and providing information about users, respectively.

Other interesting for us provision may be:

- Article 12 - which obliges providers to transparently outline any content moderation procedures and tools in their terms and conditions;

-  Article 13 - requiring providers to publish an annual report on past year's content moderation; Article 23  adds also an obligation to provide reports on the number of disputes submitted to ADR, number of suspensions (Art 20) and any use of automatic means for the purpose of content moderation;

- Article 14 - providers of hosting services are required to facilitate users notifying them about illegal content and allowing them to act upon such notifications (notice and action);

- Article 15 - requires hosting services providers to notify, in a reasoned and transparent manner, users if their content is removed/disabled/etc as illegal;

- Article 17 - sets out rules on an internal complaint-handling system for online platforms, which they are to provide to recipients of services for min 6 months following either removal or disabling of access to the information provided by recipients, suspension or termination of the service, suspension or termination of the account;

- Article 17(4) and Article 18 - recipients of services should be informed about and have access to ADR;

- Article 19 - specifies rules for processing of notifications of trusted flaggers;

- Article 20 - determines when providers could suspend users' accounts due to misuse, i.e. frequent posting of illegal content;

- Article 22 - specifies that online platforms are required to obtain information from traders allowing to trace identity and location of such traders and should check the reliability of this information;

-  Article 24 - online advertising has to be clearly displayed as such, together with parameters used to determine the recipient to whom the advertisement is displayed;

- Articles 26-33 - contain obligations for very large online platforms, in the same categories as described above, but with stricter provisions.

Further provisions pertain to various enforcement and penalties issues, as well as the plans to encourage adoption of standards and codes of conduct.

Thursday 10 December 2020

The New Consumer Protection Agenda 2020-25

Last month, on November 13 2020 the EU Commission adopted its new Consumer Protection Agenda 2020-25 that will provide the strategic framework of consumer protection policy  for the next five years. The Agenda identified 5 key priority areas:

1) Green transition: empower consumers to behave 'green' to purchase sustainable and circular products.

2) Digital transformation: increase online consumer protection; this aim will entail the revision of several well established directives: General Product Safety Directive, Consumer Credit Directive and Distance Marketing of Financial Services Directive.

3) Effective enforcement and redress: places emphasis on the CPC Regulation. 

4) Consumer vulnerability: means addressing the needs of different groups, including debt advice and safety of products designed for children.

5) Consumer protection in the global context: aims to promote overall high level of protection, including the safety of products sold online. 

The strategy seems to have addressed the most pressing consumer protection issues of our everyday lives. Not surprisingly it is significantly influenced by the COVID pandemic and the ways in which it reshaped our lives.

Sunday 6 December 2020

CJEU agrees with the AG in the Uber follow-up case - Star Taxi App

Last week the Court of Justice delivered its judgment in another case highly relevant to the platform economy - C-62/19 Star Taxi App. The English version of the judgment is not available at the time of this writing, yet the analysis of other language versions shows that the Court largely followed the opinion of the Advocate General Szpunar, on which we reported earlier this year (see AG opinion in Star Taxi App...). Like in several other judgments on online platforms analysed on this blog - from Uber Spain and Uber France to Airbnb Ireland - the focus remained on the classification of services provided by platform operators and its regulatory implications. The Court continued to rely on the analytical framework developed in the Uber cases, but - similarly to the Airbnb ruling - applied it more favourably to the platform provider. The judgment confirms that the classification of services of platform operators as activities falling outside of the scope of Directive 2000/31/EC on electronic commerce is not to be made too promptly. Moreover, the judgment addressed several other aspects of the EU regulatory framework - in a way which was not as favourable to the platform providers as they may have hoped.

Facts of the case and the questions referred

As we recounted in our previous post, the case involved a provider of a mobile application connecting drivers and passengers in urban transport. The business model of Star Taxi App was, however, not identical to the Uber platform. Firstly, the provider did not automatically select two parties for a ride, but rather displayed a list of drivers available for a journey, from whom the passenger was free to choose a party. Secondly, the fare was not set by and collected through the app, but was paid directly to the driver. Thirdly, only taxi drivers authorised and licensed to provide taxi services were allowed on the platform and no additional steps were taken to control the quality of the vehicles and drivers. Finally, unlike Uber, Star Taxi App was a Romanian platform, operating on the Romanian market.

The operation of the platform was considered to be in violation of applicable national rules, most notably as regards prior authorisation. The provider contested the sanctions imposed on him, arguing that the relevant norms were contrary to the EU law. Against this background, the Regional Court in Bucharest decided to stay the proceedings and ask the Court of Justice for an interpretation of the notions of "information society services" under Directive 2000/31/EC and "technical regulations" under Directive 2015/1535 on the provision of information in the field of technical regulations. Moreover, the reference provided the Court with an opportunity to clarify specific norms on freedom of establishment, contained in Directive 2000/31/EC (principle excluding prior authorisation) and Directive 2006/123/EC on services (conditions for establishing authorisation schemes and for granting authorisations).

Judgment of the Court

Finding 1: Star Taxi App provides information society services

Like the AG, the Court found that services provided Star Taxi App fulfil the criteria of "information society services", to which Directive 2000/31/EC applies (para. 42-48), and cannot be seen as "inherently linked" to the underlying transport services. Key to the latter finding was the fact that Star Taxi App did not create a new market for non-professional drivers, but was limited to licensed taxi drivers, i.e. a market for services which existed before (para. 52), and did not organise the general functioning of underlying transport services, as it did not select the drivers, set or charge prices or control vehicles or drivers (para. 53). Consequently, unlike in Uber cases, classification as "information society services" remained available.

Finding 2: Notification requirements under Directive 2015/1535 do not apply

The Court then reversed the order of the questions referred and moved to the assessment of notification requirements under Directive 2015/1535. Like the AG, the Court concluded that the Romanian requirements imposed on operators of taxi "dispatching" services did not constitue technical regulations as they were not specifically aimed at information society services. Whether or not this finding remains in line with the Court's previous case law can be a matter of debate. To recall, the Court was not equally generous to the national regulator in VG Media, where it found that the German copyright rules (introducing publisher rights) were aimed, at least in part, at regulating information society services (the use of snippets on search engines). In Star Taxi App, the Court was satisfied with the fact that "taxi dispatching" have long been defined more broadly and referred to the activity consisting in receiving customer bookings by telephone "or other means" and forwarding them to a taxi driver. The fact that more recent local rules in Bucharest explicitly mentioned "IT applications" among those "other means" was deemed irrelevant. To support this conclusion the Court observed that the analysed requirements, for example to obtain a two-way radio, applied equally to all types of dispatching services (para. 65). The latter argument seems rather shaky, considering that the Court later (rightly) argues that such a requirement, applied to the providers of information society services, could, in fact, be contrary to Directive 2006/123/EC. An alternative reading of Directive 2015/1535 could, however, be difficult to reconcile with the subsequent interpretation of Article 4(2) of Directive 2000/31/EC, which was likely a consideration in this part of judgment.

Finding 3: Article 4 of Directive 2000/31/EC does not apply to the scheme at hand, but Articles 9 and 10 of Directice 2006/123/EC do

The last part of the judgment concerns the applicability of the principle excluding prior authorisation in Article 4(1) of Directive 2000/31/EC to the case at hand. Similarly to the AG, the Court found that the analysed scheme was not covered by this provision and instead fell under the exception set out in the subsequent paragraph. To recall, pursuant to Article 4(2) of Directive 2000/31/EC, the principle excluding prior authorisations for information society services remains without prejudice to authorisation schemes which are not specifically and exclusively targeted at such services. Like the AG, the Court observed that a mere clarification (extension?) of the scope of pre-existing rules to dispatching services relying on IT applications does not consistute an authorisation scheme which is specifically and exclusively targeted at such services (paras. 81-82). Accordingly, a conflict between Directives 2000/31/EC and 2006/123/EC did not arise and provisions of the latter were deemed applicable.

The Court then moved to the interpretation of Articles 9 and 10 of Directive 2006/123/EC on freedom of establishment, referring numerously to its recent judgment in Cali Apartments. Like in the Cali case, the Court underlined that a separate and consecutive assessments must be made of, firstly, whether the very principle of establishing that scheme is justified, and, secondly, the criteria for granting the authorisations provided for by that scheme (para. 87). Since the information provided by the referring court in this regard was not sufficient (e.g. so as to assess if the scheme could be justified by reasons of consumer protection), the Court limited itself only to brief observations regarding the criteria apparent from the file. Most notably, it shared the view expressed by the AG that an obligation, imposed on service providers, to comply with technical requirements which are not appropriate for the service in question and thus generate unjustified burdens and costs for service providers could not be deemed compatible with Article 10(2) of Directive 2006/123/EC (para. 90). This could be the case for the requirement to obtain a two-way radio, which was nonetheless for the referring court to verify (paras. 91-92).

Concluding thoughts

Overall, the judgment in Star Taxi App is a reasonable ruling, seeking to strike a balance between the internal market goals and the public interest goals pursued by national regulators. One cannot fail to note, however, that the Court has taken a long way to arrive at this outcome. As apparent from the Star Taxi case, the EU rules at hand provide for significant safety vaults, which Members States can rely upon to regulate the provision of information society services in the public interest. The principle excluding prior authorisation in Article 4(1) of Directive 2000/31/EC does not apply to authorisation schemes which are not specifically and exclusively targeted at information society services and notification requirements in Directive 2015/1535 do not apply to rules which are not specifically aimed at this kind of services. Also the country of origin principle, which is laid down in Article 3(1) of Directive 2000/31/EC and was analysed in the Airbnb Ireland case, is not without limitaitons. Admittedly, the development of the platform economy has pushed some of these norms to its boundaries and a case could be made, for example, for making Article 4(1) of Directive 2000/31/EC less categorical. This, however, is a task for the EU legislature and a potential subject for the Digital Services Act. For the time being, the judgment in Star Taxi App shows, together with Airbnb Ireland, that classification of services of platform operators as activities falling outside of the scope of Directive 2000/31/EC should not be made too lightly and that EU free movement rules are to be reckoned with.

* The author carries out a research project on consumer protection in the collaborative economy, financed by the National Science Centre in Poland on the basis of decision no. DEC-2015/19/N/HS5/01557.

Monday 30 November 2020

New Digital Markets Unit in the UK - putting (some/few) platforms on notice

Another interesting piece of news from the past few days is the UK government announcing the setting up of the Digital Markets Unit ('New competition regime for tech giants to give consumers more choice and control over their data, and ensure businesses are fairly treated') within the Competition and Markets Authority (CMA). The Unit's main task will be to introduce and enforce 'a new code to govern the behaviour of platforms that currently dominate the market'. Is the UK attempting to follow the example of the German Federal Cartel Office (Bundeskartellamt) that has been cracking the whip against the potential abuses of the dominant position on the market of such digital service providers like Facebook (see The Facebook Decision: First Thoughts by Podszun)?

Perhaps, the government's announcement draws attention to the risks associated with the concentration of power in the tech sector, bluntly giving notice to the dominant players on the digital marketplace that they will be under enhanced surveillance in the foreseeable future. They will be expected to follow the new rules for behaviour set out in the code, which will likely require more transparency (as to the use of consumer data?), opt-in options for personalised advertising (the issue that was at play in the German Facebook case), facilitating users' swapping to use any rival platforms.

The DMU is to start their work in April and is supposed to be able to 'suspend, block and reverse decision of tech giants, order them to take certain actions to achieve compliance with the code, and impose financial penalties for non-compliance'. What is of interest to us, of course, is to what extent this new unit will be able to benefit consumer protection in the UK? This is uncertain at the moment, but it seems that any consumer protection benefits may be coincidental rather than intentional here. First, the Guardian reported that the new unit will have oversight only over platforms funded by digital advertising and having 'strategic market status' (Digital Market Unit: what powers will new UK tech regulator have?). This would limit the unit's purview, possibly even only to Facebook's and Google's activities. Second, the DMU will focus on preventing damage to news media... which suggests that the interests of UK news outlets may play out more centrally, over consumers' interests.

A lot will depend on the new code of conduct set by/for the DMU. We will then definitely let our readers know when the new code for the behaviour of these digital platforms is adopted!

GDPR complaints v Google: Will the (long) wait be worth it?

The European Consumer Organisation (BEUC) drew attention in the last week to the fact that when the national consumer organisations file complaints for infringements of the GDPR rules, the procedure is loooooong (Commercial surveillance by Google. Long delay in GDPR complaints). 
 
We have reported back in 2018 that several national consumer organisations have filed a complaint about Google's deceptive design (the use of dark patterns) to acquire their users' consent to constant tracking of their 'location history' (Google tracks every step you take). The complaints were lodged in various national data protection authorities in November 2019. It took until July 2019 for the decision to be made that the Irish Data Protection Commission will lead the investigation into the complaints. After another six months, in February 2020, we have found out that the Irish Data Protection Commission have also opened an investigation of their own motion (own volition inquiry). This means that there are two separate, but interlinked as they pertain to the similar reported infringements, procedures ongoing at the moment. 
 
Why? That is a very good question. What is the benefit of the opening up of a new procedure with/by the same authority? Supposedly, the own inquiry of the data protection authority will provide insights necessary to further resolve the submitted complaints. The date of any decision/report is unknown at the moment. Which raises the question whether submitting the GDPR complaints actually makes sense from the perspective of consumer protection. After all, whilst the procedure is ongoing and the complaints are pending, the reported practices have not been suspended.

Thursday 26 November 2020

Restoring an effective balance through court-guided negotiations? CJEU in Banca B.SA v A.A.A (C-269/19)

 Dear readers, 

if you were hoping for some inspiring CJEU news to keep your mind away from pandemics, impending festivities and other disasters, we may this week have just what you were looking for - or not, but only time will tell :)

Yesterday, the CJEU's first chamber delivered a judgement sparked by the creativity of Romanian courts which could make courts in other Member States take a closer look at their potential role in unfair terms dispute. To understand the case, it is useful to take a small step back.

As you may remember, in a string of cases culminating famously in the Dziubak decision, the court had established that unfair terms may not be replaced unless two+1 conditions are fulfilled:

a) the contract must, under the applicable national law, not be capable of existence without the unfair term 

and

b) the invalidity must be to the consumer's disadvantage. 

If these two conditions apply, the term may be replaced with otherwise applicable non-mandatory rules - the existence of which is a third condition. What if there are no otherwise applicable rules?

In the case at stake, Romanian courts were struggling with exactly this problem. While on occasion, as in Dziubak, a consumer may actually prefer the whole contract to be invalidated, in several Romanian cases courts were left alone with the prospect of invalidating contracts or facing a stalemate. Some courts had sought to apply non-mandatory rules which had entered in force at a later stage and were thus not applicable to the contentious contracts, but other courts had decided to instate "regulated" negotiations between the parties. In its decision, the CJEU endorses - and, to a certain extent, even requires, this approach, making space for a new wave of procedural innovation in unfair terms adjudication. To what extent this will materialise, though, will of course depend on a number of factors, including importantly national legislation. Let's see what the court says. 

According to the CJEU, the Directive's article 6 does not seek to "prescribe uniform solutions" after a term has been declared unfair [see para 39]. However, once it has found a term unfair, the national court invested with the dispute must, "while taking into account all of its national law, take all the measures necessary to protect the consumer from the particularly unfavourable consequences which could result from the annulment of the loan, notably the fact that the seller or supplier could immediately claim the debt from the consumer" [para 41]. 

The above means that, in circumstances such as the ones at stake, nothing precludes a court from instating negotiations between the parties in order to establish a viable method for calculating the interest rate "provided that it sets out the framework for those negotiations" and that the negotiations themselves seek to establish "an effective balance" between the parties' rights an obligations, considering in particular the objective of consumer protection underlying the Unfair Terms Directive [see para 42]. In doing so, however, they should keep in mind that their intervention should not go beyond "what is strictly necessary to restore the contractual balance", which in turn means "to protect the consumer from the particularly unfavourable consequences" that annulment would bring about. A more substantive intervention would undermine the achievement of the paramount objectives pursued by the directive, namely restoring equality between the parties and deterring professionals from using unfair terms [para 44, para 38] 

Combined, the elements in the reasoning seem to suggest not only that the Directive does not preclude the instigation of "regulated" negotiations, but even that courts are required to take action in this way when this is allowed [or not prohibited] under the applicable national rules. While the CJEU's caveat against substantive intervention leaves open questions as to what courts should do in case negotiations stall, the decision seems mainly aimed at moderating the possibly harsh effects of the case-law which came to be epitomised in Dziubak while preventing consumer-unfriendly readings which some MS courts may be a bit too eager to embrace. 


Wednesday 18 November 2020

Professional assignees of consumer claims may rely on the UCTD - CJEU in DelayFix (C-519/19)

The CJEU issued a judgment today in DelayFix case (C-519/19), which pertained to a dispute under Polish law involving aspects of both substantive and procedural consumer protection. Namely, a flight from Milan (Italy) to Warsaw (Poland) was cancelled and the passenger who was due compensation from the operating air carrier (Ryanair) for this cancellation assigned their claims to DelayFix. When DelayFix filed this claim in a Polish district court, Ryanair invoked a jurisdiction clause from their terms and conditions, which assigned the jurisdiction to Irish courts instead. The questions this situation raises are twofold, really: 1. whether the assignee of the passenger's claim for compensation is bound by a clause from the air carrier's terms and conditions that were incorporated in a contract of carriage between the passenger and the air carrier; 2. if yes, could the assignee invoke the unfairness of such a clause?

Assigning of claims and jurisdiction clauses
The CJEU reminds in this judgment that "(...)in principle, a jurisdiction clause incorporated in a contract may produce effects only in the relations between the parties who have given their agreement to the conclusion of that contract" (para 42). This results from the need to protect third parties who have not consented to such specific clauses. However, if, and only if, national law provides that when a third party, not privy to the original contract, succeeds the original contracting party in all their original rights and obligations, then that third party could be bound by the jurisdiction clause (para 47).

Validity of jurisdiction clauses
The CJEU reminds again that the validity of a jurisdiction clause needs to be assessed in light of the law of the country whose courts are designated in that clause, i.e. Irish law in this case (paras 49-50). This, of course, means that the UCTD remains applicable, as well, as it applies to the contracts concluded in the air transport sector (para 52). The interesting observation of the CJEU comes from paras 53-54, where the CJEU invokes a previous judgment in the Lexitor case (see our comment here) as setting a precedent to apply EU consumer law regardless the identity of the parties in the dispute, but on the basis of the capacity of the parties to the agreement. The CJEU further states that this should be applicable to the UCTD. The following parts of the judgment are unsurprising, as the CJEU reminds that jurisdiction clauses are likely to be considered unfair as they may hinder the consumers' rights to take legal action (paras 55-59).


Monday 16 November 2020

Interpretations of PSD2 in C-287/19 DenizBank AG

On November 11th the CJEU delivered a judgment in C-287/19 DenizBank AG v Verein für Konsumenteninformation on the interpretation of  Directive 2015/2366 on Payment Services (PSD2).

The facts

VKI an Austrian consumer protection organization brought proceeding for a prohibitory injunction infront of Handelsgericht Wien asking the court to prohibit DenizBank from using several clauses in their standard terms with consumers on grounds that they are null and void. The validity of these clauses were questions in relation to the card’s NFC (Near Field Communication) functionality that enables customers to use contactless payment for low value transactions. The case provided an opportunity to the CJEU to provide interpretation on several aspects of PSD2.

Validity of tacit consent to contract variation

With the first question the Austrian Supreme Court asked whether Article 52(6)(a) of Directive 2015/2366, read in conjunction with Article 54(1), should be interpreted to mean that the payment service providers may agree with the payment service users (who are in this case also consumers) in the framework contract to include a presumption that when the conditions laid down in the contract are satisfied, the payment service users tacitly consented to contract variation.

The CJEU reminded that the tacit consent that is provided for and thus agreed between the parties in advance at the point of contract conclusion of the framework contract is only valid if the change in terms and conditions is of minor importance to the contract. The court emphasized that in case of changing any of the essential terms that would result in a new contract, tacit consent would not be enough. Although the CJEU does not specify, it might be important to note that a framework contract here should be the contract that provides the card, in case of debit cards, this would be the bank account.

The CJEU confirmed that the provision indeed provide for a freedom of payment service providers and users to include these kind of clauses into their contracts, because PSD2 does not lay down restrictions regarding the status of the user or the type of contractual terms that may be the subject of such tacit consent. In principle therefore the validity of tacit consent could not be ruled out. However, in transactions with consumers, the clause should also be subject to an independent review under the Directive 1993/13/EC on unfair terms and may thus be removed from the contract for being unfair.

Meaning of a ‘payment instrument’

With the second question the referring national court asked for clarifying meaning of payment instrument in Article 4(14). More specifically, whether the NFC functionality of personalised multifunctional bank cards by means of which low-value payments are debited from the bank account associated with that card constitutes a ‘payment instrument’.

Under Article 4(14) a ‘payment instrument’ is ‘a personalised device(s) and/or set of procedures agreed between the payment service user and the payment service provider and used in order to initiate a payment order’.

According to the CJEU, the NFC functionality of a multifunctional bank card associated with a specific bank account does not constitute a ‘personalised device’, since the use of that function, in itself, does not allow the payment service provider to verify that the payment order was initiated by a user authorised for that purpose, unlike the other functions of that card which require the use of personalised security data, such as a PIN code or a signature. However, the NFC functionality is capable of constituting, in itself, a non-personalised ‘set of procedures’, within the definition and can thus be considered a ‘payment instrument’ for the purposes of the application of PDS2.

Meaning of ‘anonymous’ use

Further on, the CJEU also had an opportunity in this case to interpret the meaning of ‘anonymous’ within Article 63(1)(b), specifically, whether contactless low-value payment using the NFC functionality of a personalised multifunctional bank card constitutes ‘anonymous’ use of the payment instrument.

Article 63 allows for contracting parties to agree to several important derogations from the protective framework of PDS2 for low value  individual payment transactions not exceeding EUR 30 or which either have a spending limit of EUR 150, or store funds which do not exceed EUR 150 at any time. These include derogation from Article 72 which requires the provider to prove the authentication and execution of payment transactions; from Article 73 which establishes the principle that the service provider is liable for unauthorised payment transactions; and from Article 74(1) and (3) which enables the parties to confer some responsibility for unauthorised payments on the payer for up to EUR 50. These derogations are only possible under Article 63(1)(b) where ‘the payment instrument is used anonymously’ or where ‘the payment service provider is not in a position for other reasons which are intrinsic to the payment instrument to prove that a payment transaction was authorised’.

The CJEU held that despite the facts that the card itself is personalized, connected to a bank account of a particular customer, the use of the NFC functionality for the purpose of making low-value payments constitutes ‘anonymous’ use, within the meaning of Article 63(1)(b). The payment service provider is objectively unable to identify the person who paid using that functionality and thus unable to verify, or even prove, that the transaction was duly authorised by the account holder.

Consequently, contactless low-value payment using the NFC functionality of a personalised multifunctional bank card constitutes ‘anonymous’ use of the payment instrument in question, within the meaning of Article 63(1)(b).

The ways to prove impossibility to block or prevention of future use of payment instrument

Article 63(1)(a) allows the payment service provider and the user to agree on further derogations from the protecting framework of PDS2, that is, from Article 69(1)(b) which requires the user to inform the provider without delay of the loss, theft, misappropriation or any unauthorised use of the payment instrument concerned; from Article 70(1)(c) and (d) of which requires the provider to make available to the user means to make that notification free of charge or to request unblocking of that instrument; and from Article 74(3) which relieves the payer, except where he or she has acted fraudulently, from the financial consequences of any use of the lost, stolen or misappropriated instrument that takes place after that notification.
These derogations are possible to achieve if
the payment instrument does not allow its blocking or prevention of its further use. So the question infront of the CJEU was whether payment service providers may simply declare that it is impossible to block the payment instrument concerned or to prevent its continued use, where, in the light of the objective state of available technical knowledge, that impossibility cannot be established.

The CJEU concluded that this is not the case. The ‘payment service provider wishing to exercise the option provided for in Article 63(1)(a) … may not, in order to relieve itself from its own obligations, simply state, in the framework contract relating to the payment instrument concerned, that it is unable to block that instrument or to prevent its further use. That service provider must establish, with the burden of proof being on that provider in the event of a dispute, that that instrument in no way allows, on account of technical reasons, its blocking or prevention of its further use. If the court hearing those proceedings considers that it would have been physically possible to carry out such blocking or to prevent such use, having regard to the objective state of available technical knowledge, but that the provider did not make use of that knowledge, Article 63(1)(a) may not be applied to the benefit of that provider’ (para 98).

Friday 13 November 2020

Dark patterns and conditions for a valid consent to data processing - judgment of the CJEU in C‑61/19 Orange Romania

Earlier this week, the Court of Justice delivered a judgment in case C-61/19 Orange Romania, concerned with the conditions for a valid consent to the processing of personal data under EU data protection law (the Data Protection Directive 95/46/EC and the General Data Protection Regulation 2016/679, which remains in effect as of May 2018). The case follows up on the previous ruling in C-673/17 Planet49, on which we commented last year (see also: Planet49: Pre-Ticked Checkboxes Are Not Sufficient...). Aside from confirming the importance of an "active" consent, the Court elaborates on the requirement for consent to be informed, specific, unambiguous and freely given, building bridges to important categories known from consumer law, such as transparency and misleading practices.

Facts of the case

The dispute goes back to a fine imposed by the Romanian data protection authority on the provider of mobile telecommunications services, Orange România, for an allegedly unlawful storage of the copies of customers' identity documents. In particular, the authority argued, the data controller failed to demonstrate that the data subjects had given their valid consent to the contested processing. What makes the case interesting is that the storage of ID cards was, in fact, explicitly mentioned in the contracts which Orange concluded with its customers. Specifically, the following wording is cited:

"The customer states that: ... (ii) Orange România has provided the customer with all the necessary information to enable him or her to give his or her unvitiated, express, free and specific consent to the conclusion and express acceptance of the contract; (iii) he or she has been informed of, and has consented to [numerous types of processing, including the storage of copies of documents containing personal data for identification purposes]."

As seen from above, both the declaration of "consent" and the confirmation of having received the associated information were pre-forumlated by the trader. At least in certain cases they were also already "pre-ticked". In fact, however, consent to the storage of the copies of ID cards was not necessery for entering into a contract and customers, who refused to consent, were not prevented from the contract conclusion. Data subjects who did not wish their ID cards to be copied, though, were asked to go through additional steps, most notably confirm their refusal in a specific form, which, like pre-ticked checkboxes, can be regarded as an example of dark patterns in action (or, in this case, "sludge"). 

Against this backgroud, doubts have been raised, among others, as to whether the clauses on data processing were sufficiently distinct from the remaining parts of the documents, whether the data subjects were not misled about the possibility of refusing consent to the storage of ID cards and, if so, whether this could have an impact on the validity of their consent.

Legal provisions

Even though the contested fine was imposed on Orange România prior to the date of application of the GDPR, the Court of Justice decided to provide guidance on both Directive 95/46/EC and Regulation 2016/679. Key norms subject to the analysis where those laying down conditions for a valid consent. Focusing on the GDPR, attention should be drawn to its Article 6(1)(a), listing data subject's consent among the grounds for the lawful professing of his or her personal data, and to Article 4(11), which defines "consent" as any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Of relevance are further the associated information duties in Article 13 as well as (non-binding) clarification of the above in recitals 32 and 42.

Judgment of the Court

While the specific assessment of the case at hand has been left to the national court (in line with the nature of preliminary reference procedure), the judgment provides important guidance on the legal provisions to be applied. In particular:

  • The Court recalls that for consent to be validly expressed (by the data subject) and later demonstrated (by the controller), the corresponding wish of the data subject should be reflected in his or her active behaviour. In particular, unambiguous and informed consent cannot be inferred from the fact that the data subject did not deselect a pre-ticked checkbox (paras. 35-37, 45-46; on the burden of proof, see also paras. 42, 51).
  • The judgment goes on to discuss the definition of consent as a "specific" indication of data subject wishes, highlighting the requirements of Article 7(2) (presentation of the request for consent in a manner which is clearly distinguishable from the other matters) and recital 42 of the GDPR (presentation of pre-formulated declarations in an intelligible and easily accessible form, using clear and plain language). The latter is especially worth highlighting, as it directly refers to Directive 93/13/EEC on unfair terms in consumer contracts. Transparency of declarations is also considered relevant for establishing whether consent so expressed has been informed. What is more, corresponding information provided by the controller "must enable the data subject to be able to determine easily the consequences of any consent he or she might give", which again brings to mind the requirements for substantive transparency known from consumer law stricto sensu (paras. 38-40, 47-48). The latter may have significant impliactions for the validity of consent to the processing of personal data in the context of automated decision-making.
  • Finally, an important part of the judgment concerns the requirement for consent to be freely given (and again informed). In para. 41, the Court observes that "in order to ensure that the data subject enjoys genuine freedom of choice, the contractual terms must not mislead him or her as to the possibility of concluding the contract even if he or she refuses to consent to the processing of his or her data" (similarly para. 49). This brings to mind the notions of misleading actions and ommissions, known from Articles 6 and 7 of Directive 2005/29/EC on unfair commercial practices (note that the Directive refers directly to the "freedom of choice" only in the subsequent provision on aggressive practices). At a later point of the judgment, the Court also questions the free nature of consent in the case at hand in view of the additional burden (sludge) imposed by the controller on the data subjects who wish to refuse consent (para. 50). As in the other instances, however, an assessment is ultimately left to the referring court. 

Concluding thoughts

Overall, the judgment provides for a range of important reference points, which may help to increase the level of consumer and data protection in the EU. Worth noting are the recurring references to the requirement of an "informed" consent, which appears to complement and reinforce all other conditions. The judgment underlines the close connection between data protection and consumer law stricto sensu, which has long been observed in the literature. Recognition of the role of (substantive) transparency and of potentially misleading practices in assessing consent validity is also to be welcomed. Both seem especially relevant in the digital market, where the consequences of consent are often difficult to determine and where dark patterns remain prevalent.

Monday 2 November 2020

(Non-)Existence of right of withdrawal must be unconditional – CJEU in C‑529/19

In Case C529/19 (here), the CJEU interpreted the Consumer Rights Directive, particularly the right of withdrawal and its exceptions (Article 16). In this case, the consumer bought a fitted kitchen from Möbel Kraft (a German furniture company) at a trade fair. Later, the consumer communicated to Möbel Kraft its wish to withdraw from the contract. Consequently, the consumer refused to accepted delivery of the kitchen. In response, Möbel Kraft sued for breach of contract. Möbel Kraft had not yet started to manufacture the kitchen parts at issue when the consumer withdrew from the contract.

While Article 9 of the Consumer Rights Directive gives consumer the right to withdraw from an off-premises or distance contract, Article 16 lists several situations where that right does not apply. One of those situations is when the consumer buys goods made to the consumer’s specifications or clearly personalized (Article 16(c)). Given Article 16(c), the referring court asked the CJEU whether the consumer’s right to withdraw from an off-premises contract is also excluded in case where goods are made according to the consumer’s specifications, but the seller has not yet begun to produce the goods and therefore does not incur in any (or few) costs in case of the consumer’s withdrawal.

The CJEU starts by clarifying that the contract in question can only be considered an off-premises contract if it was not concluded at the trade fair stand, which can be seen as ‘business premises’ according to Article 2(9) of the Consumer Rights Directive. Then, the CJEU states that there is nothing in the Consumer Rights Directive that indicates that the exception of Article 16(c) is dependent on the occurrence of any event after the conclusion of the off-premises contract (para 24). In fact, the CJEU states that this exception is inherent to the subject matter of such a contract. In other words, the application of this exception is independent from the stage of performance of the contract (or the stage of production of the products in question) (para 24). Consequently, the CJEU determines that the exception to the right of withdrawal in off-premises contracts where the consumer acquires personalized goods applies from the outset of the contract. The CJEU extracted this conclusion not only from the literal element of Article 16(c) but also from its systematic element, since Article 6(1)(h) and (k) of the Consumer Rights Directive impose a pre-contractual duty on the trader to inform the consumer of the existence or absence of a right of withdrawal (para 25). If the existence of a right of withdrawal would be dependent on a decision of the trader (namely when to start performing the contract), the goal of providing the mandated pre-contractual information would be frustrated (para 27). Finally, to allow the right of withdrawal to depend on the moment in time where the trader starts to produce the goods would be contrary to legal certainty (para 28).

With this decision, the CJEU establishes the inflexible character not only of the right of withdrawal but also of its exceptions. The CJEU’s decision opts for legal certainty over consumer protection considering that, in practice, this means that every time that a consumer acquires a personalized product she can never withdraw from that contract, regardless of the actual costs suffered by the business. Therefore, the CJEU directly contradicts national case law from, for example, the Bundesgerichtshof, which previously determined that the right of withdrawal is not excluded if the goods can be restored at a low cost to the condition they were in prior to the personalization.

Thursday 22 October 2020

Consumers' income and mortgage loans: the CJEU in C-778/18

Last week the CJEU delivered its judgment in C-778/18 Association francaise des usagers de banque v Ministre de l'Economie et des Finances, interpreting Directive 2007/64 on Payment Services as repealed by Directive 2015/22366, Directive 2014/17 on Mortgage Credit and Directive 2014/19 on Payment Accounts.

This judgment answers a very interesting question on a practice that may be common in some Member States: is it compliant with EU law to require the transfer of consumers' income to the mortgage provider as a condition for approving their mortgage loan applications? 

The facts

This claim was initiated by a consumer association representing banking clients. It sought annulment of the relevant French law implementing the above directives on grounds of misuse of power. The organization explained that the law disregards the objective of customer mobility pursued by the directives because it authorizes credit institutions to require consumers to deposit their salaries or other income with them and fixes the maximum period of 10 years for which consumers can ripe advantage of such deposited money irrespective of the amount, maturity and duration of the loan they were applying for.

The scope of Art. 12(2)(a) Directive 2014/17/EU

The CJEU was in effect faced with interpretation of the scope of Art. 12(2)(a) Directive 2014/17/EU. This provision provides an exception from the general rule of the Directive in Art. 12 that prohibits tying practices. The exemption in Art. 12(2)(a) provides creditors with an option to request from consumers or their family members to 'open or maintain a payment or a savings account, where the only purpose of such an account is to accumulate capital to repay the credit, to service the credit, to pool resources to obtain the credit, or to provide additional security for the creditor in the event of default'. Given this exemption, the CJEU noted that the obligation to deposit income is in principle consistent with the Directive (para. 54). However, the CJEU goes on to clarify that the exemption must comply with the requirements of proportionality, that is, it should provide account of the characteristics of the loan concerned, its amount, maturity and duration (para 56). Any different interpretation would jeopardize the achievement of the objectives of the Directive to provide a high level of protection for consumers, and to secure consumer mobility between banks, especially in circumstances when consumers wish to conclude a number of loans with different lenders. Tying them to a single bank would stand on the way of having an opportunity to shop around and  make informed decisions for better deals. The CJEU therefore concluded that Art. 12(2)(a) must be interpreted to preclude national legislation that allows lenders to grant loans conditional on the deposit of all borrowers income on the payment account opened with the creditor (para 58).  In regard to the duration of this obligation to have the account opened with the mortgage lender, the CJEU highlighted that the Directive does not provide  any limitations as to the duration of the loan, and in principle therefore, this requirement is not inconsistent with the Directive, as long as the purpose of the deposit/account complies with the requirements set out in Art. 12(2)(a) (para. 61).

The meaning of ‘charges’ or ‘fees’ in Directive 2007/64, Directive 2015/2366 and Directive 2014/92 

The second question raised in this case related to the meaning of 'charges' and 'fees' within Directive 2007/64, Directive 2015/2366 and Directive 2014/92. To promote consumer mobility and account switching, these rules provide consumers with a freedom to terminate framework contracts such as a current account contract without being liable to pay compensation in the form of fees or charges. French law however provides that if borrowers case to satisfy the income deposit requirement, lenders may terminate for remainder of the duration of the mortgage loan any individual advantages that were conferred on consumers, for instance, a better interest rate. The question infront of the CJEU was whether this denial of the benefit can be understood as a fee or charge within the meaning of the above directives. The CJEU ruled that it cannot.

Our evaluation 

This judgment tackles a very interesting legal question. However, in addition to the bank account being extra security for the provided loan, another important aspect of transferring income in the mortgage provider bank is not considered in the judgment. Namely, not only that consumers' incomes provides additional security for banks that loans are going to be or at least they can be repaid, it also provides banks with additional data on customers. This enables banks to pull on a larger amount of data for profiling customers and monitoring their behavior. On the one hand, this may be beneficial for consumers, data could help banks to identify problems in repayment and income stream of the customer and address this with early intervention measures such as payment holidays. On the other hand, this additional information can help banks to provide new products to consumers that are tailored to their behavior and needs, that are arguably more likely to be taken by consumers than any products or services that does not suit them as much. The use of big data in banking is still in its infancy but having a bank account certainly provides extra opportunities for banks to get to know their customer, and represent a potential for extra profit. Perhaps this aspect could have also been taken into account in shaping the concept of fees and charges in the present context.

Thursday 15 October 2020

Retail Payments Strategy: faster payments for the connected world

As mentioned in our previous post on the Digital Finance Package (see here) on the September 24 the EU Commission also published a renewed Retail Payments Strategy as part of the Digital Finance Package. 

The logic behind the need for a renewed strategy is the ever-increasing importance of payments for EU financial markets. Payments are the lifeblood of European economy. This is a very dynamic market, highly innovative and fast changing raising new opportunities and risks that needs to be dully mitigated. As the Commission notes: 

"Innovation and digitalisation will continue to change how payments work. Increasingly payment service providers will abandon old channels and traditional payment instruments and develop new ways to initiate payments, such as ‘wearables’ (watches, glasses, belts etc.) or parts of the body, sometimes even eliminating the need to carry a payment device, building on advanced authentication technologies such as those relying on biometrics. As the internet of things further evolves, devices such as fridges, cars and industrial machinery will increasingly connect to the internet and become conduits for economic transactions".

The renewed strategy sets out the EU Commission's vision of payments market: 

  • Citizens and businesses in Europe benefit from a broad and diverse range of high-quality payment solutions, supported by a competitive and innovative payments market and based on safe, efficient and accessible infrastructures;
  • Competitive home-grown and pan–European payment solutions are available, supporting Europe’s economic and financial sovereignty; and
  • The EU makes a significant contribution to improving cross-border payments with non-EU jurisdictions, including remittances, thereby supporting the international role of the euro and the EU’s ‘open strategic autonomy’.

The vision will be achieved by following four strategic aims set out in detail; some of the key points would be the following:

1) Increasingly digital and instant payment solutions with pan-European reach

The development of instant payment systems is the top priority or is envisaged as the 'new normal'. Instant payments make payment immediately available- the framework should result in payment solutions that are efficient and work cross-border. Consumer trust is also of key importance here, and instant payments can create instant fraud. It is therefore crucial that payment service providers have in place appropriate and real-time fraud and money laundering/terrorist financing prevention tools.

Further in this context and within the upcoming revision of PSD2 the Commission will assess the extent to which the EU’s existing consumer protection measures (e.g. rights to refunds) can provide consumers with the high level of protection offered by other payment instruments. The Commission will assess the impact of charges levied on consumers for instant payments and, if relevant, require that they are no higher than those levied for regular credit transfers.

Finally, the Commission is keen on supporting European or home-grown payment solutions that will withstand competition from foreign big-tech companies that increasingly penetrate the payments market. Payments is a network industry yet at EU level there is no trend of fintech companies scaling up in the internal market to become global players. 

2) Innovative and competitive retail payments market

Within this strategic aim the Commission is strongly in favour of fully supporting open banking. Again, open banking will come under scrutiny within the review of PSD2 and interestingly the Commission also plans to present a legislative proposal for open finance that would include a broader range of providers in data sharing than only banks. 

Further, within this strategic pillar the Commission needs to make sure the regulatory parameter is working well and that it is coupled with efficient supervision. As the Strategy notes, "big payments conglomerates may include both regulated and unregulated entities. Problems encountered by unregulated entities providing technical services to support some of the Group’s affiliates could potentially have a spill-over effect."

The payments market should also secure a fair level playing field, as "the world increasingly dominated by digital platforms, large technology providers are taking advantage of their vast customer base to offer front-end solutions to end-users."

3) Efficient and interoperable retail payment systems and other support infrastructures

For a retail payment market to fully function it is necessary that there is efficient interoperability between clearing and settlement mechanisms. Payment service providers now must connect to several (national and/or European) clearing and settlement mechanisms.

In addition, it is also crucial to secure access for all payment service providers for necessary technical infrastructure, hardware and software for developing and offering innovative payment solutions.

Developing this pillar will require a cooperative approach of DG FISMA with at least the European Central Bank, DG Competition and DG Connect 

4) Efficient international payments, including remittance 

The EU being not just a regional market but also an important global market player and to this effect, the Commission highlights the importance of supporting the development of payment solutions with third countries. Payments across the EU’s external borders are slower, costly, opaque and complex. The objective therefore is to have faster and more efficient payments systems set up with third countries. The Commission aims to help this by supporting the use of payment standards such as ISO 20022 and SEPA-like initiatives across the globe.

Friday 9 October 2020

Online dating sites and the right of withdrawal - CJEU in PE Digital (C-641/19)

Yesterday, the CJEU issued a judgment - PE Digital (C-641/19) - regarding the interpretation of Articles 14(3) and 16(m) of the Consumer Rights Directive. Both these provisions regulate some aspects of the consumer's right of withdrawal. Article 14(3) CRD addresses the situation where a consumer explicitly requested the service provider to start performing a service during the cooling-off period. When the consumer then still decides to withdraw from a contract, this provision entitles the service provider to demand a part payment, 'in proportion to what has been provided'. Article 16(m) CRD specifically excludes the right of withdrawal from distance or off-premises contracts for the supply of digital content, not supplied on a tangible medium, where the performance of the contract begun during the cooling-off period upon consumer's explicit consent (following the consumer being informed about losing the right of withdrawal in such a case).

In PE Digital the issue arose from a contract concluded between a consumer and a German dating website - Parship - operated by PE Digital. This dating website allowed consumers to either enter into a free contract, with very limited opportunities to contact other persons on the site, or into a paid 'premium' contract for a period of 6, 12 or 24 months. The premium membership made it possible to contact any other premium member - ca 186000 users in Germany. The consumer in the case at hand concluded a 12 month membership contract for a high price of over 500 Euro, which was more than twice as high price as that which PE Digital charged other consumers for this contract duration (para 16). The consumer was informed about their right of withdrawal, but requested PE Digital to begin to supply the services during the cooling-off period. After 4 days, the consumer withdrawn from the contract and was charged almost 400 Euro for the provided services. The dispute arose from the consumer questioning this reimbursement.

The national court adjudicating the case asked the following questions:
1. Whether the proportional reimbursement awarded to consumers withdrawing from a partially performed contract should be calculated on the basis of how much time consumers have been bound to the contract or considering the value of the already performed services? (these were two questions answered jointly, see para 26)
2. On what basis should the national court examine whether the total contract price was excessive?
3. What consequences, if any, should be attached to the fact that under the concluded contract the consumer has received also, but not exclusively, digital content to which Article 16(m) CRD applies?

Proportional reimbursement 
The CJEU advises the national court that in general the proportional reimbursement should be calculated on a pro rata temporis base. This means that a consumer who was only bound by an agreement for 4 days out of a 1 year contract, could legitimately expect to recover the majority of the contract price he had paid. However, if the contract expressly stipulated that one or more services would not only be provided to consumers in full from the beginning of the performance of the contract, but also separately, which means that consumers were given a price to be paid for these services, separate from the total contract price, then the full price for such services could be seen as owed to the trader (para 32). Only when the consumers had the information that a particular service will be provided in full at the beginning of the contract's performance and knew its price, could they make an informed decision about asking the trader to start providing the services during the cooling-off period (knowing then of the reimbursement risk) (para 29). This was not the case with the dating site contract, as it did not specify a separate price e.g. for the personality test/report that would be delivered to a client upon the conclusion of the membership agreement.

Excessive price
Article 14(3) CRD specifies that if the contract price was excessive then the proportionate amount should be calculated on the basis of the market value of what has been provided to a consumer. Recital 50 further states that the market value should be identified by comparing the price of an equivalent service performed by other traders at the time of contract's conclusion (para 35). Therefore, the CJEU advises the national court to take into account both the price charged for the same services to other consumers by a given trader, but also the price charged by equivalent service providers (para 37).

Digital content
As part of the membership contract in the dating site, the consumer was issued with a personality report, which could classify according to the national court as digital content. Article 2(11) CRD defines digital content as 'data which are produced and supplied in digital form'. Recital 19 gives further examples of digital content to which the CRD applies. Article 16(m) CRD excludes the application of the right of withdrawal to contracts for the supply of digital content when the consumer has consented to the performance starting in the cooling-off period. As an exception, this provision requires strict interpretation (para 43). This leads the CJEU to decide that neither the provision of an online dating service to consumers, which allows them to 'create, process, store or access data in digital form and allows the sharing of or any other interaction with data in digital form uploaded or created by the consumer or other users of that service', nor the generation of a personality report, could be perceived as supply of digital content that qualifies for the application of Article 16(m) CRD... Why though? The CJEU does not further expand its reasoning on this point. Is it because the provided digital content is a part of a bigger digital service? This might be, but it would be good to have this clarification as that would exclude the application of Article 16(m) CRD to most contracts for the supply of digital content that would be part of a relational contract.

Wednesday 7 October 2020

The New EU Digital Finance Package: the Digital Finance Strategy

In addition to the new Action Plan on Capital Markets Union (see our report here),  on the very same day, the 24 September 2020, the EU Commission also presented its Digital Finance Package. This very board package consists of: 1) the Digital Finance Strategy; 2) the Retail Payments Strategy; 3) the legislative proposal for an EU regulatory framework for digital operational resilience and 4) the legislative proposals for crypto-assets.

The package aims to improve Europe's global competitiveness in financial services and products provision not only by boosting consumer choice but also by ensuring consumer protection and financial stability. With the coronavirus pandemic and the rise in the use of digital services more than before, these sorts of initiatives from the Commission are more than welcome. Embracing digital innovation should not only create consumer choice, but also widen access to financial services for consumers, increase business opportunities for firms, especially SMEs, and thus facilitate Europe’s economic recovery.

The package is complex and far reaching. The strategies are necessarily general providing high level overall strategic aims, but some of the legislative proposals are concrete and ground-breaking. Most importantly, the package of proposals has been drafted based on careful consultation and intensive cooperation with business stakeholders and consumer advocates through public consultations and the innovative Digital Finance Outreach programme of DG FISMA over the summer (on which we reported here) that enabled anyone interested to get involved in shaping the solutions. DG FISMA continues its public approach, it is now holding biweekly seminars on the Digital Finance Package and these are open for attendance for anyone interested (see here). The first seminar focused on the Digital Finance Strategy and so does this post.

The first and broadest element of the Digital Finance Package is the Digital Finance Strategy. It provides for the overall strategic objective to embrace digital innovation and the ways in which the more concrete proposals and the existing legislative framework fits within the picture. As the Commission rightly states: 'The future of finance is digital: consumers and businesses are more and more accessing financial services digitally, innovative market participants are deploying new technologies, and existing business models are changing.' To reflect this the strategy is focused around four key priority areas:

1) Tackle fragmentation in the Digital Single Market: this is the most general aim that intended to enable consumers to access financial services and products fully remotely. 

To this effect, on the one hand, the strategy recognizes that the key to achieving this is the fitness of onboarding process (the recruitment of new customers) for digital age for which a crucial element is the interoperability of digital identities. Digital identification of customers remotely will be enabled with a review of the current regulatory framework provided by Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transaction. In addition to securing a framework for the development and use of digital identities, this regulation should also enable data sharing between providers to facilitate the advantages of open finance. Taking identification fully online also requires the strengthening of the anti-money laundering and terrorism financing legislation. 

The other aspect of having access to digital financial services and product is passporting of firms. Passporting enables consumers and businesses to have access to cross-border services provided by firms established and supervised in another Member State in line with commonly agreed rules.  Although passporting currently may work for mainstream providers, it does not seem to work well for fintech companies that comprise the bulk of the digital finance ecosystem. To overcome this, the Commission is planning a one-stop-shop licensing system for these firms that combined with passporting rules should help their operation throughout the EU. In addition, special passporting rules for areas of particular interest such as crowdfunding are also being considered. Finally, the Commission proposed the establishment of a new EU Digital Finance Platform to facilitate cooperation and communication between firms and supervisory authorities. 

2) Adapt the EU regulatory framework to facilitates digital innovation: this aim relates to the creation and the review of the existing regulatory framework to fit the requirements of digital age. Within this aim, the EU Commission presented a legislative proposal on crypto-assets and placed as a strategic aim  for a technology-neutral regulatory framework. It also pledges for clarifying the supervisory standards on the application of this legislative framework to artificial intelligence applications.  

3) Create a European financial data space to facilitate data driven innovation: this dimension is connected to the European strategy for data and aims to facilitate access to data and data sharing within the EU, creating broader access to public and private data and real time data sharing. As part of these efforts, the Commission aims to set up a common financial data space through a number of more specific measures: promote innovative IT tools to promote supervision and promote business to business data sharing in EU financial sector and beyond. It is important to note that this open finance initiative is not going follow the UK's approach in mandating data sharing for firms (see our report here). Participation will be voluntary.  The Commission will therefore propose legislation on a broader open finance framework that will build on the upcoming initiative focusing on data access, including the upcoming Data Act, and the Digital Services Act. Finally, the Commission is also reviewing its competition approach and the upcoming review of PSD2 is also going to be part of this framework.  

4) Address new challenges and risks that come with digital innovation: with this aim, the EU Commission aims to work on future-proofing EU prudential and conduct supervision and regulation that should be fit to address both traditional firms as well as new entrants, especially technology companies that are increasingly present on financial markets. The objective will be proportionate regulation and supervision, based on the principle of “same activity, same risk, same rules” and pay particular attention to the risks of significant operators.