Monday 24 February 2020

Cancellation of connecting flights: whom to sue and where? Case C-606/19 flightright

On 13 February the Court of Justice delivered an order in case C-606/19 flightright concerning jurisdiction over the claim for compensation brought against an air carrier in charge of the final leg of the journey divided into several legs, confirmed in a single booking.

The case involved two passengers who booked a journey from Hamburg (Germany) to San Sebastian (Spain) via London and Madrid, comprising of connecting flights operated by different carriers. The problem faced by the passengers was cancellation of the third flight of the journey, operated by Iberia. The question to be addressed was whether a claim against Iberia could be brought before the court in Hamburg. Pursuant to Article 7(1)(a) of Regulation No 1215/2012 (Brussels I bis) in matters relating to a contract, a person domiciled in a Member State may be sued in another Member State in the courts for the place of performance of the obligation in question. The subsequent provision explains that in the case of the provision of services the place of performance of the obligation in question is generally the place in a Member State where, under the contract, the services were provided or should have been provided.

It was already clear from the previous case law that both the place of departure and that of arrival must be considered as the principal places of the provision of services under a contract for carriage by air, which in turn gives the person bringing a claim for compensation on the basis of Regulation No 261/2004 a choice of jurisdiction. This is the case for both direct flights and, mutatis mutandis, situations in which the journey with connecting flights consisting of a confirmed single booking for the entire journey comprises two legs. In the latter case, the passenger can also choose to bring the claim before the court or tribunal which has territorial jurisdiction over the place of departure of the first leg or one having jurisdiction over the place of arrival of the second leg.

The present case dealt with a similar legal matter yet with relation to a multi-leg flight, operated by different carriers. According to the Court none of this affected the procedural position of the passenger experiencing a cancellation or delay. First of all, the Court stressed that a contract for carriage by air consists of a confirmed single booking for a three-leg journey establishes the obligation for an air carrier to carry a passenger from a point A to a point D. The place of performance, within the meaning Article 7(1) of Regulation No 1215/2012, can therefore be the place of departure of the first leg of the journey (point A).

What is more, the rule of special jurisdiction for matters relating to a contract set out in that provision does not require the conclusion of a contract between two persons, but the existence of a legal obligation freely consented to by one person in respect of another on which the claimant’s action is based.  This is the case for an air carrier performing obligations under Passenger Rights Regulation No 261/2004 on behalf of another carrier having a contract with a passenger, in line with Article 3(5) of that regulation. Consequently, even though there were no complications on the first leg of the trip and the Hamburg-London flight was not operated by Iberia, the claim against the carrier could be brought in the Hamburg court.


Friday 21 February 2020

‘Paying’ with personal data – what rights do consumers have?

The recently approved Directive on the modernization of consumer protection rules (available here) explicitly extended the scope of the Consumer Rights Directive to contracts where the consumer ‘pays’ with data, or contracts where the consumer provides personal data in exchange for a digital content product or a digital service. This extension means that consumers who ‘pay’ with their personal data have specific information rights stemming from Article 6 and the new Article 6a of the Consumer Rights Directive, such as the right to get information on the possibility of recourse to a complaint mechanism. Furthermore, these consumers are now entitled to the right to withdraw from the contract, even if they do not pay a monetary price. The advantage of this right when it comes to contracts where consumers ‘pay’ with data is evidently more limited than when consumers pays with money. Nevertheless, this is the latest move by the EU to better protect consumers’ personal data.

In fact, the Digital Content Directive (also recently approved and available here) was the first to 'innovate' in this area, by acknowledging the need for consumer protection in contracts where the consumer ‘pays’ with data. The Digital Content Directive extended the remedies already provided by the Consumer Sales Directive (applicable to the sale of goods and now replaced by the Sale of Goods Directive) to digital content contracts, both where the consumer pays a monetary price and where the consumer ‘pays’ with personal data. According to Article 14, in case of lack of conformity, consumers who provide their personal data in exchange for a digital content product or a digital service are entitled to have the product or service brought into conformity (for example, through an update). Furthermore, consumers are entitled to terminate the contract in case of any lack of conformity (regardless of how minor). In case of termination, the rights in the GDPR must be respected, particularly when it comes to the right to be forgotten (Article 17 GDPR) and the right to data portability (Article 20 GDPR).  

The increasing efforts by the EU to protect the consumer who ‘pays’ with data are an acknowledgement of the importance that similar data-based business models will play in the contracts of the future. However, the treatment of personal data as a contractual counter-performance is not uncontroversial. For example, although the (previous) European Data Protection Supervisor welcomed the protection of data subjects through consumer law, the EDPS also vocally opposed the treatment of data as a counter-performance. Nevertheless, given the increase in the number of contracts concluded in exchange of (personal) data (think of Spotify, Facebook and other similar platforms that provide digital services), it seems important to develop (and adjust) a general contract law framework applicable to these contracts. This must be done alongside – and not in opposition to – the data protection framework.


Monday 17 February 2020

500 online businesses do not comply with consumer rights

Recently, the European Commission released the results of a screening (or ‘sweep’) of 481 retail e-shops (press release available here). The main finding was that more than 2/3 of the screened online businesses do not comply with EU consumer rights legislation (particularly the Consumer Rights Directive). This number means that consumers are not properly informed on their rights in 2 out of 3 shops.  

Article 6 of the Consumer Rights Directive establishes that in distance contracts consumers should be given a long list of information, including on the withdrawal right, on the legal guarantee and on the total price of the product. Furthermore – and most importantly -, this information must be given in a clear and comprehensible manner. However, according to the screening, more than 1/4 of the analyzed websites did not inform consumers about how to withdraw from a contract. This breaches Article 6(1)(h) of the Consumer Rights Directive. Furthermore, nearly 1/2 of the analyzed websites did not provide such information in a clear manner (particularly regarding the 14 days’ time limit). This breaches Article 6(1) of the Consumer Rights Directive. The failure to inform the consumer about the right to withdrawal is ‘punished’ by the Consumer Rights Directive with an extension of the period of withdrawal from 14 days to 14 days and 12 months (Article 10(1)).

The sweep also found a frequent breach of the pre-contractual duty to inform on the total price of the purchase. In fact, in over 1/5 of the consulted websites the price initially shown did not include additional charges such as delivery or postal charges. This breaches Article 6(1)(e) of the Consumer Rights Directive. Other findings show that over 1/3 of the analyzed businesses did not inform consumers about the 2-year legal guarantee to have a good repaired, replaced or reimbursed in case of a defect at the moment of delivery. This breaches Article 6(1)(l) of the Consumer Rights Directive.

The lack of adequate pre-contractual information is one of the biggest challenges faced by consumers, and one that the EU legislator has spent quite some time working on. Of course, one of the main problems of the information paradigm in EU consumer law is its lack of enforceability. Even though businesses often breach their duty to provide information in a clear way, it is (ironically) unclear what the legal and practical consequences for such a breach are. The Commission, however, promises an ‘in-depth investigation of the above-mentioned irregularities’ at national level and the subsequent request for traders to correct and improve the information they provide to consumers.

Tuesday 4 February 2020

From the news: Amazon and unsolicited shippings

As sustainable - and unsustainable! - consumption becomes increasingly topical in consumer law and policy, news from the UK suggest Amazon is not ready to change their game to face their responsibility viz the climate emergency. Incidentally, in doing so they also provide quite bad consumer service. 

What is the story? According to reporting by the Guardian, Amazon uk has more than once been in controversies with customers over unsolicited deliveries. While some mistakes can happen when a company arranges millions of shipments per year, several customers have been met by refusal when asking Amazon to take back what had been wrongly delivered - with the company suggesting that the consumers simply dispose of the (new, perfectly functioning) goods. 

In the latest news item, the mistaken delivery concerned an excercise bike weighting 28 kilos. An elderly customer from Bristol received the bike after having ordered a completely different product. 

"After finding his way through the maze of the Amazon website he says he eventually found a number to call where a very helpful person agreed to replace his missing logs. But when these arrived the second driver also refused to take the bike away." 
When Amazon instructed him to dispose of the particularly bulky good as he liked, the customer approached the Guardian. Amazon changed their mind after the newspaper got involved, accepting to take back the bike and sending amenities to the puzzled customer.

The company's original reply is broadly in line with article 28 of the Consumer Rights Directive - providing that in case of unsolicited supply of goods or services consumers are not required to pay (but, the rule implies, may keep what has been delivered). However, in case of numerous wrong deliveries or bulky items such as a training bike, inviting consumers to dispose of the good is both highly questionable in terms of sustainability and oblivious of consumer interest. As the Bristol consumer observes in the Guardian article, if he was instructed to keep the bike, this likely means that another customer, who had originally ordered the bike, was probably delivered another widget. 

Can we really not do better than this?






Sunday 2 February 2020

Data protection (violations) by default: stakeholder views and new developments in enforcement

Last weeks brought some interesting new developments in the implementation of the EU rules on data protection, such as the conditions for a valid consent to the processing of personal data and the principles of data protection by design and by default. As we observed numerously on this blog, the developments in data protection are of direct relevance to consumer law and policy, considering that business practices in the digital economy are often connected to the processing of consumer data and, as such, can come within the purview of both fields.

One of the major topic in the ongoing data protection debate concerns default settings. As readers may recall, several months ago we reported on the judgment of the Court of Justice in case C-673/17 Planet49 (CJEU confirms stricter requirements for valid cookie consent...). The case confirmed that - just like in the GDPR - consent referred to in Articles 2(f) and 5(3) of the E-Privacy Directive cannot validly be obtained by way of a pre-ticked checkbox, which the user must deselect to refuse his or her consent. 

Pre-ticked checkboxes and similar mechanisms of collecting consumers' "consent" by default are unfortunately still very present in the digital market. Furthermore, by applying the so-called dark patterns businesses can steer consumer behaviours in the direction they desire, even without the use of default settings (for an illustration see: Google tracks every step you take). Fortunately, practices of this kind not only attract attention of consumer organisations, but are also gradually engaged with by the law enforcers. Last week a higher regional court in Germany - Kammergericht Berlin - ruled on the case brought against Facebook by the national association of consumer organisations (vzbv). The case concerned a total of 26 alleged violations of consumer and data protection law, many of which were confirmed by the court. Default "consent" to location tracking, sharing a link to the users’ profile with search engines and the use of name and profile picture for commercial purposes have all been found to violate the applicable rules on data protection. By contrast, Facebook’s marketing claims that its services "are free and always will be" have not been considered misleading under national provisions implementing the UCPD.

On the latter point, one which turns around the question whether or not personal data constitutes a price, the emerging court practice is not entirely coherent. Just two weeks before the Berlin ruling, the Administrative Court in Lazio (Tribunale Amministrativo Regionale) partially upheld the decision of the Italian Competition and Market Authority (Autorità Garante della Concorrenza e del Mercato, AGCM) which considered an analogous slogan, directed at Italian users, to qualify as an unfair commercial practice. The AGCM has meanwhile launched proceedings against Facebook for the company's non-compliance with the prior decision.

All of this comes at a time of a broader discussion about the interplay of data protection law and consumer law and the application of the - often broadly framed - provisions of both the GDPR and the UCPD. A certain convergence of views appears to be forming between consumer organisations and data protection bodies, even if the relevant overlap is not always complete. It seems that consumer organisations are willing to accept the economic role of data whenever it is beneficial to consumers (like in the case of potentially misleading "free" claims). The European Data Protection Supervisor, however, has been arguing against any direct analogies between data and price, as illustrated by his position on the recent modernisation of the EU consumer rules (and previously on the digital content directive). When it comes to the data protection by design and by default the alignment between the two stakeholder groups seems even stronger. Last November the European Data Protection Board published Guidelines 4/2019 on Article 25 GDPR, which have largely been supported by the association of European consumer organisations - BEUC. The organisation welcomes the operationalisation of both principles, including through the proposed selection of performance indicators as well as the illustrative case studies. Nonetheless, the achievement of effective protection of consumer data in the digital economy has still a long way to go. Limited personal scope of Article 25 GDPR, which only imposes an obligation on controllers, and the lack of clarity on the role and responsibility of developers/processors have been mentioned as the major gaps to be filled.