The
recently approved Directive on the modernization of consumer protection rules (available
here) explicitly
extended the scope of the Consumer Rights Directive to contracts where the
consumer ‘pays’ with data, or contracts where the consumer provides personal
data in exchange for a digital content product or a digital service. This
extension means that consumers who ‘pay’ with their personal data have specific
information rights stemming from Article 6 and the new Article 6a of the Consumer
Rights Directive, such as the right to get information on the possibility of recourse
to a complaint mechanism. Furthermore, these consumers are now entitled to the
right to withdraw from the contract, even if they do not pay a monetary price.
The advantage of this right when it comes to contracts where consumers ‘pay’
with data is evidently more limited than when consumers pays with money.
Nevertheless, this is the latest move by the EU to better protect consumers’
personal data.
In fact, the Digital Content Directive (also recently approved
and available here)
was the first to 'innovate' in this area, by acknowledging the need for consumer protection in contracts where the consumer ‘pays’ with data. The Digital Content Directive extended the remedies
already provided by the Consumer Sales Directive (applicable to the sale of
goods and now replaced by the Sale of Goods Directive) to digital content
contracts, both where the consumer pays a monetary price and where the consumer
‘pays’ with personal data. According to Article 14, in case of lack of
conformity, consumers who provide their personal data in exchange for a digital
content product or a digital service are entitled to have the product or service
brought into conformity (for example, through an update). Furthermore, consumers
are entitled to terminate the contract in case of any lack of conformity (regardless
of how minor). In case of termination, the rights in the GDPR must be
respected, particularly when it comes to the right to be forgotten (Article 17
GDPR) and the right to data portability (Article 20 GDPR).
The
increasing efforts by the EU to protect the consumer who ‘pays’ with data are an
acknowledgement of the importance that similar data-based business models will
play in the contracts of the future. However, the treatment of personal data as
a contractual counter-performance is not uncontroversial. For example, although
the (previous) European Data Protection Supervisor welcomed the protection of data
subjects through consumer law, the EDPS also vocally opposed the treatment of data as a counter-performance. Nevertheless, given the increase in the number of contracts concluded
in exchange of (personal) data (think of Spotify, Facebook and other
similar platforms that provide digital services), it seems important to develop
(and adjust) a general contract law framework applicable to these contracts.
This must be done alongside – and not in opposition to – the data protection framework.
