Monday, 30 November 2020

New Digital Markets Unit in the UK - putting (some/few) platforms on notice

Another interesting piece of news from the past few days is the UK government announcing the setting up of the Digital Markets Unit ('New competition regime for tech giants to give consumers more choice and control over their data, and ensure businesses are fairly treated') within the Competition and Markets Authority (CMA). The Unit's main task will be to introduce and enforce 'a new code to govern the behaviour of platforms that currently dominate the market'. Is the UK attempting to follow the example of the German Federal Cartel Office (Bundeskartellamt) that has been cracking the whip against the potential abuses of the dominant position on the market of such digital service providers like Facebook (see The Facebook Decision: First Thoughts by Podszun)?

Perhaps, the government's announcement draws attention to the risks associated with the concentration of power in the tech sector, bluntly giving notice to the dominant players on the digital marketplace that they will be under enhanced surveillance in the foreseeable future. They will be expected to follow the new rules for behaviour set out in the code, which will likely require more transparency (as to the use of consumer data?), opt-in options for personalised advertising (the issue that was at play in the German Facebook case), facilitating users' swapping to use any rival platforms.

The DMU is to start their work in April and is supposed to be able to 'suspend, block and reverse decision of tech giants, order them to take certain actions to achieve compliance with the code, and impose financial penalties for non-compliance'. What is of interest to us, of course, is to what extent this new unit will be able to benefit consumer protection in the UK? This is uncertain at the moment, but it seems that any consumer protection benefits may be coincidental rather than intentional here. First, the Guardian reported that the new unit will have oversight only over platforms funded by digital advertising and having 'strategic market status' (Digital Market Unit: what powers will new UK tech regulator have?). This would limit the unit's purview, possibly even only to Facebook's and Google's activities. Second, the DMU will focus on preventing damage to news media... which suggests that the interests of UK news outlets may play out more centrally, over consumers' interests.

A lot will depend on the new code of conduct set by/for the DMU. We will then definitely let our readers know when the new code for the behaviour of these digital platforms is adopted!

GDPR complaints v Google: Will the (long) wait be worth it?

The European Consumer Organisation (BEUC) drew attention in the last week to the fact that when the national consumer organisations file complaints for infringements of the GDPR rules, the procedure is loooooong (Commercial surveillance by Google. Long delay in GDPR complaints). 
 
We have reported back in 2018 that several national consumer organisations have filed a complaint about Google's deceptive design (the use of dark patterns) to acquire their users' consent to constant tracking of their 'location history' (Google tracks every step you take). The complaints were lodged in various national data protection authorities in November 2019. It took until July 2019 for the decision to be made that the Irish Data Protection Commission will lead the investigation into the complaints. After another six months, in February 2020, we have found out that the Irish Data Protection Commission have also opened an investigation of their own motion (own volition inquiry). This means that there are two separate, but interlinked as they pertain to the similar reported infringements, procedures ongoing at the moment. 
 
Why? That is a very good question. What is the benefit of the opening up of a new procedure with/by the same authority? Supposedly, the own inquiry of the data protection authority will provide insights necessary to further resolve the submitted complaints. The date of any decision/report is unknown at the moment. Which raises the question whether submitting the GDPR complaints actually makes sense from the perspective of consumer protection. After all, whilst the procedure is ongoing and the complaints are pending, the reported practices have not been suspended.

Thursday, 26 November 2020

Restoring an effective balance through court-guided negotiations? CJEU in Banca B.SA v A.A.A (C-269/19)

 Dear readers, 

if you were hoping for some inspiring CJEU news to keep your mind away from pandemics, impending festivities and other disasters, we may this week have just what you were looking for - or not, but only time will tell :)

Yesterday, the CJEU's first chamber delivered a judgement sparked by the creativity of Romanian courts which could make courts in other Member States take a closer look at their potential role in unfair terms dispute. To understand the case, it is useful to take a small step back.

As you may remember, in a string of cases culminating famously in the Dziubak decision, the court had established that unfair terms may not be replaced unless two+1 conditions are fulfilled:

a) the contract must, under the applicable national law, not be capable of existence without the unfair term 

and

b) the invalidity must be to the consumer's disadvantage. 

If these two conditions apply, the term may be replaced with otherwise applicable non-mandatory rules - the existence of which is a third condition. What if there are no otherwise applicable rules?

In the case at stake, Romanian courts were struggling with exactly this problem. While on occasion, as in Dziubak, a consumer may actually prefer the whole contract to be invalidated, in several Romanian cases courts were left alone with the prospect of invalidating contracts or facing a stalemate. Some courts had sought to apply non-mandatory rules which had entered in force at a later stage and were thus not applicable to the contentious contracts, but other courts had decided to instate "regulated" negotiations between the parties. In its decision, the CJEU endorses - and, to a certain extent, even requires, this approach, making space for a new wave of procedural innovation in unfair terms adjudication. To what extent this will materialise, though, will of course depend on a number of factors, including importantly national legislation. Let's see what the court says. 

According to the CJEU, the Directive's article 6 does not seek to "prescribe uniform solutions" after a term has been declared unfair [see para 39]. However, once it has found a term unfair, the national court invested with the dispute must, "while taking into account all of its national law, take all the measures necessary to protect the consumer from the particularly unfavourable consequences which could result from the annulment of the loan, notably the fact that the seller or supplier could immediately claim the debt from the consumer" [para 41]. 

The above means that, in circumstances such as the ones at stake, nothing precludes a court from instating negotiations between the parties in order to establish a viable method for calculating the interest rate "provided that it sets out the framework for those negotiations" and that the negotiations themselves seek to establish "an effective balance" between the parties' rights an obligations, considering in particular the objective of consumer protection underlying the Unfair Terms Directive [see para 42]. In doing so, however, they should keep in mind that their intervention should not go beyond "what is strictly necessary to restore the contractual balance", which in turn means "to protect the consumer from the particularly unfavourable consequences" that annulment would bring about. A more substantive intervention would undermine the achievement of the paramount objectives pursued by the directive, namely restoring equality between the parties and deterring professionals from using unfair terms [para 44, para 38] 

Combined, the elements in the reasoning seem to suggest not only that the Directive does not preclude the instigation of "regulated" negotiations, but even that courts are required to take action in this way when this is allowed [or not prohibited] under the applicable national rules. While the CJEU's caveat against substantive intervention leaves open questions as to what courts should do in case negotiations stall, the decision seems mainly aimed at moderating the possibly harsh effects of the case-law which came to be epitomised in Dziubak while preventing consumer-unfriendly readings which some MS courts may be a bit too eager to embrace. 


Wednesday, 18 November 2020

Professional assignees of consumer claims may rely on the UCTD - CJEU in DelayFix (C-519/19)

The CJEU issued a judgment today in DelayFix case (C-519/19), which pertained to a dispute under Polish law involving aspects of both substantive and procedural consumer protection. Namely, a flight from Milan (Italy) to Warsaw (Poland) was cancelled and the passenger who was due compensation from the operating air carrier (Ryanair) for this cancellation assigned their claims to DelayFix. When DelayFix filed this claim in a Polish district court, Ryanair invoked a jurisdiction clause from their terms and conditions, which assigned the jurisdiction to Irish courts instead. The questions this situation raises are twofold, really: 1. whether the assignee of the passenger's claim for compensation is bound by a clause from the air carrier's terms and conditions that were incorporated in a contract of carriage between the passenger and the air carrier; 2. if yes, could the assignee invoke the unfairness of such a clause?

Assigning of claims and jurisdiction clauses
The CJEU reminds in this judgment that "(...)in principle, a jurisdiction clause incorporated in a contract may produce effects only in the relations between the parties who have given their agreement to the conclusion of that contract" (para 42). This results from the need to protect third parties who have not consented to such specific clauses. However, if, and only if, national law provides that when a third party, not privy to the original contract, succeeds the original contracting party in all their original rights and obligations, then that third party could be bound by the jurisdiction clause (para 47).

Validity of jurisdiction clauses
The CJEU reminds again that the validity of a jurisdiction clause needs to be assessed in light of the law of the country whose courts are designated in that clause, i.e. Irish law in this case (paras 49-50). This, of course, means that the UCTD remains applicable, as well, as it applies to the contracts concluded in the air transport sector (para 52). The interesting observation of the CJEU comes from paras 53-54, where the CJEU invokes a previous judgment in the Lexitor case (see our comment here) as setting a precedent to apply EU consumer law regardless the identity of the parties in the dispute, but on the basis of the capacity of the parties to the agreement. The CJEU further states that this should be applicable to the UCTD. The following parts of the judgment are unsurprising, as the CJEU reminds that jurisdiction clauses are likely to be considered unfair as they may hinder the consumers' rights to take legal action (paras 55-59).


Monday, 16 November 2020

Interpretations of PSD2 in C-287/19 DenizBank AG

On November 11th the CJEU delivered a judgment in C-287/19 DenizBank AG v Verein für Konsumenteninformation on the interpretation of  Directive 2015/2366 on Payment Services (PSD2).

The facts

VKI an Austrian consumer protection organization brought proceeding for a prohibitory injunction infront of Handelsgericht Wien asking the court to prohibit DenizBank from using several clauses in their standard terms with consumers on grounds that they are null and void. The validity of these clauses were questions in relation to the card’s NFC (Near Field Communication) functionality that enables customers to use contactless payment for low value transactions. The case provided an opportunity to the CJEU to provide interpretation on several aspects of PSD2.

Validity of tacit consent to contract variation

With the first question the Austrian Supreme Court asked whether Article 52(6)(a) of Directive 2015/2366, read in conjunction with Article 54(1), should be interpreted to mean that the payment service providers may agree with the payment service users (who are in this case also consumers) in the framework contract to include a presumption that when the conditions laid down in the contract are satisfied, the payment service users tacitly consented to contract variation.

The CJEU reminded that the tacit consent that is provided for and thus agreed between the parties in advance at the point of contract conclusion of the framework contract is only valid if the change in terms and conditions is of minor importance to the contract. The court emphasized that in case of changing any of the essential terms that would result in a new contract, tacit consent would not be enough. Although the CJEU does not specify, it might be important to note that a framework contract here should be the contract that provides the card, in case of debit cards, this would be the bank account.

The CJEU confirmed that the provision indeed provide for a freedom of payment service providers and users to include these kind of clauses into their contracts, because PSD2 does not lay down restrictions regarding the status of the user or the type of contractual terms that may be the subject of such tacit consent. In principle therefore the validity of tacit consent could not be ruled out. However, in transactions with consumers, the clause should also be subject to an independent review under the Directive 1993/13/EC on unfair terms and may thus be removed from the contract for being unfair.

Meaning of a ‘payment instrument’

With the second question the referring national court asked for clarifying meaning of payment instrument in Article 4(14). More specifically, whether the NFC functionality of personalised multifunctional bank cards by means of which low-value payments are debited from the bank account associated with that card constitutes a ‘payment instrument’.

Under Article 4(14) a ‘payment instrument’ is ‘a personalised device(s) and/or set of procedures agreed between the payment service user and the payment service provider and used in order to initiate a payment order’.

According to the CJEU, the NFC functionality of a multifunctional bank card associated with a specific bank account does not constitute a ‘personalised device’, since the use of that function, in itself, does not allow the payment service provider to verify that the payment order was initiated by a user authorised for that purpose, unlike the other functions of that card which require the use of personalised security data, such as a PIN code or a signature. However, the NFC functionality is capable of constituting, in itself, a non-personalised ‘set of procedures’, within the definition and can thus be considered a ‘payment instrument’ for the purposes of the application of PDS2.

Meaning of ‘anonymous’ use

Further on, the CJEU also had an opportunity in this case to interpret the meaning of ‘anonymous’ within Article 63(1)(b), specifically, whether contactless low-value payment using the NFC functionality of a personalised multifunctional bank card constitutes ‘anonymous’ use of the payment instrument.

Article 63 allows for contracting parties to agree to several important derogations from the protective framework of PDS2 for low value  individual payment transactions not exceeding EUR 30 or which either have a spending limit of EUR 150, or store funds which do not exceed EUR 150 at any time. These include derogation from Article 72 which requires the provider to prove the authentication and execution of payment transactions; from Article 73 which establishes the principle that the service provider is liable for unauthorised payment transactions; and from Article 74(1) and (3) which enables the parties to confer some responsibility for unauthorised payments on the payer for up to EUR 50. These derogations are only possible under Article 63(1)(b) where ‘the payment instrument is used anonymously’ or where ‘the payment service provider is not in a position for other reasons which are intrinsic to the payment instrument to prove that a payment transaction was authorised’.

The CJEU held that despite the facts that the card itself is personalized, connected to a bank account of a particular customer, the use of the NFC functionality for the purpose of making low-value payments constitutes ‘anonymous’ use, within the meaning of Article 63(1)(b). The payment service provider is objectively unable to identify the person who paid using that functionality and thus unable to verify, or even prove, that the transaction was duly authorised by the account holder.

Consequently, contactless low-value payment using the NFC functionality of a personalised multifunctional bank card constitutes ‘anonymous’ use of the payment instrument in question, within the meaning of Article 63(1)(b).

The ways to prove impossibility to block or prevention of future use of payment instrument

Article 63(1)(a) allows the payment service provider and the user to agree on further derogations from the protecting framework of PDS2, that is, from Article 69(1)(b) which requires the user to inform the provider without delay of the loss, theft, misappropriation or any unauthorised use of the payment instrument concerned; from Article 70(1)(c) and (d) of which requires the provider to make available to the user means to make that notification free of charge or to request unblocking of that instrument; and from Article 74(3) which relieves the payer, except where he or she has acted fraudulently, from the financial consequences of any use of the lost, stolen or misappropriated instrument that takes place after that notification.
These derogations are possible to achieve if
the payment instrument does not allow its blocking or prevention of its further use. So the question infront of the CJEU was whether payment service providers may simply declare that it is impossible to block the payment instrument concerned or to prevent its continued use, where, in the light of the objective state of available technical knowledge, that impossibility cannot be established.

The CJEU concluded that this is not the case. The ‘payment service provider wishing to exercise the option provided for in Article 63(1)(a) … may not, in order to relieve itself from its own obligations, simply state, in the framework contract relating to the payment instrument concerned, that it is unable to block that instrument or to prevent its further use. That service provider must establish, with the burden of proof being on that provider in the event of a dispute, that that instrument in no way allows, on account of technical reasons, its blocking or prevention of its further use. If the court hearing those proceedings considers that it would have been physically possible to carry out such blocking or to prevent such use, having regard to the objective state of available technical knowledge, but that the provider did not make use of that knowledge, Article 63(1)(a) may not be applied to the benefit of that provider’ (para 98).

Friday, 13 November 2020

Dark patterns and conditions for a valid consent to data processing - judgment of the CJEU in C‑61/19 Orange Romania

Earlier this week, the Court of Justice delivered a judgment in case C-61/19 Orange Romania, concerned with the conditions for a valid consent to the processing of personal data under EU data protection law (the Data Protection Directive 95/46/EC and the General Data Protection Regulation 2016/679, which remains in effect as of May 2018). The case follows up on the previous ruling in C-673/17 Planet49, on which we commented last year (see also: Planet49: Pre-Ticked Checkboxes Are Not Sufficient...). Aside from confirming the importance of an "active" consent, the Court elaborates on the requirement for consent to be informed, specific, unambiguous and freely given, building bridges to important categories known from consumer law, such as transparency and misleading practices.

Facts of the case

The dispute goes back to a fine imposed by the Romanian data protection authority on the provider of mobile telecommunications services, Orange România, for an allegedly unlawful storage of the copies of customers' identity documents. In particular, the authority argued, the data controller failed to demonstrate that the data subjects had given their valid consent to the contested processing. What makes the case interesting is that the storage of ID cards was, in fact, explicitly mentioned in the contracts which Orange concluded with its customers. Specifically, the following wording is cited:

"The customer states that: ... (ii) Orange România has provided the customer with all the necessary information to enable him or her to give his or her unvitiated, express, free and specific consent to the conclusion and express acceptance of the contract; (iii) he or she has been informed of, and has consented to [numerous types of processing, including the storage of copies of documents containing personal data for identification purposes]."

As seen from above, both the declaration of "consent" and the confirmation of having received the associated information were pre-forumlated by the trader. At least in certain cases they were also already "pre-ticked". In fact, however, consent to the storage of the copies of ID cards was not necessery for entering into a contract and customers, who refused to consent, were not prevented from the contract conclusion. Data subjects who did not wish their ID cards to be copied, though, were asked to go through additional steps, most notably confirm their refusal in a specific form, which, like pre-ticked checkboxes, can be regarded as an example of dark patterns in action (or, in this case, "sludge"). 

Against this backgroud, doubts have been raised, among others, as to whether the clauses on data processing were sufficiently distinct from the remaining parts of the documents, whether the data subjects were not misled about the possibility of refusing consent to the storage of ID cards and, if so, whether this could have an impact on the validity of their consent.

Legal provisions

Even though the contested fine was imposed on Orange România prior to the date of application of the GDPR, the Court of Justice decided to provide guidance on both Directive 95/46/EC and Regulation 2016/679. Key norms subject to the analysis where those laying down conditions for a valid consent. Focusing on the GDPR, attention should be drawn to its Article 6(1)(a), listing data subject's consent among the grounds for the lawful professing of his or her personal data, and to Article 4(11), which defines "consent" as any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Of relevance are further the associated information duties in Article 13 as well as (non-binding) clarification of the above in recitals 32 and 42.

Judgment of the Court

While the specific assessment of the case at hand has been left to the national court (in line with the nature of preliminary reference procedure), the judgment provides important guidance on the legal provisions to be applied. In particular:

  • The Court recalls that for consent to be validly expressed (by the data subject) and later demonstrated (by the controller), the corresponding wish of the data subject should be reflected in his or her active behaviour. In particular, unambiguous and informed consent cannot be inferred from the fact that the data subject did not deselect a pre-ticked checkbox (paras. 35-37, 45-46; on the burden of proof, see also paras. 42, 51).
  • The judgment goes on to discuss the definition of consent as a "specific" indication of data subject wishes, highlighting the requirements of Article 7(2) (presentation of the request for consent in a manner which is clearly distinguishable from the other matters) and recital 42 of the GDPR (presentation of pre-formulated declarations in an intelligible and easily accessible form, using clear and plain language). The latter is especially worth highlighting, as it directly refers to Directive 93/13/EEC on unfair terms in consumer contracts. Transparency of declarations is also considered relevant for establishing whether consent so expressed has been informed. What is more, corresponding information provided by the controller "must enable the data subject to be able to determine easily the consequences of any consent he or she might give", which again brings to mind the requirements for substantive transparency known from consumer law stricto sensu (paras. 38-40, 47-48). The latter may have significant impliactions for the validity of consent to the processing of personal data in the context of automated decision-making.
  • Finally, an important part of the judgment concerns the requirement for consent to be freely given (and again informed). In para. 41, the Court observes that "in order to ensure that the data subject enjoys genuine freedom of choice, the contractual terms must not mislead him or her as to the possibility of concluding the contract even if he or she refuses to consent to the processing of his or her data" (similarly para. 49). This brings to mind the notions of misleading actions and ommissions, known from Articles 6 and 7 of Directive 2005/29/EC on unfair commercial practices (note that the Directive refers directly to the "freedom of choice" only in the subsequent provision on aggressive practices). At a later point of the judgment, the Court also questions the free nature of consent in the case at hand in view of the additional burden (sludge) imposed by the controller on the data subjects who wish to refuse consent (para. 50). As in the other instances, however, an assessment is ultimately left to the referring court. 

Concluding thoughts

Overall, the judgment provides for a range of important reference points, which may help to increase the level of consumer and data protection in the EU. Worth noting are the recurring references to the requirement of an "informed" consent, which appears to complement and reinforce all other conditions. The judgment underlines the close connection between data protection and consumer law stricto sensu, which has long been observed in the literature. Recognition of the role of (substantive) transparency and of potentially misleading practices in assessing consent validity is also to be welcomed. Both seem especially relevant in the digital market, where the consequences of consent are often difficult to determine and where dark patterns remain prevalent.

Monday, 2 November 2020

(Non-)Existence of right of withdrawal must be unconditional – CJEU in C‑529/19

In Case C529/19 (here), the CJEU interpreted the Consumer Rights Directive, particularly the right of withdrawal and its exceptions (Article 16). In this case, the consumer bought a fitted kitchen from Möbel Kraft (a German furniture company) at a trade fair. Later, the consumer communicated to Möbel Kraft its wish to withdraw from the contract. Consequently, the consumer refused to accepted delivery of the kitchen. In response, Möbel Kraft sued for breach of contract. Möbel Kraft had not yet started to manufacture the kitchen parts at issue when the consumer withdrew from the contract.

While Article 9 of the Consumer Rights Directive gives consumer the right to withdraw from an off-premises or distance contract, Article 16 lists several situations where that right does not apply. One of those situations is when the consumer buys goods made to the consumer’s specifications or clearly personalized (Article 16(c)). Given Article 16(c), the referring court asked the CJEU whether the consumer’s right to withdraw from an off-premises contract is also excluded in case where goods are made according to the consumer’s specifications, but the seller has not yet begun to produce the goods and therefore does not incur in any (or few) costs in case of the consumer’s withdrawal.

The CJEU starts by clarifying that the contract in question can only be considered an off-premises contract if it was not concluded at the trade fair stand, which can be seen as ‘business premises’ according to Article 2(9) of the Consumer Rights Directive. Then, the CJEU states that there is nothing in the Consumer Rights Directive that indicates that the exception of Article 16(c) is dependent on the occurrence of any event after the conclusion of the off-premises contract (para 24). In fact, the CJEU states that this exception is inherent to the subject matter of such a contract. In other words, the application of this exception is independent from the stage of performance of the contract (or the stage of production of the products in question) (para 24). Consequently, the CJEU determines that the exception to the right of withdrawal in off-premises contracts where the consumer acquires personalized goods applies from the outset of the contract. The CJEU extracted this conclusion not only from the literal element of Article 16(c) but also from its systematic element, since Article 6(1)(h) and (k) of the Consumer Rights Directive impose a pre-contractual duty on the trader to inform the consumer of the existence or absence of a right of withdrawal (para 25). If the existence of a right of withdrawal would be dependent on a decision of the trader (namely when to start performing the contract), the goal of providing the mandated pre-contractual information would be frustrated (para 27). Finally, to allow the right of withdrawal to depend on the moment in time where the trader starts to produce the goods would be contrary to legal certainty (para 28).

With this decision, the CJEU establishes the inflexible character not only of the right of withdrawal but also of its exceptions. The CJEU’s decision opts for legal certainty over consumer protection considering that, in practice, this means that every time that a consumer acquires a personalized product she can never withdraw from that contract, regardless of the actual costs suffered by the business. Therefore, the CJEU directly contradicts national case law from, for example, the Bundesgerichtshof, which previously determined that the right of withdrawal is not excluded if the goods can be restored at a low cost to the condition they were in prior to the personalization.