The long-awaited Data Act proposal finally (officially) published

For several years, the European Union has been developing a new digital policy framework that aims to comprehensively regulate the data space in the EU. One of the EU's policy objectives is to make the data generated by humans nad machines, especially in the context of IoT devices, more accessible, thereby unlocking the enormous but still under-used potential of this data. According to the European Strategy for Data released in 2020, this objective is to be achieved, inter alia, through the adoption of a so called Data Act - a regulation on harmonised rules on fair access to and use of data. A leaked version of this act had been circulating on the Internet since the beginning of February, but it was not until 23.02.2022 that it was officially published by the European Commission. 

Although Data Act is mostly focused on business-to-business and business-to-government data sharing, it is also important for consumer protection in the digital environment. As we can read in the proposal’s explanatory memorandum:

a high level of consumer protection is reinforced with the new right to access user generated data in situations previously not covered by Union law. The right to use and dispose of lawfully acquired possessions is reinforced with a right to access data generated from the use of an Internet of Things object. This way, the owner may benefit from a better user experience and a wider range of, for example, repair and maintenance services. In the context of consumer protection, the rights of children as vulnerable consumers deserve specific attention and the rules of the Data Act will contribute to clarity about data access and use situations. [p. 13]

and

The proposal facilitates the portability of the user’s data to third parties and thereby allows for a competitive offer of aftermarket services, as well as broader data-based innovation and the development of products or services unrelated to those initially purchased or subscribed to by the user. [p.13]

Freepik.com

These assumptions are reflected mainly in the Chapter II of the proposal, which introduce a.o: 

• obligation to make data generated by the use of products or related services accessible (Article 3);
• the right of users to access and use data generated by the use of products or related services (Article 4);
• right to share data with third parties (Article 5);
• obligations of third parties receiving data at the request of the user (Article 6).

The proposal will now be further debated under the legislative path before the European Parliament and the Council. It will certainly be discussed among the scientific community and consumer organisations. The EC proposals, although at first glance reasonable and necessary, require an in-depth analysis in particular from the perspective of already existing data protection and consumer law. Let us just remind that under the GDPR, data subjects have the right of access to their data (Article 15 GDPR) and the right to data portability (Article 20 GDPR). The effective exercise of these rights is sometimes problematic in practice, for example due to the lack of actual control by the controller over data flows or the lack of interoperability between devices/services, making it impossible to transfer data from one provider to another. It is also important to remember that devices that we use every day as consumers may generate not only data containing personal information (and therefore qualifying as personal data), but also non-personal data of a technical nature, containing valuable information about how the devices function or are used by consumers. At the same time, due to the large volumes of data that are produced in IoT devices and services, the differences between personal and non-personal data are increasingly difficult to grasp. For these reasons, the Data Act is a piece of EU legislation that has been long awaited and much anticipated. We can therefore expect the debate surrounding this act to be very lively and interesting.

Fascinating judgment of CJEU in Tiketa (C-536/20): Intermediaries share responsibility under CRD, Transparency: Cinderella before the ball

The CJEU issued another judgment today in the Tiketa case (C-536/20), which interpreted provisions of the Consumer Rights Directive, focusing on information obligations and the principle of transparency in a pre-pandemic scenario of consumers making expenses to attend events, which they have not been informed had been cancelled. 

A Lithuanian consumer in this case purchased online a ticket to an event from a ticket distributor - Tiketa. Information on the website and on the ticked delivered upon purchase to the consumer let him know that the event organiser was 'Baltic Music', their contact information and that they bear full responsibility for the event. Terms and conditions on the ticket mentioned also that if the event was cancelled, event organiser would be responsible in full for the ticket price. The entitlement to a refund of the ticket price was not contested here, but rather whether consumer could claim further damages and if yes, from whom - event organiser and/or ticket distributor? After all, the consumer made expenses to travel to the event site to only days later receive information about the event's cancellation. 

Traders and persons acting on their behalf

The first question inquired about the application of the notion of a 'trader' from Article 2(2) CRD. Could this notion apply to two subjects in one case scenario: to a trader and a person acting on their behalf, and could it then mean that they both could be held liable by consumers for breach of their obligations? This is a very relevant question in the era of digitalisation, whether we consider digital influencers or online platforms as potentially acting on behalf of traders whose products they promote.

Lithuanian case drew attention to the difference between language versions of the CRD, which could result in intermediaries being considered 'traders' only in some Member States (e.g. France), as others (e.g. Lithuania) recognised a person acting on behalf of a trader as a 'trader' only if they were acting for purposes relating to their own trader, business, craft or profession. Unsurprisingly, the CJEU, following purposive construction rules - supports a broad interpretation of the notion of a 'trader', encompassing also intermediaries (paras 31-32).

More importantly, the CJEU considers that both a trader and an intermediary could be held jointly responsible for the performance of information obligations under the CRD towards consumers, even if they both facilitate provision of the same service. The Court highlights the purpose of CRD as ensuring that consumers are being informed by traders, broadly defined in Article 2(2), rather than by their contractual counterparties. Hence, if a consumer does not receive mandatory information, the intermediary cannot escape liability for breach of CRD provisions by clearly indicating their intermediary position in the transaction (contrarily, to intermediaries liability for non-conformity, pursuant to Wathelet case) (paras 33-34) (see our case note here).

Comment

What does this judgment mean in practice for the online environment is the key question here? A lot of online webshops - distributing products of other traders - could likely be seen as acting on their behalf, and thus would now have either additional due diligence duties, i.e. checking what information these traders share with consumers, or will need to start providing mandatory information themselves. 

What about online platforms and digital influencers? If they were seen as acting on behalf of traders, as well, this information duty would include them, too.

Mandatory information in standard T&Cs

The answer to the second question was long awaited by the academic community: Could online traders provide mandatory information to consumers only by including it in their standard terms and conditions and asking consumers to tick a box that they have accepted these? Was that transparent provision of mandatory information?

Disappointingly, the CJEU does not condemn this standard online market practice. The CJEU focuses its reasoning on the fact that the CRD does not prescribe a method for communication of pre-contractual information to consumers in Article 6(1) or Article 8. The Court distinguishes this situation from a clearly prescribed method for communicating information after the contract was concluded - on a durable medium (para 46).

Comment

What is a missed opportunity by the Court in this case is the elaboration on the principle of transparency and its role in assessing the adequacy and effectiveness of the form in which information is given to consumers. The CJEU does not even mention transparency: whether information provided in standard terms and conditions could be perceived as provided not in a 'clear and comprehensible manner' due to it being less visible or less accessible to consumers? It seems that the answer provided on this point hinged on a technicality, rather than examine broader principles of consumer protection and its aims. Transparency remains a Cinderella before the ball, waiting for her godmother to dust her off.

Connection in EU insufficient for compensation of delayed flights - CJEU in Airhelp (C-451/20)

Today the CJEU issued a judgment in Airhelp case (C-451/20 - not yet in English) regarding interpretation of air passengers rights and Regulation 261/2004. You may check our previous post on the AG's opinion in this case here. The CJEU evaluated the applicability of the Regulation 261/2004 to the factual scenario presented by this case differently than the AG, which means that it found the operating air carrier not liable. 

A brief reminder: the case concerned connecting flights, with the original point of departure and the final destination in a third country. Consequently, the connecting factors to the EU and the applicability of Regulation 261/2004 were limited to: 1) Community-based operating air carrier (Austrian Airlines), and 2) connection taking place in Vienna.

AG Saugmandsgaard Øe considered the above two factors sufficient to apply Regulation 261/2004, preferring a pro-passenger, broad interpretation of the provisions of the Regulation, and warning against a possibility of different treatment for passengers on the same (delayed or cancelled) flight, depending on how their whole journey was planned. 

The CJEU interpreted provisions of Article 3 Regulation strictly finding that the place of the connection is neither the place of departure nor arrival mentioned in this provision (para 23) and that the connected flights covered by one reservation should be evaluated jointly (para 26). The CJEU highlights the need for consistent interpretation here, thus if connecting flights are treated jointly for the purposes of estimating passengers' rights to compensation, they should not be 'artificially' separated for the purposes of assessing when Regulation 261/2004 is applicable (para 28). 

Further, the CJEU considers the systematic incoherence of Article 3 Regulation 261/2004 that could follow if the interpretation preferred by AG Saugmandsgaard Øe was supported. It does not address, however, concerns as to potential unequal treatment of various passengers of the same flight, focusing instead on assuring legal certainty of these provisions.

Public consultation time: Package Travel Directive

The European Commission just announced opening of a new public consultation, this time regarding the effectiveness of the new protection framework for package travel contracts and linked travel arrangements, incl. protection against insolvency of travel organisers. If you have thoughts, experience, comments on this, as well as ideas for the improvement of the framework - you could report these until 10 May 2022 on this website. A separate review/consultation is announced to follow shortly, on the topic of protection of passengers in stand-alone transport arrangements. 

Place of performance for multi-leg journeys - CJEU in LOT Polish Airlines (C-20/21)

Last week, on 3 February 2022, CJEU issued another judgment interpreting Article 7 Regulation 261/2004 on air passenger rights this time in combination with the interpretation of Article 7 Regulation 1215/2012 (Recast Brussels Regulation) in the case LOT Polish Airlines (C-20/21). The dispute concerned the jurisdiction of a national court over a claim for compensation of a delayed flight. 

The flight in case consisted of two legs of a journey with Lufthansa AG - Warsaw (Poland)-Frankfurt am Main (Germany)-Malé (Maldives). The first flight was operated by LOT Polish Airlines and its delay led the passengers to miss the second flight and arrive in Malé with more than 4 hours of a delay. The passengers claimed compensation for a delayed flight with a local court in Frankfurt am Main (Amtsgericht Frankfurt), which then disputed its jurisdiction as neither a place of departure or arrival listed in the contract of carriage (para 10). The referred question asked whether Frankfurt could be perceived as a place of performance pursuant to Article 7(1)(b) Regulation 1215/2012, which allows to determine domicile in contractual disputes regarding provision of services with reference to the place in which services were provided or should have been provided.

Previously, the CJEU has already confirmed the applicability of the jurisdiction rules governing contractual disputes to air passengers, regardless of the fact that their claims may be directed at operating air carriers with whom they did not conclude a contract (flightright and Others). The CJEU now reiterates the rules on determining jurisdiction for disputes where there are several places in which services were provided to looking for a place with the closest connecting factor between the contract and the court having jurisdiction (para 22). This tends to be the place where the 'main provision of services is to be carried out' (see Rehder). This should not be limited to the place of first departure and last arrival for a journey that consists of various legs (para 23). However, in the current case as the dispute arises from the delay of the first flight and the claim is raised against the air carrier operating that first flight, it seems that the place of first departure remains closely linked to the dispute and hence courts of that place should have jurisdiction (para 25). Consequently, the CJEU considers the courts of the place of arrival of the first leg of the journey not to have jurisdiction (para 27). The claim should be brought to courts of Warsaw rather than Frankfurt then, which is also considered to guarantee predictability and legal certainty for both parties (para 26).

Cookies, Google Analytics, transfers of PRN data and new guidelines on the right of access… Wrapping-up January events in data protection

The New Year brought us some interesting developments in the data protection landscape. There are a few January facts worth noting:

Fines imposed on Google and Facebook for non-compliance with the cookie rules 

At the beginning of January*, the French supervisory authority, Commission Nationale de l'Informatique et des Libertés (CNIL), imposed a 150 million euro fine on Google and a 60 million euro fine on FACEBOOK IRELAND LIMITED - both for violations related to the use of cookies. According to the authority, users of sites owned by the companies (namely google.fr, youtube.com and facebook.com) cannot reject cookies as easily as they can accept them. Accepting cookies is possible with a single click of a button on the page, while the equivalent option is not available for refusing cookies. Denying consent to cookies requires more involvement on the part of the user and at least several clicks. As a result, such a complicated refusal mechanism may act as a disincentive for users, so that they are more likely to accept cookies against their will. This in turn violates Article 82 of the French law transposing the provisions of the e-Privacy Directive. It also fails to meet the requirements of legally binding consent under the GDPR.

Freepik.com

As a reminder, this is not the first sanction imposed by the CNIL on Google. In December 2020, the CNIL also fined Google LLC and Google Ireland Limited 100 million euro, because a large number of cookies used for advertising purposes was automatically deposited on a user's computer, without obtaining prior consent and without providing adequate information. The Google companies filed an appeal against the decision, but the French Council of State in late January 2022 upheld the CNIL's decision. 

Use of Google Analytics not compliant with the GDPR

January was not a successful month for Google in terms of data protection. In addition to the above penalties, the Austrian Data Protection Authority found that a tool used on many websites, Google Analytics, violates the protection of EU citizens' personal data.** Why? Because the tool transfers personal data to the United States, and in the US, Europeans' personal data is not adequately protected. Previously, personal data from the EU to the US could be transferred under the EU Commission's decision on the adequacy of the protection provided by the EU-US Privacy Shield, but since the CJEU declared that decision invalid in mid-July 2020, data controllers should base data transfers on a different legal ground (for example, on standard contractual clauses). The problem is that the US law does not provide sufficient protection against access to personal data by various public authorities, regardless of the legal basis on which personal data is transferred. And regardless of the fact that EU-US data transfers became illegal literally overnight, many companies continue to transfer personal data to the United States, mainly using IT tools provided by US companies, just like Google Analytics or other similar technologies. The decision of the Austrian authority is therefore not surprising, but it certainly provides another confirmation that transfers of personal data to the US are legally questionable. Companies should examine their practices and consider choosing alternative European IT tool providers. But not only companies! Looks like the European Parliament should too - the European Data Protection Supervisor also issued a decision in January this year in which he questioned the legality of data transfers collected via cookies on one of the EP's websites. 

Freepik.com

EU rules on the collection of air passenger information are in line with the EU Charter of Fundamental Rights and the GDPR, but with some reservations

On the 27th of January, AG Pitruzzella delivered his opinion in case C-817/19 Ligue des droits humains concerning, inter alia, the interpretation of the provisions of Directive 2016/681 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. AG Pitruzzella assumes that the transfer of PNR data and the pre-travel screening of air passengers by means of automated processing of such data is generally compatible with Articles 7 and 8 of the EU Charter of Fundamental Rights. However, he also pointed out that such data should only be stored when necessary in view of a serious and genuine threat to security and for a period limited to the minimum necessary. 

This case deserves a wider comment and a separate blog post, so we will come back to this topic shortly, as soon as the English version of the opinion is published on the Court's website. 

Guidelines on data subject rights - right of access

Finally, at the end of January, the European Data Protection Board published new guidelines on data subjects' rights, specifically on the right of access to data. For the time being, this is the version for public consultation. The feedback period is now open, so make your voice heard until March 11th!

* To be precise - CNIL's decisions were issued on December 31, 2021, but the information about the fines was published on the authority's official website in the first days of January. 

** Again, the decision was issued just before Christmas, but published on January 12, 2022.