Showing posts with label beuc. Show all posts

Thursday, 10 April 2025

Third party litigation funding and consumer redress

The EU Commission has recently published a comprehensive Study on Mapping Third Party Litigation Funding in the European Union, including all EU member states. Although the study covers all aspects of third party litigation funding, such funding is a potentially powerful tool for enforcing consumer rights, especially in complex and costly collective redress actions, and the study can therefore be of interest to practitioners and academics alike interested in better enforcement of consumer rights. See also BEUC's view on third party litigation funding for collective redress.

Monday, 22 March 2021

New study on consumer protection in the digital age: should the burden of proof in the UCPD be reversed?

Earlier this month a very interesting report by Natali Helberger, Orla Lynskey, Hans-W. Micklitz, Peter Rott, Marijn Sax and Joanna Strycharz was published by BEUC. The study entitled "EU consumer protection 2.0: Structural asymmetries in digital consumer markets" addresses a number of topical issues concerning consumer protection in the digital age and consists of the following parts:
  1. Surveillance, consent and the vulnerable consumer. Regaining citizen agency in the information economy
  2. Personalised pricing and personalised commercial practices
  3. A universal service framework for powerful online platforms

The first and most extensive part has a foundational nature and considers the key premises of consumer protection in view of structural asymmetries observed in digital consumer markets. Attention is paid, among others, to the concepts of digital vulnerability and consent. Following existing research, the authors remark that consumer vulnerability should not be reduced to internal characteristics, but can also be caused by external conditions, and that data-driven practices that promote exploitation of vulnerabilities can be linked to the lack of privacy. At the same time, privacy controls placed at consumers' disposal are often not effective and can lead to a false sense of security. The most ground-breaking conclusions and recommendations, however, follow from the subsequent analysis of what is described as "digital asymmetry". According to the authors, instead of focusing on the information aspect of the UCPD and the different consumer images, more weight should be attached to the structural power relations, including the power embedded in digital choice architectures controlled by online platforms. On this basis, a case is made for reversing the burden of proof in the UCPD so that effectively "unfairness of data exploitation strategies is presumed" (p. 77).

The second part of the study looks more specifically at personalised pricing and advertising, and the third part explores how obligations traditionally associated with services of general interest (SGI) could be applied to the platforms considered to hold a gatekeeper position.

We encourage our readers to consult this thought-provoking study, the full text of which can be found here.

Monday, 30 November 2020

GDPR complaints v Google: Will the (long) wait be worth it?

The European Consumer Organisation (BEUC) drew attention in the last week to the fact that when the national consumer organisations file complaints for infringements of the GDPR rules, the procedure is loooooong (Commercial surveillance by Google. Long delay in GDPR complaints). 
 
We reported back in 2018 that several national consumer organisations had filed a complaint about Google's deceptive design (the use of dark patterns) to acquire their users' consent to constant tracking of their 'location history' (Google tracks every step you take). The complaints were lodged with various national data protection authorities in November 2019. It took until July 2019 for the decision to be made that the Irish Data Protection Commission will lead the investigation into the complaints. After another six months, in February 2020, we found out that the Irish Data Protection Commission has also opened an investigation of its own motion (own volition inquiry). This means that there are two separate procedures ongoing at the moment, interlinked as they pertain to similar reported infringements.
 
Why? That is a very good question. What is the benefit of the opening up of a new procedure with/by the same authority? Supposedly, the own inquiry of the data protection authority will provide insights necessary to further resolve the submitted complaints. The date of any decision/report is unknown at the moment. Which raises the question whether submitting the GDPR complaints actually makes sense from the perspective of consumer protection. After all, whilst the procedure is ongoing and the complaints are pending, the reported practices have not been suspended.

Sunday, 2 February 2020

Data protection (violations) by default: stakeholder views and new developments in enforcement

The last weeks brought some interesting new developments in the implementation of the EU rules on data protection, such as the conditions for a valid consent to the processing of personal data and the principles of data protection by design and by default. As we have observed numerous times on this blog, the developments in data protection are of direct relevance to consumer law and policy, considering that business practices in the digital economy are often connected to the processing of consumer data and, as such, can come within the purview of both fields.

One of the major topics in the ongoing data protection debate concerns default settings. As readers may recall, several months ago we reported on the judgment of the Court of Justice in case C-673/17 Planet49 (CJEU confirms stricter requirements for valid cookie consent...). The case confirmed that - just like in the GDPR - consent referred to in Articles 2(f) and 5(3) of the E-Privacy Directive cannot validly be obtained by way of a pre-ticked checkbox, which the user must deselect to refuse his or her consent.

Pre-ticked checkboxes and similar mechanisms of collecting consumers' "consent" by default are unfortunately still very present in the digital market. Furthermore, by applying the so-called dark patterns businesses can steer consumer behaviours in the direction they desire, even without the use of default settings (for an illustration see: Google tracks every step you take). Fortunately, practices of this kind not only attract attention of consumer organisations, but are also gradually engaged with by the law enforcers. Last week a higher regional court in Germany - Kammergericht Berlin - ruled on the case brought against Facebook by the national association of consumer organisations (vzbv). The case concerned a total of 26 alleged violations of consumer and data protection law, many of which were confirmed by the court. Default "consent" to location tracking, sharing a link to the users’ profile with search engines and the use of name and profile picture for commercial purposes have all been found to violate the applicable rules on data protection. By contrast, Facebook’s marketing claims that its services "are free and always will be" have not been considered misleading under national provisions implementing the UCPD.

On the latter point, one which turns around the question whether or not personal data constitutes a price, the emerging court practice is not entirely coherent. Just two weeks before the Berlin ruling, the Administrative Court in Lazio (Tribunale Amministrativo Regionale) partially upheld the decision of the Italian Competition and Market Authority (Autorità Garante della Concorrenza e del Mercato, AGCM) which considered an analogous slogan, directed at Italian users, to qualify as an unfair commercial practice. The AGCM has meanwhile launched proceedings against Facebook for the company's non-compliance with the prior decision.

All of this comes at a time of a broader discussion about the interplay of data protection law and consumer law and the application of the - often broadly framed - provisions of both the GDPR and the UCPD. A certain convergence of views appears to be forming between consumer organisations and data protection bodies, even if the relevant overlap is not always complete. It seems that consumer organisations are willing to accept the economic role of data whenever it is beneficial to consumers (like in the case of potentially misleading "free" claims). The European Data Protection Supervisor, however, has been arguing against any direct analogies between data and price, as illustrated by his position on the recent modernisation of the EU consumer rules (and previously on the digital content directive). When it comes to data protection by design and by default, the alignment between the two stakeholder groups seems even stronger. Last November the European Data Protection Board published Guidelines 4/2019 on Article 25 GDPR, which have largely been supported by the association of European consumer organisations - BEUC. The organisation welcomes the operationalisation of both principles, including through the proposed selection of performance indicators as well as the illustrative case studies. Nonetheless, the achievement of effective protection of consumer data in the digital economy still has a long way to go. The limited personal scope of Article 25 GDPR, which only imposes an obligation on controllers, and the lack of clarity on the role and responsibility of developers/processors have been mentioned as the major gaps to be filled.

Tuesday, 28 January 2020

BEUC’s 7 recommendations for post-Brexit positive consumer protection


With Brexit finally approaching, the questions surrounding the legal uncertainty that will most likely follow the UK's departure from the EU are louder than ever. BEUC issued a position paper containing seven recommendations to secure positive outcomes for consumers after Brexit (found here). These seven recommendations are intended for the regulatory actors, not consumers themselves. In short, BEUC argues for a close cooperation between the EU and the UK (including the creation of joint surveillance bodies), as well as for the maintenance of the existing level of consumer protection. The seven recommendations are the following (as summarized by BEUC):

1. Inform consumers about what Brexit means for them
BEUC maintains that the first step to take is to inform consumers about any changes to their rights. BEUC suggests preparing concrete guidance documents such as factsheets.

2. Protect consumers when implementing the withdrawal agreement
BEUC highlights the need to maintain current levels of consumer protection when implementing the withdrawal agreement, namely consumer safety when it comes to imported goods. In fact, BEUC points out that UK customs will be required to ensure compliance of imported products with both UK law and EU law (particularly when it comes to imported products arriving in Northern Ireland and considered "at risk" of entering the EU market). For this, UK customs will need trained staff. Furthermore, BEUC considers that EU authorities will need additional financial and human means to oversee the controls that UK customs will perform. Finally, BEUC stresses that the role of the joint committee of the withdrawal agreement will be essential, given that it will define the criteria according to which goods are at risk of entering the EU market via Northern Ireland.

3. Make consumer protection a key objective of the future relationship
BEUC recommends that there is a chapter dedicated to consumer protection in the withdrawal agreement (which could look like this). The level of consumer protection should not be reduced, to encourage trade and investment in the UK. The level of protection of consumers' privacy and personal data should also remain high, and the EU should explore the possibility of an adequacy decision. BEUC mentions six points that the chapter should contain: i) affordable access to telecommunications for consumers who are traveling or communicating with other countries should be preserved; ii) the security of an affordable energy supply should be protected (namely the integrity of the single electricity market between Ireland and Northern Ireland should be renewed); iii) unjustified geoblocking should be eliminated; iv) access to affordable flights should be ensured; v) consumers should be properly informed about their rights; vi) consumers should have access to redress and online dispute resolution mechanisms.

4. Ensure consumer choice of goods and services
In addition to the concerns expressed in point 2 regarding the import of safe products, BEUC recommends a baseline of zero tariffs and quotas so that consumers are not hit by unexpectedly high customs duties.

5. Maintain regulatory dialogues to preserve consumer safeguards
BEUC suggests the creation (or maintenance) of regulatory cooperation mechanisms, operating on a voluntary basis, to guarantee the surveillance of the market. These cooperation mechanisms should cover enforcement of consumer rights. Moreover, the UK and the EU should avoid a race to the bottom when it comes to the regulation of competition.

6. Assess the impacts on consumers
BEUC suggests a comprehensive qualitative and quantitative analysis of the effects of a future agreement on consumers.

7. Involve consumer organizations and be transparent
BEUC states that the "level of transparency provided by the EU during the Brexit negotiations was unprecedented" and that the same level of transparency is expected in the future (also of the UK government). This requires consumer organizations to have access to consolidated negotiated texts, in order to provide recommendations and to inform consumers. To this end, BEUC recommends the creation of an EU-UK trade advisory group.

Wednesday, 18 September 2019

A call to improve enforcement of consumer law: BEUC Dieselgate report

The European Consumer Organisation BEUC has just published an interesting report summarizing the enforcement and policy-related actions in four years following the exposure of the Volkswagen emissions scandal (and subsequent reports of similar practices by other car manufacturers, see eg Commission investigates collusion...). The key message of the report concerns the flaws of the European enforcement system in the field of consumer law. The report notes that while multiple consumers around the world have already received compensation for the damage suffered, EU consumers are still waiting for car manufacturers to make amends.

Substantive rules

The BEUC report begins with an overview of particular enforcement actions taken by its members in different types of proceedings. A reader who is less clued-up about the substantive legal rules may, however, find it useful to first have a look at later sections, which shed a bit more light on the legal background. As regards civil claims, a distinction can be made between repair and compensation. This distinction is well illustrated by the settlement reached in the proceedings before the US court, in which affected car owners could, firstly, choose between a buyback or a free fix and, additionally, receive compensation ranging between $5,100 and $10,000 (p. 19). Aside from civil claims, a manufacturer who installs defeat devices to manipulate emission results can face monetary sanctions imposed by courts or administrative authorities. Much of BEUC's criticism concerns the difficulties European consumers face in receiving compensation and the comparably low level of fines imposed by relevant authorities.

From a private law perspective, a particularly interesting part of the BEUC report concerns "a comprehensive comparative table" prepared by the organisation, analysing among others the concept of damage and the grounds for breach of contractual and non-contractual obligations (p. 16). According to BEUC, the analysis revealed significant correspondence of private law across the EU in all relevant aspects: the notion of compensation loss, such as the lower value of the car, the higher fuel consumption, repair costs or lesser performance; the grounds for breach of contractual obligations, such as non-conformity, fraud and error; and the grounds for breach of non-contractual obligations, such as tort, misleading practices and unjust enrichment. This appears to be a broad-brush approach, as important differences emerge when each of the listed matters is analysed in more detail (e.g. tort liability in Germany and France, remedies for unfair commercial practices in different Member States). All in all, however, it is true that consumers across the EU can rely on a diverse menu of options in order to claim compensation, and that some of them are connected to EU law.

Private enforcement

According to BEUC, the experiences of its members demonstrate the ineffectiveness of collective redress mechanisms in most European countries. The report discusses particular collective proceedings initiated by national consumer organisations. What certainly stands out is the legal framework in Belgium and Portugal, where collective redress is based on an 'opt-out' system. The report further discusses the proceedings in Italy and Spain, where an 'opt-in' mechanism appears to be in place. The Austrian example is discussed somewhat separately, although it is clear that important enforcement efforts are also being made there. According to the report, the Austrian consumer organisation VKI had brought "16 group actions in front of 16 courts representing a total of 10,000 consumers". The dispute currently revolves around jurisdictional matters, on which earlier this year a request for a preliminary ruling was directed to the Court of Justice.

The report also elaborates on the state of play in Germany - where, of course, Volkswagen and other important car makers are established. The most noteworthy development is a declaratory court action (Musterfeststellungsklage) brought by the consumer organisation vzbv. More than 430,000 consumers are reported to have joined the action to date (compared to 75,000 consumers in the Italian proceedings and 7,500 in the Spanish case). The proceeding, however, only allows the court to declare that VW infringed the law and damaged consumers, on which subsequent claims for compensation can be based.

BEUC also reports on several developments in the Member States where consumer organisations have no feasible options to engage in collective redress. Slovenia provides an interesting example: here the consumer organisation ZPS has reportedly teamed up with a law firm which brought claims of Slovenian consumers before a German court (in a different type of proceeding than Musterfeststellungsklage, apparently). Importantly, the fact that certain countries are not mentioned in the report does not mean that no significant developments regarding the VW case can be observed there; it rather suggests that the relevant consumer organisations are not involved. This seems to be the case for Poland, where law firms have taken the initiative from the very beginning. For example, after Polish courts had found that they had no jurisdiction in some early proceedings, thousands of Polish consumers joined the declaratory court action brought by vzbv in Germany.

Public enforcement

A significant part of the BEUC report concerns public enforcement. In this respect, indeed, VW has so far managed to avoid major blows (particularly compared to the numbers overseas). The highest sanction so far - totaling €1 billion - was imposed in a case brought by public prosecutors in Germany. There are also ongoing criminal cases in other Member States, among others France and Poland.

BEUC appears to be particularly disappointed with the (lack of) action of the European consumer protection authorities, including as part of the Consumer Protection Cooperation (CPC) network. It describes the dialogue carried out by the European Commission with VW and its very modest achievements. More severe measures have only been taken by consumer authorities in Italy and the Netherlands, which hit VW with the highest possible fines of €5 million and €450,000 respectively.

Concluding thought

The report is set against the background of ongoing EU developments. It welcomes the review of the CPC framework and the relevant type-approval/market surveillance system. Most importantly perhaps, the report comes at a time when the European legislators are still working on the proposed directive on representative actions for the protection of the collective interests of consumers. The negotiations on this file have remained controversial as, indeed, the proposal seems difficult to reconcile with many Member State traditions. Whether an improvement of consumer law enforcement can truly be achieved with amendments that are currently discussed remains an open question. Without doubt, however, the state of play of consumer law enforcement leaves much to be desired.

Friday, 26 October 2018

Consumers in the age of digital health and AI

The European Consumer Organisation - BEUC - recently published a new position paper on digitalisation in healthcare. The paper comes at the right time as the impact of digital technologies on health products and services indeed continues to grow. The potential benefits are recognized: better access to medical care, more effective prevention, diagnosis and treatment of diseases, support of healthy lifestyles. However, as pointed out by BEUC, the risks are also present. The issues of consumer privacy, security and safety are listed among the most salient ones.

Main insights

The position paper makes reference to the eHealth communication of the European Commission, which focused on three areas: 
  1. citizens' right to secure electronic access and share their health data (improving electronic health record systems), 
  2. improved research, disease prevention and personalised medicine (pooling data resources and using common standards),
  3. digital tools for citizen empowerment and person-centered care (shifting focus from disease treatment to health promotion and well-being, supported by digital solutions such as wearables and mHealth apps).
While endorsing these general objectives, BEUC - as was to be expected - emphasises the need for adequate consumer safeguards. This general observation is followed by a list of more specific principles and recommendations. We sketch some of them further below - for more details we invite our readers to consult the original paper.

Consumers' control over their personal health data (including the right to decide about data-sharing, to access one's own data and to report on possible errors) features prominently throughout the paper. This translates into a call for a diligent implementation of the General Data Protection Regulation with respect to this sensitive category of personal data. Importantly, BEUC argues, data protection safeguards are also relevant in the context of electronic health records and relationship between patients and physicians.

Another prominent topic addressed in the paper is digital health tools, which, in BEUC's view, should respect the principles of privacy and security by design and by default and remain under the supervision of competent authorities. The paper emphasises the connection between security and safety by providing an illustrative example of a hacked pacemaker. An argument is also made for a minimum set of security measures for all digital health connected products, including mobile health applications, as an ex ante market access requirement. The Medical Devices Regulation, the Radio Equipment Directive and the General Product Safety Directive are listed among key instruments to be revisited in this context.

Consumers and artificial intelligence (in healthcare)

An interesting part of the BEUC paper concerns the growing deployment of artificial intelligence in the healthcare sector and in consumer markets more generally. Indeed, the advances in machine learning have made it possible to generate operable knowledge from previously opaque data sets. As a result, data contained in health records as well as vast amounts of data produced through our daily use of digital products and services have become an even more valuable resource. The prospect of AI transforming the way diseases are prevented, treated and diagnosed is nothing but exciting. A look at the website of IBM Watson Health will give the reader a good impression. However, as pointed out by BEUC, the picture is not always so rosy.

The observations which BEUC makes in this regard largely follow its earlier position paper on automated decision-making and artificial intelligence. Similar issues were also pointed out in the European University Institute's working paper on consumer law and AI published a couple of months ago. They concern, in particular, the growing information asymmetry and power imbalance, the impact on consumers' decision-making capacities, implications for access to essential services and the risk of discrimination. These, of course, are only early contributions, and both the extent of the indicated problems and the possible remedies must still be investigated. Considering the growing interest in AI among both scholars and policymakers, further research is certainly to be expected.

Tuesday, 17 July 2018

Mis-selling of financial products: is there a need for a systematic approach?

As we are more and more expected to take control of our financial affairs, e.g. to save for our retirement or to take up a mortgage loan to finance our house, financial decision-making is increasingly becoming part of our lives. Yet, at the same time, financial products are becoming overly complex, markets too diverse, and our financial decisions ever more important. Given the importance of these decisions, many of us would decide to get help from a financial adviser rather than make an independent decision. We tend to trust financial advisers, trust that they are going to select the right product for us, the one that is the best fit for our needs and preferences. But are we really getting the right product? The financial mis-selling scandals suggest that we are not.
 
Unfortunately, mis-selling scandals because of bad advice are too common in Europe. Many of these scandals will be (too) familiar to our readers, such as the PPI scandal in the UK, the foreign currency loans in several Member States e.g. Spain, Greece, Hungary, Poland, or risky investment products in e.g. Belgium (see the map of major mis-selling scandals, including videos of testimonies here). More recently financial advice also got the attention of EU law-makers. In June 2018 the EU Parliament published a series of five studies on Mis-selling of Financial Products: 1) Marketing, Sale and Distribution, 2) Subordinated Debt and Self-Placement, 3) Consumer Credit, 4) Mortgage Credit, and 5) Compensation of Investors in Belgium. These studies pointed out the weaknesses in the current EU regulatory framework and its enforcement. In addition, in April 2018 the EU Commission published a study on the Distribution of retail investment products across the EU, concluding that consumers face significant challenges in making informed decisions (see our report here).
 
In the light of the above, BEUC launched a campaign for a real change in the financial advice sector. A change that needs to affect: sales incentives, regulatory framework and supervision and enforcement.
  • Mis-alignment of sales incentives is a real problem in the financial advice sector. Commissions create a conflict of interest, steering advisors in a direction of offering risky products instead of acting in the best interest of consumers.
  • According to BEUC, the current, patchy legal framework is not fit for purpose. As we know, the majority of legislative instruments, especially those adopted in the aftermath of the financial crisis, will regulate at least some aspect of financial advice. However, this approach creates inconsistency, for example, the regulation of issues like independence and qualifications are approached differently in various instruments, without even having common definitions of what they are referring to.
  • Finally, many of the current rules are difficult to enforce, for example, the requirement in MiFID2 that the investment meets the needs of the consumer.
To improve the financial advice sector, BEUC suggests:
  • ban commissions;
  • create common definitions and rules for advisors, rules that set standards of professionalism and that are easy to comply with;
  • better enforcement, enforcement coordinated by the EU supervisors (EBA, ESMA and EIOPA) and adequate powers of national supervisors.
Whilst it is not specifically raised, it could be implied that the above aims would be best achieved by a separate, independent act such as a Directive on Financial Advice. What do you think? Is there a need for a systematic approach? Is it viable to regulate financial advice independently from the underlying product that it relates to?

Monday, 25 June 2018

BEUC position paper on artificial intelligence

Last week BEUC published a very interesting paper on Automated decision making and artificial intelligence: a consumer perspective. The paper highlights the main challenges raised by AI and suggests ways to tackle them. Importantly, the paper calls for an EU Action plan on AI that would set out new consumer protection concepts and a comprehensive plan to update the old consumer protection tools. The position paper is a must read for everyone interested in the impact of new technologies on consumer protection.

Thursday, 14 June 2018

"Food labels: tricks of the trade" - BEUC's report

On the same day that the Commission announces common methodology on comparing quality of similarly packaged food products, BEUC publishes its report "Food labels: tricks of the trade" on misleading labeling practices in the food sector in the EU (see more Food labels can fool you...). Three practices that have been further elaborated on are:
  • labeling products as 'traditional' or 'artisanal';
  • displaying fruit pictures on packaging for products that have little or no actual fruit content;
  • labeling as 'whole grain' products with barely any fibre.
Consumer confusion and misleading advertising practices may be the result of the lack of EU guidelines in this area of food products' advertising and labeling.

BEUC calls for:
  • more definitions on the EU level of commonly used terms on food products' labels, such as 'natural', 'traditional' or 'artisanal';
  • setting a minimum level of whole grain content for 'whole grain' claims;
  • setting a minimum level of content for ingredients pictured on the front of the pack, e.g. fruits;
  • obliging traders to display on the front of the pack the percentage of the advertised ingredient.
These recommendations would not only increase transparency of the composition of food products or facilitate better consumer decision-making, but also provide for a fairer food products' market in the EU.

E.g. the report mentions that while this product has many fruits on the packaging, they are only 2.5% of all ingredients

Monday, 27 November 2017

Towards the creation of the EU Financial Consumer Protection Agency?

A couple of months ago we reported on the results of the public consultation on the Operation of the European Supervisory Authorities (ESAs), and mentioned that civil sector representatives (Better Finance) advocated a complete overhaul of the existing system of EU financial supervision as opposed to partial improvements in the interest of consumers. This voice has now become louder, and several representatives, including BEUC, have joined forces to request this reform. Today they posted an Open Letter to the EU Commission on the Proposal for the EU financial supervisory reform.

In this letter they explain that the current supervisory framework is not adequate to effectively protect consumers. Consumer protection comes as the last objective of the ESAs, enjoying low priority compared to other objectives. This low priority is evidenced, for example, by a failure to ever use one of their most significant powers, the power to temporarily prohibit the use of dangerous financial products. The letter also highlights that the ESAs have failed to adequately coordinate national supervisory authorities, and that consequently consumer protection, or conduct of business supervision, is neglected in some Member States.

In order to prioritise consumer protection, the letter advocates the move towards a 'twin peak' model in the EU, that is, towards the creation of a separate supervisory authority that would be in charge of controlling the ways in which financial firms conduct business with their customers. This separation of the consumer protection objective from other supervisory objectives (the 'twin peak' model) is already working well in some EU countries like the UK and Belgium, and outside the EU, for example, in the US. The letter therefore urges the EU Commission to reconsider its current approach to keeping the regulatory/supervisory structure as it is, and to give thought, and preferably action, to the 'twin peak' model.

Importantly, in addition to raising the importance, the letter also sets out a basic strategic plan for moving towards the new model. Phase 1 would include a clear separation of the consumer protection mandate from other mandates of the existing ESAs, by reforming the Consumer Protection Divisions of these authorities, and in phase 2 these would then be merged into a newly created single authority, the EU Financial Consumer Protection Agency. The letter also addresses other important questions such as funding, governance and mandate.

Is a single supervisory authority for consumer protection viable in the EU, or could consumers be just as effectively protected by prioritizing the consumer protection objective of the existing authorities? What do you think?

Wednesday, 12 October 2016

Putting an end to silos enforcement of consumer (data protection) rights?

Last month, BEUC and the European Data Protection Supervisor (EDPS) held a joint conference on the enforcement of fundamental rights, notably the right to privacy, in the age of big data.

BEUC urges all competent authorities to coordinate their actions and strategies in this field, putting an end to "silos" enforcement, which is unable to guarantee equal respect of consumer rights across policy areas. 

BEUC particularly welcomed the EDPS's recently published opinion on "coherent enforcement of fundamental rights in the age of big data", which contains a set of recommendations. Here is an excerpt from the study summary:

"The EU institutions and bodies, and national authorities when implementing EU law, are required to uphold the rights and freedoms set out in the Charter of Fundamental Rights of the EU. Several of these provisions, including the rights to privacy and to the protection of personal data, freedom of expression and non-discrimination, are threatened by normative behaviour and standards that now prevail in cyberspace. The EU already has sufficient tools available for addressing market distortions that act against the interests of the individual and society in general. A number of practices in digital markets may infringe two or more applicable legal frameworks, each of which is underpinned by the notion of ‘fairness’. Like several studies in recent months, we are calling for more dialogue, lesson-learning and even collaboration between regulators of conduct in the digital environment. We also stress the need for the EU to create conditions online, as well as offline, in which the rights and freedoms of the Charter may thrive.

This Opinion therefore recommends establishing a Digital Clearing House for enforcement in the EU digital sector, a voluntary network of regulatory bodies to share information, voluntarily and within the bounds of their respective competences, about possible abuses in the digital ecosystem and the most effective way of tackling them. This should be supplemented by guidance on how regulators could coherently apply rules protecting the individual. We also recommend that the EU institutions with external experts explore the creation of a common area, a space on the web where, in line with the Charter, individuals are able to interact without being tracked. Finally, we recommend updating the rules on how authorities apply merger controls better to protect online privacy, personal information and freedom of expression."
According to the opinion, the Digital Single Market strategy represents a good opportunity for taking a more coherent approach. We will see whether the different actors involved will be willing to seize the chance!

Monday, 19 September 2016

GDPR, e-Privacy and beyond: more certainty and coherence for the online sector (or quite the opposite)?

The interplay of GDPR and e-Privacy Directive

One of the objectives of the General Data Protection Regulation (GDPR), which was adopted earlier this year and will effectively replace Directive 95/46/EC in 2018, was to make the European data protection framework fit for the 21st century. The extensive regulation does indeed bring the existing framework up to date and promises greater uniformity of national standards and interpretations. Driven by the desire to empower data subjects to fully exercise their right to personal data protection (Article 8 of the European Charter of Fundamental Rights, Article 16 TFEU, Article 8 ECHR), the instrument builds on the existing safeguards and extends or clarifies them where it deems necessary. Among many other things, the new data protection regulation strengthens the conditions for a valid consent, ensures that data subjects are provided with information and access to their data and can effectively object to the processing, reiterates the right not to be subject to a measure based on automated data processing and explicitly clarifies that this includes profiling. It also introduces a widely cited right to be forgotten and the equally important right of data portability. All these are correlated with the corresponding obligations of data controllers according to the newly formulated principles of data protection ‘by design’ and ‘by default’. Both principles bring about a significant paradigm shift as they not only require data controllers to ensure data protection compliance ex ante (i.e. already at the planning stage), but also to design standard settings in a way that only the minimum amount of personal data necessary is being processed. The regulation also elaborates on the data controller’s obligation to ensure data security and report data breaches.

In line with the previous personal data protection directive, the principles laid down in GDPR apply to any information concerning an identified or identifiable person (as explained in recital 26). The novelty, however, lies in the clarification that online identifiers provided by devices, applications and protocols as well as location data may be used to identify a person (see further clarification in recital 30). Without going into detail, it seems fair to assume that under the new regime many online identifiers – such as IP addresses, device IDs and cookies, in particular third-party cookies used for profiling and targeting – will be regarded as personal data.

In short, what emerges from the updated data protection act is an increasingly comprehensive regime with an intentionally broad scope of application. Nevertheless, believe it or not, there are still several issues that have not been addressed by the data protection framework. These relate more broadly to the protection of privacy (Article 7 of the Charter), and have so far been regulated by Directive 2002/58/EC on privacy and electronic communications (e-Privacy Directive). In the words of the European Commission, the directive “sets out rules on how providers of electronic communication services, such as telecoms companies and Internet Service Providers, should manage their subscribers’ data”. It touches upon issues such as: confidentiality of communications, security of networks and services, data breach notifications as well as requirements regarding, among other things, unsolicited commercial communications (spam), storing of information in subscribers’ terminal equipment [Article 5(3) – the source of the ubiquitous cookie consent pop-ups] and processing of traffic and location data. The interplay between the e-Privacy Directive and the general personal data protection legislation is mentioned in recital 173 of the GDPR, which stipulates that:

This Regulation should apply to all matters concerning the protection of fundamental rights and freedoms vis-à-vis the processing of personal data which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC of the European Parliament and of the Council, including the obligations on the controller and the rights of natural persons. In order to clarify the relationship between this Regulation and Directive 2002/58/EC, that Directive should be amended accordingly. Once this Regulation is adopted, Directive 2002/58/EC should be reviewed in particular in order to ensure consistency with this Regulation

As a result, the directive is currently undergoing review and has yet again attracted considerable public interest. In August the European Commission presented a summary report on the public consultations which were carried out in this context. A careful, consumer-oriented analysis was, as usual, submitted by BEUC and is now available on its website.

Review of e-Privacy Directive and BEUC response

Why do we need an e-privacy instrument and which services should be included in its scope?

BEUC: While recognising the important developments within the framework of personal data protection, BEUC remains convinced that the e-Privacy Directive should continue to form a lex specialis for the online sector, complementing and particularising the provisions of GDPR. In BEUC's view, sector-specific rules should address, in particular, the issue of data mining and tracking/profiling of users as well as confidentiality of communications. The scope of such an act (ideally – a regulation) should cover both traditional electronic communication services and over-the-top (OTT) services such as Voice over IP and instant messaging (Skype, Whatsapp, Messenger). OTTs are currently outside the scope of the e-Privacy Directive, as they do not fall under the definition of an electronic communication service, which requires inter alia "conveyance of signals".

Which issues remain unresolved under the current data protection regime?

Security and confidentiality

BEUC: Providers of electronic communication services should be obliged to secure all communications by using the best available techniques to ensure security and confidentiality. Users should remain free to apply other techniques.

Comment: While the need to ensure security of electronic communications seems undisputed, a potential overlap of the e-Privacy instrument and other pieces of legislation, in particular GDPR, NIS Directive and their implementing acts, should be taken into account. At the same time, there seems to be a strong case to maintain and even extend the scope of existing provisions referring to confidentiality to OTTs, as this issue does not seem to be addressed elsewhere.

Accessing users’ devices (e.g. in order to place a cookie)

BEUC supports the existing consent requirement laid down in Article 5(3) of the e-Privacy Directive. More importantly, however, it argues that users should not be prevented from accessing non-subscription based services if they refuse the storing of identifiers (i.e. cookies) that are not necessary to provide the service. Furthermore, according to BEUC, the lifespan of cookies should be linked to their purpose.

Comment: Five years after the implementation of the cookie consent provision, no one dares to deny that the directive failed to achieve its desired impact. Indeed, consent requests are generally treated as a formality and essentially confront the users with a take-it-or-leave-it situation. BEUC's proposal appears suitable to address this problem. At the same time, questions relating to the interface between the e-Privacy Directive and the remaining EU acquis continue to arise. Couldn’t the requirement to provide users with a clearer and more granular choice and to adhere to the principle of data minimisation be derived from GDPR (now that online identifiers are clearly in its scope)? To what extent could the collection of data for purposes of tracking/profiling, without the knowledge of the user, be considered a misleading omission of material information and potentially an unfair commercial practice? Does anyone still remember the recent UCPD guidance which has actually elaborated on this matter? What about the proposed Digital Content Directive and Distance Sales Directive - shouldn't they have something more to say about this? Is the privacy rationale sufficient to extend the legal effects of Article 5(3) and, consequently, is the e-Privacy Directive the right instrument to regulate this issue? Before reopening the whole cookie debate once again, it would seem reasonable to first assess where we stand.

Traffic and location data

BEUC: The consent requirement for the processing of traffic and location data should be maintained and the exemptions to this rule should not be broadened. On the contrary, the scope of the provision should be extended to cover GPS location data and Wi-Fi network location data used by information society services in mobile devices.

Comment: Stricter conditions for the lawful processing of traffic and location data (consent requirement for certain types of the processing) along with specific requirements as to erasure or anonymisation of data can indeed be seen as justifiable, given the undeniable privacy concerns at hand. There also seem to be no convincing reasons for maintaining a distinction between data collected by electronic communications service providers and by other information society services providers. At the same time, while understanding BEUC's concerns about anonymisation, it needs to be recognised that traffic and location data are essential for the proper functioning of many digital services. The European legislator should therefore make sure that the revised instrument does not throw the baby out with the bathwater.

Unsolicited commercial communications

BEUC argues that marketing messages sent through social media should be subject to the same opt-in obligation that applies to email. Indeed, both channels of communication share certain similarities. In fact, however, unsolicited commercial messages on social media do not seem to present a serious problem and in this domain the issue of targeted advertisements appears much more pressing. 

Conclusion

Beyond doubt, the principles of personal data protection ‘by design’ and ‘by default’ enshrined in GDPR constitute a significant development in the data protection regime. In the technologically-mediated digital ecosystem, where traditional concepts are often difficult to apply and even harder to enforce, an increased focus on ex ante compliance (e.g. already at the stage of designing products/services or programming algorithms) could present a promising way forward. According to BEUC, the concepts of ‘privacy by design’ and ‘privacy by default’ should become “fundamental guiding principles in the online environment”. Given the growing importance of data-driven business models this appears to be a noble aim. The European legislator should, however, also make sure that innovation is not killed on the way – and to ensure that, more clarity as to the practical application and the interdependence of particular legal acts is necessary. 


Tuesday, 5 April 2016

The risks and benefits of automated financial advice

In December 2015 the three European Supervisory Authorities (ESAs) (the European Banking Authority, the European Securities and Markets Authority, and the European Insurance and Occupational Pensions Authority) issued a joint Discussion paper on automation in financial advice.

The ESAs have recognized that with increasing digitization of financial services, more and more financial institutions offer automated financial advice to their customers (also called 'robo-advice'). Thus the Discussion paper is aimed at assessing what (if any) regulatory/supervisory action is required to enable consumers and firms to take advantage of the benefits, and to mitigate the potential risks, of automated advice. The Discussion paper explains the concept of automated advice, and highlights the possible risks and benefits of this innovation.

Automated advice means that a recommendation to buy or sell financial products is generated by automated tools (typically websites using algorithms or decision trees) without (or with very limited) human intervention.

The ESAs believe that automated financial advice may be beneficial for consumers in terms of providing easy access to a quality service (free from behavioural biases, human error or poor judgment and reliant on a large volume of complex data) at a considerably lesser cost than traditional advice. However, they also recognize that automated advice may carry a great deal of danger. Importantly, consumers may find it more difficult to understand automated advice than traditional advice without a human interaction and being able to ask questions and seek clarifications; consumers may misunderstand the nature of the advice (they may receive general advice but believe that they have received personalized advice); consumers may end up with unsuitable advice because they do not understand how information is used by the automated tool and enter incorrect or incomplete data, or because of a failure in the automated tool itself. Finally, automated financial advice, as with any digital service, raises data protection issues.

The consultation period ended in March 2016. The Discussion paper generated great interest among the stakeholders and the ESAs have received many responses. BEUC welcomed the ESAs' interest in automated financial advice, and considered the Discussion paper to be a well-balanced discussion of the risks and benefits of automated advice. It has, however, highlighted that protecting consumers in this area will require new approaches, and that market outcomes may largely depend on the quality of algorithms used for guiding consumers through the advice process.

What do you think? Is automated advice more likely to benefit or to harm consumers?

Saturday, 12 March 2016

Strong customer authentication and secure communication in payment services

Following the entry into force of the revised Directive 2015/2366 on Payment Services (PSD2), the European Banking Authority (EBA) is mandated to deliver several Regulatory Technical Standards (RTS) and Guidelines by January 2017. These should set out the details of the more general standards laid down in the Directive in order to secure their consistent application throughout the EU. EBA's RTS are therefore important for the smooth functioning of the single market for payment services.

As the first step, and before developing the full RTS, EBA has recently published a Discussion Paper on strong customer authentication and secure communication. The Discussion Paper specifies the requirements of strong customer authentication; the exemptions to the application of these requirements; requirements to protect the payment service users' personalized security credentials; requirements for common and secure open standards of communication; and security measures between the various types of payment service providers.

BEUC has submitted a number of useful comments on the Discussion Paper. For example, BEUC has recommended that the RTS should also consider that a good level of consumer protection in payment services is provided through an adequate combination of preventive and curative measures. Providing for a simple and unconditional refund policy in case of unauthorized, fraudulent or disputed payment transactions is crucial for raising consumers' confidence in using payment services. It is also important that consumers' data are secure and that in case of data breaches effective redress mechanisms are in place. Finally, the requirements of strong customer authentication and the RTS should extend to mail orders and telephone orders. See for more recommendations and the full text of BEUC's response here.


Tuesday, 8 March 2016

EU Regulatory Framework for Financial Services: BEUC's view

The EU Commission has recently issued a Call for evidence on EU regulatory framework for financial services, aiming to understand the interaction of individual rules and the cumulative impact of all the rules, including overlaps, inconsistencies and gaps.

Responding to the call for evidence, BEUC has reviewed the existing regulatory framework for retail financial services, extending the scope of its review to supervision and enforcement activities and consumer redress schemes. The review has concluded that there are major loopholes and shortcomings in the areas of bank accounts, payment services, consumer and mortgage credit, investment products and that issues such as information disclosure, cross-selling practices and digitization and financial innovation raise special concerns. See BEUC's recommendations for remedying the identified problems and the full text of the response here.

The Commission's current consultation and the Green Paper (that we reported on earlier) take account of and complement this initiative.

Tuesday, 4 November 2014

BEUC on transparency in the TTIP

One of the most discussed issues regarding the Transatlantic Trade and Investment Partnership (TTIP) that is being negotiated by the EU and US concerns transparency. The TTIP negotiations have been heavily criticised for not giving enough clarity; it has been put forward that an open democratic debate is needed to legitimise the agreement (eg by Marija Bartl and Elaine Fahey, 'Transatlantic Partnership requires open democratic debate').

European consumer organisation BEUC has now published a number of suggestions for improving the input of an important group of stakeholders, ie consumers. Its recommendations are aimed at enhancing transparency and engagement in the TTIP, thus improving accountability to the public. BEUC's demands include: public access to documents, stakeholders' consultation, a more active role for the Advisory Group on the TTIP, and involvement of other EU institutions beside the Commission.

See also BEUC's new blog.

Tuesday, 22 July 2014

BEUC discussion paper on cloud contracts

Last October, an expert group on cloud computing contracts was established by the European Commission. In a recent discussion paper, consumer organisation BEUC listed a number of questions relevant to the work of the expert group on 'unfair terms in cloud computing service contracts'. These cover a wide range of issues, including (with emphasis added):

'- What elements should be taken into account to assess unfairness by lack of transparency?
- [C]lauses [that establish consumer obligations not proportionate to those of the trader] could be considered unfair under the general unfairness test of the Unfair Contract Terms Directive. Do you think there are elements specific to cloud computing services that should be taken into account to establish the lack of balance in the parties’ rights and obligations?
Would the assessment of these elements be different in paid and ‘free’ cloud computing contracts?
- To what extent suppliers of cloud computing services should obtain, for the mere access to the website, the explicit consent of consumers in order to ensure that they are aware of the contractual conditions (if the accessibility implies the conclusion of a contract)?
Would it be necessary to distinguish between the agreement on the contract terms and the agreement on the collecting and processing of personal data?
- Would it be appropriate that the contract provides specific cases in which the supplier is entitled to suspend the services that are the subject of the contract? Should these cases differentiate between contracts in which the contracting party is a consumer or a SME?
Should we envisage the need that the suspension of the services is preceded by a notice to user (that, in the specific cases of delay or failure in payments, gives to user a time limit within which he may fulfill)?
- How these clauses should incorporate the CRD requirements? For example, should the clause indicate that the consumer’s relevant means of payment (e.g. credit, debit card) will be charged only after he or she explicitly agrees so at the end of the trial period?
- Should the authoritative language version be the one used for the conclusion of the contract taking into account the pro-consumatore interpretation principle of the unfair contract terms directive?
Would this situation be different in a contract in which one party is a SME?
- Is it possible to identify basic elements that should be included in arbitration clauses of cloud computing service contracts (e.g. distinction between internal complaint handling and independent ADR; non-mandatory and / or binding nature of the arbitration settlement)?
- Is it justified to request the consumer’s agreement to grant a licence over the content he/she supplied and that is protected under copyright law? To what extent this would be necessary to develop innovative cloud-based products?
If the answer to the first question is possible, under what circumstances that licence would be necessary? Is it necessary to make a distinction between paid and ‘free’ services?
- The framework of Directive 95/46/EC, national legislation and the interpretation of the Article 29 Working Party defines when the consent is valid. However, if the consumer has no choice but to accept, can this consent be considered ‘free’?
- Taking into account the requirements of Directive 95/46/EC, to what extent these types of clauses should be considered unfair?
Do you think that this type of processing of personal data is necessary to the development of innovative cloud services?
- Under what circumstances would it be justified to (legally) allow an exoneration of liability of the supplier of cloud computing services (e.g. due to the influence of external factors)?
- How these clauses [on contractual limitation of compensation due by the supplier] could be re-written in order to comply with the specific provisions of the unfair contract terms directive? Should we make a difference between paid and ‘free’ cloud service contracts?
- If the supplier assigns the contract or some rights or obligations deriving from it, it would be envisage the obligation for the supplier to inform the user, giving him the possibility to terminate the contract?
- What minimum elements should be included in jurisdiction and applicable law clauses? Would it be sufficient a disclaimer claiming that the consumer may be protected under his own legislation or it is necessary to be more specific?
- Despite the fact that in any event, the cloud provider has to comply with its obligations according to Articles 10, 11 and 14 of Directive 95/46/EC, do you think that in these situations [of transfer of personal data in corporate mergers] the consumer should be given with the possibility to withdraw from the contract?'

Friday, 30 May 2014

Google continued

Google remains at the centre of attention in the current debate on the responsibility of providers of search engine services to sufficiently and adequately protect consumers' personal data. Following the recent ground-breaking CJEU decision in Google Spain (on which we reported earlier this month), the company has now provided users with an online form to request links to specific pages to be removed from search results. Not unproblematically, as is underlined in the introduction to the form, it is up to Google to 'balance the privacy rights of the individual with the public's right to know and distribute information'. It indicates that it will seek the help of data protection authorities and others to refine its approach in the coming months.

European consumer organisation BEUC, in the meantime, poses serious questions concerning Google's dominant position in the European market. In a recent position paper, BEUC voices concerns regarding Google's alleged power to manipulate search results and, thus, distort competition. See also: BEUC - Google internet search case and BEUC - Fair Internet search, remedies in Google case.

Thursday, 22 May 2014

What does the EP mean to consumers? - BEUC manifesto

While the elections for the European Parliament have started, it may be interesting to take some time to consider what is the Parliament's significance for consumers. In a recent Manifesto, European consumer organisation BEUC highlights the EP's impact on consumers' lives in the past years and sets out a list for future action.

The main areas indicated in the Manifesto are:
- food
- financial services
- consumer rights
- digital rights.

Furthermore, BEUC draws attention to the controversial Transatlantic Trade and Investment Partnership (TTIP), emphasising the importance of transparency in the negotiation process and in dispute resolution.

Monique Goyens, BEUC's Director General, adds:

“Consumer policy directly and tangibly impacts on citizens’ daily lives. Over the last 30 years, the EU has written a true success story in this field. It has provided many fundamental protections, better market access, product safety standards, shopping and information rights. Yet most people are unaware that these often originate in ‘Brussels’.

“The new MEPs taking up office will be faced with major challenges such as securing stronger safeguards for financial services, improving the telecoms market, ensuring a neutral internet and restoring consumers’ trust in the food industry after recent scandals.

“The Parliament is still the most trusted EU institution. The incoming MEPs should understand that consumer policy is a way of reaching out to European citizens. They must work to sustain and increase this trust by putting consumer interests central.”