Out-Law News 3 min. read

Digital content rules should not encourage companies to avoid getting data consent, says MEP

Suppliers of digital content should not be encouraged to avoid asking consumers for consent to use their personal data by the wording of EU legislation, an MEP has said.

A new directive on contracts for the supply of digital content was proposed by the European Commission late last year and is currently being scrutinised by committees within the European Parliament.

A rapporteur for the Parliament's Civil Liberties, Justice and Home Affairs (LIBE) Committee has suggested amendments to the Commission's proposals to "strengthen and clarify" aspects of the rules.

Marju Lauristin expressed concern that the original proposals, if introduced, "could create a perverse incentive for suppliers to not ask for the consumer's consent" to use their personal data.

In many cases suppliers of digital content provide that content to consumers in exchange for the right to collect and use their personal data, rather than charging consumers for access to the material.

The Commission wants to introduce new laws that would give consumers new rights of remedy and redress in relation to digital content supplied to them that is faulty or which otherwise fails to conform to sellers' descriptions. Those rights would apply in cases where consumers exchange either money or a "counter-performance" such as personal data in return for access to that content, under the plans.

Lauristin said, though, that the circumstances in which consumers would be able to exercise their rights under the new rules when their personal data is collected "seems to be too limited" and that, under the current drafting, digital content suppliers could be encourage not to seek consumers' permission to use their data.

"The proposal only covers types of contracts whereby the consumer either pays or 'actively provides' personal data as counter-performance," Lauristin said. "This seems to be too limited, as often nowadays consumers' personal data (such as location data, personal contacts, shopping history etc) are being used in a form of counter-performance while consumers are unaware of it. Furthermore, this limitation could create a perverse incentive for suppliers to not ask for the consumer's consent."

"It might therefore be advisable to broaden this provision in such a way as to include all contracts for the supply of digital content involving the use of the consumer's personal data," she said.

Under the UK's Consumer Rights Act most of the consumer rights and remedies provided for do not apply where consumers exchange personal data in return for access to digital content. The UK government has said it has "no fundamental objection" to consumer rights being extended in cases where consumers trade their personal data for access to 'free' digital content but is concerned about the effect there could be on businesses of doing so.

In her draft opinion Lauristin said the new EU directive should define personal data in the same way as the term is defined under the new General Data Protection Regulation. This would "ensure a clear differentiating line between personal data and any other data mentioned throughout the text [of the draft directive]", she said.

Lauristin also proposed changes to wording that requires digital content to be supplied in conformity to what is stipulated in the contract with consumers, or through other objective criteria such as technical standards or industry codes of conducts where that detail is not included in contract terms.

She said: "One could wonder if, in the light of the complexity of digital content products, the consumer is really able to fully grasp the terms and conditions of the contract and to make an informed decision. It might therefore be advisable to use more often objective and subjective criteria (such as technical standards or legitimate expectations) to ascertain conformity."

Provisions on when digital content suppliers would be liable for damages should also be expanded, Lauristin said.

"The [Commission's] proposal limits the supplier's liability to only the damages done to the hardware and software of the consumer," Lauristin said. "However, there might be cases where a consumer suffers serious economic or immaterial loss quite apart from any damage to its digital environment (for example if software contains a bug that allows hackers to gain access to a consumer's computer and steal his password for his bank account). It might therefore be advisable to broaden the scope for damages to include all damage done to the consumer."

"Furthermore, it might be interesting to allow member states, in setting the detailed rules on damages, to make a differentiation between those suppliers that did everything in their power to limit the possibility of damages (e.g. by compliance to a certain IT security baseline or standards) and those that did not have 'their house in order' (e.g. did not fix security vulnerabilities in their products/services that were known or reported to them) in order to encourage a stronger sense of responsibility and accountability among suppliers," she said.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.