European Data Protection Supervisor
Le Contrôleur Européen de la Protection des Données

EDPS sees opportunities for stronger consumer and data protection

EDPS sees opportunities for stronger consumer and data protection


EDPS sees opportunities for stronger consumer and data protection

Individuals are entitled to enjoy the same rights online as they do offline, under EU law. This includes when consuming goods and services, whether they are supplied in exchange for money or not. Developing the data-driven economy is essential for EU growth, and trust in that economy requires upholding fundamental rights, the European Data Protection Supervisor (EDPS) said today, as he published his Opinion on the Commission’s Proposal for a Directive on certain aspects concerning contracts for the supply of digital content. The Opinion was issued at the specific request of the Council.

Giovanni Buttarelli, EDPS, said: “The EDPS supports the aim of the Commission’s initiative, which is to enhance consumer rights. I consider this an opportunity to harness synergies between consumer and data protection law in the interests of the individual. The proposed directive should avoid unintentional interference with the data protection rights and obligations set down by the EU last year in the General Data Protection Regulation. Individuals should not be required to disclose personal data in ‘payment’ for an online service. Rather, their rights and interests should be safeguarded by coherent application of up-to-date rules in the consumer and data protection area.”

The Commission’s proposal extends consumer protection to digital content supplied to the consumer in exchange for money or data, including personal data. The EDPS highlights the risk of confusion for consumers and business of any new provisions in EU law which appear to treat personal information, whose protection is a fundamental right, as mere commodity. It could interfere with the careful balance negotiated by the EU legislator in the GDPR, for example, on the role of freely-given consent and the right to data portability.

Applicable across the EU from May 2018, the GDPR already legislates for the use of personal data in the digital economy, including the strict conditions under which the processing of personal data can take place. The EDPS therefore urges the EU to avoid inadvertently interfering with the rules specified in the GDPR and to be covered in the future ePrivacy Regulation, as doing so could create legal uncertainty.

Specifically, rather than the notion of data as a counter-performance, he suggests considering the definition of services outlined in the e-commerce Directive or the provision used by the GDPR to define its territorial scope. Either of these definitions might provide inspiration for the protection of the rights of consumers in the exchange of personal data for services.  

The GDPR is a groundbreaking piece of legislation, which sets a precedent for data protection across the globe. The proposal on digital content is an opportunity to ensure that future oriented rules in the EU on data protection and consumer protection work in tandem in the interests of the individual.

Background information

The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EC) No 45/2001. The EDPS is a relatively new but increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.

Giovanni Buttarelli (EDPS) and Wojciech Wiewiórowski (Assistant EDPS) are the members of the institution, appointed by a joint decision of the European Parliament and the Council. Assigned for a five year term, they took office on 4 December 2014.

Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.

Processing of personal data: According to Article 2(b) of Regulation (EC) No 45/2001, processing of personal data refers to "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction." See the glossary on the EDPS website.

ePrivacy Regulation: On 12 April 2016, the European Commission launched a public consultation on the existing ePrivacy Directive as well as possible changes to the existing legal framework. ePrivacy rules govern the processing of personal data in the electronic communications sector and clarify customers' rights to privacy and confidentiality in online communications. Using the feedback from the consultation, the Commission prepared a new legislative proposal on ePrivacy, which was published on 10 January 2017.