European Data Protection Supervisor
European Data Protection Supervisor

EDPS calls for closer alignment between consumer and data protection rules in the EU

EDPS calls for closer alignment between consumer and data protection rules in the EU

08/10/2018
8
Oct
2018

EDPS calls for closer alignment between consumer and data protection rules in the EU

Consumer law and data protection can no longer afford to work in silos. The EU needs a big-picture approach to addressing systemic harms to individuals in digital markets, involving closer cooperation between enforcers in order to avoid legal uncertainty, the European Data Protection Supervisor (EDPS) said, as he published his Opinion on the legislative package A New Deal for Consumers.

The package is composed of the Proposal for a Directive as regards better enforcement and modernisation of EU consumer protection rules and the Proposal for a Directive on representative actions for the protection of the collective interests of consumers. The Opinion follows consistent calls from the EDPS for coherent enforcement by authorities responsible for the digital economy and society, including consumer, data protection and competition authorities.

Giovanni Buttarelli, EDPS, said:I support the aim of the Proposal to extend benefits to consumers who receive services without paying a monetary price. With ‘free’ the preferred price for many digital markets, the consumer should be protected irrespective of whether a contract under which a trade supplies or undertakes to supply digital content or services requires payment. Consumer law, like data protection law, needs to be effective in dealing with the digitisation of people’s lives. Increasing the concentration and complexity of digital markets has diminished people’s ability, whether as consumers or as data subjects, to control their digital lives, including what happens to data about them. However, the solution is not to pretend that personal data is a mere economic asset. This means ensuring that there is no such reference to personal data in contract definitions for the supply of digital content or a digital service. Therefore, the safeguards under the Charter of Fundamental Rights and the GDPR must be upheld. Closer alignment between consumer and data protection will require policymakers, as well as regulators, to deepen their dialogue and mutual understanding.”

Consumer and data protection law share the common goal of redressing imbalances between the individual and powerful companies. It is therefore essential that the two bodies of law are fully aligned and mutually reinforcing.

The concept of contracts for the supply of digital content or services for which consumers pay with their personal data is problematic. Specifically, it fails to respect the need to protect personal data set out in the Charter of Fundamental Rights and risks being interpreted in a way that is inconsistent with certain GDPR provisions, such as those relating to valid consent for data processing and the necessity of data processing for the performance of a contract.
 
Furthermore, the EDPS recommends that the proposal on collective redress be adjusted to complement the provisions in the GDPR for the representation of data subjects in exercising their rights. This requires more systematic cooperation between consumer protection and data protection authorities, which could be done, for instance, within the already existing voluntary network of enforcement bodies from competition, consumer and data protection areas - the Digital Clearinghouse.

The EDPS welcomes the initiative to update the enforcement of consumer rules, and calls for closer cooperation between consumer and data protection authorities, through initiatives such as the Digital Clearinghouse and the joint meetings of the European Data Protection Board and the Consumer Protection Cooperation Network.

Background information

The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EC) No 45/2001. The EDPS is a relatively new but increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.

Giovanni Buttarelli (EDPS) and Wojciech Wiewiórowski (Assistant EDPS) are the members of the institution, appointed by a joint decision of the European Parliament and the Council. Assigned for a five year term, they took office on 4 December 2014.

“A New Deal for Consumers”: On 11 April the European Commission adopted a Communication “A New Deal for Consumers” together with two legislative proposals: a proposal for a Directive amending Council Directive 93/13/EEC, Directive 98/6/EC, Directive 2005/29/EC and Directive 2011/83/EU as regards better enforcement and modernisation of EU consumer protection rules, and a proposal for a Directive on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC. The aim of the package includes modernising existing rules and fill gaps in the consumer acquis and providing better redress opportunities for consumers, support effective enforcement and greater cooperation of public authorities in a fair and safe Single Market.  

Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.

Processing of personal data: According to Article 4(1) of Regulation (EU) No 679/2016, processing of personal data refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction." See the glossary on the EDPS website.