EDPS’s Opinion on proposed Directive on contracts for the supply of digital content

On 14th of March, after having been consulted by the European Council, the Euopean Data Protection Supervisor (“EDPS”) issued an Opinion on the proposed Directive on certain aspects concerning contracts for the supply of digital content (“Opinion”). The aim of the Directive is to provide for a harmonised protection of the consumer as far as digital content is concerned, establishing a single set of rules across the EU governing contracts for the sale and rental of digital content and contracts for digital services.
The proposed Directive would apply to “any contract where the supplier supplies digital content to the consumer or undertakes to do so”:
4 in exchange of a price
5 but also when “the consumer actively provides counter-performance other than money in the form of personal data or any other data”.
The Directive moves from the assumption that undertakings providing digital services foster the perception that they are provided for free, while in fact the disclosure of personal information is required as a condition for the supply of the service.

Main issues
The Opinion welcomes the intention of the legislators to make sure that the so-called “free services” are subject to same protection for the consumers when they do not pay a price for a service or content. Nevertheless, according to the EDPS personal data cannot be intended as “price” or money. Personal information is related to a fundamental right and cannot be considered as a commodity.
The Opinion raises a number of issues given the involvement of fundamental rights and the specific protection granted to data under the EU data protection framework:
the EDPS considers that the term “data as a counter-performance” should be avoided
, since it rather legitimises the mal-practice of providing digital services “in exchange” of disclosure of personal information, without taking into account the specific nature of personal data. The EDPS also suggests other approaches that might be explored so as to avoid any implications of data acting as counter-performance: i) the use of the notion of “services” as defined in the E-commerce Directive (Directive 2000/31/EC) could be an alternative as to encompass services where a price is not paid; iI) another alternative could be the use of similar terms to the General Data Protection Regulation (“GDPR”) (referring to the offering of goods and services irrespective of whether a payment is required) in order to define the scope of the proposed Directive, without making reference to data used as counter-performance;
the EDPS recommends avoiding referring to data (actively) provided by the consumer since it contradicts the (existing and future) rules on data protection. In fact, no distinction between personal data actively and non actively provided can be made, since the same protection applies to data collected knowingly by the organisation processing the data, or the data given actively by the individual;
the EDPS recommends that Articles 13 and 16 of the Directive refer to the GDPR when it comes to the rights to erasure and the right to access one’s data, to the extent that personal data are concerned. Should non-personal data (“other data”) be processed, the EDPS recommends that the provisions of Article 13 and 16 should be aligned with the regime provided in the GDPR for the sake of 
the Directive should state explicitly that data processed by the suppliers shall only 
be used insofar this is in line with the EU data protection framework, including 
the GDPR and the e-Privacy legislation.
Practical actions
The EDPS warns the EU legislators against any new provision introducing the idea that people can pay with their data the same way as they do with money. Fundamental rights such as the right to the protection of personal data cannot be reduced to simple consumer interests, and personal data cannot be considered as a mere commodity. One cannot monetise and subject a fundamental right to a simple commercial transaction, even if it is the individual concerned by the data who is a party to the transaction, because personal information cannot be conceived as a mere economic asset. The strict conditions under which a processing of personal date can take place are already set down in the GDPR and according to it, consent cannot be considered as freely given if the performance of a contract, or the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract (Section 7 of the GDPR).
If you want to know more, write here