Thursday, 20 October 2016

ECJ: dynamic IP addresses can be personal data- and yet websites may be able to store them without consent

Yesterday, the Court of Justice delivered its decision in Breyer v Bundesrepublik Deutschland (C-582/14, not yet available in English), a case concerning the lawfulness of the retention of dynamic IP addresses and other information by internet service providers. 

Mr Breyer contested the practice of the German federal government's websites, which keep a register of all IP addresses accessing information on their pages, together with a record of the pages visited and the time of each visit. The purpose of this information storage, according to the German government, is to prevent and/or readily prosecute cyberattacks. 

Two questions were raised before the Court of Justice: 1) whether, contrary to the assumptions of the Government when devising this practice, the information concerned constituted personal data under Directive 95/46; 2) if so, whether the German rules applicable to the retention of personal data by websites, which would make the Government's practice illegal, were compatible with the directive.

As to the first question, the Court of Justice answered that the collection of dynamic IP can be qualified as collection of personal data. The main issue to be discussed in this context was whether dynamic IP information, which is by definition not constantly associated to an individual user, can nevertheless be considered as capable of identifying that user. This is materially possible only through obtaining additional information from the internet service provider which has issued the IP number. 

Making reference to the directive's 26th recital, the Court reasoned that the answer to the question depends on the ability, for the website's owners, to obtain the "missing" information legally and without disproportionate expenditure. The ECJ considers that this possibility is clearly present in a case such as the one under scrutiny, especially in the event of a cyberattack. 

Therefore, the answer to the first question is that dynamic IP addresses are to be considered and treated as personal data by a provider which has the possibility to use them, in case of need, in order to identify the users associated to them. 

As to question 2), the Court had to consider the compatibility with Directive 95/46 of the German provision according to which- thus the interpretation prevailing in Germany- online service providers are only allowed to collect personal data for purposes related to their service provision- and charging of potentially ensuing fees. 

In particular, the Court considered whether a similarly interpreted restriction was compatible with article 7 letter f of the Directive, according to which providers can collect and preserve data in pursuit of their legitimate interests, provided they do not disproportionately impinge on the user's fundamental rights and liberties. The national legislation implementing the directive must leave some room for the balancing required by this provision. 

According to the Court, therefore, article 7 letter f of Directive 95/46 stands in the way of a national rule that generally disallows providers to store personal data with the purpose of securing the website's continued workability- which, inter alia, encompasses the prevention and prosecution of cyberattacks.

Thus, the answer of the second question is that the Directive does not allow national legislation to be interpreted in such a manner that would render the collection of personal data (ie dynamic IP addresses and access information) for the prevention of cyberattacks illegal.    

This decision is rather double-faced: on the one hand, it has a privacy-friendly attitude insomuch as it makes clear that all information can be personal data when the provider collecting it has the possibility to, at some point in time, use it to identify people who have accessed its webpages. On the other hand, though, it threatens to preempt national legislations giving a strict interpretation of the legitimate interests allowing data collection. It will be interesting to see which of the two faces will become more visible in the decision's aftermath. 

Wednesday, 19 October 2016

Comparing prices in hyper- and supermarkets - AG Saugmandsgaard Øe in Carrefour Hypermarchés (C-562/12)

AG Saugmandsgaard Øe has issued an opinion today in the case C-562/12 (Carrefour Hypermarchés) concerning an issue of a potential misleading and comparative advertising. Carrefour holding consists of many hyper- and supermarkets across France, with supermarkets generally being smaller in size than hypermarkets. One of its main competitors is Intermarché holding that also operates many hyper- and supermarkets. While Carrefour has 223 hypermarkets, Intermarché has 79. 

In December 2012 Carrefour run a new advertising campaign, both on TV and online, in which it compared prices of selected 500 leading brand products in its shops and competitors' shops under a slogan 'Lowest price guarantee'. The comparison was clearly favourable to Carrefour, who also promised to pay twice the price difference if consumers proved that the advertised prices were incorrect. Intermarché questioned the objectivity of this price comparison and its correctness, as well as a possibility of this advertisement misleading consumers, as it wasn't made clear to consumers that the comparison was between prices of consumer products in Carrefour's hypermarkets and Intermarché's supermarkets. Especially, since both Carrefour and Intermarché belong to retail outlets which each have shops of identical format and size, whose prices where then not directly compared with.

The CJEU was asked to answer such questions as (1) whether comparative advertisement referring to prices of consumer goods should be allowed only if the shops are of the same size and format; (2) if the compared shops differ in size and format whether consumers should be informed about this under the UCPD's obligation of Art. 7 to reveal material information to consumers; (3) if (2) is answered positively, how should this information be given to consumers.

The AG advises the Court to answer that indeed (1) comparative advertisement may only compare prices of goods sold in shops of similar formats and sizes but only IF:

"it is found, in the light of all the relevant circumstances of the case, and in particular in the light of the information in or omissions from the advertising at issue, that the transactional decision of a significant number of consumers to whom that advertising is addressed is likely to be made in the mistaken belief that all the shops in those retail chains have been taken into account in calculating the general price level and the amount of savings which are claimed by the advertising and that, accordingly, those consumers will make savings of the kind claimed by the advertising by regularly buying their everyday consumer goods from shops in the advertiser’s retail chain rather than from shops in the competitor’s retail chain"


"the selection of the shops for the comparison has the effect of artificially creating or increasing any difference between the prices charged by the advertiser and by the competitor."

Thus, the national court has to consider the effect of a given advertisement on both consumers and fair competition to assess whether in a given case the comparative advertisement showed by Carrefour has infringed requirements of the Directive 2006/114/EC. If it is not misleading and it is done in an objective way, it should be allowed. 

"In my view, there is in principle no reason to consider that an advertiser’s economic freedom does not also extend to the possibility of comparing prices in shops having different formats and sizes. In so far as an advertiser is capable of benefiting from economies of scale, as a result of the size, format or number of shops available to him, and, consequently, of charging prices lower than those of his competitors, he should be able to derive the benefits therefrom for marketing purposes." (Par. 30)

The discretion of the advertiser in designing his marketing strategies is not unlimited, however, and should consider the need to provide objective comparisons and not to mislead consumers.

The AG expresses also an interesting view on the capabilities of average consumers: "I consider that the average consumer is fully capable of deciding whether a price difference justifies, in his view, purchasing a product in one or other of the shops, when those shops have different formats or sizes, which may also entail differences in terms of the geographical proximity of the shops." (Par. 31) However, in the particular case: "I consider that an asymmetric comparison of that kind might deceive an average consumer as to the actual difference in the prices charged in the advertiser’s shops and in the competitor’s shops, by giving that consumer the impression that all the shops in the retail chains were taken into consideration in calculating the price information presented in the advertising, although that information applies only to certain types of shops in those retail chains." (Par. 42)

Only the second requirement - whether the comparison might artificially create or increase difference in charged prices on the market - should, however, be considered by the national court when assessing (2) whether consumers should have been informed about divergence in size and format of shops compared in this advertising. In general, the AG does not see the information on size and format of shops as always being material to consumers, but in certain circumstances it may become material information. (Par. 68-69)

If the information on the difference between compared shops should have been given to consumers, this would need to occur in the advertisement itself (3), pursuant to the AG. Only such dissemination would assure that the information is provided in a clear, intelligible, unambiguous and timely manner, esp. since choosing to compare prices of goods sold in shops with different sizes/ formats was a voluntary choice of the advertiser. (Par. 78)

Wednesday, 12 October 2016

Putting an end to silos enforcement of consumer (data protection) rights?

Last month, BEUC and the European Data Protection Supervisor (EDPS) held a joint conference on the enforcement of fundamental rights- notably, the right to privacy- in the age of big data. 

BEUC urges all competent authorities to coordinate their actions and strategies in this field, putting an end to "silos" enforcement, which is unable to guarantee equal respect of consumer rights across policy areas. 

BEUC particularly welcomed the EDPS's recently published opinion on "coherent enforcement of fundamental rights in the age of big data", which contains a set of recommendations, Here an excerpt from the study summary:

"The EU institutions and bodies, and national authorities when implementing EU law, are required to uphold the rights and freedoms set out in the Charter of Fundamental Rights of the EU. Several of these provisions, including the rights to privacy and to the protection of personal data, freedom of expression and non-discrimination, are threatened by normative behaviour and standards that now prevail in cyberspace. The EU already has sufficient tools available for addressing market distortions that act against the interests of the individual and society in general. A number of practices in digital markets may infringe two or more applicable legal frameworks, each of which is underpinned by the notion of ‘fairness’. Like several studies in recent months, we are calling for more dialogue, lesson-learning and even collaboration between regulators of conduct in the digital environment. We also stress the need for the EU to create conditions online, as well as offline, in which the rights and freedoms of the Charter may thrive.

This Opinion therefore recommends establishing a Digital Clearing House for enforcement in the EU digital sector, a voluntary network of regulatory bodies to share information, voluntarily and within the bounds of their respective competences, about possible abuses in the digital ecosystem and the most effective way of tackling them. This should be supplemented by guidance on how regulators could coherently apply rules protecting the individual. We also recommend that the EU institutions with external experts explore the creation of a common area, a space on the web where, in line with the Charter, individuals are able to interact without being tracked. Finally, we recommend updating the rules on how authorities apply merger controls better to protect online privacy, personal information and freedom of expression."
According to the opinion, the Digital Single Market strategy represents a good opportunity for taking a more coherent approach. We will see whether the different actors involved will be willing to seize the chance!

Monday, 3 October 2016

Tax increase on consumer goods - an effective nudging tool?

There is an interesting article in today's The Guardian by P. Barkham on how the introduction of a 5p charge for plastic bags last year in the UK has led to significant changes in consumer purchasing behaviours and ultimately contributed to better environment protection (Six billion plastic bags can't be wrong - so what do we tax next?). Logically, you wouldn't think that just the fact that consumers were faced with having a choice of paying less for their groceries if they brought their own bags, would lead to significant behavioural changes, considering the diminutive amount of the price increase. But still... of course, just the fact of having to confirm this additional charge might have been discouraging, as well as could have brought consumers' attention to the reason behind this sudden charge - environmental protection. The author poses a valid question whether tax policy is where we may expect more nudges to occur in the future.

Thursday, 29 September 2016

Online portal for participating in EU legislative processes

Within the Better Regulation Agenda, the EU Commission has launched an online portal over the summer that enables everyone to follow and to contribute to EU legislative processes.

The portal offers the possibility to track the law-making process, following the different phases of the annual Commission work programme, though the roadmaps, impact assessment reports and experts groups. It also offers the possibility to everyone to share their views on drafts that the Commission will take into account when further developing the acts.

See the press release here.

Wednesday, 21 September 2016

Consumers' attitudes to Terms and Conditions (T&Cs)

The European Commission has published a study on "Consumers' attitudes to Terms and Conditions" conducted by a consortium consisting of Ecorys, Tilburg University, University of Amsterdam and GfK. The legal expertise was provided for this study by Marco Loos (CSECL, University of Amsterdam) and Joasia Luzak (CESL, University of Exeter; CSECL, University of Amsterdam). Within the study experiments were conducted to, among other things, examine how quality cues impact consumer attitudes to standard terms and conditions, whether the length and complexity of text of disclosure matters etc. The Commission announces that the results of this study will inform the ongoing review of EU consumer and marketing law, as they are relevant both for the revision of Unfair Contract Terms Directive and the Digital Single Market proposals. No specific plans have yet been announced though.

The final report is available here.

Previous research has shown that when buying products and services online, the vast majority of consumers accept terms and conditions (T&Cs) without even reading them. Although by not reading the T&Cs consumers are disempowering themselves, this behaviour can be viewed as rational from a cost-benefit perspective. As such, it would be unrealistic but arguably also unnecessary to expect all consumers to read and comprehend all T&Cs that they encounter: In most cases these T&Cs will not have an impact on the performances of the parties. On the other hand, even in such cases consumers may want to have a short look at the T&Cs in order to assess the reliability of the trader with whom they are about to conclude a contract. Therefore, this research took on a dual approach as to how to help consumers assess the substantive quality of the T&Cs.
The first approach was to increase readability. We investigated whether readership and understanding would be increased by shortening and simplifying the T&Cs. The assumption was that some consumers are motivated to be informed about (specific parts of) the T&Cs before making a purchase. If consumers are motivated to read the T&Cs, they should be able to understand this information. This approach is in line with the case-law of the Court of Justice pertaining to the requirement in Article 5 of the Unfair Contract Terms Directive (UCTD) that terms and conditions must be drafted in plain and intelligible language. According to the Court, this requirement implies that terms must be drafted in such language that the average consumer can foresee, on the basis of clear, intelligible criteria, the economic consequences which derive from these terms for the consumer. Shorter and simpler T&Cs could contribute to the readability of the T&Cs and therefore to better consumer decisions regarding whether or not to conclude the contract with a particular trader.
The second approach was to create effortless awareness. This approach was not focused on increasing the share of consumers who read the T&Cs per se. Rather, it investigated how consumers can be made more aware of the content of the T&Cs, or at least of the quality thereof, without them spending much more effort. To that extent, we investigated whether trust in the T&Cs and purchase intentions would be increased by adding a quality cue to the online store, such as the presence of a logo of a national consumer organisation accompanied by the statement “these terms and conditions are fair”. The assumption was that when the T&Cs were accompanied by such a statement, consumers would trust the content of the T&Cs more and would therefore be more willing to conclude a contract with that trader compared to traders that did not accompany their T&Cs with such a statement. Again, this may then contribute to better decision-making by consumers regarding whether or not to contract.
On the basis of our findings, we have made the following policy recommendations:
1. To improve readership, T&Cs could be presented in a default exposure format.
- The study shows that where consumers can access the T&Cs by clicking on a link, only a small percentage of consumers (9.4%) opened the T&Cs in the absence of a quality or reading cost cue. When the T&Cs were directly provided on the screen and consumers had to scroll through them, only 22.1% indicated that they did not read the T&Cs at all, compared to the 90.6% in the voluntary exposure experiment. How much readership can be improved by this measure needs to be investigated in further experiments that directly compare free and default exposure conditions on the same outcome measure.
2. To improve readership and understanding, T&Cs could be standardised and presented in a simple and short format, containing no more than the most relevant information.
- From the perspective of general consumer law and product-specific regulations, certain information must be disclosed to consumers by traders. Standardised forms for providing this information may facilitate reductions in length. This study suggests that T&Cs do not need to be long and complex, and traders actually have a commercial and legal interest in keeping T&Cs short and simple.
- When the T&Cs were simplified and shortened, more consumers indicated that they had read the T&Cs. For example, when the T&Cs were extremely short and simple, 26.5% reported to have read the whole T&Cs compared to only 10.5% in the standard long and complex T&Cs condition. Consumers also understood the T&Cs better when they were short and simple. This was found on an objective comprehension test about the content of the T&Cs as well as on consumers’ self-report on how easy or difficult it was to comprehend the T&Cs.
- Moreover, consumers’ attitudes towards the T&Cs were influenced by the length and complexity of the T&Cs. Simple and short T&Cs were trusted more than long and complex ones. Consumers were also more satisfied with the content of the T&Cs, felt less frustrated while reading them, and felt that reading them was more worth their time when the T&Cs were simplified and shortened. It should be emphasised that in this part of the experiment the length and complexity of the T&Cs differed but their substance did not. This suggests that it is indeed the length and complexity of the texts as such that influence the trust that consumers have in the fairness of the T&Cs, irrespective of the content.
- Importantly, consumers indicated that they did not miss relevant information in the short and simple T&Cs. Thus, despite shortening them, the T&Cs appeared to contain all relevant information of the longer version, at least from consumers’ viewpoint. This suggests that the shorter T&Cs were at least equally effective in providing the necessary information as the longer and more complex T&Cs.
- The effects did not depend on whether the online store was domestic or foreign (meaning that the effects were present on both types of online stores), and hardly differed between countries.
- Shortening the T&Cs is in line with other European legislative instruments. In this respect it is important to note that under the Consumer Rights Directive (CRD) traders need to present a list of information items in a clear and comprehensible manner before the consumer is bound by the contract. This information needs to be actively presented to consumers and cannot be buried in the T&Cs. Similarly, relevant practical information could possibly be included in the FAQ section at a website instead of in T&Cs, thus further enabling traders to shorten the T&Cs.
3. To improve readership of T&Cs, a statement with an estimation of the time it takes to read the T&Cs could be added (a reading cost cue). If providing such a reading cost cue is made mandatory it may also work as an incentive for traders to reduce the length of their T&Cs.
- Experiment 2 showed that readership of the T&Cs was influenced by the presence of a reading cost cue. In one condition, we added the message that “reading the terms and conditions takes less than five minutes” next to the link by which the T&Cs could be accessed. This reading cost cue increased the number of consumers opening the T&Cs from 9.4% to 19.8%. Moreover, the time spent on the T&Cs indicated that when a reading cost cue was present, respondents who opened the T&Cs also spent, on average, more time on that page than respondents who opened the T&Cs when no such reading cost cue was present.
4. To increase effortless awareness of the T&Cs, quality cues may be helpful. Customer feedback, national consumer organisation endorsement, and European consumer organisation endorsement cues can be used, as they positively influence trust and purchase intentions. The most positive effects are achieved with a national consumer organisation endorsement cue on domestic online stores, and with a European consumer organisation endorsement cue on foreign online stores.
- Adding a quality cue indicating that the terms and conditions are fair had an effect on consumers’ trust in the T&Cs and their purchase intentions. Adding a customer feedback quality cue, an endorsement by a national consumer organisation, and an endorsement by a European consumer organisation increased trust and purchase intentions. These positive effects were found on domestic as well as foreign online stores (though more pronounced on domestic stores) and on existing as well as non-existing online stores.
- The quality cues were not all trusted to an equal extent. Although all cues had positive effects, a positive customer feedback cue was trusted the least, indicating that (supposed) endorsement by customers is trusted less than (supposed) endorsement by a consumer organisation. Which of the consumer organisation endorsement cues was trusted the most depended on the type of online store. On domestic online stores, a national consumer organisation endorsement cue was trusted the most. On foreign online stores, a European consumer organisation endorsement cue was trusted the most.
- A promise-to-be-fair by the seller and expert endorsement sometimes decreased trust and purchase intentions. This study therefore does not find evidence to support the promotion of such quality cues.
– Adding a quality cue seems to be effective on both familiar and unfamiliar online stores, although the effects appear to be larger on familiar online stores. Preliminary study 2 highlighted that the positive effects of adding a quality cue are more pronounced on existing (familiar) than on non-existing (unfamiliar) online stores. A similar result was found with subjective familiarity. The main study did, however, also find positive effects on non-existing (unfamiliar) online stores (experiment 3). Taken together, these findings suggest that the effects of adding a quality cue are present on existing (familiar) and non-existing (unfamiliar) online stores, although the effects are sometimes more pronounced on existing (familiar) online stores.
- When deciding on whether to add a quality cue to an online store, differences across Member States do not appear to be so large as to warrant that they be given much weight.
5. Policy may also focus on raising general and specific awareness, thus making consumers more aware of their basic rights.
- Both preliminary studies demonstrated that consumers’ knowledge of consumer rights (general awareness) is limited. Interestingly, consumers' self-reported knowledge is not equally low, indicating that consumers are generally unaware of their lack of knowledge.
- In order to raise general awareness, one can think of information campaigns initiated by governments, consumer authorities, or consumer organisations through media channels or at the point-of-purchase (e.g. when entering a mall).
- Finally, policy may focus on raising specific awareness. An example is that information about the delivery period and length of the right of withdrawal and commercial guarantee must be mentioned on the first page/screen of the order form, as this is typically the type of information consumers need before they can make their decisions.

Monday, 19 September 2016

GDPR, e-Privacy Directive and beyond: more certainty and coherence for the online sector (or quite the opposite)?

The interplay of GDPR and e-Privacy Directive

One of the objectives of the General Data Protection Regulation (GDPR), which was adopted earlier this year and will effectively replace Directive 95/46/EC in 2018, was to make the European data protection framework fit for the 21st century. The extensive regulation does indeed bring the existing framework up to date and promises greater uniformity of national standards and interpretations. Driven by the desire to empower data subjects to fully exercise their right to personal data protection (Article 8 of the European Charter of Fundamental Rights, Article 16 TFEU, Article 8 ECHR), the instrument builds on the existing safeguards and extends or clarifies them where it deems necessary. Among many other things, the new data protection regulation strengthens the conditions for a valid consent, ensures that data subjects are provided with information and access to their data and can effectively object to the processing, reiterates the right not to be subject to a measure based on automated data processing and explicitly clarifies that this includes profiling. It also introduces a widely cited right to be forgotten and the equally important right of data portability. All these are correlated with the corresponding obligations of data controllers according to the newly formulated principles of data protection ‘by design’ and ‘by default’. Both principles bring about a significant paradigm shift as they not only require data controllers to ensure data protection compliance ex ante (i.e. already at the planning stage), but also to design standard settings in a way that only the minimum amount of personal data necessary is being processed. The regulation also elaborates on the data controller’s obligation to ensure data security and report data breaches.

In line with the previous personal data protection directive, the principles laid down in GDPR apply to any information concerning an identified or identifiable person (as explained in recital 26). The novelty, however, lies in the clarification that online identifiers provided by devices, applications and protocols as well as location data may be used to identify a person (see further clarification in recital 30). Without going into detail, it seems fair to assume that under the new regime many online identifiers – such as IP addresses, device IDs and cookies, in particular third-party cookies used for profiling and targeting – will be regarded as personal data.

In short, what emerges from the updated data protection act is an increasingly comprehensive regime with an intentionally broad scope of application. Nevertheless, believe it or not, there are still several issues that have not been addressed by data protection framework. These relate more broadly to the protection of privacy (Article 7 of the Charter), and have so far been regulated by Directive 2002/58/EC on privacy and electronic communications (e-Privacy Directive). In the words of the European Commission the directive “sets out rules on how providers of electronic communication services, such as telecoms companies and Internet Service Providers, should manage their subscribers’ data”. It touches upon issues such as: confidentiality of communications, security of networks and services, data breach notifications as well as requirements regarding, among other things, unsolicited commercial communications (spam), storing of information in subscribers’ terminal equipment [Article 5(3) – the source of the ubiquitous cookie consent pop-ups] and processing of traffic and location data. The interplay between e-Privacy Directive and the general personal data protection legislation is mentioned in recital 173 of the GDPR, which stipulates that:

This Regulation should apply to all matters concerning the protection of fundamental rights and freedoms vis-à-vis the processing of personal data which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC of the European Parliament and of the Council, including the obligations on the controller and the rights of natural persons. In order to clarify the relationship between this Regulation and Directive 2002/58/EC, that Directive should be amended accordingly. Once this Regulation is adopted, Directive 2002/58/EC should be reviewed in particular in order to ensure consistency with this Regulation

As a result, the directive is currently undergoing review and has yet again attracted considerable public interest. In August the European Commission presented a summary report on the public consultations which were carried out in this context. A careful, consumer-oriented analysis was, as usual, submitted by BEUC and is now available on its website.

Review of e-Privacy Directive and BEUC response

Why do we need an e-privacy instrument and which services should be included in its scope?

BEUC: While recognising the important developments within the framework of personal data protection, BEUC remains convinced that the e-Privacy Directive should continue to form a lex specialis for the online sector, complementing and particularising the provisions of GDPR. In view of BEUC, sector-specific rules should address, in particular, the issue of data mining and tracking/profiling of users as well as confidentiality of communications. The scope of such an act (ideally – a regulation) should cover both traditional electronic communication services and over-the-top (OTT) services such as Voice over IP and instant messaging (Skype, Whatsapp, Messenger). OTTs are currently outside the scope of e-Privacy Directive, as they do not fall under the definition of an electronic communication service, which requires inter alia "conveyance of signals".

Which issues remain unresolved under the current data protection regime?

Security and confidentiality

BEUC: Providers of electronic communication services should be obliged to secure all communications by using the best available techniques to ensure security and confidentiality. Users should remain free to apply other techniques.

Comment: While the need to ensure security of electronic communications seems undisputed, a potential overlap of the e-Privacy instrument and other pieces of legislation, in particular GDPR, NIS Directive and their implementing acts, should be taken into account. At the same time, there seems to be a strong case to maintain and even extend the scope of existing provisions referring to confidentiality to OTTs, as this issue does not seem to be addressed elsewhere.

Accessing users’ devices (e.g. in order to place a cookie)

BEUC supports the existing consent requirement laid down in Article 5(3) of e-Privacy Directive. More importantly, however, it argues that users should not be prevented from accessing non-subscription based services if they refuse the storing of identifiers (i.e. cookies) that are not necessary to provide the service. Furthermore, according to BEUC, the lifespan of cookies should be linked to their purpose.

Comment: Five years after the implementation of the cookie consent provision, no one dares to deny that the directive failed to achieve its desired impact. Indeed, consent requests are generally treated as a formality and essentially confront the users with a take-it-or-leave-it situation. BEUC proposal appears suitable to address this problem. At the same time, questions relating to the interface between e-Privacy Directive and the remaining EU acquis continue to arise. Couldn’t the requirement to provide users with a clearer and more granular choice and to adhere to the principle of data minimisation be derived from GDPR (now that online identifiers are clearly in its scope)? To what extent could the collection of data for purposes of tracking/profiling, without the knowledge of the user, be considered a misleading omission of material information and potentially an unfair commercial practice? Does anyone still remember the recent UCPD guidance which has actually elaborated on this matter? What about the proposed Digital Content Directive and Distance Sales Directive - shouldn't they have something more to say about this? Is the privacy rationale sufficient to extend the legal effects of Article 5(3) and, consequently, is the e-Privacy Directive the right instrument to regulate this issue? Before reopening of the whole cookie debate once again, it would seem reasonable to first assess where we stand.

Traffic and location data

BEUC: The consent requirement for the processing of traffic and location data should be maintained and the exemptions to this rule should not be broadened. On the contrary, the scope of the provision should be extended to cover GPS location data and Wi-Fi network location data used by information society services in mobile devices.

Comment: Stricter conditions for the lawful processing of traffic and location data (consent requirement for certain types of the processing) along with specific requirements as to erasure or anonymisation of data can indeed be seen as justifiable, given the undeniable privacy concerns at hand. There also seem to be no convincing reasons for maintaining a distinction between data collected by electronic communications service providers and by other information society services providers. At the same time, while understanding BEUC concerns about anonymisation, it needs to be recognised that traffic and location data are essential for the proper functioning of many digital services. The European legislator should therefore make sure that the revised instrument does not throw the baby out with the bathwater.

Unsolicited commercial communications

BEUC argues that marketing messages sent through social media should be subject to the same opt-in obligation that applies to email. Indeed, both channels of communication share certain similarities. In fact, however, unsolicited commercial messages on social media do not seem to present a serious problem and in this domain the issue of targeted advertisements appears much more pressing. 


Beyond doubt, the principles of personal data protection ‘by design’ and ‘by default’ enshrined in GDPR constitute a significant development in the data protection regime. In the technologically-mediated digital ecosystem, where traditional concepts are often difficult to apply and even harder to enforce, an increased focus on ex ante compliance (e.g. already at the stage of designing products/services or programming algorithms) could present a promising way forward. According to BEUC, the concepts of ‘privacy by design’ and ‘privacy by default’ should become “fundamental guiding principles in the online environment”. Given the growing importance of data-driven business models this appears to be a noble aim. The European legislator should, however, also make sure that innovation is not killed on the way – and to ensure that, more clarity as to the practical application and the interdependence of particular legal acts is necessary. 

Friday, 16 September 2016

Effective consumer protection in light of Article 47 EUCFR: Opinion of AG Kokott (C-503/15 Margarit Panicello)

Yesterday, Advocate General Kokott presented her opinion in yet another case on Spanish procedural law and the effective protection of consumers against unfair contract terms (Case C-503/15, Margarit Panicello). We have reported on this blog on earlier cases, most notably Banco Español de Crédito, Sánchez Morcillo and Finanmadrid

The present case stands out, because of the explicit reference to Article 47 of the EU Charter of Fundamental Rights in the request for a preliminary ruling. The 'referring court' (one of the questions at issue is whether the Secretario Judicial - court registrar - can actually be regarded as a court or tribunal for the purposes of Article 267 TFEU) has asked the EU Court of Justice whether certain procedural rules are incompatible with Article 47, in that they preclude the possibility of judicial review. In Spain, there is a special procedure (jura de cuentas) available to lawyers for the recovery of unpaid fees that are owed to them by their clients. Unpaid fees could be a sign of a soured relationship, and lawyers would rather not litigate against their clients; for them, jura de cuentas is a preferably 'evitable' (avoidable) evil. AG Kokott's opinion makes clear why it might be an 'evitable' evil in light of EU law as well.

To relieve the judiciary, the exclusive competence to deal with the jura de cuentas procedure has been transferred to the Secretarios Judiciales. The procedure is optional; lawyers can still choose to initiate court proceedings. The applicable procedural rules preclude the Secretario Judicial to examine ex officio whether the contracts between lawyers and their clients (natural persons), on the basis of which recovery of unpaid fees is claimed, contained possible unfair terms or unfair commercial practices. AG Kokott's conclusion that those rules are incompatible with Directive 93/13/EEC (on unfair terms in consumer contracts) is perhaps not very surprising, against the background of the CJEU's case law. The opinion is more interesting from the perspective of Article 47 of the Charter, which safeguards the right to effective judicial protection against violations of the rights and freedoms guaranteed by EU law. 

In the case of Finanmadrid, the referring court had made a similar reference to the Charter, but the CJEU avoided answering the question related to Article 47 (click here for some reflections on this case). In yesterday's opinion, AG Kokott explicitly adopts the reference to Article 47 of the Charter. And rightly so, because the procedural rules at issue do not only impede the (full) effectiveness of Directive 93/13/EEC, they may also constitute an intolerable interference with "the right to an effective remedy before a tribunal" enshrined in Article 47. As AG Kokott observes (para. 114), when provisions of national law fall within the scope of EU law, it must be assessed whether they are compatible with EU fundamental rights (click here for a further analysis of Case 617/10, Åkerberg Fransson). Moreover, the CJEU has held in Sánchez Morcillo (para. 35) that: 

"the obligation for the Member States to ensure the effectiveness of the rights that the parties derive from Directive 93/13 against the use of unfair clauses implies a requirement of judicial protection, also guaranteed by Article 47 of the Charter, that is binding on the national court (see, to that effect, judgment in Banif Plus Bank, C‑472/11, EU:C:2013:88, paragraph 29). That protection must be assured both as regards the designation of courts having jurisdiction to hear and determine actions based on EU law and as regards the definition of detailed procedural rules relating to such actions (see, to that effect, the judgment in Alassini and Others, C‑317/08 to C‑320/08, EU:C:2010:146, paragraph 49)."

According to AG Kokott, several elements of the jura de cuentas procedure are problematic in light of the required level of consumer protection. These elements are partly considered with respect to the question whether the request for a preliminary ruling is admissible. They are nevertheless relevant for a substantive assessment of the Spanish procedural rules (cf. paras. 104-105 and 115-117). 
  • The first element is the 'reversal of the dispute' or 'shift of initiative' to the client/consumer, who needs to oppose the claim before the proceedings become contradictory (para. 41). Only then, the case will be more closely examined on the merits (paras. 44-47). 
  • Secondly, the decision of the Secretario Judicial is non-appealable and immediately enforceable, even though it does not obtain res judiciata force (paras. 48-50 and 91). In AG Kokott's view, enforcement of the decision is equated - by the Spanish legislator! - with the enforcement of judicial decisions, just like judgments given in preliminary relief proceedings (paras. 51-60). This means that there is neither an obligation for the Secretario Judicial to ex officio examine possible unfair terms, nor an opportunity for the client/consumer to raise a defence that would suspend the enforcement proceedings. 
  • Thirdly, the jura de cuentas procedure concerns a legal dispute (paras. 83-86) and has a mandatory, binding character, even though it is optional for lawyers (paras. 87-88). 
  • Fourthly, even if an ex officio examination of unfair terms would be possible at the enforcement stage, that would not be sufficient, for reasons of both process efficiency and the effectiveness of EU law (paras. 133-136). A decision would still be given and the client/consumer would receive a demand to pay, exercising pressure. Therefore, there is a risk that payment would take place without enforcement proceedings being necessary. 
  • Fifthly, filing opposition against enforcement cannot be compared to having the opportunity to oppose the claim before a decision is given (para. 136). Such an opposition would not suspend the proceedings, and would thus pave the way to the payment of potentially unfair claims (para. 137). 
Although these elements are not listed as such by AG Kokott, they directly support her conclusion that the procedural rules at issue are contrary to Article 47 of the Charter as well as Directive 93/13/EEC (read in conjunction with Directive 2005/29/EC concerning unfair business-to-consumer commercial practices). All these elements resonate with the right to effective judicial protection, which includes - inter alia - the right to an effective, proportionate and dissuasive remedy, respect for the rights of the defence, the right to be heard and the principle of equality of arms. The opinion demonstrates that Article 47 of the Charter can provide a framework for the assessment of procedural rules that govern legal disputes falling within the scope of EU law, in this case: a dispute about a contract possibly containing unfair terms (and unfair commercial practices). If and to what extent Article 47 and the principle of effectiveness or the 'full effect' of EU law overlap, remains to be seen. In this respect, the 'referring court' makes a distinction between judicial review in general (question 1) and ex officio examination under Directive 93/13/EEC (question 2). AG Kokott does not separate the notion of judicial review and Article 47 of the Charter from the context of Directive 93/13/EEC, probably because Article 47 has an accessory character: it always requires a connecting link with a substantive provision of EU law. That does not mean that Article 47 does not have anything to contribute. AG Kokott seems to recognise this in her opinion. 

The question of admissibility has not been addressed in this blog. However, AG Kokott's views as regards the independence of the Secretario Judicial (paras. 71-81) are worth reading. It is interesting to note that the Spanish government has argued that the Secretario Judicial cannot be considered as an 'externally' independent authority, which has sparked a discussion about the transfer of quasi-judicial competences away from the judiciary and the Rule of Law (cf. para. 86). If the CJEU follows AG Kokott's conclusion that the request should be declared admissible, it will be difficult to avoid a reference to Article 47, which is an expression of "the fact that the Union is a community based on the rule of law" (see the Explanations relating to the Charter of Fundamental Rights). 

Thursday, 15 September 2016

Provision of information on a durable medium: AG Bobek on Case C‑375/15

Today, an interesting opinion by AG Michal Bobek has been published. It concerns more directly the field of e-banking, but also touches on a question of more general relevance to consumer law, namely when information can be said to have been "provided" to consumers and what constitutes a "durable medium" allowing prolonged accessibility of the information. 

In the case under review, a bank was using its e-banking mailbox as a tool to communicate changes in its terms and conditions to its customers. The question before the court of justice boiled down to whether this practice complied with the Payment Services Directive (Directive 2007/64/EC), which requires information on contractual changes to be timely provided to consumers on a durable medium. 

The AG starts with pointing out that, in his opinion, "providing" the information is a separate requirement than the "durable medium". 

The "durable medium" requirement has been the object of some discussion; the AG concludes that the most reasonable understanding of this requirement- not only in the context of this directive- is that it does not entail that information should be provided on a physical or "hardware" support, but that only two main characteristics should be guaranteed: 
1) accessibility for an appropriate amount of time; 
2) unaltered "reproducibility", which entails both the possibility to store the information for the consumer and the impossibility for the service provider to alter the contents of said information.

According to Bobek, it will be difficult for internal mailboxes to fulfill these requirements on their own merits- in other words, the mailbox can hardly be the "support" or durable medium on which information is provided. However, they can more easily be a transmission mechanism for the transmission of information on a durable medium- such as, we understand, a PDF file. 

On the other hand, even in case reasons would exist for the national court to consider the information as given on a durable medium, in itself the transmission via internal mailbox cannot be considered as "provision" of information. The information can, under the directive, only be considered to have been "made available" to the consumer. 

Provision of information, according to the AG, can be said to have been accomplished if a further alert is sent to the consumer through an instrument that he would more easily have regular access to- such as a personal email address or home mail. 

Although this seems to set the bar pretty high, the solution presented could still be seen as more lenient to service providers than the Court's precedent in Content Services, which had considered an email containing a link to a webpage not to represent "giving" of information under the Consumer Credit Directive (2008/48/EC). While the AG seems tempted to suggest that Content Services should be overturned or at least delimited, he mostly directs his efforts at distinguishing the two cases, by pointing out that the two directives (Payment Services and Consumer Credit) employ different language and also pursue different goals. Additionally, the AG observes that in a framework service contracts as the one at hand in the present case, the parties can agree that in general communication will take place via internal emails, thus in this case, once a consumer is alerted, "clicking several times or even typing a user name and passwords" are not actions which is unreasonable to require from a consumer to "receive" information sent to them (see para 82).
The opinion addresses several potentially contentious issues- which is confirmed by the fact that several governments (including the Italian and Polish governments) and the Commission intervened in the procedure. 

PS On a side, the opinion also touches on the question of whether the right to be provided information (in a certain way) can be waived by means of consent to standard terms. In this case, the question is not addressed by means of the Unfair Terms Directive- however, the court case stemmed from an injunction by a consumer association which sought to prevent the bank's continued use of a term by which the consumers agreed to information concerning contractual changes being provided in the way discussed. The Commission claimed this was a valid term, the AG disagrees.

Monday, 12 September 2016

AG opinion in Vanderborght (C-339/15): Belgian prohibition of all ads for dental care is EU law-proof.

Last Thursday, AG Bot has delivered his opinion in case C-339/15, a Belgian case concerning the prohibition, in that country, of any form of advertisement relating to dental care.

The national court which has submitted the preliminary ruling request doubts the compatibility of these- quite old- Belgian provisions with primary and secondary EU law- with headings ranging from internal market freedoms to the Unfair Commercial Practices Directive, to the so-called "E-commerce" Directive.

An interesting question that the Court may need to address is whether a similar prohibition can fall under the exception carved out into the UCPD for "health and safety aspects of products", the regulation of which is left unaffected by the directive.

According to AG Bot, the provision does fall under that exception. Looking at the Directive's recitals, the AG observed that under recital 9 makes clear that Member States would "be able to retain or introduce restrictions and prohibitions of commercial practices on grounds of the protection of the health of the consumers". In his view, this observation is reinforced by the fact that according to the commission's guielines on the implementation of the UCPD, all measures adopted by the Member States tgat aim at protecting interests which are not of an economic nature fall outside the scope of the Directive (para 37).  For this reason, the Directive does not apply. 

The e-commerce directive is in principle applicable (para 49), Under article 3 of that Directive, in principle information society services (such as, in this case, online advertising by a professional) are subject to the law of the MS in which the service provider is established. In the case at hand, the professional concerned was located in Belgium- thus the directive sets no obstacles to the applicability of Belgian law.  
According to the Directive's article 8, professionals must be able to give clients information on their activities through the internet; however, in the case of regulated professions, they can only do so provided they comply with the (national) deontological rules of the profession. According to AG Bot, legislation such as that as issue in the main proceesings must "be interpreted as clearly playing a role in ensuring compliance with the rules of deontology regulating the profession of dentist" (para 67). Thus, the AG thinks the restrictions set out by Belgian law may be justified by reasons associated with the compliance with the deontological rules of the profession of dentist. 

In particular, AG Bot explains in the following section assessing the rules' compatibility with treaty law, the protection of public health is such that even quite far-reaching measures, su as the ones discussed in the case, can satisfy the requirement of proportionality (see para 100 and ff). This is both due to the crucial interest that healthcare has for citizens and to the pervasiveness of information asymmetries in this field, which make trust an indespensable element. 

Advertisement of healthcare services and products, according to the AG, is capable of undermining consumer trust. The need to preserve trust is such that negative integration is not desirable and the Union has at several points felt the need to legislate in order to facilitate mobility of providers (para 114).

In any case, the prohibition cannot be unlimited since providers must be able to let the public know of their existence.  This condition, according to the AG, is satisfied as long as a sufficiently detailed publicly available directory exists, "free from enticements or incentives", where names, contact details and areas of expertise are indicated (para 118).

The AG, it seems, considers the disruptive potential of advertisement on patient's trust a given, and bases large parts of his analysis on this fact- it remains to see whether the Court will agree.