The so-called Omnibus Directive 2019/2161[1] is part of the European Union’s ‘New Deal for Consumers’ initiative aimed at amending four legal acts, namely Council Directive 93/13/EEC (unfair contract terms), Directive 98/6/EC (price indications), Directive 2005/29/EC (unfair commercial practices) and Directive 2011/83/EU (consumer rights – “Consumer Rights Directive”) in order to improve and modernise consumer protection legislation and to strengthen their enforceability. The EU Member States must transpose the Omnibus Directive into national law by November 28, 2021 and must apply said national law as of May 28, 2022. In this article we outline key changes introduced by the Omnibus Directive and draw parallels to the implementation of the General Data Protection Regulation by companies (“GDPR”).
The key changes introduced by the Omnibus Directive concern (i) extending the scope of the application of the Consumer Rights Directive to situations where the user “pays with his/her data” for digital content and digital services, (ii) increasing the transparency of online purchases, including information on personalised pricing, as well as on consumer reviews, and (iii) strengthening the enforceability of consumer rights by requiring EU Member States to introduce measures to impose high fines. As concerns (ii), i.e., the increased level of transparency for consumer dealings, a look into the GDPR, in particular into Art. 5 para. 1 lit 1 GDPR on the principle of transparency may serve as an indication that the changes introduced by the Omnibus Directive will have similarities with the EU data protection legislations.
Digital content and digital services in exchange for data
Via the Omnibus Directive, the provisions of the national laws implementing the Consumer Rights Directive will also apply to long distance contracts for the provision of digital content or digital services without the consumer paying a monetary consideration, but in exchange for their personal data. As a consequence, the consumer protection information obligations and the right of withdrawal will apply to those long distance contracts. Digital content and digital services may include, for example, apps, video and audio sharing, file hosting services, webmail, social media, and other website services, such as maps, weather, or travel guides services.
The provisions of the Consumer Rights Directive will, however, not apply to contracts for digital content and digital services if the personal data provided by the consumer are exclusively processed by the trader for the purpose of (i) supplying the digital content or the digital service or (ii) complying with legal obligations which the trader is subject to. There seems to be a parallel between these exceptions under consumer protection law and the justification grounds for the processing of personal data under GDPR, i.e., Art. 6 para. 1 lit. b GDPR (permitting the processing of personal data for the purpose of carrying out a contract) and Art. 6 para. 1 lit. c GDPR (permitting the processing of personal data to comply with a legal obligation). Thus, if – from a data protection law perspective – the trader is processing the consumer’s data based on legal bases other than Art. 6 para. 1 lit. b GDPR or Art. 6 para. 1 lit. c GDPR, in particular if the processing is based on consent (6 para. 1 lit. a GDPR) or legitimate interests (Art. 6 para. 1 lit. f GDPR), this is an indication that pursuant to the new provisions the consumer’s rights under Consumer Rights Directive are triggered.
However, the legal basis for the processing of the personal data is still only an indication and exceptions may apply. For example, recital 35 of the Omnibus Directive states that the Consumer Rights Directive should also not apply to situations where the trader only collects metadata, such as information concerning the consumer’s device or browsing history, except where this situation is considered to be a contract under national law. From a GDPR perspective and taking into account the decision of the Court of Justice of the European Union in the Planet 49 case (C 673/17, October 1st, 2019), depending on the circumstances, in particular the exact purpose and the method of collecting such data (i.e. usage of cookies or similar tracking technologies), the collection and processing of metadata may require consent. In view of the said recital, it appears that the amended Consumer Rights Directive and the legal bases in the GDPR do not exactly correlate. It is therefore recommended to analyse the application of the Consumer Rights Directive separately from the legal basis used for the processing of the personal data taking also into consideration the European Data Protection Board’s guidelines.[2]
Recital 35 provides for another exception for contracts on digital services and digital content: The Consumer Rights Directive shall not apply to situations where the consumer, without having concluded a contract with the trader, is exposed to advertisements exclusively in order to gain access to digital content or digital service. Although no examples are given, it appears that different types of information services or entertainment websites providing users with the possibility to access content without logging in and deriving income from the advertisements that are displayed on the site will be able to benefit from this exemption. On the other hand, the exemption may no longer apply if the trader requires the users to accept the site’s terms and conditions or collects their data for the purpose of personalized advertising (e.g. by relying on consent from a data protection law perspective).
The new consumer protection rules for digital content and digital services in exchange for data might have an impact on the ongoing discussion as to whether or not the provision of a service can be conditioned upon receiving consent to the processing of personal data. In the European Data Protection Supervisor’s (“EDPS”) Opinion 8/2018 on the legislative package “A New Deal for Consumers”, the EDPS expressed his concern that the changes introduced by the Omnibus Directive could mislead service providers to believing that the processing of data based on consent in the context of a contract is legally compliant in all cases. This discussion is particularly relevant in the context of cookies and similar tracking technologies, i.e., can a website deny access if the user does not consent to the usage of cookies? While the amended Consumer Rights Directive applies to a scenario where users receive digital content free of charge but in exchange provide their personal data for purposes other than the provision of the service itself, it does not provide a response from a privacy perspective. Whether or not the provision of a service may be based on consent for the processing of personal data must still be assessed under the GDPR. In other words, companies that use a “free” business model (service in exchange for consent to processing of personal data) will still have to comply with the provisions of the GDPR (see recital 33), including Art. 7 para. 4 GDPR containing conditions for (voluntary) consent. Making the performance of the contract with the consumer conditional upon the consent to process data that is not necessary for the performance of the contract bears the risk of being deemed not freely given and thus, invalid.
Price personalising
Pursuant to the Omnibus Directive, consumers must, where applicable, be informed that the price was personalised on the basis of automated decision-making so that the consumer can decide whether or not to enter into the contract based on a personalized price.
The GDPR provides for specific rules for automated decision-making from a data protection law perspective. If the price proposal is based on the processing of personal data (and not, for example, on the fact that prices are changed in real time according to the market situation), in particular, on the profiling of a person within the meaning of the GDPR and the trader’s decision will produce legal effects or similarly significantly affects the consumer, the trader will be subject to specific obligations for such automated decision-making procedures. Thus, traders that opt for a model based on prices of products or services automatically adapted to the profile of the customer should first analyse how to introduce such a model in accordance with the requirements of the GDPR.
Consumer reviews
Products “recommended” by other users are more attractive to consumers. In case of consumer reviews of products, traders must pursuant to the Omnibus Directive inform about whether and how the trader ensures that the published reviews originate from consumers who have actually used or purchased the product. Thus, companies will have to provide respective processes and procedures. The verification of opinions will therefore very likely have to be linked to personal data of those who provide them, which are currently often anonymous. Consequently, the verification procedures must also be in line with the GDPR, e.g. comply with transparency requirements, purpose limitation, etc.
Can we learn something from the time when GDPR was being implemented?
The Omnibus Directive is an extremely comprehensive piece of legislature,
amending a number of legal acts and at the same time referring to other
regulations, including the GDPR. It will particularly affect businesses that
are focused on online sales and that offer digital services “for free”,
but in consideration of personal data. Companies should get prepared sooner
rather than later and use their lessons learned and their procedures from their
GDPR implementation project.
[1] Directive (EU) 2019/2161 of the European Parliament and of the Council of 27 November 2019 amending Council Directive 93/13/EEC and Directives 98/6/EC, 2005/29/EC and 2011/83/EU of the European Parliament and of the Council as regards the better enforcement and modernisation of Union consumer protection rules also called “Better Enforcement Directive”.
[2] It may be interesting to note that the provisions of Omnibus Directive which refer to providing digital services and content in exchange for personal data were also the subject of European Data Protection Supervisor’s (“EDPS”) Opinion 8/2018 on the legislative package “A New Deal for Consumers”, who expressly advocated for a clarification in case of conflicts between consumer law and data protection law provisions, see https://edps.europa.eu/sites/edp/files/publication/18-10-05_opinion_consumer_law_en.pdf.
