The Proposed Digital Content Directive and its Implications for the Data Economy

Similar documents
EU GENERAL DATA PROTECTION REGULATION

Privacy Policy. To invest significant resources in order to respect your rights in connection with Personal Data about you:

on the legislative package A New Deal for Consumers

GDPR: What Every MSP Needs to Know

Committee on Civil Liberties, Justice and Home Affairs. of the Committee on Civil Liberties, Justice and Home Affairs

INTERNATIONAL WHAT GDPR MEANS FOR RECORDS MANAGEMENT

GDPR & SMART PIA. Wageningen University Feb 2017

Personal data: By Personal data we understand all information about identified or identifiable natural ( data subject ) according to GDPR

Privacy Notice. Stanton Chase Bucharest

Nissa Consultancy Ltd Data Protection Policy

December 28, 2018, New Delhi, INDIA

Data Protection Notice Contact Center

1. The legal basis for data processing, the personal data processed:

Getting ready for the new data protection laws A guide for small businesses, charities and voluntary organisations

Xerox Privacy Notice: Rights of data subjects pursuant to the General Data Protection Regulation

Principles of Personal Data Protection

General Data Protection Regulation (GDPR) Business Guide

TimePlan Education Group Ltd ( the Company ) Data Protection. Date: April Version: 001. Contents

AmCham EU s position on Directive on certain aspects concerning contracts for the supply of digital content

DATA PROTECTION NOTICE

Committee on the Internal Market and Consumer Protection Committee on Legal Affairs

PRIVACY STATEMENT Date: 25 May 2018

PREPARING YOUR ORGANISATION FOR THE GENERAL DATA PROTECTION REGULATION YOUR READINESS CHECKLIST DATA PROTECTION COMMISSIONER

Data Protection Policy. Data protection. Date: 28/4/2018. Version: 1. Contents

Training Manual. DATA PROTECTION ACT 2018 (DPA18) Incorporating General Data Protection Regulations (GDPR) Data Protection Officer is Mike Bandurak

25 April "The member countries are: Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Finland, France,

PRIVACY STATEMENT Date: 25 May 2018

Effective as of 25th May 2018 INTRODUCTION

Data Protection Notice for Business Partners

Data Protection Notice for Business Partners

Whitepaper. What are the changes regarding data protection. in the future. General Data Protection Regulation? eprivacy GmbH, Hamburg, April 2017

THE GENERAL DATA PROTECTION REGULATION: A BRIEF OVERVIEW (*)

General Personal Data Protection Policy

This Notice applies to you if you are a job applicant or other potential employee of the Kao Company.

PRIVACY POLICY. is made in compliance with applicable law. You find our contact details at the last page of this Privacy Policy.

DIGITAL SME Response regarding European Commission's Public Consultation 'Building the European data economy'

Information duties for applicants

Brasenose College Data Protection Policy Statement v1.2

RSD Technology Limited - Data protection policy: RSD Technology Limited ( the Company )

CELESTYAL CRUISES LIMITED SUBJECT ACCESS REQUEST POLICY

PRIVACY POLICY. 1. Who is who in this privacy policy?

VITROLIFE S PRIVACY POLICY

Response to the Questionnaire on Contract Rules for Online Purchases of Digital Content and Tangible Goods

Dealing with the EU Data Protection Regulation in Practice. William Long, Partner Sidley Austin LLP February 11, 2016

Privacy Policy for Suppliers

The new EU data protection Regulation: The business opportunity beyond legal compliance. Kalliopi Spyridaki Chief Privacy Strategist, Europe

Consequences of Brexit in the area of consumer protection. Dr. Malte Kramme

Privacy notice Corporate customer

b. by a controller not established in EU, but in a place where Member State law applies by virtue of public international law.

DATA PROTECTION POLICY VERSION 1.0

GGIS DATA PROTECTION AND PRIVACY POLICY

Privacy Policy for participation in HUGO BOSS EXPERIENCE UK,

EU General Data Protection Regulation (GDPR)

10366/15 VH/np DGD 2C LIMITE EN

Registered Office - Via Mecenate, Milan Tel Fax

EU General Data Protection Regulation ( GDPR ) FAQs External Version - 16 March 2018

Danske Bank International Privacy Notice

Danske Bank International Privacy Notice

P Drive_GDPR_Data Protection Policy_May18_V1. Skills Direct Ltd ( the Company ) Data protection. Date: 21 st May Version: Version 1.

Introduction to the General Data Protection Regulation (GDPR)

SAFECAP PRIVACY POLICY STATEMENT

WHAT YOU NEED TO KNOW [WHITE PAPER] ABOUT GDPR HOW TO STAY COMPLIANT

Information for Business Partners

GDPR factsheet Key provisions and steps for compliance

Committee on the Internal Market and Consumer Protection. Committee on the Internal Market and Consumer Protection

PROPOSAL FOR A BETTER ENFORCEMENT AND

European Parliament Committee on Legal Affairs. Draft Report on the proposal for a CESL ( )

9768/16 BM/dd 1 DG D 2A

Preparing for the GDPR Orla O Hannaidh - Womble Bond Dickinson

GDPR and Canadian organizations: Addressing key challenges GDPR and Canadian organizations: Addressing key challenges

The GDPR enforcement deadline is looming are you ready?

CHECKLIST FOR TASKS NEEDED IN ORDER TO COMPLY WITH GDPR. Legal02# v1[RXD02]

Privacy Policy 2018 VERSION 1.0

Genera Data Protection Regulation and the Public Sector

DATA PROTECTION RECRUITMENT POLICY OF THE EUROPEAN COMMUNICATIONS OFFICE (ECO)

The ICT Service:

Council of the European Union Brussels, 17 December 2018 (OR. en)

General Terms and Conditions for Advertisers

Valid from Approved by Johan Orrenius

Preparing for the GDPR


EDPS Opinion on safeguards and derogations under Article 89 GDPR in the context of a proposal for a Regulation on integrated farm statistics

GENERAL TERMS AND CONDITIONS FOR USING THE JUVENTUS eprocurement PORTAL

SCHOOLS DATA PROTECTION POLICY. Guidance Notes for Schools

Foundation trust membership and GDPR

Pensions Authority Data Protection Considerations for Trustees of Occupational Pension Schemes

Privacy Policy. Which data are processed in detail and how they are used depends on which services have been requested or agreed.

Allied Telesis International BV Business Partner Contact Data Privacy Notice

STROMMA S PRIVACY POLICY

ARTICLE 29 DATA PROTECTION WORKING PARTY

EU General Data Protection Regulation: What Impact for Businesses Established Outside the EU and EEA Francoise Gilbert 1

ACCENTURE BINDING CORPORATE RULES ( BCR )

STROMMA S PRIVACY POLICY

A PRACTICAL GUIDE FOR HOW AN ADVERTISER CAN PREPARE FOR GDPR JANUARY 2018

The new proposal for harmonised rules for certain aspects concerning contracts for the supply of digital content

GDPR-CERTIFIED ASSURANCE REPORT BASED PROCESSING ACTIVITIES

General Data Protection Regulation (GDPR) Frequently Asked Questions

Committee on Civil Liberties, Justice and Home Affairs WORKING DOCUMENT. Committee on Civil Liberties, Justice and Home Affairs

Accelerate Your Response to the EU General Data Protection Regulation (GDPR) with Oracle Cloud Applications

GDPR Factsheet - Key Provisions and steps for Compliance

Transcription:

The Proposed Digital Content Directive and its Implications for the Data Economy Christiane Wendehorst XXXII Nordic Conference on Legal Informatics, 13 November 2017 Proposed Digital Content Directive Proposal of 9 December 2015 for a Directive of the European Parliament and of the Council on certain aspects concerning contracts for the supply of digital content, COM(2015) 634 final Came together with Proposal COM(2015) 635 final, meanwhile replaced by Proposal COM(2017) 637 final, on contracts for the sale of goods Initially not connected with the data economy, but rather with the Commission s failed attempt to introduce a Common European Sales Law, cf. Proposal COM(2011) 635 final, withdrawn in late 2014 Split regime (sale of tangible goods/supply digital content) chosen for mainly political reasons, but hardly fit for the Internet of Things Christiane Wendehorst 2

Proposed Digital Content Directive Council General Approach of 1 June 2017 (No. doc. 9901/17 ADD 1 ) has brought the Proposal still more in line with sales law doctrine and terminology, i.e. with the existing Consumer Sales Directive 1999/44/EC and the proposed Sale of Goods Directive COM(2017) 637 final, and the Unfair Contract Terms Directive 93/13/EEC with regard to unilateral modification of features and termination of long-term contracts Innovative features if any are Ø Explicit extension to contracts where the consumer does not pay a price in money, but provides personal or other data instead Ø Extension to digital services Christiane Wendehorst 3 Proposed Digital Content Directive Supply of digital content or services Toleration of data processing or payment of price in money Provider-to-user contract Non-monetary counter-performance Christiane Wendehorst 4

1. The notion of data as counter-performance 5 Who pays for ( free ) services? Toleration of data processing Non-monetary counter-performance Christiane Wendehorst 6

DCD-Proposal COM(2015) 634 final Article 3 Scope 1. This Directive shall apply to any contract where the supplier supplies digital content to the consumer or undertakes to do so and, in exchange, a price is to be paid or the consumer actively provides counter-performance other than money in the form of personal data or any other data. 4. shall not apply to digital content provided against counter-performance other than money to the extent the supplier requests the consumer to provide personal data the processing of which is strictly necessary for the performance of the contract and the supplier does not use that data for commercial purposes. Christiane Wendehorst 7 EDPS Opinion 4/2017 17. There might well be a market for personal data, just like there is, tragically, a market for live human organs, but that does not mean that we can or should give that market the blessing of legislation. One cannot monetise and subject a fundamental right to a simple commercial transaction, even if it is the individual concerned by the data who is a party to the transaction. Christiane Wendehorst 8

DCD Council General Approach Article 3 Scope 1. This Directive shall apply to any contract where the supplier supplies or undertakes to supply digital content or a digital service to the consumer ( ). It shall not apply ( ) to the supply of digital content or a digital service for which the consumer does not pay or undertake to pay a price and does not provide or undertake to provide personal data to the supplier. It shall also not apply where personal data are exclusively processed by the supplier for supplying the digital content or digital service, or for the supplier to comply with legal requirements to which the supplier is subject, and the supplier does not process these data otherwise. Christiane Wendehorst 9 Sec. 2 German Injunctive Relief Act (2) Consumer protection laws are 11. provisions concerning the admissibility of a) collection. b) processing or use of personal data, relating to a consumer, by a business, where the data are collected, processed, or used for purposes of advertising, market or opinion research, operation of a credit agency, creation of personality and user profiles, address trade, other trade in data, or for similar commercial purposes,. a similar commercial purpose within the meaning of no. 11 of the first sentence does not include, in particular, the situation where a consumer s personal data are collected, processed or used by a business for the sole purpose of the conclusion, performance, or termination of a contractual or similar legal relationship between the business and the consumer. Christiane Wendehorst 10

Three models Inclusion of all contracts except where genuinely free Data not treated in the same way as money But all contracts treated in the same way Processing of data for commercial purposes Data not treated in the same way as money But may trigger the same legal effects in particular contexts Data as counterperformance Data normally treated in the same way as money Implications not fully spelt out in existing drafts Christiane Wendehorst 11 Pro counter-performance model Overdue recognition of the economic reality Awareness-raising among lawmakers and citizens - but: could be achieved without calling data counter-performance Strong impulse for the future extension of certain price-related provisions to data (e.g. information duties and button solution under CRD) - but: could equally be achieved without calling data counter-performance Christiane Wendehorst 12

Trading human rights? Concerns raised in EDPS Opinion 4/2017 arguably misguided: - Inadequate exaltation of the human rights relevance of personal data (irrespective of their nature and the purpose of processing) - Comparison to trade in live human organs totally unacceptable - Opinion ignores the economic reality and the potentials of the data economy - Opinion could be seen as expropriating consumers instead of empowering them Christiane Wendehorst 13 Relationship with GDPR Potential incompatibility with GDPR because data subjects cannot, albeit indirectly, waive their rights (such as to withdraw consent or request erasure) under the GDPR If GDPR prevails we create inconsistencies within the law of contract because a right to withdraw, without any negative legal consequences, one s own counter-performance under the contract would be an alien element Christiane Wendehorst 14

Problem: Unfairness control Article 4 of Directive 93/13/EEC (UCTD) 2. Assessment of the unfair nature of the terms shall relate neither to the definition of the main subject matter of the contract nor to the adequacy of the price and remuneration, on the one hand, as against the services or goods supplies in exchange, on the other, in so far as these terms are in plain intelligible language Qualification of data as counter-performance would automatically mean that relevant clauses are no longer subject to unfairness control (except transparency test) under most national legal systems Negative consequences for consumers would, by far, outweigh any potential gain Christiane Wendehorst 15 2. The anti-tying rule in Article 7(4) GDPR 16

Anti-tying rule Starting point: Requirement of a legal ground (justification) for any processing of personal data, e.g. consent, necessity for the performance of a contract, or legitimate interests Article 7 GDPR Conditionsfor consent. 4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. Christiane Wendehorst 17 Anti-tying rule Anti-tying rule in Article 7(4) GDPR refers to consent having to be freely given In the light of the wording performance it is arguably possible to make the conclusion of a contract dependent on consent (disputed) Consent arguably not freely given where the data subject does not have a reasonable alternative because of the market dominance of a model, taking into account any network effects, and the significance of the service for the data subject (e.g. Facebook) Christiane Wendehorst 18

3. Autonomous or accessory nature of contract law? 19 DCD Council General Approach Article 13a Obligations of the supplier in the event of termination 2. In respect of personal data of the consumer, the supplier shall comply with the obligations applicable under Regulation (EU) 2016/679 ( ). 3. Furthermore, the supplier shall make available to the consumer any digital content ( ) to the extent that it does not constitute personal data, which was uploaded or created by the consumer when using the digital content or digital service supplied by the supplier. in reasonable time The supplier shall also refrain from using any of that digital content Christiane Wendehorst 20

DCD Article 13a: Obligations of the supplier in the event of termination 3.. The supplier shall also refrain from using any of that digital content which this Article requires to be made available to the consumer, unless more than one consumer generated the particular content and other consumers are able to make use of it. Similar rule in Article 16(3) on termination of long-term contracts. GDPR Article 17: Right to erasure ( right to be forgotten ) 1. The. controller shall have the obligation to erase personal data where : (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;.. In some cases, restriction of processing under Art 18 GDPR applies instead Christiane Wendehorst 21 DCD Article 13a: Obligations of the supplier in the event of termination 3. the supplier shall make available to the consumer any digital content ( ) which was uploaded or created by the consumer when using the digital content or digital service. shall not be required to make available to the extent that such digital content only has utility within the context of using the digital content or digital service or which cannot be disaggregated or only with disproportionate efforts. The consumer shall be entitled to retrieve that digital content. in a commonly used and machine-readable format. GDPR Article 20: Right to data portability 1. The data subject shall have the right to receive the personal data in a structured, commonly used and machine-readable format where: (a) the processing is based on consent or on a contract and (b) the processing is carried out by automated means. 2.. the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. 4. The right shall not adversely affect the rights and freedoms of others. Christiane Wendehorst 22

DCD Article 13a: Obligations of the supplier in the event of termination 3. The consumer shall be entitled to retrieve that digital content free of charge, without hindrance from the supplier, in reasonable time GDPR Article 12:.modalities for the exercise of the rights of the data subject 3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.. 5.. any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Christiane Wendehorst 23 Contract lawaccessory to thegdpr? Classical contractual obligations such as making restitution of user-generated content or refraining from its further use are being replaced by mere references to the GDPR Creation of a split regime: for personal data only the GDPR applies, for other data consumer contract law applies, leading to inadequate and inconsistent results Christiane Wendehorst 24

Contract lawaccessory to thegdpr? Exapmple: Consumer C had uploaded her photos to the Cloud of provider P and terminates the contract. Restitution of photos showing individuals, or private homes, or whose file properties include camera or geolocation data that can, together with other data, be associated with a particular individual, is made under Article 20 GDPR, and erasure is subject to Article 17 GDPR (i.e. only upon request; only where data are processed by automated means; without undue delay but at the latest within one month/three months; ) Restitution of other photos, such as fully anonymised photo files showing landscapes, is made under the DCD, and the supplier has to refrain from any further use under contract law (i.e. no request required; in reasonable time;.) Christiane Wendehorst 25 Contract lawaccessory to thegdpr? Where is the limit? Will I be entitled to claim delivery of photos from a photographer, or my proofread manuscript from a proof-reader, or an invoice with my name on it, only under the GDPR because my request is about personal data? What is particularly dangerous are potential implications for standard contract terms control (cf. already the case law of the German Supreme Court in Happy Digits and Payback) Christiane Wendehorst 26

4. Implications of the DCD for the data economy 27 Contractual promises in the data economy GDPR, Data Economy & Co Digital Content Directive (DCD) Processing of data Supply of data Supply of digital content and services Toleration of data processing Controller-to-processor contract Controller-to-controller contract Provider-to-user contract Non-monetary counter-performance Christiane Wendehorst 28

DCD Council General Approach Article 2 Definitions For the purposes of this Directive, the following definitions shall apply: 1. 'digital content' means data which is produced and supplied in digital form, for example video files, audio files, applications, digital games and any other software, 2 1a. 'digital service' means (a) a service allowing the consumer the creation, processing or storage of, or access to, data in digital form ( ); or (b) a service allowing the sharing of or any other interaction with data in digital form uploaded or created by the consumer and other users of that service;. Christiane Wendehorst 29 Data as tradeable commodities Supply of digital content and services is being given a face and distinct legal shape (with implications far beyond B2C contracts) Simple supply of data under a controller-to-controller transaction (almost exclusively B2B contracts) is hardly ever analysed from a contract law perspective This raises questions concerning the relationship between the DCD framework and the Data Economy framework (GDPR, Privacy Shield, Building a European Data Economy Initiative) Christiane Wendehorst 30

Data as tradeable commodities Supply of data Controller-to-controller contract Supply of digital content and services Provider-to-user contract No clear demarcation line between (simple) supply of data in a controller-to-controller transaction and supply of digital content or services Possible criteria: IPR protection, existence of a license, focus on function or information, Do we at all need to draw the line? Christiane Wendehorst 31 Data as tradeable commodities Supply of digital content: Start-up business B requires intelligent software for the development of a new robot and purchases the software from producer P. (Simple) supply of data: Start-up business B requires large amounts of industrial data for the training of a new robot and purchases the data from business S. Christiane Wendehorst 32

Data as tradeable commodities Debate on the DCD focusses on liability for lack of conformity and selected further rights and remedies in a provider-userrelationship Debate on the GDPR and the Data Economy focusses on data privacy, IPR protection, access and portability rights, investment protection, etc. Debatescould and should be merged in orderto avoid inconsistencies Christiane Wendehorst 33 Data as tradeable commodities Both DCD and GDPR ignore controller-to-controller transfers and fail to address their challenges Controller-to-controller transfers are, however, addressed by - standard contractual clauses for the transfer of personal data to third countries (Commission Decisions 2001/497/EC and 2004/915/EC) - EU-U.S. Privacy Shield Framework Principles (Annex II to Commission Implementing Decision (EU) 2016/1250). Disadvantage for European businesses dealing with European data; not enough certainty for making sound investment decisions Christiane Wendehorst 34

Legal issues in the data economy Example: Start-up business B requires large amounts of data for the training of a new robot and purchases these data at the price of EUR 2 million from business S. It turns out that S had gained control of the data a) by way of wrongful collection of machine data of companies I 1 to I 9 ; b) in violation of the GDPR; c) in conformity with the GDPR, but after the data were transferred to B the relevant data subjects withdraw their consent to the processing and request erasure. The data were not protected under IP law, nor under the sui generis protection for databases, nor as trade secrets. B is already far advanced in training the robot. What is the legal situation? Christiane Wendehorst 35 Legal issues in the data economy Example for a research project ALI-ELI Principles for a Data Economy Christiane Wendehorst 36

Conclusions The proposed DCD is essentially a sales law instrument; innovative features if any concern the extension to services and to supply in exchange for data. The human rights argument against any use of data as counter-performance is unconvincing. However, more can be lost than gained by qualifying user data as counter-performance, i.e. the Council takes the preferable approach to the scope of the DCD. Conclusions Article 7(4) GDPR does not entirely preclude the business model addressed in the DCD, but where the consumer does not have a reasonable alternative (e.g. Facebook) businesses must offer also a pay-model. The Council s strategy of treating contract law as accessory to the GDPR, thus creating a different regime for personal data than for other data, is misguided.

Conclusions It is next to impossible to draw a clear line between supply of digital content or services (DCD) and supply of data under a controller-to-controller transaction, i.e. the DCD will have implications for the data economy at large However, the DCD addresses but a very narrow range of issues, and the bulk of really intricate issues arising with contracts in the data economy remains yet to be solved. The Proposed Digital Content Directive and its Implications for the Data Economy Christiane Wendehorst XXXII Nordic Conference on Legal Informatics, 13 November 2017

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback