Digital Consumers and The Law. Towards a Cohesive European Framework
HELBERGER N. and o., Digital Consumers and The Law. Towards a Cohesive European Framework, The Netherlands, Kluwer Law International, 2013
|Abstract|| This book provides a critical analysis of how digitisation affects established concepts and policies in consumer law. Based on evidence of the actual experience and problems encountered by consumers in digital markets, the book offers a ground-breaking study of the main issues arising in relation to the application of general consumer and sector-specific law. An interdisciplinary team of researchers from the Centre for the Study of European Contract Law (CSECL) and the Institute for Information Law (IViR), both University of Amsterdam, combine their expertise in general consumer and contract law, telecommunications law, media law, copyright law and privacy law in a joint effort to point the way to a truly cohesive European Framework for Digital Consumers and the Law.
Topics in this book include the characteristics of digital content markets and how they relate to traditional consumer law; consumer concerns, reasonable expectations and how they are protected by law; the difficult question of the classification of digital content; legal questions triggered by prosumers and underage consumers; the feasibility and future of the information approach to consumer protection; the role of fundamental rights considerations, and the legal implications of an economy that uses personal data as the new currency.
Digital Consumers and the Law is an important analysis for all those interested or involved in the regulation of digital content markets. With its comprehensive discussion of a wide range of fundamental as well as praxis-oriented questions, it is an essential read for academics, policy makers, members of the content industry as well as consumer representatives.
|Topics||Business Model, Consumer, Contract, Data Protection, Security, Information Security, Technology, Transparency|
- 1 Notes
- 2 P. 53 ss. (Pre-contractual Information Requirements for Digital Content)
- 2.1 Are existing legislative information obligations applicable to digital content products?
- 2.2 Do existing legislative information obligations address all the information needs of consumers of digital content products?
- 2.3 Do existing legislative information obligations address also the issues concerning not the content of the information to be provided, but its form?
- 2.4 How can consumers be guaranteed not only information about the particular terms and conditions on one supplier, but also the ability to compare the terms and conditions between various suppliers?
- 2.5 How can consumers be protected from information excess and receive only the information that they actually need?
- 2.6 How can compliance with the form requirements be guaranteed while taking into account that is not necessarily always in the interest of suppliers to be clear and unambiguous about certain aspects of their offer?
- 2.7 How will it be decided whether the information approach is actually the best and most effective form of protecting and empowering consumers?
- 2.8 Summarizing
- 3 P. 81 ss. (Conformity and Non_Conformity of Digital Content)
- 4 P. 149 ss. (Money Does Not Grow on Trees, It Grown on people: Towards a Model of Privacy as Virtue)
P. 53 ss. (Pre-contractual Information Requirements for Digital Content)
CJEU, case 362/88, GB-INNO v. Confédération du Commerce Luxembourgoise, § 18: “under Community law concerning consumer protection the provision of information to the consumers is considered to be one of the principal requirements”.
Consumer information is particularly relevant when dealing with digital content, because its usability depends for the most part on licensing conditions (when digital content is protected by copyright) and technology.
Indeed, in an analog context, there are standardized and well-known benchmarks (which depend on the intrinsic characteristics of analog goods – accessibility to the embedded corpus mysticum – if present – is possible without reproduction; there is no need for complementary devices of a particular brand to use the good; uses that are susceptible to harm the provider of the good are not easy to put in place) that establish what can be done with the good. On the contrary, when we have digital goods, on one hand it is potentially possible to put in place all kind of (harmful) activities simply using an initial single copy of a work, but on the other hand the simplest activities may be prevented through technology: i.e. there are no intrinsic features when dealing with digital content.
It is therefore important for consumers to be informed about the interoperability (need for particular hardware or software requirements; technical tying to goods or services of a particular brand) and the functionality of the product (DRM, TPMs, region code, tracking of consumers' behavior).
Other aspects on which consumer may be interested of being informed are licensing conditions, quality of the digital product, the collection and processing of personal data, professional standards and codes of conduct, legal information (legal information is about consumers' legal rights, cancellation policies, instructions for reporting a problem to the trader, remedies, etc.).
We must answer to a series of questions when dealing with consumer information needs about digital content and the satisfaction of these needs by legislation:
Are existing legislative information obligations applicable to digital content products?
In general contract and consumer law: we may refer to the DIRECTIVE 2011/83/EU on consumer rights, which expressly refers to digital content; for the rest, information obligations haven't normally being written having digital content in mind, or their applicability has been even excluded when dealing with digital content. In sector-specific law, often the obligations have been written specifically for digital content.
Do existing legislative information obligations address all the information needs of consumers of digital content products?
At p. 61, HELBERGER answers affirmatively: it is true that, depending on the type of product, a different legislation applies, but we can anyway find five different types of pre-contractual information more or less present in the different domains: information about the contracting party; performance-related information; price-related information; term-related information; legal information. In article 5 of the DIRECTIVE 1999/44/EC on certain aspects of the sale of consumer goods and associated guarantees we can find the requirement of informations of all these types. Moreover, “[w]ith the enactment of CRD, […] much of the legal uncertainty regarding the duty to inform consumers about functionality and interoperability of digital content products has been removed” (HELBERGER, p. 63).
“What remains unclear is whether suppliers are only required to inform consumers about technical restrictions or also about contractual restrictions” (p. 64): but HELBERGER itself affirms (p. 64) that the obligation of specifying the rights and obligations of both contracting parties (?) and of making the terms available before the conclusion of the contract (in CRD we can find several times: “before the consumer is bound by a contract”) implies information obligations about licensing conditions. Problems may remain when services are not supplied on the basis of a contract (e.g. broadcasting and radio services): here do we have an information obligation?
Finally, if we consider information about privacy, data protection law already obliges traders to provide consumers with information prior to the processing of their personal data (DIRECTIVE 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, art 7: “[...] personal data may be processed only if: (a) the data subject has unambiguously given his consent”); however, we may question if the notion of informed consent is still sufficient to protect consumers' privacy, especially considering the role personal data have in the new economy: not a by-product of economic activity, but an economic asset in its own right (HELBERGER p. 65); “as well as being a commodity in its own right, data is the motor and fuel which drives the information society” (Information Technology Law, p. 15).
“Moreover, failure to comply with the duties to inform consumers about the main characteristics of products and services triggers sanction under consumer sales law, the law of unfair commercial practices, and contract law” (HELBERGER, p. 59). And also failure to comply with the informed consent established by the Data Protection Directive may lead to a misleading practice. So also Directive 1999/44/EC (Consumer Sales Directive), Directive 2005/29/EC (Unfair Commercial Practices) and Directive 95/46/EC (Data Protection Directive) can be useful in this domain.
DIRECTIVE 2011/83/EU on consumer rights (Consumer Rights Directive). Recital 19: “Digital content means data which are produced and supplied in digital form, such as computer programs, applications, games, music, videos or texts, irrespective of whether they are accessed through downloading or streaming, from a tangible medium or through any other means. Contracts for the supply of digital content should fall within the scope of this Directive. If digital content is supplied on a tangible medium, such as a CD or a DVD, it should be considered as goods within the meaning of this Directive. Similarly to contracts for the supply of water, gas or electricity, where they are not put up for sale in a limited volume or set quantity, or of district heating, contracts for digital content which is not supplied on a tangible medium should be classified, for the purpose of this Directive, neither as sales contracts nor as service contracts. For such contracts, the consumer should have a right of withdrawal unless he has consented to the beginning of the performance of the contract during the withdrawal period and has acknowledged that he will consequently lose the right to withdraw from the contract. In addition to the general information requirements, the trader should inform the consumer about the functionality and the relevant interoperability of digital content. The notion of functionality should refer to the ways in which digital content can be used, for instance for the tracking of consumer behaviour; it should also refer to the absence or presence of any technical restrictions such as protection via Digital Rights Management or region coding. The notion of relevant interoperability is meant to describe the information regarding the standard hardware and software environment with which the digital content is compatible, for instance the operating system, the necessary version and certain hardware features. The Commission should examine the need for further harmonisation of provisions in respect of digital content and submit, if necessary, a legislative proposal for addressing this matter.”
Art. 5(1): “Before the consumer is bound by a contract other than a distance or an off-premises contract, or any corresponding offer, the trader shall provide the consumer with the following information in a clear and comprehensible manner, if that information is not already apparent from the context: (...) (g) where applicable, the functionality, including applicable technical protection measures, of digital content; (h) where applicable, any relevant interoperability of digital content with hardware and software that the trader is aware of or can reasonably be expected to have been aware of.”
Do existing legislative information obligations address also the issues concerning not the content of the information to be provided, but its form?
From a study by Europe Economics in 2011, it emerges that between 16% and 44% of digital consumers don't understand the information provided to them (for reasons like complexity and technicality on the language, small font, layout, length).
Moreover, consumers that actually read the information provided are the minority (for reasons similar to the above-mentioned.
The legislator, if he decides to choose a mandatory information approach instead of bans and legal requirements, should make the information accessible and useful. For example, information should be framed in a way that points consumers towards real-life implications: information should not only be clear and unambiguous, but also instructive. Information should also be presented in the correct time and context: if information is provided when I need it, I'm more interested in reading it (e.g. separate buttons for the different part of the terms and conditions, information in the section of the website where it is more relevant, labels (also Antonio has suggested that), instructions, FAQs.
Information prioritization can also be a solution: it is particularly relevant when information is visualized from small screens; the Consumer Rights Directive – art. 8(1), '“Formal requirements for distance contracts” – says: “With respect to distance contracts, the trader shall give the information provided for in Article 6(1) or make that information available to the consumer in a way appropriate to the means of distance communication used in plain and intelligible language. In so far as that information is provided on a durable medium, it shall be legible.” Moreover, Recital 36 says that when information is accessed via devices with small screens, the key information should be made available online at first, with a link or address where the consumer can find the rest of the obligation (“In the case of distance contracts, the information requirements should be adapted to take into account the technical constraints of certain media, such as the restrictions on the number of characters on certain mobile telephone screens or the time constraint on television sales spots. In such cases the trader should comply with a minimum set of information requirements and refer the consumer to another source of information, for instance by providing a toll free telephone number or a hypertext link to a webpage of the trader where the relevant information is directly available and easily accessible.”).
How can consumers be guaranteed not only information about the particular terms and conditions on one supplier, but also the ability to compare the terms and conditions between various suppliers?
Informed choice is also a question of being able to compare different products, not only of being able of choose or refuse a particular product. For information to be comparable, there is need for an ontology in the presentation of information. Also third-party recommendation services may help users. Recital 32 of Consumer Rights Directive deals with the availability of comparable information, stated as important not only consumer interests, but also for the competitiveness of the market (“The availability of transparent, up-to-date and comparable information on offers and services is a key element for consumers in competitive markets where several providers offer services. End-users and consumers of electronic communications services should be able to easily compare the prices of various services offered on the market based on information published in an easily accessible form.”). The Recital also talks about making information available to third parties (see BRODI about Smart Disclosure). See also art. 21 of the Directive. All this should be extended even beyond the communications sector.
How can consumers be protected from information excess and receive only the information that they actually need?
Information is not always provided to reduce information asymmetries, but also for other purposes, e.g. for misleading consumers. The Directive of unfair commercial practices has a broad definition of UCP (art. 5(2)) and it covers any activity connected with the promotion, sale or supply of a product to consumers (art. 2(d)). An excess of information can actually distort the “economic behavior of consumers” (art. 5(2)): e.g. they are dissuaded from reading it.
Moreover, the CRD, art. 6(2), says: “As regards compliance with the information requirements laid down in this Chapter, the burden of proof shall be on the trader.” If we could state that the burden of proof concerns not only the provision of information, but also its provision in an effective and consumer-friendly way, this may be of help. Indeed, providers not always have incentives for making information provided understandable for consumers.
How can compliance with the form requirements be guaranteed while taking into account that is not necessarily always in the interest of suppliers to be clear and unambiguous about certain aspects of their offer?
How will it be decided whether the information approach is actually the best and most effective form of protecting and empowering consumers?
[[Information obligations stress party autonomy. Substantive rules, on the contrary, determining the features and characteristics contracts should have, are the result of a balancing process, aimed at standardizing certain consumer expectations, rights and legitimate interests.]]
For example, German copyright act requires information about TPMs; French law bans incompatible digital content services as the result of the application of DRM technologies.
Considering the fact that only a small fraction of consumers understand or even read pre-contractual information provided, consumer information may not be the best way to protect consumer interests
[[CC1::CC8::U1::U10::U11::U12::When dealing with digital content, it seems particularly important to provide some substantive rules, because – when digital content is involved – “no clear benchmark exists of what consumers can reasonably expect from digital products”: indeed, “[d]ue to the intangible nature of most digital content products, the main characteristics are basically a matter of technical configuration and terms of licensing – factors that can vary from supplier to supplier and from product to product. Because of the lack of an objective benchmark, once consumers have been informed about usage restriction, they can no longer claim that the use of restrictive DRM technology constitutes a case of non-conformity. In this way, consumer information can result in a creeping degradation of traditional user freedoms” (HELBERGER, p. 77). Indeed, when an information approach is followed, it is information that shapes the expectations of consumers and the level of protection guaranteed to them, and with digital products even the bastion of objective benchmarks – that exist with analog products, because of their objective usability features – falls. With digital products, some standardization through substantive mandatory rules may help to grant a minimum set of reasonable expectations.]]
This standardization may be industry-driven, or the result of a formal legal process, or the result of the operation of an independent regulatory authority.
A positive effect would be the reduction of information burdens for traders and consumers.
The French Hadopi is an example of an existing government agency responsible for setting standards for digital content.
If we follow an information approach, there is need for assessing what information requirements are applicable to digital content, if they satisfy all the information needs of consumers, if they prescribe not only the content, but also the form of information (information framing, no information excess, information comparison); if adequate rules exist, and if traders respect them, we can say that transparency is satisfied; but, seen the absence of objective benchmarks when dealing with digital content, we may also question if transparency is sufficient, or if some mandatory rules that provide some standardization of digital content products wouldn't better satisfy the objective of an high level consumer protection pursued by the EU.
P. 81 ss. (Conformity and Non_Conformity of Digital Content)
DIRECTIVE 1999/44/EC on certain aspects of the sale of consumer goods and associated guarantees, art. 2 (“Conformity with the contract”):
1. The seller must deliver goods to the consumer which are in conformity with the contract of sale.
2. Consumer goods are presumed to be in conformity with the contract if they: (a) comply with the description given by the seller and possess the qualities of the goods which the seller has held out to the consumer as a sample or model; (b) are fit for any particular purpose for which the consumer requires them and which he made known to the seller at the time of conclusion of the contract and which the seller has accepted; (c) are fit for the purposes for which goods of the same type are normally used; (d) show the quality and performance which are normal in goods of the same type and which the consumer can reasonably expect, given the nature of the goods and taking into account any public statements on the specific characteristics of the goods made about them by the seller, the producer or his representative, particularly in advertising or on labelling
3. There shall be deemed not to be a lack of conformity for the purposes of this Article if, at the time the contract was concluded, the consumer was aware, or could not reasonably be unaware of, the lack of conformity, or if the lack of conformity has its origin in materials supplied by the consumer.
4. The seller shall not be bound by public statements, as referred to in paragraph 2(d) if he: — shows that he was not, and could not reasonably have been, aware of the statement in question, — shows that by the time of conclusion of the contract the statement had been corrected, or — shows that the decision to buy the consumer goods could not have been influenced by the statement.
5. Any lack of conformity resulting from incorrect installation of the consumer goods shall be deemed to be equivalent to lack of conformity of the goods if installation forms part of the contract of sale of the goods and the goods were installed by the seller or under his responsibility. This shall apply equally if the product, intended to be installed by the consumer, is installed by the consumer and the incorrect installation is due to a shortcoming in the installation instructions.
To apply this conformity test to digital content, we must first of all consider if the definition of “tangible movable good” can apply to the product considered, and if the contractual relationship concerning the product allows the application of this Directive (in fact, the Directive deals with “sales”). Concerning the second point, “it need not matter whether the contract is classified as a contract for sale or services, as the conformity test could, in principle, apply to both types of contract” (HELBERGER p. 86); “the conformity test in practice is used also with regard to lease contracts and services contracts” (HELBERGER, p. 108).
From the conformity test of art. 2(2) of the Directive, it can be inferred that non-conformity is present when the consumer legitimate expectations are not satisfied: these expectations could come from the presentation by the trader of the qualities of the product, from the confirmation by the trader that a particular use of the product wanted by the consumer is possible, from the ordinary purposes, quality and performance of goods of the same type.
The problem – with digital content – is that it is difficult to establish “ordinary” features, because of the lack of objective benchmarks (new phenomenon, no standards, rapid technological developments...).
It is doubtful that abstract considerations could be taken into account when determining product conformity. One exception could be mandatory rules established by – for example – data protection or copyright law: if we have mandatory rules, and the product doesn't respect them (e.g. it processes personal data without prior consent of the consumer, or it doesn't allow to make a back-up copy if the product is a software), this constitutes a lack of conformity. But we have also to remember that, even if there are non-mandatory rules or no rules at all, we can anyway have a lack of conformity when consumer's legitimate expectations are not satisfied.
Statements given by the product provider are of great importance in determining the legitimate expectations of consumers. And this is partly a problem, because in this way the conformity test may be manipulated by the product provider: his statements become a “self-fulfilling prophecy” (HELBERGER p. 89). It is true that the existing legislative framework may be a partial correction, and the ordinary features of similar products also, but we have to remember – for what concerns these ordinary features – that “given the fact that there is no standard (yet) to indicate what constitutes “normal use” or “ordinary use of the digital content, this criterion is often of little use” (HELBERGER p. 89).
We can summarize stating that legitimate expectations depend on industry statements and on more objective notions (legislation, ordinary use, similar products, state of the market, state of technology...).
When dealing with digital content, there are main three types of conformity problems (HELBERGER, p. 91):
Accessibility, functionality and compatibility issues
We have non-conformity (it may depend both on technical problems and DRM) if the consumer was entitled to continuous access but there are access problems, or if the digital content is not provided within the time necessary to perform its function.
When – because of TPMs or incompatibility of formats and standards – the consumer can't access digital content or transfer it to another device and make use of it according to its ordinary or specifically agreed purpose, it constitutes a lack of conformity, unless, before the conclusion of the contract, the consumer wasn't “properly informed of such restrictions, and such restrictions cannot be said to constitute an unfair contract term, an unfair commercial practice, or an unlawful restriction of fundamental rights such as the right to information or the right to privacy” (HELBERGER p. 94); therefore, we also have to examine the Consumer Information Directive about the information requirements, the Directive on Unfair Terms in Consumer Contracts about unfair contract terms, the UCP Directive about unfair commercial practices, the Data Protection Directive about privacy, etc.; in Germany, when digital content is protected by TPMs, it must be labeled as such, and, when it isn't, it is a case of non-conformity.
[[CC8::TC2::TC3::TC4::Traders may also use TPMs to secure future trade: the lack of interoperability causes a lock-in phenomenon: if I want to continue to use the digital content purchased, I have to use a hardware of a particular brand, and, if it breaks, I have to purchase another of the same brand: if consumers weren't informed prior to the conclusion of the contract, this is a lack of conformity; if they were informed, consumer sales law can't help, but perhaps competition law and UCP law can.]]
Consumers should also be informed of the presence of region codes, otherwise it is a lack of conformity.
Lack of interoperability may depend on TPMs but also on problems of standard and format incompatibility: today, the CRD imposes an obligation to inform consumers about TPMs and interoperability: when it isn't provided, it is a breach of trader's information obligation, but also a lack of conformity of the product.
So, about interoperability: if information isn't provided about lack of interoperability because of standard/format incompatibility or because of TPMs, it is a violation of information obligation according to CRD and a non-conformity of the product according to Consumer Sales Directive; if information is provided, and it is provided in a way that makes consumer's legitimate expectations of interoperability (we may question if an information provided in a way that can't make the consumer's legitimate expectations fall allows the applicability only of the Consumer Sales Directive or also of the CRD, seen that – in the latter – the burden of proof of the compliance with the information requirements belongs to the trader, but it is unclear if he has to prove only the formal satisfaction of the requirement or also the effectiveness of the information provided), these Directives can't help, but the UCP Directive and competition law perhaps can.
Bad or substandard quality
DIRECTIVE 85/374/EEC on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products (Product Liability Directive), art. 6(2): a “product shall not be considered defective for the sole reason that a better product is subsequently put into circulation”.
Parties may agree about the substandard quality of the product, and it isn't a problem.
[[CC1::CC16::U3::The digital content should be used with operating system and software normal at the time the contract is concluded.
Technological developments may soon make out-dated the product purchased: for these reasons, normally consumers are enabled to frequently update the digital content: if parties have agreed upon these updates, and they are no longer provided, this is a breach of contract; when there is no explicit agreement, “it could be argued that consumers would have to be able to make use of the digital content for a reasonable period of time” (HELBERGER, p. 103): we have non-conformity when the normal purpose of digital content is to be used for a certain period of time, and due to technological progress the use is no more possible for that period, as the technological development should and could have been foreseen at the moment the contract was concluded, because art. 3(1) of Consumer Sales Directive says that: “The seller shall be liable to the consumer for any lack of conformity which exists at the time the goods were delivered”. “The same would apply if the trader discontinued the online service the consumer needs to be able to use the digital content” (HELBERGER, p. 103): but this only if the consumer wasn't informed about and if this discontinuity could have been foreseen at the moment the contract was concluded; if these conditions aren't satisfied, it may be a breach of the long-term contract, but not a lack of conformity. But the consumer can't reasonably expect that such updates will be available for an unlimited amount of time, even in exchange for remuneration, “as at a certain point it may be commercially inviable to provide such updates if the product itself has become obsolete. The reasonable expectations of consumers would then dictate when their right to be able to continue to use the digital content subsides” (HELBERGER p. 104).]]
Flaws, bugs and other security and safety matters
The decisive point is whether the digital content meets the reasonable expectations consumers may have of the product.
[[CC10::U1::Long-term contracts: it is easier to apply the conformity test when digital content is delivered on data carrier or through download. Because we have more case law. When, on the contrary, the content is transferred only for a limited period of time or it can be used for a determinate number of times, or it is accessible by consumers, but I remains under the control of the provider, we have less experience about. In this case, we are dealing with contract that don't resemble much to sales contracts, but to service or lease contracts.
The main problem is the question if the conformity test takes care of the fact that in long-term contracts “the digital content should not only conform to the contract at the start of the contract period but also throughout the contract period” (HELBERGER p. 108). Moreover, if the digital content is provided through the Net, can we apply the Consumer Sales Directive, according to the fact that it applies only to tangible movable goods?
There is probably need for a general provision “indicating that where the digital content is not provided on a one-time permanent basis, the trader must ensure that the digital content remains in conformity with the contract throughout the contract period” (HELBERGER p. 110).]]
P. 149 ss. (Money Does Not Grow on Trees, It Grown on people: Towards a Model of Privacy as Virtue)
Personal data is the “digital currency” (HELBERGER, p. 149): in the digital market, we have several examples of barters between “free” digital services and personal data.
Privacy and Data Protection are not the same right: the first is in Art. 7 of the Charter of Fundamental Rights of the EU, the second is in Art. 8.
Respect for private and family life
Everyone has the right to respect for his or her private and family life, home and communications.
Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
Privacy is a negative liberty, a freedom in the sense of absence of control by others: the right to be let alone.
Data Protection is a right closely linked to the rise of modern technology: like privacy, it gives importance to restrictions, prohibitions and control, but also to the fairness and transparency and proportionality of the processing of personal data. DIRECTIVE 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive) and DIRECTIVE 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (e-Privacy Directive, which contains more specialized rules for the telecommunications sector) are the most important EU documents about data protection.
The Data Protection Directive applies when “personal data” are “processed” under the authority of the “controller” of the personal data on the territory of the EU.
“Personal data” and “processing” are defined very broadly (art. 2 (a) and (b)). The controller is “the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data” (art. 2 (d)). Data protection rules apply when “the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State” or when “the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State” (art. 4 (a) and (c)).
Non-sensitive data may be processed only on six legitimate basis, and the most important is if the data subject has given his unambiguous consent (another reason is when it is necessary for the performance of a contract): art. 7. When we have sensitive personal data, there is need for an explicit consent (the other reasons are less important, and they not include the contract performance): art. 8.
1. Member States shall provide that personal data must be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;
(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.
2. It shall be for the controller to ensure that paragraph 1 is complied with.
Letters (b), (c) and (e) of art. 6 of the Data Protection Directive are called the “data minimization principle”: personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected, and they may be kept in a form that permits identification of the data subject for no longer than is necessary for the purposes for which the data were collected, and they may be collected only for specified, explicit and legitimate purposes and no further processed in a way incompatible with those purposes.
Artt. 10 and 11 are about the transparency principle: they clarify the information to be given to the data subject about the data processing.
Art. 12 of the Data Protection Directive is about the right to access, which includes the right to obtain from the controller “communication to him in an intelligible form of the data undergoing processing and of any available information as to their source”.
The core of the right to data protection is often found in the “informed consent”: a consent by the data subject on the processing of hos personal data, a consent based on detailed information about which personal data is processed, by whom, for what purpose, for how long, in what manner etc.
[[CC10::CC4::TC6::With digital content, we may question if the “browse-wrap” consent which is often given by the consumer simply using the website respects the notion of informed consent: paradoxically, the website must be used in order to read the contract, or even become aware of its existence; and anyway it isn't sure if the consumer has read the contract and so if his consent is informed, or even if it can be qualified as a consent. So, if a browse-wrap contract entails the processing of personal data for reasons that are not strictly necessary for the performance of the contract itself, it can be questioned if this processing would be legitimate under the Data Protection Directive (HELBERGER pp. 158-159).
Art. 2 (h): “'the data subject's consent' shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”.
Art. 7: “[...] personal data may be processed only if: (a) the data subject has unambiguously given his consent”.
Moreover, the consent should be “freely given”, and it is questionable that a consent through browsing could be considered freely given.]]
Data breaches may happen when the information duty isn't respected, for example, and also when the requirements concerning the fair and secure data processing aren't respected: personal data must be process fairly and lawfully (art. 6); art. 17 is about the security of processing, and for example controllers are required to adopt appropriate technical measures to avoid data leaks. The obligation is though a obligation of means, not an specific-result obligation.
When the processing is taken by a processor (Art. 2(e): “a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller”), the processor must choose a processor providing sufficient security guarantees, and must ensure compliance with those measures. That means that, if a data breach comes from the processor (which can simply be an actor which hosts personal data on behalf of the controller), not only the processor may be responsible if he hasn't respected his obligation of means, but also the controller may be responsible if he hasn't correctly chosen the processor or if he hasn't assured his compliance with security measures.
Security of processing
1. Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.
2. The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.
3. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:
- the processor shall act only on instructions from the controller,
- the obligations set out in paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.
4. For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in paragraph 1 shall be in writing or in another equivalent form.
The e-Privacy Directive contains some telecom-specific privacy rules related to data breaches, cookies and spam, among others. It has been amended by DIRECTIVE 2009/136/EC (Citizens' Rights Directive). Art. 4 (about the security of data processing) of the e-Privacy Directive has been amended.
1. The provider of a publicly available electronic communications service must take appropriate technical and organisational measures to safeguard security of its services, if necessary in conjunction with the provider of the public communications network with respect to network security. Having regard to the state of the art and the cost of their implementation, these measures shall ensure a level of security appropriate to the risk presented.
2. In case of a particular risk of a breach of the security of the network, the provider of a publicly available electronic communications service must inform the subscribers concerning such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, of any possible remedies, including an indication of the likely costs involved.
But what is an electronic communication service? “In general terms, an electronic communications service is a conveyance service for signals, for example a fixed or mobile telephone service” (http://www.ofcom.org.uk/static/archive/oftel/ind_info/eu_directives/).
About cookies, the amended e-Privacy Directive says that the placing of a tracking cookie is allowed only if the subscriber or user concerned has given his consent, having been provided with clear and comprehensive information in accordance with the Data Protection Directive, inter alia, about the purposes of the processing.
Old text of art. 5(3) e-Privacy Directive:
“Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.”
New text of art. 5(3) e-Privacy Directive: “Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”
The new definition deals with “consent”: and it is questionable if the information and the consent requirements are satisfied when the consent is most commonly derived from the browser settings of a computer, which by default accepts all or most cookies (HELBERGER, p. 161).
Privacy as currency (HELBERGER p. 162). The processing of personal data is today not only a method to facilitate the core business model, but it is becoming the core of the business model. This collection may be done explicitly through registration forms, tacitly through sharing personal information on social network, or secretly via cookies. Cookie: it is placed on an Internet user's computer and enables that computer to be recognized during subsequent visits; they may be functional when cookies when used for a service explicitly requested by an Internet user; they are tracking cookies when used to minutely register the Internet behavior of Internet users (HELBERGER, p. 160).
The barter of personal data in return for free Internet services raise several legal issues:
1. privacy and data protection: 1) can a right which deals with autonomy, dignity and freedom of citizens be capitalized?; 2) can we talk of informed consent, if most Internet users are unaware of this barter?;
2.[[CC4::unfair commercial practices: can we consider as a misleading practice the fact of giving apparently free service, actually to collect in exchange personal data? In fact, misleading practices may concern also false or deceiving information about price (art. 6(1)(d) UCP Directive), but we have to remember that for the application of the Directive the misleading practice has to have an influence on the average consumer's behavior (some consumers may decide not to access the service if they know about the fact that data collection is the price for it, but the average consumer will?); but we also have to consider that we have some practices that are aways unfair (see Annex I of the Directive): among these, we have one about the fact of describing a product as gratuitous when actually the consumer has to pay anything other than the unavoidable cost (n. 20), and another about the trader who falsely claim or create the impression that he is not acting for purposes relating to his business, trade, craft or profession (n. 22). Here there is no need to demonstrate an influence on consumers' behavior.]]
3. contract law: if we see this exchange as a barter, rules of contract law should apply; we may refer to PECL (Principles of European Contract Law): art. 2.102 is about intention of parties to be bound, and it is questionable that the consumer has the intention to be bound, seen that most times he is unaware of the barter itself (so it is questionable that when we have browse-wrap contracts there is an intention of the consumer to be bound); art 2.104 is about terms not individually negotiated, and this is the case of most of those barters: these terms may invoked by a party against the party that doesn't' know them only if it is proved that reasonable steps were taken to bring them to the other party's attention before or when the contract was concluded, and terms are not appropriately brought to a party's attention by a mere reference to them in a contract document, even if the party signs that document (so the terms which are not individually negotiated and that are simply put on the website in a “terms and conditions” document and to accept which the consumer should simply browse on the site may not respect this rule); art. 2.106 is about written modification only, and it is questionable whether the practice of unilaterally modifying the terms and conditions and the privacy settings is legitimate (“(1) A clause in a written contract requiring any modification or ending by agreement to be made in writing establishes only a presumption that an agreement to modify or end the contract is not intended to be legally binding unless it is in writing. (2) A party may by its statements or conduct be precluded from asserting such a clause to the extent that the other party has reasonably relied on them”: this provision seems to imply that unilateral modifications arent' possible or, at least, that aren't possible when they are detrimental to the other party).
Privacy as currently shaped by legislation is on one hand really strict, and may impede developments and innovation that could come form free flows of data;on the other hand, the new trends of personal data collection and processing seem not to be prevented by the existing legislation, so it probably a non-effective one.
The two alternative models presented are privacy by design and privacy as property: the former however presents the risk of obstructing the free flow of data and the subsequent innovation (i.e. it would fully impede the exchange of free service for personal data; moreover, as it is stated [here], "we live in a connected world in which we neither singularly author nor own our data"); the latter (which would made the data subject's consent always necessary: we will come to a full informational self-determination) would fully capitalize personal data, and it may be unethical to monetize it; moreover, sometimes data concern more than an individual; finally, research has demonstrated that people are actually willing to give up large doubts pf personal data in return for relatively small benefits: so, in case of privacy as property it is doubtful that the threats to privacy brought by Internet would be avoided.
See Three Major Challenges for the Internet of Things about privacy as property: the author says that - if usually consumers pay "free" services like Facebook with personal data - therefore, if IoT devices are sold for money, probably the data produced by them should be property of the consumers.
HELBERGER (p. 168 ss.) thus suggests privacy as virtue: we don't concentrate on the data subject and on its subjective rights to privacy and to data protection, but on the controller and on his duty to process data in a virtuous way.
This means that the controller should make the process of processing personal data (composed by four phases: the gathering of data, the storing of data and the organizing of the material, e.g. to make data computer-readable or to make data comparable; the discovery, normally by algorithms, of patterns, profiles and relationships, which may be causal or statistical; the decision-making on the basis of the patterns and relationships discovered) more virtuous, through the collection also of meta-data about the context in which the process takes place (Where and when data was gathered? For what purposes? Which methodology has been employed to collect data? How data has been organized and stored? Which is the process of the analysis? The purposes of the gathering should be respected. In which contexts the patterns discovered are applied to make decisions? All the meta-data should be accessible).
The benefits of this model would be that, if we concentrate on the subjective right to privacy, data subjects are often unaware, and often it isn't easy to find the subject whose interests are harmed by data processing – especially when we have aggregated data and group profiles; on the contrary, if we concentrate on the duties of the controller, we can act against him when he doesn't respect them, even if a material harm has not taken place yet (preemptive action) or if a particular harmed subject isn't identifiable.