Jusletter IT

Data as Counter-performance: A New Way Forward or a Step Back for the Fundamental Right of Data Protection?

A Data Protection Analysis of the Proposed Directive on Certain Aspects for the Supply of Digital Content

  • Author: Laura Drechsler
  • Category: Articles
  • Region: Belgium
  • Field of law: Data Protection
  • Collection: Conference proceedings IRIS 2018
  • Citation: Laura Drechsler, Data as Counter-performance: A New Way Forward or a Step Back for the Fundamental Right of Data Protection?, in: Jusletter IT 22 February 2018
With the proposed Directive on digital content the Commission has tried to give legal reality to the fact that individuals «pay» for otherwise «free» services online with their personal data («data as counter-performance»). The legislative procedure has revealed severe doubts on the compatibility of this concept with the GDPR and the fundamental rights nature of data protection. This paper aims for reconciliation by considering the Directive as another means of data protection as a fundamental right, and by arguing for the enhanced practical opportunities using European consumer law can offer.

Table of contents

  • 1. Introduction
  • 2. Proposed Directive on certain aspects for the supply of digital content
  • 3. Key areas of criticism and their treatment in the legislative negotiations
  • 3.1. Incompatibility with the GDPR
  • 3.2. Conflict with the fundamental rights nature of data protection
  • 3.3. Legitimisation of the business model of free services
  • 4. Arguments for reconciliation
  • 4.1. Proposal could be applied in parallel to the GDPR
  • 4.2. Obligation for the EU legislator to protect personal data
  • 4.3. Pragmatic approach to a new business model
  • 5. Concluding remarks

1.

Introduction ^

[1]
With the proposal for a Directive on certain aspects for the supply of digital content («the Proposal»), the European Commission (EC) tries to give legal reality to a perceived fact: namely that individuals «pay» for otherwise «free» services online with their personal data.1 The ongoing legislative procedure has revealed severe doubts by the co-legislators2 and the European Data Protection Supervisor (EDPS)3 on the possibility of expressing this reality in terms that are legally compatible with the General Data Protection Regulation (GDPR)4 and fundamental rights. To avoid future difficulties, it is important that the legislative process manages to sort out the question of whether there is indeed an issue with the fundamental right to data protection and the GDPR at the next legislative stage. This paper aims to suggest a possible reconciliation by considering the Directive as another means of data protection as a fundamental right, and by arguing for the enhanced practical opportunities that using European consumer law can offer.5

2.

Proposed Directive on certain aspects for the supply of digital content ^

[2]
The Proposal was published in a package together with a Proposal for a Directive on online and other sales of goods6 in December 2015 to continue the EC’s efforts to fully harmonize rules within the EU consumer law.7 It is intended to close a perceived gap in European consumer law, which already featured in the failed proposal for a Common European Sales Law (CESL), namely the protection of the consumer when acquiring digital content or digital services.8 The relatively concise proposal replicates largely the rules of Directive 1999/44/EC.9
[3]
To discuss all aspects included in the Proposal would exceed the range of this paper, therefore it will only focus on the attempt of the EC to include in its scope free services, meaning services that appear to be free, but where in reality the consumer is required to surrender valuable personal information in exchange for using the services.10 Hence, the Proposal should not only apply to contracts where digital content is bought against money, but also in cases where data is provided (Art. 3 (1) Proposal). This notion11, which was already included in the CESL (Rec. 18 and Art. 107 CESL), should prevent differing consumer rules for business models12 and ensure that the consumer is always protected (Rec. 13 Proposal). Realizing the overlap and potential conflict with the GDPR, the EC provides that the application of the Proposal should be in full compliance with the EU data protection framework (Rec. 22 Proposal). The Proposal also aims to foster different fundamental rights, e.g. Arts. 16 (freedom to conduct a business) of the Charter of Fundamental Rights of the European Union («CFREU»)13, interestingly without mentioning Arts. 7 (privacy) and 8 (data protection) CFREU (Rec. 55 Proposal).

3.

Key areas of criticism and their treatment in the legislative negotiations ^

[4]
The relative vagueness of the «counter-performance»-notion led to intense discussions in the EP and the Council during their negotiations, that can be summarised into the following three key areas.

3.1.

Incompatibility with the GDPR ^

[5]
Firstly, it was argued that the Proposal would be incompatible with the GDPR. The first point of contention was the restriction of the scope of application only to cases where the consumer actively provided personal data (Art. 3(1) Proposal). This notion is expanded, though not explained, in the Recitals of the Proposal, and intends to exclude especially automatically generated information collected by a cookie (Rec. 14 Proposal). Such a restriction does not feature in the GDPR.14 As Beale rightly notes, this rule in the Proposal also provides a perverse incentive to secretly collect data from the consumer, as then it would not apply.15 It also contradicts the finding of the Article 29 Working party («WP29») considering data collected by cookies16 and specifically IP addresses17 to be personal data, depending on the circumstances, as it degrades them to a sort of second class personal data, to which not all consumer law safeguards apply.18 Considering the draft proposal of the e-Privacy Regulation19, where the processing of meta-data of electronic communication data requires consent of the data subject20, it could be argued, as the EDPS notes21, that to introduce such a differentiation endangers the coherence of the EU data protection system. During the negotiations both the EP and the Council recognized the problem and proposed differing solutions. The EP de facto abandoned any distinction between actively and passively provided personal data.22 The Council also dropped the term «actively»23, but kept in Rec. 14 the non-application of the Proposal to situations where the supplier only collects metadata.24
[6]
A second point of debate surrounded the awkward interplay of the legal grounds for data processing of Arts 6 and 9 GDPR with the exception to the scope of application in Art. 3 (4) Proposal. Art. 3 (4) sets an exception for the applicability of the Proposal for situations, where the processing of data is strictly necessary for the performance of a contract or the meeting of legal requirements, if the supplier does not process them in a way incompatible with that purpose. This provision essentially combines in one paragraph the data protection principles of lawful processing and purpose limitation.25 The difference in wording of the provisions26 can perhaps be explained by the fact the Proposal was published before the finalisation of the GDPR (December 2015 to May 2016), and was addressed by both Council and EP in their amendments. The Council leaves a fragment of the exception in Art. 3 (1) General Approach by wording it in a more limited manner,27 which still raises the question of whether the Proposal provides for a new or different legal ground of processing than the GDPR.28 The EP suggests yet another wording29, which seems to hint at the ground «legitimate interest of the controller» of Art. 6 (1) (f) GDPR, however without the important caveat that this cannot be outweighed by the fundamental rights and freedoms of the data subject.30 Interestingly, a different solution was found for a similar issue, namely with regard to Art. 13 (2) (b) and (c) Proposal, which includes rights seemingly replicating some data subject rights of the GDPR (e.g. Arts. 17 and 20). In this case, both the Council and the EP simply stated that «in respect of personal data of the consumer, the supplier (trader) shall comply with the obligations applicable under Regulation (EU) 2016/679».31

3.2.

Conflict with the fundamental rights nature of data protection ^

[7]
Secondly, the concept of concluding contracts in exchange for personal data was seen as contradicting the fundamental rights nature of data protection by treating personal data as a mere commodity.32 The fundamental right of data protection is enshrined in Art. 8 CFREU and, as Hijmans argues, either serves to give the individual control over their personal data or is a claim that all data processing needs to be based on fairness with special safeguards.33 Both rationales could be impaired if personal data are treated as a mere economic asset. A data subject might not be in control of his or personal data in situations where consent would not be an acceptable legal ground because of a clear imbalance between data subject and controller in economic terms.34 Additionally, the complexities involved in attaching numerical economic value to personal data from the perspective of the data subject35 could impair control exercised by the data subject. Treating personal data as an economic asset might also undermine the whole concept of fair data processing, as it makes it seemingly easy to contract personal data away, leading to more data processing and less protection overall.36 Moreover, it has been argued that the concept of human dignity is at the core of fundamental rights and stands in the way of personal information being treated as a mere economic asset.37 Finally, a concrete issue can arise in data processing based on the consent of the data subject. In such situations Art. 8 CFREU and especially Art. 7 (3) of the GDPR gives the right to the data subject to withdraw consent at any moment. This can prove tricky in a contractual relationship, where the contract would oblige the data subject to continue supplying personal data even though consent was withdrawn.38 Interestingly, neither the Council nor the EP introduced fundamental changes to address these issues in their amendments.

3.3.

Legitimisation of the business model of free services ^

[8]

A last data protection issue was especially debated in the EP, and revolves around the fact that including contracts that treat personal data as payment for services in a EU legal instrument might provide legitimisation for a business model (free services) that is highly problematic from a data protection angle.39 «Free services» as an economic reality40 put data subjects under wide-spread commercial surveillance («see-through consumer»).41 EU data protection law and especially the GDPR intend to rein this in by strictly applying the principles of purpose limitation and with clearer rules on further compatible processing (Rec. 50 and Art. 6 (4) GDPR)) and lawful processing (e.g. by highlighting that consent cannot always be used as a legal basis (Art. 7 (4) GDPR)). These important restrictions seem to be overturned by the Proposal, as it includes no rules on the matter.42

[9]
While the Council does not tackle this issue in its position, the EP provides at least the option for the national laws of the Member States to decide whether such contracts should be allowed or not and what conditions need to be fulfilled for the validity of contracts against personal data.43 Even more interestingly, both EP and Council drop the term chosen by the EC («counter-performance other than money») and replace it with more neutral expressions.44 Hereby, they are both not following the alternatives suggested by the EDPS,45 but also avoid an express acceptance of personal data as a counter-performance in a contract.

4.

Arguments for reconciliation ^

[10]
After this short outline of the main areas of critique from a data protection perspective, this last section aims to propose some possible reconciliatory approaches that could be applied to overcome the difficulties.

4.1.

Proposal could be applied in parallel to the GDPR ^

[11]
A part to the solution for the issues raised regarding the compatibility of the Proposal with the GDPR could lay in considering the GDPR as being the prevalent one for data protection purposes. Such an interpretation would already be possible under the originally proposed text, as Art. 3 (7) Proposal provides that in case of a conflict with another EU legal instrument, the other act should take precedence.46 This Article has not been amended much by either Council or EP.47 It is also nothing new at least for EU consumer law, where for example the wide scope of application of Directive 93/13/EEC on unfair terms in consumer contracts («Unfair Terms Directive») leads to it being applied to data protection issues.48 This would also align with the different scopes of applications of both instruments: The GDPR has a wide scope of application, applying to all fully or partly automated data processing with a few exceptions.49 Its rules will probably apply in all situations covered by the Proposal, since even in contracts for the supply of digital content against a monetary price, personal data will be exchanged as well (e.g. a purchase of an e-book could include processing of name, address, e-mail, credit card information etc.).50 Whether such personal data processing is in accordance with EU data protection law will be solely determined by the GDPR.51 It is only in the specific situation, where personal data serve as a sort of «currency», that the Proposal will also apply. This is the case, where a consumer receives digital content or a digital service (as the Council and the EP rename it)52 exclusively by providing personal data (free services). For such situations both instruments could apply. The Proposal would offer contractual remedies for the consumer if the digital content or digital service is not in conformity with what was agreed upon or can usually be expected (Art. 6 Proposal). As remedies, the consumer can request repair or replacement, a remedy not available under EU data protection law. The GDPR offers data subjects a list of rights they can rely upon as an addition or alternative, such as the right of access.
[12]
Admittedly, this approach would not solve all the issues raised in the debate about compatibility with the GDPR. Firstly, the application of the Proposal only to situation where the consumer «actively» provided personal data in exchange for a digital content or digital service, would remain an issue. As already noted, this would incentivize covert collection. For a better alignment, the amendment of the EP should be followed that completely abandons this differentiation.53 Regarding the issue of the exception from the scope of application in Art. 3 (4) Proposal, a clear parallel application of the two instruments could help insofar as the question of whether processing is lawful should be for the GDPR alone to solve. Thus, the questions of whether data are necessary for the performance of a contract, to fulfil legal obligations, or in the legitimate interest of the controller (principle of lawful processing) should be answered within the GDPR as a preliminary question.54 As contract law is a competence of the Member States (Rec. 10 Proposal), the validity of a contract that does not comply with the GDPR but that is necessary for the application of the Proposal will essentially depend on their respective national law.55 As Helberger argues, clauses contradicting data protection (therefore inter alia also the GDPR) could be interpreted as being against «good faith» under Art. 3(1) Unfair Terms Directive and hence not apply.56 To achieve this result, the final Proposal should include a provision similar to the one introduced by the Council and the EP to avoid a similar conflict with the data subject rights of the GDPR.57

4.2.

Obligation for the EU legislator to protect personal data ^

[13]
With Art. 16 (2) Treaty on the Functioning of the European Union (TFEU)58, the EU received a clear mandate to issue rules for the protection of personal data.59 As the right to data protection is also guaranteed under Art. 8 CFREU as a fundamental right, the EU legislator is moreover required by Arts. 2 and 3(1) Treaty on European Union (TEU)60 to promote data protection in its external and internal policies.61 As the EDPS rightly states, the GDPR was adopted to regulate the use of personal data based on Art. 16 TFEU and further implement Art. 8 CFREU.62 However, there is no rule that a fundamental right cannot be protected in more than one instrument at EU level. For example, a high level of consumer protection (required by Article 38 CFREU) is implemented by several EU consumer law instruments, such as the Unfair Terms Directive already mentioned, as well as the Consumer Rights Directive63, Directive 1999/44/EC64 and others.65 Article 8 CFREU itself is not only specified by the GDPR but also by the e-Privacy Directive66 (soon to be replaced by the proposed e-Privacy Regulation).67 The EU legislator has therefore all the opportunities provided by the Treaties to fulfil the obligation to protect personal data. The opportunities for consumer law to protect personal data have already been recognised by the EDPS68 and several authors.69
[14]
The arguments that accepting that personal data can be exchanged against digital content and services undermines the control of the data subject, the system of fair data processing, and human dignity, all have at their core a rejection of the idea that personal data can be an economic asset. However, as Langhanke/Schmidt-Kessel rightly observes, commercialisation is a reality nowadays and one should not deny this by focusing only on the fundamental right of data protection.70 The enjoyment of property is recognised as a fundamental right for the EU (Art. 17 CFREU), and property is an economic asset. Fundamental rights protection and the status of personal data as an economic asset therefore seem to at least not exclude each other per se.
[15]
Regarding the more concrete issue of the data subjects losing their effective right to withdraw consent by contracting away their personal information, Langhanke/Schmidt-Kessel again provide a convincing answer. For them, a contract of personal data in exchange for digital content or a digital service should be more accurately termed a contract where the trader obtains the consent of the data subject to legally use the economic value of the personal information.71 Fundamental rights law prevents the data subject from waiving their right to withdraw consent, as this would violate ordre public, hence, any contractual obligation to provide consent entered into by the consumer is a weak one, since the consumer has the right to frustrate it at any time.72 This does not prevent it from being part of a contract though, especially for the purposes of consumer law.73 With the withdrawal of consent at all times thus preserved, this argument seems to not contradict the acceptance of personal data as a «counter-performance» by the Proposal.

4.3.

Pragmatic approach to a new business model ^

[16]
The last point of criticism mentioned earlier concerned the hesitations of legitimising a business model monetizing personal data. However, following the analysis in the previous chapter and accepting that personal data can be an economic asset without undermining its fundamental rights nature also implies the legitimacy of the business model. The GDPR also indirectly recognizes the legitimacy of exchanging data for services by expanding the territorial scope in Art. 3 GDPR, which as Rec. 23 explains also covers the offering of «good and services (…) irrespective of whether connected to a payment». While this in no way provides an express legitimisation of the business model of free services, it can be interpreted as a pragmatic approach to ensure such business models are covered within the GDPR.
[17]
Pragmatically accepting the reality of the free services business model, would also not come without its rewards. Especially the EP showed in their amendments that embracing the reality of personal data as an economic asset could lead to interesting developments. Firstly, they propose that conformity with the contract supplying digital content or digital services under the Proposal presupposes that the requirements of the GDPR are observed. Content or services violating the GDPR would therefore trigger the remedies for non-conformity with the contract under the Proposal.74 This has also been proposed by several authors, either just for the principles of privacy-by-design and privacy-by-default of the GDPR, or for data protection principles like data minimisation in general.75 In the end, if adopted, it could mean more of the alignment already partly possible by using the Unfair Terms Directive76 and lead to comprehensive ground rules for the digital economy.77 Secondly, the EP has proposed an amendment to the Unfair Terms Directive in the Proposal, listing as an unfair term, such contractual clauses that are circumventing the GDPR.78
[18]
In the end, as a result of all this alignment of consumer and data protection law in the Proposal, the data subject/consumer could choose better which remedies might offer the best relief in their concrete case. For example, in a situation where the digital content received is not functioning and was also based on data processing incompatible with the GDPR, the consumer/data subject could insist on it being brought in conformity (if national law accepts the contract as valid), which would entail that also the GDPR be observed, assuming that the amendments of the EP are eventually adopted.

5.

Concluding remarks ^

[19]
The Proposal is a bold step and should be given a chance to see whether it succeeds in its aims. However, the data protection issues raised during the negotiations need to be further addressed and sorted out before the finalisation of the proposal. Open issues include problems with the compatibility with the GDPR, especially the introduction of a differentiation between actively and passively provided personal data, and the unhappy mingling of different data protection principles in the scope of the Proposal. As for the more basic concerns regarding the weakening of the fundamental rights protection of personal data and the legitimisation of the business model of free services, this paper has attempted to show that there are at least some valid counter-arguments to these criticisms. These concerns should be taken serious in the next legislative stage though and addressed with concrete provisions. In the end, the Proposal could be an opportunity to also promote data protection with the means of consumer law, and to further the cooperation and alignment between EU data protection and consumer law, which could lead to more remedies being available for individuals to assert their fundamental rights of data protection.79
  1. 1 European Commission (EC), Proposal for a Directive of the European Parliament and of the Council on certain aspects for the supply of digital content [2015], COM(2015) 634 final, Art. 3 (1).
  2. 2 Council of the European Union (Council), Proposal for a Directive of the European Parliament and of the Council on certain aspects concerning contracts for the supply of digital content (First reading) – General approach [2017], 2015/0287 (COD), Annex «Main Elements of the Compromise», pp. 4 f.; European Parliament (EP), Report on the proposal for a directive of the European Parliament and of the Council on certain aspects concerning contracts for the supply of digital content [2017], A8-0375/2017, pp. 90 f.
  3. 3 EDPS, Opinion 4/2017 on the Proposal for a Directive on certain aspects concerning contracts for the supply of digital content [2017], 14 March 2017, p. 3.
  4. 4 Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 2016/119, 1.
  5. 5 This has been advocated by the EDPS in: EDPS, Preliminary Opinion: Privacy and competitiveness in the age of big data – The interplay between data protection, competition law and consumer protection in the Digital Economy [2014], March 2014, p. 38.
  6. 6 EC, Proposal for a Directive of the European Parliament and of the Council on certain aspects concerning contracts for the online and other distance sales of goods [2015], COM(2015) 635 final.
  7. 7 Wendland, GEK 2.0? Ein europäischer Rechtsrahmen für den Digitalen Binnenmarkt, GPR 2016, p. 8 (p. 8).
  8. 8 EC, Proposal for a Regulation of the European Parliament and of the Council on a Common European Sales Law [2011], COM(2011) 635 final; Wendland, Ein neues europäisches Vertragsrecht für den Online-Handel? Die Richtlinienvorschläge der Kommission zu vertragsrechtlichen Aspekten der Bereitstellung digitaler Inhalte und des Online-Warenhandels, EuZW 2016, p. 126 (pp. 126 f).
  9. 9 Directive 1999/44/EC of the European Parliament and of the Council of 25 May 1999 on certain aspects of the sale of consumer goods and associated guarantees, OJ L 1999/171, 12.
  10. 10 Preliminary Opinion, supra note 5, p. 10.
  11. 11 See: Schulze/Staudenmayer, Digital Revolution – Challenges for Contract Law. In: Schulze/Staudenmayer (Eds.), Digital Revolution: Challenges for Contract Law in Practice, Nomos, Germany 2016, pp. 19–32 (p. 32).
  12. 12 Staudenmayer, Digitale Verträge – Die Richtlinienvorschläge der Europäischen Kommission, ZEuP 2016, p. 801 (p. 807).
  13. 13 Charter of Fundamental Rights of the European Union, OJ C 2000/364, 1 and OJ C 2010/83, 389.
  14. 14 See scope of the GDPR: GDPR, supra note 4, Art, 2 (1).
  15. 15 Beale, Scope of application and general approach of the new rules for contracts in the digital environment. In: Website of the European Parliament. http://www.epgencms.europarl.europa.eu/cmsdata/upload/4a1651c4-0db0-4142-9580-89b47010ae9f/pe_536.493_print.pdf [2015], p. 13.
  16. 16 WP29, Opinion 1/2008 on data protection issues related to search engines [2008], 4 April 2008, p. 9.
  17. 17 WP29, Opinion 4/2007 on the concept of personal data [2007], 20 June 2007, pp. 16 f.
  18. 18 Ibid., p. 13.
  19. 19 EC, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) [2017], COM(2017) 10 final, Rec. 17, Art. 4 (3) (c), Art. 6 (2) (c).
  20. 20 See also: EDPS, Opinion 5/2016: Preliminary EDPS Opinion on the review of the ePrivacy Directive (2002/58/EC) [2016], 22 July 2016, p. 13.
  21. 21 Opinion 4/2017, supra note 3, p. 12.
  22. 22 Report A8-0375/2017, supra note 2, p. 18 (Amendment 21); thereby following the suggestion of the EDPS, see: Opinion 4/2017, supra note 3, p. 21.
  23. 23 Council, Proposal for a Directive of the European Parliament and of the Council on certain aspects concerning contracts for the supply of digital content (First reading) – General Approach [2017], 2015/0287 (COD), p. 8 (Article 3).
  24. 24 Council, Proposal for a Directive of the European Parliament and of the Council on certain aspects concerning contracts for the supply of digital content (First reading) – Recitals [2017], 2015/0287 (COD), p. 12 (Recital 14).
  25. 25 For an explanation of the principle of purpose limitation, see: WP29, Opinion 03/2013 on purpose limitation [2013], 2 April 2013, pp. 21 ff.; for an explanation of the principle of lawful processing, see: WP29, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC [2014], 9 April 2014, pp. 10 ff.
  26. 26 Art. 3 (4) Proposal speaks of data «strictly» necessary for the performance, while for the GDPR in Art. 6 (1) (b) just «necessary» suffices. Similarly, Art. 3 (4) Digital Content Proposal mentions «meeting legal requirements», while Art. 6 (1) (c) talks about «compliance with a legal obligation». Presumably, the concepts are intended to be the same, but the different wording could lead to diverging interpretations.
  27. 27 General Approach, supra note 23, p. 8 (Article 3).
  28. 28 See: Opinion 4/2017, supra note 3, pp. 14 ff.
  29. 29 Report A8-0375/2017, supra note 2, p. 54 (Amendment 83).
  30. 30 See: Opinion 06/2014, supra note 25, pp. 33 ff.
  31. 31 General Approach, supra note 23, p. 31 (Article 13a); Report A8-0375/2017, supra note 2, p. 76 (Amendment 110).
  32. 32 This is especially emphasised in the Opinion of the EDPS, which compares the market for personal data to the market for human organs, see: Opinion 4/2017, supra note 3, p. 7.
  33. 33 Hijmans, The European Union as Guardian of Internet Privacy: The story of Art 16 TFEU, Springer, Switzerland 2016, pp. 54 f.
  34. 34 See the situation mentioned in: GDPR, supra note 4, Rec. 43; Purtova, The illusion of personal data as no one’s property, Law, Innovation and Technology 2015, p. 83 (p. 87).
  35. 35 See: Helberger, Profiling and Targeting Consumers in the Internet of Things – A New Challenge for Consumer Law. In: Schulze/Staudenmayer (Eds.), Digital Revolution: Challenges for Contract Law in Practice, Nomos, Germany 2016, pp. 135–161 (p. 150); See also: OECD, Exploring the Economics of Personal Data: A Survey of Methodologies for Measuring Monetary Value [2013], OECD Digital Economy Papers No. 220, p. 17.
  36. 36 Cohen, Examined Lives: Informational Privacy and the Subject as Object, Stanford Law Review 2000, p. 1373 (p. 1391).
  37. 37 EDPS, Opinion 8/2016 on coherent enforcement of fundamental rights in the age of big data [2016], 23 September 2016, p. 7.
  38. 38 Langhanke/Schmidt-Kessel, Consumer Data as Consideration, EuCML 2015, p. 218 (p. 221).
  39. 39 Dix, Daten als Bezahlung, ZEuP 2017, p. 1 (p. 4).
  40. 40 See: Preliminary Opinion, supra note 5, p. 6; Opinion 8/2016, supra note 37, p. 6.
  41. 41 Billen, The Challenges of Digitisation for Consumers. In: Schulze/Staudenmayer (Eds.), Digital Revolution: Challenges for Contract Law in Practice, Nomos, Germany 2016, pp. 11–17 (p. 15).
  42. 42 See: Opinion 4/2017, supra note 3, p. 17.
  43. 43 Report A8-0375/2017, supra note 2, p. 17 (Amendment 20).
  44. 44 Ibid., p. 53 (Amendment 80); General Approach, supra note 23, p. 8 (Article 3).
  45. 45 Opinion 4/2017, supra note 3, pp. 10 f.
  46. 46 This could be seen as proclaiming subsidiarity for the Digital Content Proposal with all other Union acts, as noted by: Schmidt-Kessel/Erler/Grimm/Kramme, Die Richtlinienvorschläge der Kommission zu Digitalen Inhalten und Online-Handel – Teil 1, GPR 2016, p. 2 (p. 6); It is even more clearly expressed in an amendment by the Council, see: General Approach, supra note 23, p. 13 (Article 3).
  47. 47 General Approach, supra note 23, p. 12 (Article 3); Report A8-0375/2017, supra note 2, p. 56 (Amendment 89).
  48. 48 Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts, OJ L 1993/95, 29, Art. 3; Helberger, supra note 35, pp. 145 ff.; Helberger/Zuiderveen Borgesius/Reyna, The Perfect Match? A Closer Look at the Relationship between EU Consumer and Data Protection Law, CMLR 2017, p. 1427 (pp. 1449 ff.).
  49. 49 Ennöckl, Artikel 2 Sachlicher Anwendungsbereich. In: Sydow (Ed.), Europäische Datenschutzgrundverordnung – Handkommentar, Nomos/Manz/Dike, Deutschland 2017, pp. 239–246 (pp. 240 ff.).
  50. 50 See as example for smart objects: Helberger, supra note 35, p. 136.
  51. 51 See: Helberger/Zuiderveen Borgesius/Reyna, supra note 48, p. 1462.
  52. 52 Both Council and EP limit the definition of «digital content», which according to the original proposal also encompassed services, to the one used in the Consumer Rights Directive 2011/83/EU in Art. 2 (11), and introduce a separate «digital service» definition. These changes do not affect the original scope, but expresses the scope more clearly. See: General Approach, supra note 23, p. 4 (Article 2); Report A8-0375/2017, supra note 2, p. 49 (Amendment 69).
  53. 53 Report A8-0375/2017, supra note 2, p. 18 (Amendment 21).
  54. 54 As also the EDPS notes, see: Opinion 4/2017, supra note 3, p. 13.
  55. 55 Comparably to the provision in the Unfair Terms Directive, see: Unfair Terms Directive, supra note 48, Art. 6 (1).
  56. 56 See: Helberger, supra note 35, p. 148.
  57. 57 General Approach, supra note 23, p. 31 (Article 13a); Report A8-0375/2017, supra note 2, p. 76 (Amendment 110).
  58. 58 Treaty on the Functioning of the European Union, OJ C 2012/326, 47.
  59. 59 Hijmans, supra note 33, p. 4.
  60. 60 Treaty on European Union, OJ C 2012/326, 13.
  61. 61 Hijmans, supra note 33, p. 20.
  62. 62 Opinion 4/2017, supra note 3, p. 8.
  63. 63 Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights, amending Council Directive 93/11/EEC and Directive 1999/44/EC of the European Parliament and of the Council and repealing Council Directive 85/577/EEC and Directive 97/7/EC of the European Parliament and of the Council, OJ L 2011/304, 64.
  64. 64 Directive 1994/44/EC supra note 9.
  65. 65 A good overview of the consumer law instruments in the EU can be found in the recent Fitness Check of the European Commission, see: EC, Commission Staff Working Document – Report of the Fitness Check on Directive 2005/29/EC (…); Council Directive 93/13/EEC (…); Directive 98/6/EC (…); Directive 1999/44/EC (…); Directive 2009/22/EC (…); Directive 2006/114/EC (…) [2017], SWD(2017) 209 final.
  66. 66 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 2002/201, 47, Rec. 2.
  67. 67 Draft e-Privacy Regulation, supra note 19, Rec. 4.
  68. 68 Preliminary Opinion, supra note 5, p. 33; supplemented by: Opinion 8/2016, supra note 37, pp. 8 ff.
  69. 69 Helberger, supra note 35; Helberger/Zuiderveen Borgesius/Reyna, supra note 48; more critically, but seeing some value: Gonzáles Fuster, How uninformed is the Average Data Subject? A Quest for Benchmarks in EU Personal Date Protection, Iniciativa Digital Politècnica 2014, p. 92 (p. 102).
  70. 70 Langhanke/Schmidt-Kessel, supra note 38, p. 219.
  71. 71 Langhanke/Schmidt-Kessel, supra note 38, p. 220.
  72. 72 Ibid., p. 221.
  73. 73 Ibid., p. 221.
  74. 74 Report A8-0375/2017, supra note 2, p. 63 (Amendment 99).
  75. 75 See Wendehorst, Sale of goods and supply of digital content – two worlds apart?. In: Website of the European Parliament. http://www.europarl.europa.eu/cmsdata/98774/pe%20556%20928%20EN_final.pdf [2016], pp. 14 f.; Spindler, Contracts For the Supply of Digital Content – Scope of application and basic approach – Proposal of the Commission for a Directive on contracts for the supply of digital content, ERCL 2016, p. 183 (pp. 194 f.).
  76. 76 See: Helberger, supra note 35, pp. 147 ff.
  77. 77 See: Helberger/Zuiderveen Borgesius/Reyna, supra note 48, p. 1459.
  78. 78 Report A8-0375/2017, supra note 2, p. 86 (Amendment 121).
  79. 79 The author would like to thank Prof. Christopher Kuner (VUB) and Prof. Gloria González Fuster (VUB) for their helpful comments and suggestions to the various drafts.