Personal data as payment for digital content and digital services – the Swedish and Norwegian implementation of directive 2019/770
On 20 May 2019, the EU adopted Directive 2019/770 on certain aspects concerning contracts for the supply of digital content and digital services. The directive is relevant to both Swedish and Norwegian law, and the implementation process has begun in both countries. The directive contains, inter alia, provisions on what reasonable expectations the consumer may have to the digital service, and what rights the consumer can exercise in case of any deficiencies or delays. However, the most interesting is perhaps that personal data may be used as payment.
By Kaare Risung, Fredrik Steen and Sondre Arora Aaserud
As a step in its digital single market strategy, the EU adopted directive 2019/770 on certain aspects concerning contracts for the supply of digital content and digital services (the "DCD") in May 2019. The purpose of the DCD is to provide a high level of consumer protection by laying down common rules on certain requirements concerning contracts between traders and consumers for the supply of digital content or digital services.
As defined in the DCD, "digital content" means data which are produced and supplied in digital form (e.g. applications, video files, music files, e-books and computing programs) and "digital service" means either (i) a service that allows consumers to create, process, store or access data in digital form (e.g. text editor and video games accessed through cloud services); or (ii) a service that allows the sharing of or any other interaction with data in digital form uploaded or created by the consumer or other users of that service (e.g. sharing of music and video and social media). In this article, we will refer to digital content and digital services jointly as "Digital Content", unless there is need to differentiate.
The DCD applies to a contract when a trader undertakes to provide Digital Content in exchange for payment. The DCD also applies to a contract under which the consumer pays for the content by providing their personal data to the trader rather than monetary consideration. However, the DCD will not apply to a contract where the sole purpose of the trader's data collection/processing is (i) to provide the relevant Digital Content or (ii) to meet a regulatory requirement incumbent on the trader.
In particular, the DCD contains rules on: (i) the conformity of Digital Content with the contract; (ii) remedies in the event of a lack of such conformity or a failure to supply; and (iii) the modification of Digital Content. The provisions laid down in the DCD are mandatory and are for the benefit of the consumer. The rules of the DCD apply to, for example, contracts pursuant to which consumer gains access to music, e-books, cloud-services, or video games.
In Norway, the DCD has not yet been implemented but the Ministry of Justice has submitted a proposition on a new Norwegian Digital Services Act ("NDSA") which has been subject to consultation. It is arguable that Norwegian consumer protection legislation in this area is currently incomplete, as the Norwegian Consumer Purchases Act only applies to digital services stored on a physical medium (such as a DVD). There is a need for separate consumer protection legislation applicable to digital services so that consumers' legal protections keep pace with technological developments.
In Sweden, the DCD will be implemented (together with EU directive 2019/771 on contracts for the sale of goods) under a new Consumer Sales Act. While implementation of the DCD [under national law] fills a legislative vacuum when it comes to Digital Content, it also presents new challenges.
The DCD and personal data as a non-commodity
The DCD explicitly states that personal data is a fundamental right and therefore cannot be considered as a commodity. However, as mentioned above, the DCD will apply to a contract where the consumer has provided personal data as consideration for the Digital Content, except in situations where the personal data provided by the consumer are (i) exclusively processed by the trader for the purpose of supplying the Digital Content; or (ii) provided in order to allow the trader to comply with legal obligations to which the trader is subject. Digital Content is often supplied in exchange for the consumer's personal data, and this business model is used in a considerable portion of the market, so it is right that the DCD will apply to such contracts in order to ensure that consumers are entitled to contractual remedies.
EU Regulation 2016/679 (the "GDPR") is also concerned with the processing of personal data. The preamble of the DCD states the GDPR will prevail in the event of a conflict between the DCD and the GDPR. The GDPR requires a legal basis for processing of personal data. For traders, the most common bases are (i) that the processing is necessary for the fulfilment of a contract, (ii) a legitimate interest, (iii) to comply with a legal obligation that the trader is subject to, or (iv) that the trader has the individual's consent to the processing.
The DCD may therefore be applicable to contracts pursuant to which a consumer gives the trader personal data as consideration for the Digital Content and the trader processes that personal data on the legal basis of consent or legitimate interest. Processing the personal data for the purpose of supplying the Digital Content under the CDC would be in line with the fulfilment of contract basis under the GDPR, while processing the data for the purpose of allowing the for the trader to comply with legal obligations under the CDC would be in line with the legal obligation basis under the GDPR.
Processing of personal data based on consent in relation to the DCD
If the processing of personal data provided in exchange for the Digital Content is based on consent, the question arises as to what will happen to the contract if a consumer were to withdraw their consent in accordance with their rights under the GDPR. The DCD lacks detail on the consequences of a consent being withdrawn. As such, the question has been left to the national legislators.
In Sweden, withdrawal of consent is not a breach contract but may be cause for termination on other grounds. For example, the Swedish legislator provides the following examples in its preparatory work for transposal of the DCD into Swedish law: the withdrawal of the consent may be seen as a notice of termination from the consumer or as a new basis for the agreement that may permit the trader to terminate the contract based on general principle of a new basis for the agreement enabling termination (as opposed to the consumers breach of contract).
The Swedish government states that the consequences of a withdrawn consent may vary depending on the circumstances in the individual case. To maintain flexibility, the new Swedish legislation should avoid defining the effects of a withdrawn consent and instead let courts assess it on a case-by-case basis. As such, it remains unclear what the effects of a withdrawn consent may mean for a contract under hand governed by Swedish law.
These issues have been discussed by the Norwegian Ministry in its preparatory work for transposing the DCD into Norwegian law but that no precise guidance has yet been given. However, it is stated in the proposed NDSA that there is nothing that prevents the consumer from using personal data as payment, and that withdrawal of payment may mean that the supplier's obligations to deliver would cease in accordance with general contract law principles, including the mutual performance principle. The Norwegian Ministry is nonetheless uncertain as to whether these kinds of issues are likely to occur, partly because the consumer in any case has a right to terminate standing agreements pursuant to the proposed NDSA § 33. In addition, the Ministry has noted that the consumer's right to withdraw consent is something the supplier should consider when preparing agreements and assessing the contractual value.
Processing of personal data based on legitimate interest in relation to the DCD
In a commercial context, it may be difficult to find a legitimate interest that prevails over the rights and freedoms of the data subject, as the legitimate interest of the trader will generally be an economic interest (see EDPS opinion 4/2017 on the proposal of the DCD: link). However, the legitimate interest basis should still be considered, together with an assessment of potential risks to the individual's rights and freedoms when processing their personal data.
If your company provides Digital Content, you should consider whether amendments to your contractual the terms and conditions are required in order to account for the rights of consumers under the DCD. You should also consider reviewing your [routines and] policies regarding processing of personal data to ensure compliance with implementation of the DCD under national law.
Due to the uncertainties and new challenges presented by the DCD and by its interactions with existing data protection legislation such as the GDPR, seeking legal expertise is advised. At Schjødt, we have experience advising on issues relating to the Digital Content industry, including material such as video games, computing programs and applications, as well as market leading competence in areas key to consumer contracts, intellectual property, and personal data protection.