“The relationship between EU consumer law and data protection”

by Laura Drechsler, Brussels Privacy Hub, LSTS, VUB


On 18 December 2018, the Brussels Privacy Hub organised a second edition in its Brussels Privacy Hub Meets the Author”-events series on “The relationship between EU consumer law and data protection”. For this edition a lively discussion about the interplay of EU consumer and data protection law was led by the two of the authors of the recent article in the Common Market Law Review “The perfect match? A closer look at the relationship between EU consumer law and data protection” Dr Frederik Zuiderveen Borgesius (University of Amsterdam) and Agustín Reyna (BEUC) (the other author Natali Helberger from the University of Amsterdam unfortunately had to cancel last minute). The discussion was further elaborated by interventions of Professor Gloria González Fuster (LSTS/VUB) and Christian D’Cunha (EDPS), and chaired by Dr Hielke Hijmans (Brussels Privacy Hub). A full video-recording of the event can be found here.

At the beginning of the event, Dr Hielke Hijmans introduced the topic by reflecting that data protection and consumer law currently seem like two different worlds, that would need to work closer together. As the article at the centre of the discussion “The perfect match? A closer look at the relationship between EU consumer law and data protection” (“the Article”) pointed out there are similar notions in both areas of law, such as the concept of “fairness”. The similarities become especially important, when considered so called “free services” (= services, which seem to be for free but where in reality the consumer provides his or her personal data), since they pose a challenge for both data protection and consumer law.

A first response to the Article was presented by Christian D’Cunha (EDPS). He reminded the audience about the Preliminary Opinion the EDPS issued in 2014 discussing the potential impact a better coordination of consumer law, data protection and competition law could have for data protection ad privacy. This opinion has been updated in 2016 with new proposals. For him, it is of utmost importance that the connection between the rights of the consumer and the rights of the data subject is further questioned, since barriers between them are starting to fragment. More research should also be done on the relationship with competition and anti-trust law, which were also mentioned in the 2014 Preliminary Opinion, since they play a crucial role in countering market concentration via mergers detrimental to the consumer/data subject in the big data market.

For competition and anti-trust law, it is important to remember that economic actors always want the maximum value, be it as a seller or as a buyer of a product. For this purpose, both sides have a century-old desire to manipulate the other actors in their favour. The current market, it is argued, has a monopoly problem. As a recent study showed, 80% of corporate wealth is held by the 10% of companies, rich in intellectual property (= mainly tech platforms). Their dominance now already lasts for nearly over a decade, which shows that perhaps the traditional legal response against monopolies (mainly anti-trust law) failed.

The Article engages with this post-price economy, where most interactions are not monetary exchanges anymore. It mentions Article 6 of the Unfair Commercial Practices Directive, which indeed could be a crucial tool, that has not been considered enough yet. Article 6 states, that a commercial practice is misleading if it contains false information or is in any way likely to deceive the average consumer, even if the information is factually correct, which causes or is likely to cause consumers to take a transactional decision that they would not have taken otherwise. This is the case for free services and should play a role in its assessment. 

As a final point, D’Cunha tried to give an answer to the definition of “counter-performance” in the context of free services. For him the “price” in such transactions is not necessarily the amount of data a consumer/data subject discloses, but it could also be the individual freedom to consume certain content, e.g. in a way the extent to which an algorithm determines your search results could be a “price” or the inability to port information between different online services. Both consumer and data protection law are intended to address serious imbalances between unequal parties (controller/data subject; trader/consumer). The Article excellently points out, how three consumer instruments and the GDPR could lead to cases for misleading information in the context of free services. One criticism here could be that the assumption of consumer law that consumers in possession of enough information are able to make the right choices, over-relies on information. The transactional space for free services is opaque, so reliance on information alone is inefficient. Therefore, consumer law should like the GDPR move more in the direction of accountability, and put the onus on the controller to minimise harm. D’Cunha highlighted though, that despite all this personal data should not be viewed as an economic currency. As stated in the EDPS Opinion on the proposal of the European Commission for a Directive on certain aspects concerning contracts for the supply of digital content (“Digital Content Proposal”), the existence of a market for personal data, does not mean it is a legitimate market. Personal data is connected to human dignity and must be treated accordingly.

In the next intervention, Professor Gloria González Fuster (LSTS/VUB) firstly recalled that the fundamental right to data protection in Article 8 Charter of Fundamental Rights of the European Union (“CFREU) is rather new, and therefore the relationship to other areas, such as consumer law, still needs to be understood comprehensively. There is especially a need to further theorise on the differences between the concept of “data subject” and “consumer”. It is tempting to protect data subjects as consumers, as it is commented upon in the Article, but while the concepts are similar, they are not the same and might rather be “false friends”.

Considering the concept of fairness in both data protection and consumer law, it is clear that while they are similar, the concept of “fair data processing” can be interpreted as more narrowly, or as reaching much further. Fairness, unlike in consumer law, is not just about making the transaction itself fair, but might be interpreted broadly as to also include the requirement of having rights of the data subjects, obligations for the controller (including accountability) and supervision by an independent authority.

A similar issue can be stated regarding the presumed similarity that both data protection and consumer law protect the weaker party in a transaction. Although this can be said for consumer law, data protection law focuses on the asymmetry of power differently, in that it wants to make data subjects stronger through data subject rights and circumstances more favourably with an independent supervisory authority. However, data subjects are not trusted to make all the decisions about their personal data, otherwise consent would be the required legitimacy basis for all data processing. As a result, data protection protects the weaker party very differently from the way consumer law does.

A final “false friend” lies in equating the role information plays in consumer and in data protection law. In consumer law information is provided to the consumer, so that he or she can make a free choice (not necessarily ‘the right choice’). The freedom of their choice is preserved by letting them take all circumstances into account with correct and adequate information. That is however, not the role information plays for data protection. The data subject does not have selective right to choose. In the case of consent, it can merely decide to give consent or not. Once consent is given, as the CJEU confirms in its Deutsche Telekom judgement, the data subject cannot choose which specific controller can use the data (e.g. in the CJEU case in which public depository a phone number is shown). In the interplay of consumer and data protection law, this raises the question on how compatible both information concepts really are.

In the last section of the debate, authors of the Article Dr Frederik Zuiderveen Borgesius (University of Amsterdam) and Agustín Reyna (BEUC) reacted to the received comments.

Reyna explained that the Article was inspired by the publication of the Digital Content Proposal, in which the European Commission seemingly expanded consumer law to cover data protection. When engaging with the proposal, it was realized that while the perspectives of consumer and data protection law are completely different, the reality of the market mixes them together. This reminded Reyna of the experiences with the Unfair Commercial Practices Directive, which through its wide scope of application touches upon many different areas of law, such as energy law or financial services regulation.

A similar role could be taken by the Digital Content Proposal in the context of free services. Free services have not been included in Consumer Rights Directive, which wanted to update consumer law for the digital era, as its scope only encompasses services against monetary payment. The idea of the Digital Content Proposal was to include free services in a clear manner. During the discussions in the Commission, many difficult issues had to be solved, such as “Is personal data disposable?”, “How can commodification of personal data be avoided?” or “How to define the counter-performance of free services?”. In the end, it was decided to avoid definition in those questions and leave it up to interpretations and the national systems. This just shows that more analysis on the interrelation of consumer law and data protection is required, especially on the potential value extending consumer law to free services could have for data protection. The Article argues that value could be found in the notions of fairness and choice of consumer law.

In his remarks Zuiderveen Borgesius reacted to the criticism that consumer law and data protection concepts are not the same and therefore “false friends”. He elaborated, that while indeed the concepts are not the same, this does not affect the fact that law developed in a way that brought both areas closer to each other. Even if it would be decided that data protection and consumer law should be strictly separated, there might still be a consumer organisation or a judge who brings or decides a claim brought on both. Consumer law and data protection do interact in a reality, where the market is hovering up data.

An interesting role for consumer law could be in helping to assess legitimate interests of the controller according to Article 6 (1) (f) GDPR. Article 6 (1) (f) GDPR states that a data controller can process personal data, if it is in their legitimate interests, which are not outweighed by the fundamental rights and interests of the data subject. Consumer law could be a factor in the balancing exercise this requires and help the controller to apply the provision correctly. Concepts of consumer law, such as black list and grey list for unfair practices (black: practice is presumed to be unfair; grey: practice is likely to be unfair and needs special evaluation), could be useful for the controller when assessing his or her processing activities.

The initial presentations were followed by a lively debate with the audience members.

Connect with us

Brussels Privacy Hub

Law Science Technology & Society (LSTS)

Vrije Universiteit Brussel

Pleinlaan 2 • 1050 Brussels



Stay informed

Keep up to date of our activities and developments. Sign up to our newsletter:

My Newsletter

Copyright © Brussels Privacy Hub