On 14 March 2017, the European Data Protection Supervisor (EDPS) published his Opinion on the protection of personal data when used instead of paying for “free” online services. The EDPS is an independent European body responsible for advising EU institutions on data protection issues.
The opinion was delivered following a request from the Council of the EU for a package of legislative proposals on contracts for the provision of digital services (e.g. social media platforms and cloud computing services ) and the online sale of digital goods (including films, computer programs, mobile applications, etc.) Among the objectives of the proposed directives is the protection of consumers who are required to disclose their personal data as a condition of the supply of “free” online services.
The opinion warns that the concept of “data as performance” in digital contracts, as set out in the proposed guidelines, could cause confusion and change the balance established by the General Data Protection Regulation (GDPR). The opinion considers that the notion of counter-performance must be aligned with the consent provisions of the GDPR, which establish new conditions for assessing whether consent has been freely given in the context of digital transactions. The EDPS is concerned that the proposed guidelines will effectively reverse the presumption in the GDPR that the processing of personal data based on consent, under a contract, would not be lawful unless the data processed is necessary for the performance of the contract.
The Opinion goes on to note that the use of the “balance of interests” test to legitimize processing in this context should be considered on a case-by-case basis. Generally, however,data uses in a digital environment require free, specific, informed and unambiguous opt-in consentand must not be based on the legitimate interests of the data controller (notwithstanding the explicit reference in recital 47 of the GDPR to direct marketing constituting a potential legitimate interest).
Referring to the case law of the European Court of Human Rights, the opinion states that in the EU personal data cannot be treated as a mere economic good, but rather is subject to the protections of the EU Charter of Fundamental Rights. The EDPS observes that: “There may be a market for personal data, just as there is, tragically, a market for living human organs, but that does not mean that we can or should give that market the blessing of legislation.”
The opinion concludes by recommending, among other things, to avoid the expression “data as counter-performance”, so that the guidelines are not misinterpreted as limiting the protection of consumers’ personal data when this data is provided. in exchange for “free” digital goods or services. Instead, the EDPS recommends that the proposed directives be explicitly linked to the requirements of the GDPR and online privacy legislation (a proposal for an online privacy regulation is also currently pending before the European Parliament and Council). EU).