The Directive (EU) 2019/770 allowing the use of personal data as the price for the purchase of digital content and services is now being transposed in most EU countries, potentially opening a new phase of exploitation of data within the European Union.
The term for the transposition of the Directive (EU) 2019/770 on certain aspects of contracts for the supply of digital content and services expired on July 1, 2021, and the new provisions will be effective from January 1, 2022.
The most controversial provision of the Directive allows the possibility of using personal data as the price for purchasing digital content and services. Article 3 of the Directive (that has been literally transposed in the Italian Consumers Code) prescribes that it applies when “the trader supplies or undertakes to supply digital content or a digital service to the consumer, and the consumer provides or undertakes to provide personal data to the trader, except where the personal data provided by the consumer are exclusively processed by the trader for the purpose of supplying the digital content or digital service in accordance with this Directive or for allowing the trader to comply with legal requirements to which the trader is subject, and the trader does not process those data for any other purpose.”
Under this provision, it is made, therefore, possible to use personal data as consideration for having digital services and contents in return as part of a contractual synallagma, only if the individual consents to a data processing in excess of the minimum necessary to use the service/content or to allow the fulfilment of legal obligations.
A series of exclusions apply to this principle in relation to the specific cases, including:
- healthcare services, for services provided by healthcare professionals to patients
- gambling services;
- financial services (of a banking, credit or insurance nature);
- individual retirement, investment or payment services; and
- software offered by the professional based on a free and open license.
Even though the exceptions narrow down its scope, the change is still significant. Indeed, it raises several questions about its compatibility with the GDPR’s principle of freedom of consent. Suppose the processing of personal data for a specific purpose beyond the performance of the contract is the consideration for the services/contents. In that case, the individual should be obliged to consent to its use. Achieving the right balance between the need to benefit from the Directive’s rights and avoid potential claims of violations of data protection regulations will be crucial, mainly when the new provisions are first applied.
The type of goods that can be “purchased” through personal data is
- a “digital content” defined as data produced and provided in digital forms, such as an estimate for the offer of a service or even a simple update service or newsletter on products and services offered by a company; and
- a “digital service” defined as (a) a service that allows the consumer to create, process, store or access data in digital form; or (b) a service that allows the sharing of or any other interaction with data in digital form uploaded or created by the consumer or other users of that service
Of particular interest is the use of data as a consideration for purchasing digital content such as newsletters and other communications about the company’s goods and services. In fact, the change introduced by the Directive could open the door to allow customers’ profiling as a purpose beyond what is strictly necessary to send commercial communications without having to rely more on legitimate interest or consent as the legal basis.
In this case, the legal basis could be just the performance of the contract, understood as the contractual counter-performance to which the consumer is committed under the terms of the Directive as implemented in the EU countries.
This aspect is a delicate issue on which it would be useful to have guidelines from the European Data Protection Board, as occurred in the past for other issues where overlapping regulations were interacting, such as the interaction between the GDPR and the PSD2 which has several impacts on fintech and that we covered in the article “The European Data Protection Board sets the rules of Fintech with its guidelines on the PSD2“.