Regulators and courts in the EU are increasingly vigilant in relation to privacy practices and policies of large online companies. In recent years and months, the pressure increases not only through privacy-specific regulations and enforcement, but also through the application of consumer legislation. As the below examples from France and Germany show, some courts or regulators assess privacy practices and policies against the rules on unfair or abusive trade practices — in some countries, the legislator is even proposing new laws to that end. This is a worrying trend, as it could trigger the application of an additional set of rules to privacy policies, and implies that EU consumer protection authorities may acquire competence in relation to online privacy policies, in addition to the EU data protection regulators.
The committee’s recommendations identify the following privacy practices as illicit or abusive under French consumer law:
- clauses suggesting that certain information is not personal data, contrary to French data protection legislation (e.g., IP addresses or browsing behavior);
- provisions indicating that the consumer’s mere usage of the website amounts to consent for the processing of his or her sensitive personal data;
- failure to gather express consent from a minor’s legal representative concerning the processing of the minor’s data;
- failure to set out the specific purposes of the data processing;
- clauses that do not limit the platform’s retention of personal data;
- onward transfer clauses that fail to specify the third parties to whom the personal data may be disclosed;
- clauses allowing data transfers to third countries without gathering explicit consent from the user;
- clauses suggesting that the consumer is responsible for keeping his or her personal data secure.
Other recommendations affecting privacy policies
The committee also addresses non-privacy-specific issues, some of which are also relevant for privacy practices and policies. By way of example, some of the practices that the committee considers illicit or abusive under French law are:
- failure to provide the terms/policies in French;
- suggestions that the social network services are free of charge;
- clauses giving the provider the right to unilaterally change the terms/policy without prior notification; and
- jurisdiction clauses that exclude the application of French consumer law.
The evolutions in France remind us of legal actions brought in Germany, where privacy policies and practices of several large IT companies have been scrutinized by courts under the consumer contract rules for some time.
In the future, we will likely see an uptake in legal actions concerning privacy policies. This is because most recently (see Inside Privacy, Germany Wants to Introduce Class Actions for Privacy Violations, February 5, 2013), the German Government approved a draft law, which would explicitly provide associations such as consumer associations a right of action in cases involving violations of certain rules governing the processing of consumers’ personal data.
The application of consumer contract legislation to privacy policies in the EU risks opening Pandora’s box. First, it would trigger the application of another broad set of requirements to the content of privacy policies, beyond privacy legislation. Bringing online policies — which by nature apply globally — into compliance with this additional category of rules would present significant challenges for the companies concerned. Adding to the complexity, there is also a significant risk that both sets of rules would contradict each other, which could in turn impair legal certainty (for example, consent requirements on the basis of consumer contract legislation for processing activities that do not necessarily require consent under the applicable privacy laws, such as in the area of international data transfers). Consequently, complex legal issues could arise, especially in view of the character of data protection legislation as lex specialis. Second, it would mean that consumer authorities may acquire (further) competence in relation to privacy policies — adding dozens of supervising authorities to the 28 currently competent EU data protection authorities. Arguably, this could lead to tensions and discussions between authorities, not only in terms of competence demarcation but also with regards to possible contradictory requirements. To this day, no mechanisms exist to resolve competence disputes between the authorities in the different areas of law.
Of course, the above DGCCRF recommendations and the German cases are mere examples, and at this stage, there is no consensus regarding the relationship between consumer legislation and privacy policies and practices – let alone clear-cut legislation or regulation. Nonetheless, (online) companies should closely monitor if and how this recent trend evolves, not only in France and Germany but also in other EU Member States.