Regulators and courts in the EU are increasingly vigilant in relation to the privacy practices and policies of large online companies. In recent months and years, pressure has increased not only through privacy-specific regulations and enforcement, but also through the application of consumer legislation. As the examples below from France and Germany show, some courts or regulators assess privacy practices and policies against the rules on unfair or abusive trade practices — in some countries, the legislator is even proposing new laws to that end. This is a worrying trend, as it could trigger the application of an additional set of rules to privacy policies, and implies that EU consumer protection authorities may acquire competence in relation to online privacy policies, in addition to the EU data protection regulators.


An advisory committee to the French consumer agency DGCCRF (“the committee”) published recommendations regarding compliance of social media policies with French consumer legislation. The committee targets privacy-specific issues, but also general consumer law concerns, intellectual property-related matters, digital content-specific issues, etc. The recommendations explicitly list which types of privacy practices and policy clauses are illicit or abusive under French consumer legislation. While the recommendations apply to “services agreements” with the consumer, their content is such that they clearly intend to target different types of social media policies – including terms of use, privacy policies, and cookie policies.

Privacy-specific recommendations

The committee’s recommendations identify the following privacy practices as illicit or abusive under French consumer law:

  • clauses suggesting that certain information is not personal data, contrary to French data protection legislation (e.g., IP addresses or browsing behavior);
  • provisions indicating that the consumer’s mere usage of the website amounts to consent for the processing of his or her sensitive personal data;
  • failure to gather express consent from a minor’s legal representative concerning the processing of the minor’s data;
  • failure to set out the specific purposes of the data processing;
  • clauses that do not limit the platform’s retention of personal data;
  • onward transfer clauses that fail to specify the third parties to whom the personal data may be disclosed;
  • clauses allowing data transfers to third countries without gathering explicit consent from the user;
  • clauses allowing the provider to change its privacy policy without prior notification to the user; and
  • clauses suggesting that the consumer is responsible for keeping his or her personal data secure.

Other recommendations affecting privacy policies

The committee also addresses non-privacy-specific issues, some of which are also relevant for privacy practices and policies.  By way of example, some of the practices that the committee considers illicit or abusive under French law are:

  • failure to provide the terms/policies in French;
  • insufficiently clear cross-references between different policy documents (e.g., links to privacy policy in the terms of use);
  • suggestions that the social network services are free of charge;
  • suggestions that the consumer’s mere usage of the website amounts to consent with the terms of use;
  • clauses giving the provider the right to unilaterally change the terms/policy without prior notification; and
  • jurisdiction clauses that exclude the application of French consumer law.


The recommendations are not legally binding, but are representative of the shift towards (even) stricter scrutiny of social media policies. Additionally, they are likely to influence French courts when assessing privacy policies. In that respect, it will be interesting to see whether the recommendations will affect the pending case (Paris) regarding a claim launched by UFC-Que Choisir, France’s principal consumer organization, in Spring 2014 against Google, Facebook and Twitter. In its press release, UFC-Que Choisir indicated that through its claim, it seeks deletion or modification of “the myriad of contentious clauses” in the terms of use and privacy policies of these companies.


The evolutions in France remind us of legal actions brought in Germany, where privacy policies and practices of several large IT companies have been scrutinized by courts under the consumer contract rules for some time.

For example, in 2013, in two separate judgments, both Google and Apple saw several clauses struck out from their privacy policies, primarily because the clauses were qualified as unfair terms in consumer contracts (see Inside Privacy, Berlin Court Condemns Google, Strikes Provisions in Privacy Policy and Terms, November 21, 2013).

In the Google case, the court took the view that consumer contract legislation applies to privacy policies, despite the argument that the clauses concerned do not constitute terms in consumer contracts, because for most of its services Google does not conclude contracts with consumers. According to the court, where consumers consider privacy policies and terms of use to be linked (in casu because consent for both instruments was gathered at the same time), the privacy policy also qualifies as a consumer contract. Moreover, the court took the view that, as such, providing services in exchange for a consent regarding data processing constitutes a contractual relationship. The court in the Apple case applied similar reasoning. Appeals are pending against both the Google and the Apple rulings.

In the future, we will likely see an uptick in legal actions concerning privacy policies. This is because most recently (see Inside Privacy, Germany Wants to Introduce Class Actions for Privacy Violations, February 5, 2013), the German Government approved a draft law that would explicitly give associations, such as consumer associations, a right of action in cases involving violations of certain rules governing the processing of consumers’ personal data.

Pandora’s Box?

The application of consumer contract legislation to privacy policies in the EU risks opening Pandora’s box. First, it would trigger the application of another broad set of requirements to the content of privacy policies, beyond privacy legislation. Bringing online policies — which by nature apply globally — into compliance with this additional category of rules would present significant challenges for the companies concerned. Adding to the complexity, there is also a significant risk that both sets of rules would contradict each other, which could in turn impair legal certainty (for example, consent requirements on the basis of consumer contract legislation for processing activities that do not necessarily require consent under the applicable privacy laws, such as in the area of international data transfers). Consequently, complex legal issues could arise, especially in view of the character of data protection legislation as lex specialis. Second, it would mean that consumer authorities may acquire (further) competence in relation to privacy policies — adding dozens of supervising authorities to the 28 currently competent EU data protection authorities. Arguably, this could lead to tensions and discussions between authorities, not only in terms of competence demarcation but also with regard to possible contradictory requirements. To this day, no mechanisms exist to resolve competence disputes between the authorities in the different areas of law.

Of course, the above DGCCRF recommendations and the German cases are mere examples, and at this stage, there is no consensus regarding the relationship between consumer legislation and privacy policies and practices – let alone clear-cut legislation or regulation.  Nonetheless, (online) companies should closely monitor if and how this recent trend evolves, not only in France and Germany but also in other EU Member States.