Selling digital content in Europe - more contract changes from the EU

Under proposed new EU rules intended to give consumers additional rights under online contracts, social media, hosting and other services may be classified as “digital content”, including those provided for free but in exchange for provision of personal data.

Selling digital content in Europe - more contract changes from the EU

UK (and soon Irish) providers of digital content may already have had to adapt to specific new national rules on consumer rights. New ones may be coming. Not immediately, but the EU Commission in a proposed directive ‘on certain aspects concerning contracts for the supply of digital content’ has set out a system which would require some significant changes to contracts and dealings with consumers.

Harmonisation of contractual rules can be a “Good Thing”. Depending on the EU Member State, digital content supplies may currently be treated as goods, services, rentals, or a specific category of supply, each with their own rules. With digital content being a prime category for cross border supplies, then this proposal could at least reduce the tailoring needed for contracts across the EU. On the other hand, it approaches the subject squarely from a consumer rights perspective which may directly affect drafting and application of some of our familiar terms and conditions. As a “full harmonisation” proposal, Member States would not be permitted to deviate from it, even to give additional protection to their own consumers. Also we wouldn’t be permitted to contract out of the rules in our EULA or general conditions.

1. What supplies are covered?

Digital content as we might most easily understand it is covered (e.g., “video, audio, applications, digital games and any other software”). However, digital services such as cloud storage and publishing would also fall within the definition of digital content, i.e., services “allowing the creation, processing or storage of data in digital form, where such data is provided by the consumer” or “allowing sharing of and any other interaction with data in digital form provided by other users of the service”. Although the definition may be a little awkward, the clear intention is that all manner of digital activities should be covered, including social media.

On the other hand, certain activities that are subject to specific sectorial rules are excluded i.e., healthcare, electronic gambling, or financial services, as well as “services performed with a predominant element of human intervention” that happen to be provided digitally (examples could be legal or consulting services). “Electronic communication services” are also excluded. This is generally the way with EU legislation, and other specific rules already apply to them, but this does risk further contributing to a multi-tier system where calls and messaging are treated differently from other types of sharing (so an SMS is regulated differently from a Facebook post or tweet, with direct messages potentially somewhere in the middle…)

2. What contracts are covered?

Only business to consumer contracts are covered. A consumer is a natural person acting outside of their business (cf. in the UK where this is “wholly or mainly” outside of business).

Paid-for content and services are covered as expected, but the big novelty is that services would also be covered where the consumer “actively provides counter-performance other than money in the form of personal data or any other data” (except for legally required data). So this includes many “free” services that require registration; but not those provided in return for viewing advertising. There seems to be some logic in that lower expectations may apply for free content or services, but equating collection of personal data with payment, though clearly a well-used business model, would be a new departure, and in the UK would bring many more services within the scope of the Consumer Rights Act.

3. What obligations would suppliers have?

The supplier would need to provide digital content:

  • “immediately” after making the contact (unless otherwise agreed)
  • in accordance with all the provisions of the contract – and potentially with pre-contractual information
  • that is fit for any purpose made known by the consumer and accepted by the supplier
  • that is the latest version (unless otherwise agreed)
  • that is correctly installed if installed by the supplier or in accordance with the supplier’s instructions (or those which should have been supplied in order to make it fit for purpose)
  • free of any third party claims or rights.

The burden of proof to show that digital content corresponds to the contract would fall on the supplier (unless the failure was due to the consumer knowingly installing it in an incompatible environment).

The supplier would not be permitted to make changes to digital content supplied if this adversely affects the consumer’s access to or use of it, unless this is stipulated in the contract, the consumer is given prior notice on a “durable medium”, and the consumer is permitted to terminate the contract free of charge and retrieve his or her consumer generated content.

4. What rights would consumers have?

If the digital content was not supplied (on time): to terminate the contract immediately.

If the digital content supplied was not in accordance with the contract then: (i) to have the defects rectified within a reasonable time at no cost (unless impossible, disproportionate in cost or unlawful); or (ii) if no rectification is made on time or at all, to receive a reasonable reduction in price or to terminate the contact, including where rectification would have caused significant inconvenience to the consumer. Termination would be reserved for cases where the non-conformity affects functionality, interoperability and other main performance features of the digital content such as accessibility, continuity and security, and again the burden of proving that it does not would fall on the supplier.

Upon termination, the supplier would have 14 days to refund any money paid – but importantly would also need to ensure that any data etc. provided in lieu of money is no longer used.

In any event, the supplier would be required to compensate the consumer for any “economic damage” caused to the consumer’s environment (hardware, other content, network connection) by defective digital content.

Outside of defective supply, the consumer would also be entitled to terminate any contract after the first twelve months, even if it was stated to be for an indefinite period or automatically renewed.

Note that where the supplier is liable to the consumer under these provisions, then the supplier would have express rights to pursue others in the supply chain that caused the liability.

5. What to do?

This is still very much a proposal and, given the significant changes to current national laws, amendments seem very likely. If and when agreed by the EU institutions, there would still be a two year period for EU Member States to adapt national laws to incorporate these provisions. Nonetheless, clearly this would affect well-used contractual clauses that we are accustomed to seeing e.g., reserving rights to modify or withdraw services, excluding liability for damage to equipment, or disclaiming any implied warranties of fitness for purpose. Eden Legal will return to this, as well as to additional EU proposals affecting consumer contracts for online sales of goods, and portability of online content services.


READ THIS NEXT: ADR/ODR: New website information requirements for EU online traders

  • Are crypto wallet addresses personal data?

    Are crypto wallet addresses personal data?

    Never assume. They can easily be…

  • EU International Data Transfers - new 2021 Standard Contractual Clauses

    EU International Data Transfers - new 2021 Standard Contractual Clauses

    The European Commission has issued a new set of standard contractual clauses (“SCCs”) to address new requirements under the GDPR, changes in the digital economy, but most importantly the European Court’s judgment in Schrems II requiring supplementary measures for some exports. The new SCCs are comprehensive and fill some gaps; but they require data importers and exporters to invest significantly in documenting how they will overcome local government surveillance laws.

  • Adtech Regulation under the EU’s draft Digital Services Act

    Adtech Regulation under the EU’s draft Digital Services Act

    A lot has been made of the liability and transparency provisions of the EU’s proposed Digital Services Act.

    However, there are also a few advertising-specific obligations (proposed to be) coming for online platforms that deserve a closer look.

  • "Due diligence" obligations for EU online platforms

    The quickest-possible look at the EU’s draft Digital Services Act and proposed new obligations for intermediaries and online platforms.

    Eden Legal will return with additional posts on: (1) liability for illegal content; and (2) specific adtech-related obligations, under the proposed Regulation.

    #Lawinagraphic – minimum wordiness, maximum user-friendliness.

  • How will Artificial Intelligence Systems be regulated in the EU?

    How will Artificial Intelligence Systems be regulated in the EU?

    The European Commission has put forward a proposed Regulation on a European Approach for Artificial Intelligence, also known as the “Artificial Intelligence Act”. It’s a proposal and before entering into application faces a likely lengthy path through the EU institutions which seems bound to produce a hefty amount of debate and amendments.

  • 2021 will be the Year of Smart Contracts

    2021 will be the Year of Smart Contracts

    Smart contracts are here. Eden Legal’s very initial, very personal thoughts on them.

  • GDPR EU/UK Representative - do we need one?

    GDPR EU/UK Representative - do we need one?

    Everything you need to know about appointing an EU and/or UK representative as required by the GDPR.

    Update 14 February 2021: under the EU Council’s agreed position on the future E-Privacy Regulation, providers of electronic communications services, providers of publicly available directories, senders of direct marketing over electronic communications services, and anyone using processing and storage capabilities or collecting information processed by or emitted by or stored in the end-users’ terminal equipment (i.e. adtech!) will also be required to appoint a representative in the EU and communicate it to the relevant national supervisory authority.

  • GDPR and Brexit - take us to the bridge

    GDPR and Brexit - take us to the bridge

    The EU-UK Trade and Cooperation Agreement has avoided major changes to personal data flows between the EEA and UK at least until 30 April 2021. However, if we process data of individuals in both the EEA and the UK, then we face the prospect of complying with two similar but distinct regulatory regimes.

  • The ICO fines Marriott and BA for GDPR Breaches - 10 Takeaways

    The ICO fines Marriott and BA for GDPR Breaches - 10 Takeaways

    If you’re handling personal data subject to EU (and/or UK) laws then you would do well to read the UK Information Commissioner’s (“ICO”) decisions to fine Marriott and BA for failures to have in place appropriate cyber-security measures. And this post for 10 more easily digestible takeaways.

  • EU Court invalidates Privacy Shield - what to do?

    EU Court invalidates Privacy Shield - what to do?

    The Court of Justice of the EU has struck down the EU Commission’s EU-U.S. Privacy Shield Framework decision, but in principle left in place the EU Commission’s Standard Contractual Clauses, which organisations can sign in order to impose EU-style data protection obligations on non-EU data importers. For now, where we used to rely the Privacy Shield framework, the pragmatic approach may be to sign SCCs – but the story won’t end there.