On 14 March 2017, the European Data Protection Supervisor (EDPS) issued its Opinion on the protection of personal data when it is used in lieu of payment for “free” online services.  The EDPS is an independent EU body responsible for advising the EU institutions on data protection matters.

The Opinion was issued following a request by the EU Council in regard to a package of legislative proposals on contracts for the supply of digital services (e.g. social media platforms and cloud computing services) and the online sale of digital goods (including films, computer programmes, mobile applications, etc.) Among the aims of the proposed directives is to provide protection to consumers who are required to disclose their personal data as a condition of the supply of “free” online services.

The Opinion warns that the concept of “data as counter-performance” in digital contracts, as set out in the proposed directives, could cause confusion and alter the balance struck by the General Data Protection Regulation (GDPR). The Opinion considers that the concept of counter-performance must be aligned with the consent provisions of the GDPR, which establish new conditions for evaluating whether consent has been freely given in the context of digital transactions.  The EDPS is concerned that the proposed directives would effectively overturn the GDPR’s presumption that the processing of personal data based on consent, in the context of a contract, would not be legitimate unless the data being processed was necessary for the performance of the contract.

The Opinion goes on to note that the use of the “balance of interests” test to legitimise processing in this context would have to be examined on a case-by-case basis. As a rule of thumb, however, “the uses of data in a digital environment require a free, specific, informed and unambiguous ‘opt-in’ consent” and should not rely on the legitimate interests of the controller (notwithstanding the explicit reference in GDPR Recital 47 to direct marketing constituting a potential legitimate interest).

Referencing the case law of the European Court of Human Rights, the Opinion states that in the EU, personal data cannot be treated as a mere economic asset but, rather, is subject to the protections of the EU Charter on Fundamental Rights. The EDPS observes that:  “There might well be a market for personal data, just like there is, tragically, a market for live human organs, but that does not mean that we can or should give that market the blessing of legislation.”

The Opinion concludes by recommending, among other things, that the term “data as counter-performance” should be avoided, so that the directives are not misconstrued as limiting the protection of consumers’ personal data when such data is provided in exchange for “free” digital goods or services. The EDPS recommends, instead, that the proposed directives be linked explicitly to the requirements of the GDPR and the e-Privacy legislation (a proposed Regulation on e-Privacy is also currently pending before the EU Parliament and Council).