Hogan Lovells 2024 Election Impact and Congressional Outlook Report
Spain has just passed the law transposing Directive (EU) 2019/770 on certain aspects concerning contracts for the supply of digital content and digital services ("Directive 2019/770"). This Directive has updated and brought more specific protection for consumers that enter into agreements with traders in relation to digital services or digital content (e.g. apps, e-games, SaaS, e-Books, some medical devices, etc. ). It will be applicable from January 2022. However, the applicability of Directive 2019/770, and its implementation in practice needs to be carefully assessed. This law also has relevant data protection implications, as it regulates digital contracts where the service / content is provided in exchange of personal data (and not money).
The new provisions (that have been incorporated to the Spanish Consumer Act) will be applicable from January 2022. Therefore, companies still have time to implement their procedures and policies in line with the Spanish transposition of Directive 2019/770.
Directive 2019/770 is intended to expand and improve accuracy of protection for consumers that acquire content or services with inherent digital content. The concept of consumer for the purposes of Directive 2019/770 is comparable to the concept of consumer under current EU laws.
On the other hand, the entities bound by the obligations of Directive 2019/770 are any natural or legal person, irrespective of whether privately or publicly owned, that acts for purposes relating to that person's trade, business, craft, or profession.
Directive 2019/770 applies to the supply of digital content or digital services to consumers. For instance, it covers:
"inter alia, computer programmes, applications, video files, audio files, music files, digital games, e-books or other e-publications, and also digital services which allow the creation of, processing of, accessing or storage of data in digital form, including software-as-a-service, such as video and audio sharing and other file hosting, word processing or games offered in the cloud computing environment and social media".
It should be noted that Directive 2019/770 also applies to the provision of services by tangible medium, such as DVDs, CDs, USB sticks and memory cards, as well as to the tangible medium itself, provided that the tangible medium serves exclusively as a carrier of the digital content.
Therefore, Directive 2019/770 applies to an extremely broad range of digital products. For instance, it applies to contracts where the consumer is provided with tailor-made software, electronic files required in the context of 3D printing of goods and medical devices, such as health applications (if they can be obtained by the consumer without being prescribed or provided by a health professional).
Directive 2019/770 does not apply to:
The Directive does cover contracts where the consumer does not pay money as consideration, but it provides personal data to the trader in exchange of the services. There are a few examples in Directive 2019/770:
However, the Directive shall not apply to cookies or similar tracking technologies, except where the use of these technologies can be considered within the framework of a contract under national laws.
Please see the data protection section below for further information for the relevant implications.
The content / digital services will need to be supplied to the consumer without undue delay once the contract is in force. This obligation will be complied with when the consumer has the possibility to download / access the content, physically or virtually.
If the trader does not comply without undue delay, the consumer will need to make a request for the content / service to be provided immediately or within an additional deadline agreed by both parties. Should this not happen, the consumer has the right to terminate the contract.
There are several requirements for conformity:
Lack of conformity can be remedied by the consumer by requesting the trader to solve the situation, requesting a discount, or terminating the contract. In addition, the consumer is allowed to request additional compensation of any damages, where applicable. The consumer is allowed to stop paying any pending amount until the trader resolves issues arising from its lack of conformity.
There are some exceptions to consumer rights to request remedies due to the lack of conformity. For instance, if remedies would involve disproportionate efforts / resources where the digital content / service has insignificant / low value, or where the lack of conformity is not significant.
Besides, "where the digital content or digital service is not supplied in exchange for a price but personal data are provided by the consumer, the consumer should be entitled to terminate the contract also in cases where the lack of conformity is minor".
The period of protection for consumers under Spanish law implementing Directive 2019/770 is two years from the time of supply, unless a longer period of time is stipulated in the contract. In the case of digital content / services provided continuously over a period of time, the protection covers the duration of the contract.
The period of protection will be suspended in the case of lack of conformity, and will resume at the moment of proper conformity.
Directive 2019/770 expressly states that its content shall be construed without prejudice of data protection laws (i.e. Data Protection Regulation – "GDPR" – and national laws "implementing" GDPR). In the same sense, it also states that the content of the Directive does not change or affect any data protection principle or provision, including GDPR. In fact, in the event of conflict between Directive 2019/770 and GDPR, GDPR will prevail.
Besides, the Directive "fully recognizes" that personal data is a fundamental right and that therefore personal data cannot be considered as a commodity. This has also been the opinion of the European Data Protection Supervisor ("EDPS") when analysing the proposal of Directive 2019/770.
In spite of this, the Directive still accepts that in the market of digital services / content, it happens that those services / content are often provided in exchange for personal data, and that the Directive "should ensure that consumers are, in the context of such business models, entitled to contractual remedies". In this vein, the Spanish transposition of Directive 2019/770 expressly recognizes that "this modality is getting more and more common" and that "it is urgent and necessary to cover this vacuum".
It is a very precarious balance, as personal data in exchange for content / services will only apply when the processing of personal data is not mandatory to provide the service / content, nor mandatory to comply with any law. According to the opinion of the EDPS, consent and legitimate interest would be options as available legal bases under art. 6 GDPR (although in addition to these, other legal bases could arguably also be suitable):
However, Directive 2019/770 itself contains a provision allowing EU Members to regulate the consequences for contracts covered by the Directive in the event that the consumer withdraws the consent for the processing of his/her personal data. The Spanish transposition of Directive 2019/770 expressly envisages that the trader / data controller is allowed to terminate the contract in the event the data subject withdraws consent.
Besides, if the processing of personal data is based on the legitimate interest, in principle this would involve that the processing is not necessary to perform the agreement. Therefore, terminating the agreement or forbidding the use of a web / app would need to be carefully assessed. However, the Spanish transposition of Directive 2019/770 expressly envisages that the trader / data controller is allowed to terminate the contract in the event the data subject objects to the processing.
It should also be noted that under Directive 2019/770 "the trader should be entitled to continue to use the content provided or created by the consumer in cases where such content either has no utility outside the context of the digital content or digital service supplied by the trader, only relates to the consumer's activity, has been aggregated with other data by the trader and cannot be disaggregated or only with disproportionate efforts".
Here, Directive 2019/770 seems to accept a reality that the regulators need to be aware of. However, its acceptance is not fully committed, and has not brought legal certainty to companies and to data subjects / consumers. It’s not clear how data supervisory authorities will react in practice, because in the event of conflict between Directive 2019/770 and the GDPR, GDPR will prevail.
This could lead to an unwanted consequence. The enforcement of GDPR could potentially undermine the applicability in practice of the provisions of Directive 2019/770 if data protection supervisory authorities adopt a strict approach. However, should this happen, Directive 2019/770 would be devoid of substance, which is obviously not the intention of the legislator. This is a passionate legal challenge that all stakeholders will need to address soon.
As the Spanish implementation of Directive 2019/770 will be enforceable as of January 2022, we still have time to obtain the guidance of EU regulators (including the Spanish data Protection Agency) in order to align compliance with both the Directive 2019/770 and the GDPR.
Authored by Gonzalo F. Gallego and Juan Ramón Robles