The collection of data as compensation to other purposes than the provision of digital content or services

On May 22, the Official Journal of the European Union published the Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services. This Directive aims to establish a set of common rules that will govern the contracts that are perfected between traders and consumers for the provision of digital content or services that take place from January 1, 2022.

The Directive will apply to any contract where the trader supplies or undertakes to supply digital content or a digital service to the consumer and the consumer pays or undertakes to pay a price. Also, when the consumer provides or undertakes to provide personal data to the trader, except where the personal data provided by the consumer are exclusively processed by the trader for the purpose of supplying the digital content or digital service in accordance with this Directive or for allowing the trader to comply with legal requirements to which the trader is subject, and the trader does not process those data for any other purpose.

Thus, the Directive will apply, for example, when the consumer opens an account on a social network and provides a name and an email address, and this data is used for purposes other than exclusively the provision of content or digital services, or other than compliance with legal requirements. However, it will not apply, for example, when consumer registration is necessary under applicable law for security and identification reasons.

Likewise, the assumption in which the consumer, without having signed a contract with the trader and in order to have access to certain digital content or services, consents to the sending of advertising, escapes the application of the Directive.

The limit to this exchange that seems to be “legalized” with the Directive is that the trader must comply with the applicable obligations in accordance with Regulation (EU) 2016/679 (GDPR).

Thus, the facts that give rise to a breach of the obligations, rights and extra-contractual actions derived from the GDPR, such as the fundamental principles of data protection by design and by default or the minimization of the data, can be considered, depending on the circumstances of the case, a lack of conformity of the digital content or services with the subjective requirements or objectives of conformity established in the Directive. This lack of conformity could originate  the termination of the contract or, where appropriate, the application of corrective measures, as long as it does not become impossible or is not disproportionate to the trader.