Tag: consumer protection

European Union Reins in Big Tech

Οn Tuesday, 5 July 2022, the European Parliament held the final vote on the new Digital Services Act (DSA) and Digital Markets Act (DMA), two bills that aim to address the societal and economic effects of the tech industry by setting clear standards for how they operate and provide services in the EU, in line with the EU’s fundamental rights and values.

What is illegal offline, should be illegal online

The Digital Services Act (DSA) sets clear obligations for digital service providers, such as social media or marketplaces, to tackle the spread of illegal content, online disinformation and other societal risks. These requirements are proportionate to the size and risks platforms pose to society.

The new obligations include:

    • New measures to counter illegal content online and obligations for platforms to react quickly, while respecting fundamental rights, including the freedom of expression and data protection;
    • Strengthened traceability and checks on traders in online marketplaces to ensure products and services are safe; including efforts to perform random checks on whether illegal content resurfaces;
    • Increased transparency and accountability of platforms, for example by providing clear information on content moderation or the use of algorithms for recommending content (so-called recommender systems); users will be able to challenge content moderation decisions;
    • Bans on misleading practices and certain types of targeted advertising, such as those targeting children and ads based on sensitive data. The so-called “dark patterns” and misleading practices aimed at manipulating users’ choices will also be prohibited.

Very large online platforms and search engines (with 45 million or more monthly users), which present the highest risk, will have to comply with stricter obligations, enforced by the Commission. These include preventing systemic risks (such as the dissemination of illegal content, adverse effects on fundamental rights, on electoral processes and on gender-based violence or mental health) and being subject to independent audits. These platforms will also have to provide users with the choice to not receive recommendations based on profiling. They will also have to facilitate access to their data and algorithms to authorities and vetted researchers.

A list of “do’s” and “don’ts” for Gatekeepers

The Digital Markets Act (DMA) sets obligations for large online platforms acting as “gatekeepers” (platforms whose dominant online position make them hard for consumers to avoid) on the digital market to ensure a fairer business environment and more services for consumers.

To prevent unfair business practices, those designated as gatekeepers will have to:

    • allow third parties to inter-operate with their own services, meaning that smaller platforms will be able to request that dominant messaging platforms enable their users to exchange messages, send voice messages or files across messaging apps. This will give users greater choice and avoid the so-called “lock-in” effect where they are restricted to one app or platform;
    • allow business users to access the data they generate in the gatekeeper’s platform, to promote their own offers and conclude contracts with their customers outside the gatekeeper’s platforms.

Gatekeepers can no longer:

    • Rank their own services or products more favourably (self-preferencing) than other third parties on their platforms;
    • Prevent users from easily un-installing any pre-loaded software or apps, or using third-party applications and app stores;
    • Process users’ personal data for targeted advertising, unless consent is explicitly granted.
Sanctions

To ensure that the new rules on the DMA are properly implemented and in line with the dynamic digital sector, the Commission can carry out market investigations. If a gatekeeper does not comply with the rules, the Commission can impose fines of up to 10% of its total worldwide turnover in the preceding financial year, or up to 20% in case of repeated non-compliance.

Next Steps

Once formally adopted by the Council in July (DMA) and September (DSA), both acts will be published in the EU Official Journal and enter into force twenty days after publication.

The DSA will be directly applicable across the EU and will apply fifteen months or from 1 January 2024 (whichever comes later) after the entry into force. As regards the obligations for very large online platforms and very large online search engines, the DSA will apply earlier – four months after they have been designated as such by the Commission.

The DMA will start to apply six months following its entry into force. The gatekeepers will have a maximum of six months after they have been designated to comply with the new obligations.

Source: European Parliament

The EU Digital Markets Act

The EU has recently unveiled its much-expected landmark proposal for a Digital Markets Act (DMS). Twenty years after the introduction of the eCommerce Directive, the DMA envisages a new legal basis for competition and platform management, covering everything from content moderation  to app stores, search and self-preferencing.

The DMA introduces rules for platforms that act as “gatekeepers” in the digital sector. These are platforms that have a significant impact on the internal market, serve as an important gateway for business users to reach their customers, and which enjoy, or will foreseeably enjoy, an entrenched and durable position. This can grant them the power to act as private rule-makers and to function as bottlenecks between businesses and consumers.

With an eye mainly to US big-tech, the Digital Markets Act is set to prevent gatekeepers from imposing unfair conditions on businesses and consumers and ensure the openness of important digital services. Examples of these unfair conditions that gatekeepers sometimes impose on others include prohibiting businesses from accessing their own data when operating on these platforms, or situations where users are locked into a particular service and have limited options for migrating to alternative service providers.

Gatekeeper on the historic Banco Santander, Lisbon.

The enforcement system of the DMA is of particular importance, as the proposal does not seem to leave much space to national authorities. In fact, the European Commission shall be vested with extensive investigative powers (see Articles 19-21) and shall be able to impose fines and periodic penalty payments in case of non-compliance (Articles 26-27) of the same magnitude as in antitrust cases (up to 10% of annual turnover and 5% of daily turnover for fines and periodic penalty payments respectively).

In case of systematic non-compliance that has further strengthened or extended the gatekeeper’s position, the Commission may even impose behavioral or even structural remedies on the gatekeeper, including divestiture (Article 16). Structural remedies are a last resort penalty and can be imposed only if there are no equally effective behavioral remedies. The European Commission may also issue interim measures (Article 22) and accept commitments offered by the gatekeeper (Article 23).

Together with the Digital Services Act, the DMA is oriented at providing better protection to consumers and to fundamental rights online, establishing a powerful transparency and accountability framework for online platforms and leading to fairer and more open digital markets.

Harmonised across the EU and directly applicable, the new rules will make it easier to provide digital innovations across borders, while ensuring the same level of protection to all citizens in the EU.

Further information can be retrieved from the Commission’s dedicated webpage.

A New Deal for Consumers

On 8 November 2019, the European Parliament and the Council adopted a directive on the better enforcement and modernisation of EU consumer protection rules. The directive is a part of the so-called “New Deal for Consumers” legislative package proposed by the European Commission in April last year. The directive, which the Member States will have 24 months to implement into their national legislation, is bound to bring about many significant changes, especially for businesses trading online. The most notable updates are briefly set out below.

Online Marketplaces

In today’s online intermediation services (marketplaces), the trading coordinates of the actual seller is not always clear to the end-consumer. This has been identified as an issue, since consumer protection rules do not apply to C2C (consumer to consumer) relationships, and a consumer could unknowingly purchase products from another private individual through a marketplace. The new legislation introduces transparency as regards whom the consumer is entering into an agreement with.

That is, when buying from an online market place, consumers will have to be clearly informed about whether they are buying goods or services from a trader or from a private person, so they know what protection they will benefit from if something goes wrong. Moreover, when searching online, consumers must be clearly informed when a search result is being paid for by a third-party trader or not. They will also be informed about the main parameters determining the ranking of search results and who they can turn to when something goes wrong.

Personalised Pricing

Transparency will be further required with respect to personalised pricing. The new legislation mandates that consumers be clearly informed when the price presented to them is based on personalisation on the basis of automated decision-making. There should be noted, here, that GDPR restricts the use of automated decision-making, which may also impact the use of personalised pricing.

Consumer Protection for “Free” Services

There is no denying the fact that data may often replace monetary payment when using online services such as social media, cloud services, and email services. To bolster consumer protection for such “free” services, the directive now requires that the fourteen (14) day withdrawal right be applicable to digital services will also apply to such “free” services.

Clear Information on Price Reductions

In order to address misleading price information, the new directive dictates that any announcement of a price reduction must indicate the prior price applied by the trader. The prior price means the lowest price applied by the trader during a period of time not shorter than 30 days prior to the application of the price reduction.

New penalties for Violations

Aiming to reimburse consumer protection, the new directive grants the national legislator the right to impose a fine of up to 4% of the trader’s turnover for violations that are widespread and affect consumers in several Member States. This follows the same pattern with personal data protection, where the GDPR introduced similar fines for violations. This pattern has proved successful, as many enterprizes have proceeded with substantial investments to enhance data protection. It is therefore expected that businesses shall now need to turn their attention to furhter enhancing their compliance with consumer protection legislation.

The directive is only one of the two directives making up the New Deal for Consumers legislative package. The second directive on representative actions for the protection of the collective interests of consumers would empower certain qualified entities, such as consumer organisations, to launch representative actions seeking injunctions and collective redress (e.g. compensation, replacement, or repair) on behalf of a group of consumers. This directive is still making its way through the legislative process.

Cookies should come with a consent

On October 1, 2019, the Court of Justice of the European Union (CJEU) ruled that storing cookies on an Internet user’s computer requires active consent. Consent cannot be implied or assumed and therefore a pre-ticked checkbox is insufficient (the press release can be found here).

The CJEU ruling stems from a 2013 case, in which the German Federation of Consumer Organizations (GFCO) took legal action against online lottery company Planet49. Planet49’s website actually required customers to consent to the storage of cookies in order to participate in a promotional lottery; as part of entering the lottery, participants were presented with two separate checkboxes: The first one was an unticked marketing checkbox, in case the user wished to be receiving third-party advertising. The second one, though, was a pre-ticked box allowing Planet49 to set cookies to track the user’s behavior online. The GFCO argued that this practice was illegal, since the authorization to set cookies did not involve explicit consent from the user.

In fact, the CJEU agreed with the GFCO in its finding that Planet49 is required to obtain active consent from its users, such consent not being possible in the form of a pre-selected checkbox. This active consent, ruled the Court, is required without any further differentiation, in particular, between strictly necessary cookies, reach measurement cookies or tracking cookies; the CJEU adopts this way the view that the cookie consent requirement applies regardless of whether or not the information accessed through the cookie is personal data within the definition of the GDPR.

Furhtermore, according to the CJEU it would “appear impossible” to objectively ascertain whether a user has provided informed consent by not deselecting a pre-ticked check-box, as the user may simply have not noticed the checkbox, or read its accompanying information before continuing with his or her activity on the website. Further to that, the CJEU held that active consent is expressly set out in GDPR, where recital 32 expressly precludes “silence, pre-ticked boxes or inactivity” from constituting consent.

In view of the above reasonings, it seems that consent obtained for placing cookies with the help of pre-ticked boxes, or through inaction or action without intent to give consent, even prior to the GDPR entering into force, has been unlawfully obtained. So it now remains to be seen if any action by supervisory authorities shall ensue, to tackle some of those data collection practices relying on unlawfully obtained consent.

As the case may be, following years of disparate approaches by national transposition laws and supervisory authorities, the ruling in Planet49 has introduced a much needed clarity on how the “cookie banner” and “cookie consent” provisions in the ePrivacy Directive should be applied.

In this regard, the Planet49 case is likely to have an impact on the ePrivacy regulation ongoing negotiations, which is set to regulate cookie usage in the not-so-distant future. Until this time arrives, website owners wishing to avoid any “kitchen accidents” would be well advised to request cookie consent for all cookies other than cookies that are technically required to properly operate their website. That is, marketing, tracking, and analytics cookies may only be used with explicit, clear, informed and prior consent, provided by means of a consent management tool.

Real-Time Bidding under the Sword of Damocles

On 20 May 2019, complaints were filed with the competent Data Protection Authorities in Spain, the Netherlands, Belgium, and Luxembourg, in connection with one of the latest digital marketing practices called Real-Time Bidding (“RTB”). The complainants consider RTB a “vast scale personal data leakage by Google and other major companies” in the behavoiral advertising industry.

A typical RTB transaction begins with a user visits a website. This triggers a bid request that includes various pieces of data, such as the user’s demographic information, browsing history, location, and the page being loaded. The request goes from the publisher to an ad exchange, which submits the request, along with the accompanying data to a bid manager. Advertisers automatically submit their bids in real time, in order to place their ads and the advertising space goes to the highest bidder, who displays the winning ad on the website. Real-time bidding transactions typically happen within 100 milliseconds (including receiving the bid request and serving the ad) from the moment the ad exchange received the request.

The criteria for bidding on particular types of consumers can be very complex. The complainants, nevertheless, point out tha there is no control over what happens to the data, a situation similar to the Facebook data leakage that enabled Cambridge Analytica to profile people, but for the fact that it is far greater in scale.

For example, Google relies on self-regulatory guidelines that rely on the companies that receive its broadcasts to inform it if they are breaking its rules. Google claims that over 2.000 companies are certified in this way. Google DoubleClick / Authorized Buyers sends, however, intimate personal information about virtually every single online person to these companies, billions of times a day.

It is relevantly reminded that in accordance with the applicable GDPR provisions, a company is not permitted to use personal data unless it tightly controls what happens to that data. In fact, Art. 5 (1)(f) GDPR requires that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss”.

Unlocking e-commerce in Europe

On 3 December 2018, Regulation (EU) 2018/302, better known as the Geo-blocking Regulation, entered into force. This development is a part of the European Commission’s digital single market strategy to ban unjustified geo-blocking, which restricts the consumers’ ability to access a website, complete a purchase, being rerouted to a country specific website, or refused delivery or payment because of their location.

Geo-blocking occurs when a consumer wants to browse products or services on a trader’s website, but is denied access. This can include the practice of rerouting to a country specific version which may display different products or prices. Even when consumers can access their preferred site, they may be prevented from finalising the purchase or are required to pay by debit or credit card from a particular country. Geo-blocking Regulation now prevents this behaviour by prohibiting the practice of automatically rerouting consumers to country specific websites and banning unjustified discrimination in relation to payment methods. In fact, only few days following the Regulation’s entry into force, the European Commission fined Guess €40 million for anticompetitive agreements to block cross-border sales.

Nevertheless, although EU-based traders will no longer be permitted to refuse to sell to consumers based on their nationality or place of residence, the new rules do not require such traders to offer delivery of the goods to consumers who live in a different country. Certain goods and services are excluded from the scope of the Regulation, including transport services, retail financial services and healthcare service. Importantly, the Regulation does not cover the provision of (non-audiovisual) copyright protected content services (such as e-books, online music, software and videogames). Audio-visual services also do not fall within the scope of the Regulation.

This webpage, provided by the European Commission, explains in a concise way how online sellers can ensure their services are compatible with the new rules and provides examples of best practices.

Chatbots – Die Geister, die ich rief…

Back in 1966, MIT professor Joseph Weizenbaum developed a comparatively simple program called ELIZA, which performed natural language processing. ELIZA was initially published to show the superficiality of communication between man and machine but ended up surprising a considerable number of individuals, who attributed human-like feelings to the computer program.

Half a century later chatbots are technically advanced enough to appeal to a broader audience and are increasingly used to handle communications with customers, operating in absence of a clear legal framework for their use.

But, can a chatbot make a legally binding declaration of intent on behalf of a company, given that declarations under the law are to be performed only by natural persons or legal entities?

There is broad legal consensus that – at least for automated chatbots – this is practically a non-issue, as the declaration of a chatbot can be always attributed to its operator. With automated chatbots, declarations of intent are generated based on predefined settings, i.e. computer declarations which may not be explicitly regulated by law but are nevertheless legally binding.

Although the will to act, which is necessary for a legally binding declaration of intent, is not present at the time a computer declaration is generated, proof of intent is provided through the activation of the chatbot by the operator.

Legal scholars have in fact constructed the presence of all requirements necessary for a  declaration of intent to be legally binding: (a) awareness of intention and (b) the will to engage in a transaction. Due to the automation, both requirements may not present when a chatbot generates a declaration of intent; Ultimately, though, they are both satisfied, since they can be traced back to the human operator.

LIABILITY IN The Age of AUTONOMY

The Sorcerer’s Apprentice, Illustration of Ferdinand Barth, 1882.

The above construction of a computer declaration, however, presents certain limitations in regard to autonomous chatbots. In contrast to automated chatbots, autonomous chatbots make decisions using self-learning algorithms. Here, artificial intelligence is used and the chatbot operator no longer has any direct influence on the results and, as a rule, cannot even verify the decisions that are made.

Against this background, the correlation between the actions of the system operator and that of the chatbot does not seem satisfactory, and subsequently the principles of a computer declaration no longer apply.

At present, autonomous systems are still in an early phase of development, so that this restriction has little practical relevance. However, this is bound to change more sooner than later, and will require legislative adjustments.

One of the main issues to be addressed, here, is whether a tortuous act performed by the chatbot is due to human error, for example the incorrect programming of the chatbot. While with automated chatbots it seems possible to attribute the tortuous act to the actual cause, this becomes more difficult to prove with increasingly autonomous chatbots.

In questions of liability relating to the use of chatbots and similar systems, the injured party faces the problem of having to prove possible neglect of duty or system errors. With the increasing complexity of systems, this is a huge challenge and a considerable obstacle if the injured party wants to assert its claims successfully.

For this reason, some believe that the burden of proof should be carried by the manufacturer or operator of the system. This implies that a manufacturer or operator must prove that there was no misconduct on their part, and that they have exercised proper diligence in programming and operating the system.

A so-called objective liability is also being considered in connection with automated systems. The liability gap created by the complexity of automated systems, no longer allowing for “actions” to be easily attributed to a natural or legal entity, could be closed by holding operators liable for damages caused by their system, whether they are to blame or not.

Last comes the ground-breaking – yet distant – option for attributing a distinct legal personality to automated chatbots. In fact, the more self-learning systems become independent from the originally intended and programmed approach, the louder the demand is to grant them their own legal personality, at least in respect with liability issues. As a consequence, any damage caused by such a system would have to be compensated by the system itself. This could be done by means made available by the operator or the manufacturer.

An interim step, broadly contemplated by legal scholares, would be introducing a compulsory insurance policy, to cover damages caused by either automated or autonomous systems. This prerequisite is already a rule, when large market players contract with chatbot manufacturers.

As the case may be, chatbots are here to stay, to provide an enhanced user experience and give a new soul to daily interactions, or take what’s left of it. Chatbot manufacturers and operators should hence be well prepared, by drafting an inclusive End User’s License Agreement and having all necessary policies in place to ensure that their broom is timely stopped, before the floor is awash with water.

Live your Anti-Trust Legend in Greece

Private enforcement of anti-trust law is here to stay; the long awaited introduction of Law 4529/2018 on Wednesday 14 March 2018 offers a valuable tool in the hands of the Greek market player, who now plays an equally essential part in applying competition rules (private enforcement). Law 4529/2018 transposed Directive 2014/104/EU and applies to individual civil actions for damages incurred following a breach of competition law.

Key features of Law 4529/2018:

  • The Law clarifies that victims are entitled to full compensation for the harm suffered, which covers compensation for actual lossand for loss of profit, plus payment of interest from the time the harm occurred until compensation is paid.
  • Parties will have easier access to evidence  they need in actions for damages in the antitrust field. In particular, if a party needs documents that are in the hands of other parties or third parties to prove a claim or a defence, it may obtain a court order for the disclosure of those documents. The judge will have to ensure, however, that disclosure orders are proportionate and that confidential information is duly protected.
  • Any participant in an infringement will be responsible towards the victims for the whole harm caused by the infringement (joint and several liability), with the possibility of obtaining a contribution from other infringers for their share of responsibility. However, to safeguard the effectiveness of leniency programmes, this will not apply to infringers which obtained immunity from fines in return for their voluntary cooperation with a competition authority during an investigation; these immunity recipients will normally be obliged to compensate only their (direct and indirect) customers.
  • The Law establishes a rebuttable presumption that cartels cause harm. This will facilitate compensation, given that victims often have difficulty in proving the harm they have suffered. The presumption is based on the finding that more than 90% of cartels cause a price increase. In the very rare cases where a cartel does not cause price increases, infringers can still prove that their cartel did not cause harm.
  • Clear limitation period rules are established so that victims have sufficient time to bring an action. In particular, victims will have at least 5 years to bring damages claims, starting from the moment when they had the possibility to discover that they suffered harm from an infringement. This period will be suspended or interrupted if a competition authority starts infringement proceedings, so that victims can decide to wait until the public proceedings are over.
  • From 16 September 2018 onwards, all actions raised on the basis of Law 4529/2018 shall be heard before a special devision of the First Instance Court of Athens, which shall be comparted by judges specialized in competition law.

New Law on Consumer Protection

The recent enactment of Law 4512/2018 on 17 January 2018 has introduced, among others, a series of amendments to the framework governing consumer protection in Greece. The most important of these amendments are summarily the following:

    • The definitions of “consumer” and “supplier” are now clarified and amended to conform with ECJ jurisprudence and EU secondary law. In this regard, the consumer’s definition is narrowed down to include only persons acting for purposes which are not related to their trade, business or profession. Small scale enterprises, however, may now enjoy a protection equivalent to that of natural persons, as regards General Terms of Business.
    • It is clarified that all goods are covered by a free two (2) year legal guarantee.
    • The vendor’s obligation to provide an additional (commercial) guarantee is abolished. A commercial guarantee, however, may be provided following payment of an extra fee or in the form of extension of the guarantee already provided.
    • Issues in connection with the provision of an instruction manual and after-sales technical support services are now clarified. Such services include technical, repair and maintenance services, as well as the seamless supply of spare parts and components required for the purchased item.
    • General product safety rules and the corresponding producer’s and distributor’s obligations are set out in a clear and inambiguous manner. In addition, the obligations regarding CE marking, i.e. the manufacturer’s declaration that the product meets the requirements of the applicable EC directives, are now clearly defined.
    • The provisions on the protection of mental health of minors are being amended to introduce specific arrangements prohibiting the marketing of products which pose a risk to the psychological, mental or moral development of minors, or promote discrimination based on race, sex, religion, nationality, disability or sexual orientation.
    • Consumer associations may now be subsidized through donations, sponsorships and aids from scientific institutions, foundations or legal entities. Such donations, however may not stem from individual suppliers or organizations these suppliers belong to.

In addition, Ministerial Decision 5338/2018 has codified Law on Consumer Protection, including all amendments and additions effected over the last years. If you are interested in this recent Codified Version, you may find it by following this link.

The New Hammer of the CPC Regulation

 

“I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.”

Abraham Maslow

 

The other day the European Parliament has repassed the Consumer Protection Cooperation (CPC) regulation, with an eye on the creation of an effective mechanism to combat rogue traders both online and offline. Provisions stipulated therein are bound to  enforce consumers’ rights in the Single Market and close legal loopholes, which are exacerbated because consumer protection systems differ among EU member-states.

Investigation and enforcement powers of national consumer authorities shall include, among others:

  • requesting information from domain registrars and banks to identify rogue traders,
  • purchasing goods or services as test purchases, including under a cover identity (“mystery shopping”),
  • ordering the explicit display of a warning to consumers, or ordering a hosting service provider to remove, disable or restrict access to an online interface (e.g. website or app) if there are no other effective means to stop an illegal practice,
  • imposing penalties, such as fines or periodic penalty payments, and
  • seeking to obtain commitments from the trader to offer adequate remedies to the affected consumers, and informing them of how to seek compensation.

One of the less appealing features of the regulation, however, is the introduction of an overreaching general website blocking provision. Instead of providing for the removal of content that infringes on consumer protection laws as a last resort measure, the regulation introduces overreaching internet blocking measures and sets them readily available in the hands of the national competent authorities, without prior judicial authorization.

In particular, Article 9 par. 4 of the regulation on the minimum powers of competent national authorities provides that:

Competent authorities shall have at least the following enforcement powers: […] (g) where no other effective means are available to bring about the cessation or the prohibition of the infringement covered by this Regulation and in order to avoid the risk of serious harm to the collective interests of consumers:

(i) the power to remove content or to restrict access to an online interface or to order the explicit display of a warning to consumers when they access an online interface;
(ii) the power to order a hosting service provider to remove, disable or restrict access to an online interface; or
(iii) where appropriate, the power to order domain registries or registrars to delete a fully qualified domain name and to allow the competent authority concerned to register it; including by requesting a third party or other public authority to implement such measures; […]

Such a provision forces internet access providers to create a website blocking infrastructure, which is viewed by many as a tool to potential abuse for any number of other purposes, including censorship. To give a recent example, independence-related websites were blocked in Catalunya just weeks ago. The swift blocking of those websites was made possible only because of website blocking infrastructure that had previously been put in place for other purposes, such as barring access to sites involving copyright infringement.