Ioana Stoica – Is there any overlap between the Omnibus Directive and the General Data Protection Regulation?

The Omnibus Directive 2019/2161 (“the Directive”), part of the European Union’s “New Deal for Consumers” initiative, amended several legal acts in order to modernize and strengthen consumer protection existing legislation. The General Data Protection Regulation (“the GDPR”) sets out the rules for collecting, storing, and processing of personal data.

While these two pieces of legislation may seem separate, there is significant overlap between them, and it is not yet clear how the intersection of the two affects certain commercial practices.

In this article, we’ll explore certain commercial practices which trigger the application of both the GDPR and the Directive.

Relevant aspects addressed by the Directive

The Directive brings several relevant changes. First, it expands the Consumer Rights Directive’s application, to situations where users “pay with their data” for digital content and services. Secondly, it aims to improve transparency in online purchases by imposing businesses to provide certain information on personalised pricing. These changes have been implemented to increase consumer protection in digital transactions and to ensure that they are informed of how their data is being used.

Price personalisation

Businesses can tailor the prices of their offers for specific consumers or consumer categories using automated decision-making and profiling. Such practice allows them to assess the purchasing power of individual consumers and act accordingly.

Price personalisation is expressly mentioned as a permitted practice by the Directive, which establishes that businesses have to inform consumers in a clear manner when the price they are presented with has been personalized through automated decision-making. However, this information requirement does not apply to “dynamic” or “real-time” pricing techniques that quickly and flexibly adjust prices in response to market demands, as long as they do not involve automated decision-making (based on personal data).

The issue of personalised pricing triggers the application of GDPR, as individuals have the right not to be subjected to automated individual decision-making, including profiling, which produces legal effects or significantly affects them.

In this sense, the European Data Protection Board has provided guidelines, emphasising the need for transparency and fairness in personalised pricing, including informing individuals about the logic involved in the decision-making process and providing them with the right to object to such processing.

However, it is not clear how the requirement of consent for automated decision-making will be implemented in relation to personalised prices or to what extent such practices could be based on the legitimate interests of the business (if and when the effects of automated decision-making could be considered insignificant).

Also, when a business chooses to implement a pricing model based on prices automatically adapted to the profile of the customer, it should first analyse if they ensure compliance with GDPR’s requirements such as: providing consumers with information about the processing, applying the right legal basis and ensuring its implementation, providing an effective execution of the right to access, rectify, or erase personal data and implement appropriate technical and organisational measures.

Paying with data for digital content and digital services

Digital content and digital services may include almost anything from apps, e-mail, social media, marketplaces, maps, video and audio sharing platforms and others

The Omnibus Directive extends the application of the Consumer’s Rights Directive to long-distance contracts for the provision of digital content or digital services, for which the consumer ‘pays’ with their personal data. As a result, consumer protection information obligations and the right of withdrawal will apply to those long-distance contracts.

However, the Consumer Rights Directive does not apply to contracts for digital content and digital services if the personal data provided by the consumer are exclusively processed by the trader for:

• the purpose of supplying the digital content or the digital service – which will trigger the application of Art. 6 paragraph 1 lit. b GDPR – as long as the data provided is actually necessary for the performance of the contract;
• complying with legal obligations which the trader is subject to – which will trigger the application of Art 6 paragraph 1 lit. c GDPR – as long as the trader can identify the applicable legislation.

Therefore, if the processing activity takes place based on the legal basis of (i) consumer’s consent or (ii) the business’s legitimate interest, this may indicate that the consumer’s rights under Consumer Rights Directive are triggered.

However, the legal basis applicable under GDPR is just an indication and exceptions may apply. For example, the Directive mentions that in cases where the business collects only meta-data (no contract being concluded), the Consumer Rights Directive may not be applicable. However, under the GDPR, the processing of metadata may require consent.

Another relevant exception to the application of the Directive refers to the situation in which the consumer is exposed to ads exclusively for the purpose of gaining access to digital content or digital service. However, such processing may be based either on the legitimate interest of the trader or on the explicit consent of the consumer in the case of personalized advertising.

This has a direct effect on the questions of “is consent freely given” and “can we condition access to the service upon receiving consent” as, in the end, whether or not the provision of a service may be based on consent, will have to be assessed, firstly, under the GDPR.

Final thoughts

In conclusion, the Omnibus Directive and the GDPR overlap in certain commercial practices, particularly in price personalization and ‘paying’ with data for digital content and services. The Directive expands the Consumer Rights Directive’s application to such situations, while the GDPR sets rules around the collection, storage, and processing of personal data.

Overall, the Directive and the GDPR aim to protect consumers in digital transactions, and businesses should carefully analyse how to ensure compliance with both regulations as, from our experience, there’s no ‘one size fits all’ solution.