Businesses relying on standard consumer contracts may have to review their contractual terms following the French judgment against AOL. On 2 June 2004, AOL’s standard subscriber contract was held to be unenforceable as it breached data protection laws (in addition to breaching mandatory consumer and contract laws). As a result, AOL had to pay large damages, remove its offending clauses, inform its customers of the changes made, and e-mail the judgment to its subscribers, in addition to publishing the judgment in three daily national newspapers.
Enhanced enforcement of the Data Protection Directive is not just a French headache. Following the Article 29 Working Party’s (A29WP) recent appeal that supervisory authorities should co-operate with one another by exchanging useful information and by exercising their powers where requested by an authority of another Member State, businesses throughout Europe ought to reassess the legality of their standard contractual terms.
Enhanced enforcement urged by the A29WP
The A29WP was set up by the Data Protection Directive with the purpose of promoting “…the uniform application of the general principles of the Directives in all Member States…”. In its publication on Enforcement, issued in November last year, the A29WP noted that bilateral co-operation may be particularly useful in ensuring harmonised compliance.
That could mean in practice that the data protection authority of the country where the data subject lives would exchange information with the data protection authority of the country where the data controller is established. It may, therefore, no longer be possible to rely on the assumption that differences in national laws would stand in the way of a joint effort by the authorities to take a more pro-active approach.
Bearing in mind that the AOL case was brought by the well-respected French consumer body “Union Federale des Consommateurs” (as opposed to by a wronged individual), such joint efforts may actually materialise sooner rather than later. Most EU countries that have similar consumer bodies to those in France may not have to think twice about initiating cross-border actions against perpetrators of data protection breaches. Before jumping to conclusions, however, it may be worth taking a closer look at the unenforceable terms of AOL’s subscriber contract, and analyse how such breaches could have been avoided.
Positive consent to cross-border data transfer and direct marketing
AOL’s contract contained terms to the effect that the subscriber’s personal data would be transferred outside the EU, and communicated to third party direct marketers. However, a customer’s consent is generally required for the purpose of transferring data cross-border. For the purpose of direct marketing, the customer must be offered an opt-out possibility, and consent is required when direct marketing is made by electronic means.
Consent in France needs to be positive, i.e. the subscriber needs to actively communicate his/her consent by ticking an opt-in box.
AOL’s contract, however, relied on an opt-out approach, whereby the subscriber’s consent was held to be implied where he/she failed to register the fact that he/she did not want his/her data to be transferred cross-border and/or shared with direct marketers. The High Court of Nanterre dismissed the opt-out approach as it considered it to be too demanding for the subscriber. As a result, both of these terms were held to be illegal and were consequently unenforceable.
The consequences of non-compliance with the data protection principles are, therefore, potentially significant. With this in mind, it may be worthwhile considering the following practical measures when entering into a contract with a customer/subscriber that enables you to access and process his/her personal data, whether that is his/her name, postal address, e-mail address or any other piece of information that directly or indirectly makes him/her identifiable:
- do not transfer data outside the EU unless the data subject has consented to such a transfer, or one of the limited exceptions applies
- depending on the circumstances, when positive consent cannot be obtained in practice, rely on the signature of EU international model clauses with the recipient of the data, or on the adoption of binding corporate rules if the cross-border transfers of data are done within the same group of companies
- obtain positive consent for sharing personal data with third party marketers if such third parties are situated outside the EU or if direct marketing is made by electronic means. In other cases, make sure that customers are offered a possibility to opt out
- do not rely on unamended American standard consumer contracts as they may not comply with European data protection laws
France was the last EU country to implement the Data Protection Directive, and the Commission had previously initiated enforcement action against the country. This factor may partly explain why the French High Court imposed such a strict judgment on AOL for breaching data protection principles despite the fact that such principles had not yet been transposed into national law (the Directive was implemented one month after the AOL decision). However, this fact does not mean that the French courts are likely to relax their attitude to data protection compliance in the future. The strict precedent is in line with the A29WP’s initiative of enhanced enforcement and may serve as a warning to businesses that data protection compliance is being taken seriously at both national and European levels.