< Back

Share |

The clock is ticking – can the DSM project be completed?

With time running down to the European elections in May 2019, despite some notable successes for the Digital Single Market initiative, there are important gaps, particularly around ePrivacy and consumer law.

November 2018

The Digital Single Market project is the flagship of the Junker presidency of the European Commission. Hugely ambitious in scope, the battle to break down barriers to digital access and trade across the EU has seen the launch of over 35 major legislative proposals.

The successes

There are some major pieces of legislation which have been completed, including:

  • The General Data Protection Regulation (already significantly progressed by the launch of the DSM project)
  • The Cybersecurity Directive
  • The Regulation on Portability of online content
  • The Geo-blocking Regulation (see our article)
  • The Roaming Regulation
  • Internet connectivity Regulation
  • The Regulation on cross-border delivery services
  • Regulation on cross-border enforcement of consumer protection law

Also nearing completion at the time of writing:

  • Copyright Directive (see our article)
  • Revised AVMS Directive
  • Regulation on free flow of non-personal data
  • The EU Electronic Communications Code

Outstanding priorities

As part of its mid-term review in May 2017, the Commission highlighted three outstanding areas where further action was needed: the data economy, cybersecurity and online platforms. Progress has been made but lack of clarity in areas like ePrivacy and consumer protection, are causing headaches for some businesses, particularly with Brexit looming.


The ePrivacy Directive 2002, as amended most recently in 2009, (implemented in the UK by the Privacy and Electronic Communications Regulations or PECR, also amended five times) covers universal service and user rights in relation to electronic communications networks and services. For the majority of businesses, the most important elements deal with the use of cookies and similar technologies, and rules on electronic marketing. Communications network and service providers must also comply with security and privacy obligations.

The Commission published a proposal for an ePrivacy Regulation to overhaul the Directive and harmonise application across the EU. The initial intention was for the Regulation to come into effect at the same time as the General Data Protection Regulation (GDPR) on 25 May 2018, but this always looked ambitious and it now seems likely that the Regulation will not be finalised before the European elections in May 2019.

The initial proposal for an ePrivacy Regulation was published in January 2017. It:

  • Applies to 'over the top' service providers such as WhatsApp, Facebook, Gmail and Skype and not just to telecommunications service providers.
  • Takes the form of a Regulation rather than a Directive.
  • Covers both content and metadata derived from electronic communications – both will need to be anonymised or deleted if users have not given consent, unless required for billing purposes.
  • Gives traditional telecommunications providers more scope to use data and provide additional services, subject to obtaining appropriate consent.
  • Streamlines rules on cookies – consent to cookies will be able to be given through browser settings and consent will not be needed for non-privacy intrusive cookies improving internet experience and cookies set to count visitors to a website.
  • Bans unsolicited electronic communication by any means including phone calls if users have not given consent.
  • Allows Member States to require that marketing callers display their phone number or use a special prefix. And
  • Enhances enforcement, including by bringing penalties for non-compliance in line with those under the GDPR.

Amidst extensive lobbying, the current Austrian Presidency of the Council of the European Union published a revised draft in July 2018. The new proposals suggested a watering down of the original requirements around information which has to be given to users about third party cookies and the requirements to make users select privacy settings whenever new privacy options are available. The Presidency commented that the original proposals were impractical and would result in 'consent fatigue'.

The new proposals also include a widened scope to use cookie walls (where access to services is denied unless cookies are accepted) under certain circumstances, for example, anti-fraud, security and statistical purposes, or where users are given a choice to use the services with or without cookies which collect their personal data.

The most recent set of amendments at the time of writing was published on 19 October 2018. The Presidency had set out its intention to stick with the approach in the July draft but asked for input from Member States including specific drafting, on some of the outstanding elements and also made some changes to the July draft, in particular, to Articles 6 (Permitted processing) and Article 10 (Protection of end-users' terminal equipment). The 19 October draft was discussed at a meeting on 26 October. The Council's final agreed position will form the basis for negotiations with the European Parliament.

It is believed that Austria does not intend to do more than issue a status update before it hands the file over to the Romanian presidency in January 2019. Due to the interruption of the elections, this means that the ePrivacy Regulation is most unlikely to come into effect before 2020.

Perhaps the biggest issue for most businesses relates to the uncertainty around unsolicited electronic marketing communications and consent, both in relation to electronic marketing and cookies. Businesses are already having to get their heads around the GDPR concept of consent and the different rules which apply to B2B and B2C marketing in some Member States. It would have been helpful if the rules had been consolidated (or at least finalised) in one batch. Policies and terms and conditions (should) already have been scrutinised and amended where necessary for the purposes of GDPR compliance. Marketing databases (should) have been cleansed. Many of these processes may have to be gone through again when the ePrivacy Regulation is finally agreed.

Consumer protection

Consumer confidence is crucial to a genuine digital single market; confidence that personal data will be safe, confidence that disputes can be easily resolved; confidence that consumers will get access to the best prices; confidence that they will be treated fairly.

Consumer protection law is, however, notoriously difficult harmonise. The Commission's last attempt was the Common European Sales Law (CESL) which aimed to create an optional pan-European contractual instrument for cross-border online sales between businesses and consumers and businesses where one business was an SME. The European Parliament strongly backed CESL but it faltered in the Council. The UK, along with France and Germany, were strongly opposed.

The Commission had more success with the Consumer Rights Directive 2011 (implemented in the UK as the Consumer Contracts Regulations 2013). This harmonised rules on pre-contractual information, cancellation and additional charges in consumer contracts but did not tackle issues like statutory implied terms and remedies.

In December 2015, as part of the DSM project, the EC published proposed Directives on the online and distance sale of goods and the sale of digital content. This was followed in May 2016, by a Regulation on Member State cooperation on enforcement of consumer protection law which became law in December 2017.

Despite having been published fairly early on during the Digital Single Market project, progress has been slow in this area. Both these Directives require Member States to implement equivalent provisions of a standard which must be no higher and no lower than those in the Directives.

It is fair to say that the UK, in particular, was not overjoyed at the prospect of these Directives. This was less because it disagreed that rules needed to be overhauled, than because it had recently done its own overhaul of consumer protection law, passing the Consumer Rights Act (CRA) 2015. The EC proposals cover similar ground to the CRA with respect to digital content and goods, however, there are some crucial differences.

Digital Content Directive

  • The definition of "digital content", which was taken from the Consumer Rights Directive, is different to the one used in the CRA.
  • The supply of non-essential personal data is treated in more or less the same way as financial consideration for digital content in the new draft Directive but not in the CRA which is particularly relevant as much of the CRA applies only to paid-for digital content. Personal data given in exchange for digital content, beyond what is necessary for performance of and to ensure conformity with the contract, is considered to be "counter-performance other than money" and treated in the same (or similar) way to financial consideration. In addition, where the consumer gives the supplier personal data in order to obtain digital content, the supplier must stop using the data when the contract is terminated. This, could, therefore, extend the scope of the regime significantly in the UK and will affect a broad range of businesses (although there is a certain lack of clarity to the provisions).
  • There is a presumption that digital content is to be supplied immediately after conclusion of the contract, whereas under UK law (derived from the Consumer Rights Directive), the consumer must explicitly request immediate supply and acknowledge that they will lose their cooling off period as a result. While the two provisions are not mutually incompatible, they do appear to be pulling in different directions.
  • Crucially, the rules on burden of proof are different. Under the CRA, the digital content is only presumed not to have conformed to the contract on point of delivery, for a period of six months after supply. Under the draft Directive, this presumption applies permanently which reverses the burden of proof as compared with the regime in the UK.
  • There is also a statutory termination right which does not exist under the CRA. Consumers will have the right to terminate long-term contracts and contracts to which the supplier makes major changes.
  • In addition, under UK law, remedies may only be claimed up to six years from supply. Under the draft Directive, there is no time limit. The consumer can request a remedy in relation to defective digital content at any time on the basis that digital content is not subject to wear and tear.

Online and distance sale of Goods Directive

The draft Online Goods Directive on the online and distance sale of goods was republished in June 2018, and now covers the sale of all goods, not just online and distance sales. Again, there are some major differences between the CRA and the EC proposals.

  • While the remedies available are similar, there is no short term right to reject as under the CRA. Instead, the consumer moves straight to repair or replacement and can only terminate if repair or replacement is unsuccessful.
  • Again, the burden of proof rules are different. Under current EU rules, for a certain period of time after supply, the consumer is not required to prove a defect was present on delivery; it is, instead, up to the supplier to prove it was not. This period of time will be harmonised to a standard two years. This compares with five years in Scotland and six in the rest of the UK.
  • Minor defects – if the seller is unable to repair or replace a defective product, consumers will have the right to terminate the contract and be reimbursed. This will apply in case of minor as well as major defects.
  • No claim for refund or reduction after a single repair attempt.
  • Consumers need to expressly accept known defects (under the CRA, they have to be obvious or drawn to the consumer's attention).
  • A statutory right to withhold payment of outstanding amounts until defects are fixed (not present in the CRA).
  • Less scope for deduction from refund sums payable to the consumer on rejection of goods.

A number of Member States are also affected by the following:

  • No duty to notify – the consumer will not lose the right to a remedy if they fail to report a defect within a certain period of time as is currently the case in a number of Member States.
  • Second-hand goods – consumers will have rights in relation to second-hand goods purchased online for a period of two years rather than the current one-year period which applies in some Member States.

What about Brexit?

Under the terms of the Withdrawal Act 2018, EU law in force at the time of exit will become UK law. It seems unlikely that either the ePrivacy Regulation or the consumer Directives will have been passed before we exit.

The UK will almost certainly mirror the ePrivacy Regulation whenever it comes in, at least in terms of provisions around cookies and direct marketing. The government has prioritised continuing the free flow of personal data between the UK and EU after exit and, while the ePrivacy rules sit alongside the GDPR, the UK is unlikely to want to diverge from the EU on these points.

It is much less clear what will happen if the consumer protection Directives make it through the legislative process. European Member States are used to having to deal with different regimes in different countries and that may persuade the UK that it should stick with the CRA, rather than changing consumer protection law again in order to bring it in line with EU law. Having said that, UK businesses will not be able to sell to EU consumers if they do not comply with local consumer protection law. It may just be simpler to fall in line with the EU.

The extent to which the UK will benefit from or indeed have access to an EU Digital Single Market is somewhat up in the air at the moment. From the EU's perspective, while the project is far from complete, a lot has been achieved in what, for the European Commission (which tends not to move quickly) is a relatively short space of time.

If you have any questions on this article please contact us.

watch face
Debbie Heywood

Debbie looks at the outstanding consumer and privacy elements of the DSM project.

"The extent to which the UK will benefit from or indeed have access to an EU Digital Single Market is somewhat up in the air at the moment. From the EU's perspective, while the project is far from complete, a lot has been achieved"