EU institutions have always tried to ensure that consumers receive adequate protection within the context of e-commerce. EU legislation on the topic is rapidly evolving and, indeed, EU institutions have just adopted a new package of rules, including a directive on contracts for the supply of digital content and services (the "Digital Content Directive") as well as a directive on contracts for the sale of all kind of goods, including goods with a digital component such as smartwatches (the "Sales of Goods Directive").1 Another relevant issue is the interaction with the new EU data protection rules, which must be respected by data controllers during the execution and performance of e-commerce contracts.
The rationale of these provisions is to protect the weak party of the contractual relationship (the consumer) and to boost EU consumer rights in a digital context.
An overview of the Italian legal framework on e-commerce contracts
In Italy, the e-commerce sector is mainly regulated by Legislative Decree no. 70/2003 and by Legislative Decree no. 206/2005 (the "Consumer Code").
The Italian Consumer Code implements EU Directive no. 2011/83 on consumer rights. The Consumer Code aims at protecting consumers against professionals within the sale of goods and services. The provisions contained in the Consumer Code also apply to "distance contracts" ̶ meaning the agreements reached between two contractual parties who are not physically present in the same place at the time of the execution of the contract ̶ and to e-commerce contracts, which fall under the said category, i.e. contracts negotiated and executed by electronic means.
Article 51 of the Consumer Code states that the professional has a pre-contractual duty of information towards the consumer. More specifically, the professional must provide to the consumer, clearly and by appropriate means, information listed in Article 49, paragraph 1 of the Consumer Code including, among others, an indication of the main characteristics of the goods or services, information on the supplier's ID details, etc. Furthermore, the consumer who has executed a distance contract or an e-commerce contract is entitled to unilaterally withdraw from it within 14 days from a) the day of execution of the contract, in the case of contracts of services; b) from the day in which the consumer or a third party appointed by the consumer receives the goods, in case of contracts of sale. The term of 14 days applies only if the professional has correctly informed the consumer of the existence of the right of withdrawal, while if the consumer has not been duly informed of such a right, he can withdraw within 12 months from the execution of the contract.
Processing personal data under GDPR in the context of the provision of online services to data subjects
As mentioned above, a relevant issue related to e-commerce contracts is the need to comply with EU data protection rules, mainly embodied in the General Data Protection Regulation no. 679/2016 (the "GDPR"). Article 6, paragraph 1, letter b) of the GDPR provides a lawful basis for the processing of personal data to the extent that the "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract".
The European Data Protection Board ("EDPB") has just adopted guidelines no. 2/2019 2, which refers to the scope and enforcement of the above mentioned Article 6, paragraph 1, letter b) of the GDPR to the processing of contracts for online services. In such guidelines the EDPB points out that personal data must be processed in a fair and transparent manner and affirms that both the principles of purpose limitation and data minimisation are particularly relevant in contracts for online services. Additionally, according to the EDPB, when assessing whether Article, 6, paragraph 1, letter b) GDPR is an appropriate legal basis for an online contractual service, "regard should be given to the particular aim, purpose, or objective of the service". In this respect it is necessary to assess whether the processing is objectively necessary for a purpose which is integral to the delivery of that service to the data subject. The data controller should be able to demonstrate that if the specific processing of personal data does not occur, such a contract with the data subject cannot be performed. Lastly, it should be noted that, according to the EDPB, when the contract is fully terminated, the processing of personal data will no longer be necessary for the performance of the contract and so the data controller is required to stop the processing.
E-commerce contracts will continue to grow rapidly in the near future. Therefore, it will be very interesting to monitor how national legislators will amend current local provisions to implement the new EU rules and what will be data controllers' fundamental approach to processing personal data within the e-commerce context. For future updates on these topics don't miss out on our future posts on these matters and... don't forget to sign up to our TMT Bites Newsletter!
1 The texts of the new directives will now be formally signed and published in the Official Journal of the EU and member states will have two years to transpose the new rules into their national law. The official text of the two directives are available here.
2 The text of EDPB's guidelines no. 2/2019 is available here.
Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.