chevron-down Created with Sketch Beta.

Antitrust Magazine

Volume 36, Issue 1 | Fall 2021

European Consumer Law in a Digital Economy: How EU Enforcers Are Rising to the Challenge

Agustín Reyna

Summary

  • The European Commission's Unfair Contract Terms Directive (UCTD) 5 and the Unfair Commercial Practices Directive (UCPD) have been particularly useful in addressing consumer harms from digital platforms.
  • Although the European Commission lacks authority to directly enforce consumer protection rules, in 2004 it established the Consumer Protection Cooperation Network (CPC Network), which has proved effective in bringing together Member States’ bodies that are competent under national law to enforce consumer protection rules, to cooperate in cross-­border cases.
  • In 2020, the EU adopted the Representative Actions Directive, requiring every Member State to establish a system of representative actions on behalf of consumers for violations of a variety of EU consumer protection laws and broadening the possibility for qualified entities representing consumers to seek damages collectively in all Member States.
European Consumer Law in a Digital Economy: How EU Enforcers Are Rising to the Challenge
Felix Fernandez Gonzalez via Getty Images

Jump to:

The European Union has gained global recognition for the enforcement of antitrust laws against digital companies like Google, Amazon, Apple, and Facebook, as well as for its ambitious privacy laws like the General Data Protection Regulation (GDPR). However, little attention is often paid to the increasingly active enforcement of European consumer law with respect to digital markets. For example, in 2018 the Italian Competition Authority applied its consumer protection powers to decide that Facebook had deployed aggressive commercial practices to force consumers to give their consent to the collection of data. French courts have found that Google, Facebook and Twitter imposed a number of terms and conditions that were in breach of the EU’s rules on unfair contract terms. In 2019 the Hungarian competition authority fined Facebook 3.6 million euros for misleading consumers as to the purportedly free nature of Facebook services.

The EU Single Market gives these digital and other companies the possibility to offer their goods and services online to almost 450 million consumers a nearly frictionless commercial environment. This also means that companies can also deploy practices that harm consumers located in different Member States. This risk has prompted the EU to start looking for mechanisms which, while respecting individual Member States’ enforcement competence, can tackle such practices in a more effective manner.

This article provides an overview of the consumer protection legal regime in the EU relevant to digital markets, including the role of the European Commission in a decentralized enforcement model. The article also discusses challenges to protecting consumers against specific online practices that can harm them, such us manipulation of choice architecture through the use of so-called “dark patterns.” And, finally, it provides an overview of private enforcement in consumer law as complementary to public enforcement in the EU.

EU Consumer Protection: Legal Framework and Enforcement Architecture

Legal Framework.

The EU has developed over the last four decades a substantive consumer protection framework regulating different aspects of consumer transactions, such as unfair contract terms, pre-contractual information to be provided to consumers before conclusion of a contract, the right of withdrawal in long-distance and off-premises contracts, guarantee rights as well as unfair commercial practices taking place before, during and after the conclusion of the contract. This body of consumer law is complemented by sector-specific laws protecting consumers in the area of electronic communication services, financial services, transportation (by air, rail, water, bus or coach), package travel and holiday products (e.g., timeshares), audiovisual services, alternative dispute resolution, portability of online content, and protection against discrimination in e-commerce based on nationality or place of residence in the Single Market. These laws are defined as “Union laws that protect consumers’ interests.”

In cases addressing consumer harm by online platforms, two instruments have been particularly important in recent years: the Unfair Contract Terms Directive (UCTD) and the Unfair Commercial Practices Directive (UCPD). The UCTD protects consumers against unfair standard terms in consumer contracts and includes a list of terms presumed to be unfair, while the UCPD targets unfair commercial practices aimed at distorting consumers’ decision-making process. Both instruments have been used as the legal basis to tackle online practices harming consumers ranging from misleading or incomplete information, lack of transparency of terms and conditions and unfair or unlawful terms of use creating an imbalance between the rights and obligations of online platforms and consumers. In 2019, the EU adopted the “Modernisation Directive,” which added new pre-contractual information requirements regarding specific online practices such as price personalization, search rankings and consumer reviews and established higher fines of up to 4 percent of the infringing company’s turnover in the Member States concerned.

However, while European consumer rights have been largely defined at the EU level, their implementation and enforcement have been left to each individual Member State. This has led to divergent approaches within the EU Single Market, with varying degrees of stringency in the laws adopted and different enforcement structures. To reduce such divergence in the Single Market, the EU has gradually moved towards “full-harmonization” of consumer protection, thereby limiting the ability of national law makers to deviate from minimum EU rules (e.g., by adopting more protective provisions), and has sought to streamline enforcement by creating networks of enforcement authorities with sufficient enforcement powers and obligations to cooperate with each other.

Enforcement Architecture.

Unlike in competition law, the European Commission does not have powers to directly enforce consumer protection rules. However, in 2004 the EU established the Consumer Protection Cooperation Network (CPC Network), which brings together Member States’ bodies which are competent under national law to enforce consumer protection rules, to cooperate in cross-­border cases, also referred to as intra-Union infringements. The Consumer Protection Cooperation Regulation (CPC Regulation) was thoroughly reviewed in 2017 to address (among other things) ineffective cross-border enforcement (particularly in digital markets), by boosting the powers of the competent authorities and by introducing a cooperation mechanism to coordinate action against violations occurring in more than one Member State.

Strong Powers for National Authorities.

The CPC Regulation requires Member States to give powers to national competent authorities and bodies entrusted with the enforcement of consumer protection rules. These enforcement powers apply to both purely domestic cases (e.g., trader and consumer located in the same Member State) and to cross-border cases (e.g., trader and consumer with their residence or establishment in different member states). These include (i) investigative powers, such as the ability of authorities to request and gather information, obtain access to documents, conduct on-site inspections and undertake anonymous shopping as if they were consumers, and (ii) enforcement powers. The Regulation requires that competent authorities have the power to adopt interim measures where there is a risk of serious harm to the collective interest of consumers,” to impose effective, proportionate, and dissuasive fines, including periodic penalty payments, and to seek commitments from traders.

The Regulation also requires Member States to give competent authorities sufficient resources to carry out their activities and to effectively enforce the Regulation. However, EU law does not require consumer protection enforcement authorities to be independent, in contrast to antitrust and data protection enforcers, which must be financially and politically independent.

When it comes to online violations, the CPC Regulation requires the competent authorities to have powers to request a hosting service provider to remove, disable, or restrict access to an online interface. This power can only be exercised in cases where it is necessary to avoid serious harm to the collective interests of consumers. The assessment of the seriousness of the harm must be carried out on the basis of a proportionality test in which other interests, rights and freedoms protected by other national and EU laws, including the EU Charter of Fundamental Rights, need to be taken into account.

From National to EU-Wide Enforcement

To promote consistent enforcement of EU consumer protection law, the CPC Regulation establishes a mechanism for cooperation between competent national bodies to coordinate action in case of widespread infringements in different EU Member States. To identify widespread infringements and to establish which competent authorities are concerned, the CPC Regulation takes a broad approach that requires the competent national authorities to consider several factual elements such as the place where the trader is established, the location of the trader’s assets, and the location of the consumers affected and points of sale of the trader, namely shops and websites.

Furthermore, for an infringement to be defined as widespread it needs to harm, or be likely to harm, the collective interests of consumers residing in at least two Member States other than the Member State in which the act or omission giving rise to the infringement originated or took place, the trader responsible for the act is established, or the evidence or assets of such traders are to be found. Only the collective interest of consumers can be taken into account, not the harm suffered by an individual consumer, for which other Courts (e.g., European Small Claims Procedure ) and out-of-court mechanisms (Alternative Dispute Resolution and Online Dispute Resolution) exist to resolve the dispute.

Under the CPC Regulation, there is harm or potential harm to the collective interest of consumers only when a number of consumers are affected. However, the regulation provides no minimum threshold for the number of consumers affected or likely to be affected in at least two Member States. Notably, the CPC Regulation also applies to violations that have ceased before the enforcement action started or is completed (Article 2(1)), such as in cases where the infringement might have ceased in one Member State but it is still taking place in another Member State.

Duty of Cooperation.

Member States’ competent authorities have a duty to cooperate with each other. Under the mutual assistance mechanism, an authority (applicant authority) can request another authority (requested authority) to provide any relevant information necessary to establish whether an intra-Union infringement has taken place and to bring such an infringement to an end (Article 20). An authority can also refuse a request by an applicant authority and in the event of disagreement, the European Commission is requested to issue an opinion and is entitled to ask information and access any exchanges between the two authorities.

The CPC Regulation requires member states to designate a single liaison office to be responsible for coordinating the investigation and enforcement activities of the competent authorities (Article 5(3)). This, therefore, requires Member States to guarantee that the competent authorities have all necessary powers not only to conduct their own investigations, but also to fulfill this duty of cooperation.

The Role of the European Commission.

The European Commission has an important role as coordinator of actions taken by the CPC authorities against widespread infringements. Although it lacks direct enforcement powers, the Commission can notify national authorities when it has reasonable suspicion of a widespread infringement and can support authorities by collecting evidence and information related to the suspected infringement. The Commission also acts as coordinator of the enforcement action in the case of an EU-wide infringement and can also take that role in the case of a widespread infringement when competent authorities have failed to designate a coordinator. However, despite this important role of the European Commission, the CPC Regulation does not require adequate funding for the Commission’s coordination of CPC activities (currently under the Directorate General for Justice and Consumers), in contrast to the requirement of sufficient funding for national competent authorities.

External Alerts by Consumer Organizations.

The CPC Regulation also provides that consumer organizations, alongside other bodies such as European Consumer Centres and trade associations, can be designated to issue external alerts to the CPC Network. These alerts seek to draw the authorities’ attention to potential widespread infringements. The European Consumer Organization, BEUC, has been designated by the Commission to issue such external alerts.

BEUC has issued external alerts regarding practices in the digital environment: one alleging that the popular video-­sharing service TikTok had failed to protect children and teenagers from hidden advertising and potentially harmful content on its platform, and one against WhatsApp alleging the company had engaged in unfair commercial practices by sending persistent and intrusive notifications to pressure users to accept its policy updates.

While these “external alerts” serve as complaints, the CPC Regulation does not include specific rights for the parties submitting the alerts. This is in contrast to Council Regulation No 1/2003 on the implementation of the rules on competition laid down in Articles 101 and 102 of the Treaty, under which consumer organizations enjoy the right to submit complaints and to be heard in competition proceedings before the European Commission. These rights include the ability to submit comments on statements of objections, participate in oral hearings, and provide feedback in “market tests” of proposed undertakings (i.e., typically changes to the company’s business practices).

Commitments.

In the context of a coordinated action, under Article 19(3) of the CPC Regulation, members of the CPC Network can “set out the outcome of the investigation and the assessment of the widespread infringement or, where applicable, the widespread infringement with a Union dimension in a common position agreed upon among themselves.” This common position can be used to negotiate specific changes and remedies with the concerned trader in the form of commitments (Article 20). For example, in 2018 the CPC Network obtained commitments from Twitter, Google, and Facebook to adapt a number of clauses of their respective terms and conditions to comply with EU rules on unfair contract terms. And in 2020, the CPC Network obtained commitments from Booking.com and Expedia Group to change the way each presents offers, discounts, and prices to consumers to allow consumers make informed comparisons.

Obtaining commitments as a remedy is a novelty in consumer cases at EU level. These commitments can include undertakings to cease a business practice giving rise to a concern as well as to remedy the harm caused to consumers by the conduct of concern by means of specific measures. Such measures can include the remedies included in EU consumer sales law such as repair or replacement of goods, price reductions, termination of the contract and reimbursement of the price paid for goods or services. The competent authorities can also seek to obtain such commitments from the trader “where appropriate.” This provides leeway to the authorities to persuade traders to offer commitments going beyond the cessation of the infringement and to include measures of a reparative nature. However, the CPC Regulation does not mention the possibility of providing compensation for damages to consumers.

Moreover, the legal status of the common positions of the CPC Network members assessing a trader’s conduct or the statement by the trader accepting commitments is not clear. As these are not decisions by a competent authority, it would not be possible to seek their enforcement before national courts. This means that, even if there is a common position adopted expressing concerns about a company, a private party seeking damages before national courts would be required to prove the existence of the infringement and the causal link with the harm caused. In this respect, a common position does not allow direct follow-on actions, so that to seek compensation a claimant would still need to bring a stand-alone action in which the common position would constitute one element of proof.

Digital Cases Under the CPC Network.

In addition to the cases referenced above against social media (Twitter, Google, and Facebook) and booking platforms (Booking.com and Expedia Group), the CPC Network has coordinated actions about information on Apple and Google Android devices regarding in-app purchases and exhortations to children to make such purchases (2014), and scams and frauds related to products sold online falsely claiming to prevent or cure COVID-19 (2021). Most recently, the CPC Network has raised concerns regarding a number of practices by Google, including the transparency of its search results ranking and of the business model of Google Flights, the reliability of hotel reviews presented to consumers, the provision of essential pre-contractual information regarding products and services offered on the Google Play Store and Google Store and unfair contract terms. Following an external alert by the BEUC, the CPC Network has also launched a formal dialogue with TikTok to review its commercial practices and policies.

Enforcement Challenges in Digital Markets

As demonstrated in these actions, EU consumer law has played a very significant role in the protection of consumers in digital markets. However, the specific characteristics of digital markets and the way companies, in particular large online platforms, operate have shown the limits of traditional consumer protection remedies based on information disclosure. When engaging online, consumers are at risk of being manipulated by misleading design interfaces and unfair practices aimed at pushing consumers to take, or not to take, decisions that are not always in their own interest but to the benefit of the trader. Such interfaces and practices are often referred to as “dark patterns.” For example, a trader might design its contract termination interface with multiple steps to discourage consumers from terminating a service. This is what BEUC’s Norwegian member, the Norwegian Consumer Council, has alleged regarding obstacles to cancel the Amazon Prime subscription that exceed the steps needed to subscribe to the service. “Dark patterns” are also at the heart of the external alert to the CPC Network by BEUC on WhatsApp’s notifications to consumers regarding changes to its terms and conditions. Alleged instances of dark patterns, like these, present particular challenges because they cannot be addressed through greater disclosure.

The risk of “dark patterns” has profound implications in the fields of data and privacy protection, both enshrined in the EU Charter of Fundamental Rights. Choice architecture regarding privacy configurations is often designed in such a way that consumers must take so many steps to choose more privacy-friendly options that they simply give up. This is the case of “click fatigue,” a form of “dark patterns” which discourages consumers from changing default configurations. For example, the Norwegian Consumer Council has issued a report that alleges that Facebook and Google have used this technique in the design of their privacy settings.

Current horizontal consumer protection rules could be better enforced against dark patterns. This would require, however, competent authorities to take a broad perspective in their interpretation of the rules on consumer protection against unfair practices, and in particular to take into account user interfaces and techniques applied by traders to make consumers take (or not take) certain decisions, as well as to carefully consider the effect traders’ practices may have on consumer behavior in practice.

In addition, tackling these forms of manipulation cannot be left to consumer law alone. Antitrust and data protection law enforcement can and should play their part to complement consumer law. Allowing consumers to make informed choices is a pre requisite for competitive markets as well as for the protection of people’s own personal data. One of the weaknesses of enforcement in Europe has been that authorities often operate in “silos” without necessarily considering the implications of a given behavior in relation to other closely related areas of law. There have been attempts to enhance cooperation between consumer protection, competition and data protection bodies in several Member States and in the UK. For example, in July 2020, the UK Competition and Markets Authority, the Information Commissioner’s Office, and the Office of Communications created the Digital Regulation Cooperation Forum. This network was established to ensure a greater level of cooperation, given the unique challenges posed by regulation of online platforms.

The Role of Private Enforcement

The CPC Regulation only addresses public enforcement. However, in the EU there are several jurisdictions with a long standing tradition of private enforcement. For example, consumer organizations have sought the enforcement of consumer rights before national courts through injunction proceedings and, where available, collective actions. However, collective redress proceedings vary considerably across the EU. In some countries like France, collective redress proceedings are based on opting-in, while other countries like Portugal apply an “opt-out” system and others, such as Belgium, use a combination of both systems.

In 2020, the EU adopted the Representative Actions Directive, which requires every Member State to establish a system of representative actions on behalf of consumers for violations of a variety of EU consumer protection laws. This Directive is a milestone in EU law and is considered a crucial instrument to facilitate access to justice for consumers. While the Directive allows Member States to retain the power to organize their judicial systems and procedures, the new EU rules on collective redress broaden the possibility for qualified entities representing consumers to seek damages collectively in all Member States. This perspective could also deter companies from infringing consumer protection rules.

Conclusion

Consumer protection in the EU is a developed area of law which has proven to be important for the protection of consumers in online markets despite the limitations on its enforcement. The short but significant experience of the CPC Network has shown that coordination of national enforcement bodies is essential to address consumer law violations in digital markets. However, there are several questions that need to be addressed from a procedural viewpoint, particularly in relation to the rights of third parties in the EU investigations under the CPC Regulation, the legal value of the CPC common positions before national courts, and the cooperation between different enforcement networks components for other areas of EU law.

With increasing digitalization of many elements of consumers’ lives and exposure to new risks, we can also expect further changes to the EU’s legal framework and greater integration of enforcement competences. In the meantime, the CPC Regulation provides for a coherent framework for national enforcers and the European Commission to work together and rise to the challenge of effectively applying consumer law in a digital economy.

Views expressed are the author’s own.