Twitter was ordered to change all of its contractual documentation intended for French users and to make the entire judgment publicly available.
Following a remarkably thorough analysis, the First Instance Court of Paris (the “Court”) not only held that the Twitter contract was a consumer contract for pecuniary interest (1) and that Twitter ought to be considered as data controller under the French Data Protection Act (2) but it also ruled that 266 clauses included in Twitter’s contractual documentation, including those set forth in contracts that are no longer offered to users, were abusive (3).
- French consumer law applies to Twitter’s contractual documentation
Twitter claimed that the French Consumer law provisions were inapplicable because the contract to use this social network entered into by users was free of charge.
As a matter of fact, while the service offered by Twitter to its users has no financial consideration, the Court pointed out that Twitter “sells to partner companies, whether advertising or profit-making companies, personal and non-personal data freely disclosed by users during their registration on the platform and during their use of the service”. As such, “the supply of data freely collected and then processed and valued by Twitter must be analyzed as a benefit within the meaning of Article 1107 of the French Civil Code, said benefit constituting the consideration for the benefit that Twitter offers to users, which means that the contract entered into with Twitter is a contract for pecuniary interest”.
Consequently, Twitter can be considered as a professional and the users that share contents as consumers within the meaning of the introductory Article of the French Consumer Code. French consumer law provisions therefore apply.
- Twitter considered as data controller within the meaning of the French Data Protection Act
The plaintiff argued that some of the clauses included in Twitter’s contractual documentation were abusive insofar as they introduced a presumption of liability of users and limited, if not waived, Twitter’s liability whereas Twitter, as data controller, has the obligation to preserve the security of the data, to prevent their alteration and damage, or access by non-authorized third-parties.
Twitter, for its part, claimed that it was not the data controller since users determine, in their capacity as “the editorial persons responsible” for their publications, the purposes of such publication and, as such, are to be considered as the data controllers. Twitter also contended that it acted as a subcontractor only “upon instruction of the data controller”; it claimed that it was merely a technical provider in charge of hosting the data published by users.
Consequently, the Court found that Twitter was the data controller and, thus, pursuant to Article 3 of the French Data Protection Act, that it ought to “take all useful precautions, with regard to the nature of the data and the risks of the processing, to preserve the security of the data and, in particular, prevent their alteration and damage, or access by non-authorized third parties”. The Court further held that the clause that “prompt users to believe that they are solely responsible for the security of their data” is illegal within the meaning of Article 34 of the French Data Protection Act.
- The clauses concerning personal data held illegal
Having ruled on these substantive issues, the Court then carefully analyzed all of the clauses included in the contractual documentation made available by Twitter between 2014 and 2016.
This article will only focus on some of the personal data related clauses that were held illegal, i.e. those “which have the object or effect of creating a significant imbalance in the parties’ rights and obligations arising under the contract, to the detriment of the consumer” (Article L. 212-1 of the French Consumer Code).
- Lack of characterization of personal data
Some clauses provided for the collection of “information” or “details” from users without specifying however that these were personal data. But the pre-contractual information requirements imposed on professionals means in particular that consumers must be provided with a clear presentation and a plain and intelligible language of the clauses of the proposed contract.
In the matter at hand, Twitter claimed that users “necessarily” understood that the proposed offers were “likely to include commercial communications” between it and third parties.
Pursuant to Article 6 of the French Data Protection Act, the Court ruled that even though there is actually no real obligation to legally characterize personal data, the data controller must obtain the informed and expressed consent of the person whose personal data will be collected and processed. Users must indeed be able to understand what use is actually made of their data, irrespective of whether such data have been disclosed on their own initiative or through the use of tools such as tracers or cookies.
- The presumption that users consented to the contract and to the processing of their personal data merely by navigating Twitter
The plaintiff claimed that the specific consent of the users was required to process their personal data. Conversely, Twitter indicated that the general consent of users is deemed given upon their registration on Twitter.
In any event, the plaintiff underlined that the consent, even if established, cannot constitute a specific consent from users to the processing of their personal data for behavioral advertisement purposes. Interestingly, Twitter also argued that the “average Internet user” is more and more “educated” and aware that websites like Twitter finance themselves this way.
The Court considered that consent may not be inferred merely from a registration on a web site and from the subsequent navigation on this site. As such, Twitter’s contractual documentation was held unfair as it merely indicated that the collection of personal data – disclosed by users when they register on and use the platform – was the necessary consideration for the access to Twitter’s service.
- The lack of users’ consent to the transfer of their personal data outside the European Union
The Court also ruled that the clauses providing for users’ implied acceptance – resulting from the use of the service – of the transfer of their personal data to third-party countries, including unidentified countries (“any other country where Twitter operates”), were abusive as these countries may not provide a sufficient level of protection for the privacy, freedoms and fundamental rights of relevant users within the meaning of Article 68 of the French Data Protection Act. Indeed, the safe harbor and then privacy shield certification included in the contractual documentation does not cover all the countries to which data are transferred but only the United States of America.
- The lack of information about the purposes of the personal data processing and the transfer of such data to third parties
Twitter contended that personal data were collected solely in the interest of users in order to feed and improve the services provided to them.
However, the analysis of the clauses carried out by the Court showed that Twitter could use the contact details of users in order to “submit commercial offers” and that “[Twitter’s] services are financed by advertising”. In this respect, Twitter claimed that the use of the personal data collected from users enabled to propose commercial offers and that such use was a “way to help” “other people” find users’ accounts without however clearly identifying the “people” to whom the data are disclosed.
As such, the Court found not only that Twitter had breached its obligations to inform users on the purposes of the data processing and on the recipients of the data transfers – as per Article 32-I of the French Data Protection Act – but also that such clauses had the effect of conferring upon Twitter the exclusive right to interpret an ambiguous clause in a way that would be more favorable to it. Consequently, the Court held that these clauses were unfair.
- Twitter’s disclaimer of liability with respect to data security
The data controller is the person who determines the purposes and means of the processing of personal data (Article 3 of the French Data Protection Act). Article 34 of said Act imposes on the data controller the obligation to take all useful precautions, with regard to the nature of the data and the risks of the processing, to preserve the security of the data and, in particular, prevent their alteration and damage, or access by non-authorized third parties.
In its contractual documentation, Twitter recommends users to “think carefully about what [they] make public”, thereby suggesting that users are solely responsible for the contents they publish, despite the collection of personal data to which they have not consented.
The Court held that users are neither informed nor aware that their personal data are collected, which means that in such a situation it is not actually conceivable that users can “think carefully” about the contents that they publish. Such a clause is, therefore, abusive. Twitter, as data controller, remains responsible for taking all useful precautions to preserve the security of the data and, in particular, prevent their alteration and damage, or access by non-authorized third parties.
- The indefinite storage of users’ personal data by Twitter
The Court recalled that pursuant to Article 36 of the French Data Protection Act personal data may not be stored for a period longer than is necessary for the purposes for which they are collected and processed.
Yet, Twitter’s contractual documentation stipulated that users’ data – including personal data – are kept for an unlimited period of time after the deletion of the users’ accounts, Twitter thereby reserving the right to keep such data without reasonable cause for a period incommensurate with the time necessary to achieve the purposes for which they were collected and processed. Even worst, in case of termination of the contract, Twitter kept the contents published by users.
Because such clauses acknowledge that Twitter, a professional, enjoys a unilateral decision-making authority, they are, under French Consumer law, obviously likely to create a significant imbalance in the parties’ rights and obligations arising under the contract, to the detriment of consumers.
In conclusion, this remarkably long judgment (more than 236 pages) and the thorough analysis contained therein are fully in line with the General Data Protection Regulation according to which a professional that collects personal data must absolutely ensure that users have given their informed consent. As the French legislation governing unfair contractual terms is derived from Council Directive no. 93/13/CEE of April 5, 1993, attention needs to be paid to the impact that this judgment may have in other EU Members States.
Finally, the impact of this judgment will also need to be assessed in light of the forthcoming decisions which will be rendered in the two pending proceedings before the French courts against Facebook and Google based on similar claims.