EC Proposal to Pay with Personal Data Could Undermine Privacy and Harm the Online Ecosystem

If data is the new oil of the digital economy, as is often said, consumers are the fossilized organic source; that is, while consumers provide the crude data, it is businesses that turn data into a valuable asset. The question of how to balance the rights of businesses and consumers in managing this digital resource is at the heart of a proposed Directive on contracts for the supply of digital content, otherwise known as the Digital Contracts Directive (DCD).

The proposed Directive was issued by the European Commission in December 2015 and introduced the notion of data as a negotiable asset in contracts between businesses and consumers. Article 3 of the proposal states that a contract between a consumer and a business may include the provision of (personal) data as consideration in return for access to or ownership of digital content or services. This concept is appealing to policymakers hoping to regulate ‘free’ digital content (content that is provided in exchange for personal data or any other data of the consumer) and offer consumers leverage to negotiate their participation in the data-fueled online marketplace.

In an ideal world, individuals would be empowered to manage their own data while granting industry some ability to access their information, a foundation that would make the proposed Directive more palatable. But the EU legal framework around ownership and sovereignty of personal data is far from clear, and the DCD proposal stands in sharp contrast to the existing public discourse in Europe around data protection and privacy, where privacy and protection of personal data have the status of distinct human rights. The DCD proposal has provoked a debate about these issues amongst EU Member States, which recently solicited an opinion from the European Data Protection Supervisor (EDPS) on the subject.

The German Minister for Interior, Thomas de Maizière, has voiced many of the concerns of Member States over the concept of “private ownership of data” and the risk this might entail for consumer privacy. Minister de Maiziere cautions, “If I can sell ‘my’ data, there is a danger of privacy being up for sale. Then at some point, only the wealthy will be able to afford to opt out, while the economically weaker are effectively forced to put ‘their’ data up for sale”. The DCD proposal also conflicts with the rights and remedies detailed in the UK’s Consumer Rights Act, which become invalidated when consumers exchange personal data in return for access to digital content. While the UK government has stated that it has “no fundamental objection” to applying these rights to situations where consumers exchange personal data for access to ‘free’ digital content, it has also said these rights could “unduly inhibit” that “very innovative business model”. Most recently, Giovanni Buttarelli (EDPS) published an Opinion on the Commission’s proposal, warning that “individuals should not be required to disclose personal data in ‘payment’ for an online service”.

We believe that the use of personal data as a bargaining chip for free content should not give companies carte blanc to widely share an individual’s data or make it publicly available, or that consumers should lose all rights to their data. But larger issues loom: the notion of data as counter-performance raises the risk of over-regulation and, as outlined by the German Minister for Interior, the UK government and the EDPS, it poses serious implications for individual privacy and for many common online business models.

Implications for Privacy and Protection of Individual’s Personal Data

The DCD proposal raises many questions about the protection of personal data under EU law. While the EDPS welcomed the aim of ensuring that consumers receive protections when using “free services” without paying a price for services or content, it warned that personal data “cannot be considered as a mere commodity” or its protection “reduced to simple consumer interests”. Moreover, protection of personal data is enshrined in Article 8 of the EU Charter of fundamental rights and is implemented in EU legislation, such as the the General Data Protection Regulation (GDPR) and the proposed ePrivacy Regulation. By introducing the notion of using personal data as counter-performance and a separate scheme for consumer access to personal data, the DCD proposal by the Commission interferes with EU data protection principles, as laid down in EU legislation and the EU Charter, creating legal uncertainty. “It could interfere with the careful balance negotiated by the EU legislator in the GDPR, for example, on the role of freely-given consent and the right to data portability”, stressed the EDPS.

Following the same line of thinking, the Civil Liberties, Justice and Home Affairs (LIBE) Committee of the European Parliament issued an Opinion on the DCD proposal, warning that suppliers of digital content could have an incentive not to ask for a consumer’s consent to collect their personal data. The rapporteur of the LIBE opinion, Member of the European Parliament (MEP) Marju Lauristin, outlined the concern that the circumstances in which consumers would actually exercise their rights of remedy and redress would be “too limited, as often nowadays consumers’ personal data (such as location data, personal contacts, shopping history, etc.) are being used in a form of counter-performance while consumers are unaware of it”. To mitigate this concern, MEP Lauristin recommended that the DCD define “personal data” in accordance with how it is defined in the GDPR.

Data can indeed have both monetary and intrinsic value for consumers, but the concept of “data as a counter-performance” risks opening the door to discrimination by service or content suppliers. If a supplier deems the data of no value, could they refuse to contract with the consumer?

Conflicts with Existing Online Business Models for Apps and Services

For digital content providers, the DCD proposal would require them to guarantee that their content is comparable in value to the personal data being offered. Conformity would be assessed through a series of primary and secondary standards, with the primary standard the contract and its binding pre-contractual information, and the secondary standard including objective criteria such as international technical standards and public statements. The secondary standards would also be assessed only “to the extent that the contract does not stipulate such requirements ‘in a clear and comprehensive manner’”. In a case that is determined to have “lack of conformity”, consumers would have a right to require the providers to “bring the digital content in conformity”, terminate the contract and obtain damages, or receive “refunds”. Businesses would face the burden of demonstrating conformity in advance of an agreed-upon contract, and it is unclear whether consumers are in the position to truly comprehend the terms and conditions of such a contract or make an informed decision about the trade-off. It’s not difficult to anticipate serious problems for regulators in assessing conformity and determining resulting damages or remedies.

Furthermore, if data is considered as a counter-performance, businesses may have legitimate expectations regarding the ‘quality’ or volume of data to be provided by a consumer. This could actually lead to businesses demanding more data from consumers in the long run, potentially  eliminating scenarios where content and services are widely available via browser incognito modes. The DCD also raises the prospect of legal actions taken against consumers if and when companies believe users have not provided the requisite exchange of data. This path may lead to situations where both businesses and consumers are forced to reveal far more information that they originally intended.

The DCD proposal also poses logistical challenges that may undermine the free ad-supported business model used by many apps and digital services. For instance, users would be entitled to have any and all data returned to them as a “refund” of sorts in the event they decided to stop  using a free service or app. This would particularly affect small and medium businesses which rely on data to optimise and improve user experience via their early free software versions.

It is our view that the Commission’s proposal should focus on clear and harmonised applications of the GDPR’s right to data portability, which would allow consumers to easily take their data with them if and when they decide to  switch services. Though data portability is intertwined with notions of data ownership, and thus in murky legal territory, it is by itself an important tool to empower individuals to access, transfer and ultimately control their identity, media and other types of personal data.

Echoing the opinion of the EDPS, we believe the GDPR already sets strict conditions under which the processing of personal data can take place. Article 3 of the DCD may risk interfering with the strong data protection rules provided for in the GDPR and those in the forthcoming ePrivacy Regulation. This proposal could cause serious legal uncertainty for industry and harm core privacy rights of consumers in the process.