In data-driven business models, users’ personal data is collected in order to determine the preferences of consumers and to the tailor production and advertising to these preferences. In these business models, consumers do not pay a price but provide their data, such as IP numbers, locations, and email addresses to benefit from the digital service or content. Contracts facilitate interactions between these providers and users. Their transactions are regulated by contracts in which their agreement on data use and data processing are stipulated. Data is always collected and processed through a contractual relationship and in this paper, I will argue that there are problems arising from contracts involving data to which contract law applies and that contract law can map these problems and offer insights. The scope of this study will be limited to issues where data is provided as counter-performance and where data is provided in addition to a monetary payment.
Sous les modèles commerciaux à caractère numériques, les données personnelles sont collectées afin de déterminer les préférences des consommateurs et d’y ajuster la production et la publicité. Ainsi, les consommateurs ne paient pas un prix mais pour bénéficier de services u d’accès aux contenus numériques, contribuent leur données, telles leurs adresses IP, leur situation géographique, ou leurs adresses de courrier électronique. Les interactions entre les fournisseurs et les consommateurs se font par des contrats qui stipulent les termes de leur accord sur l’usage et le traitement des données. La collecte et le traitement de celles-ci étant toujours régis par des accords, le droit des contrats permet de cartographier et d’éclairer les problems juridiques soulevés par ces relations. Parmi ces problèmes, la présente étude se limitera aux cas où les données sont fournies à titre de contrepartie contractuelle, ou en complément à un paiement de somme monétaire.
In datenbasierten Geschäftsmodellen werden persönliche Daten gesammelt, um Verbraucherpräferenzen zu bestimmen und Produktion ebenso wie Werbung auf sie personalisiert zuzuschneiden. In diesen Geschäftsmodellen zahlen Verbraucher keinen Preis, sondern geben ihre Daten hin – etwa IP-Nummern, Standorte, e-mail-Adressen, über die sie Dienste und Inhalte entgegennehmen. Verträge unterstützen diesen Austausch zwischen Anbietern und Nutzern. Ihre Transaktionen werden durch Vertrag geregelt, in dem ihre Abrede zu Datennutzung und -verarbeitung festgehalten erscheint. Daten werden also immer im Rahmen einer Vertragsbeziehung gesammelt und verarbeitet und der vorliegende Beitrag geht dahin die Probleme zu diskutieren, die daraus resultieren, dass auf dieses Phänomen Vertragsrecht angewandt wird und wie Vertragsrecht die Probleme sinnvoll kartographieren kann, damit auch Struktur gibt. Dabei werden nur Fragen angesprochen, die Situationen betreffen, in denen Daten als Gegenleistung oder als zusätzliche Leistung neben Bezahlung hingegeben werden.
1 Data-driven Business Models and Contract Law
We are living in an era where data drives everything we do, including businesses. In data-driven business models, users’ personal data is collected in order to determine the choices of consumers and adjust the production and advertisement of goods and services based on these preferences. Data is at the very heart of these business models. It is generally accepted that there are four main components of the personal data value chain: (1) the collection of data through devices such as mobile phones, smart appliances, sensors, (2) the storage and aggregation of data through browser histories and search service providers, (3) the analysis and distribution of data by data analysts, providers, and financial institutions, (4) and finally, the usage of data by businesses, government and public sector agencies.
In data-driven business models, consumers do not pay a price but provide their data, such as IP addresses, locations, and email addresses in order to benefit from the digital service or content. In these business models, data can be necessary for the proper functioning of contracts or data can be generated through the use of digital service or content itself. Service or content providers either sell the data collected to advertisers or generally purchase space to place their advertisements where behavioural targeting plays a significant role as it is more efficient compared to previous simple marketing techniques.
The use of data has created its own economy and this development has grasped the attention of the EU legislator. In 2013, the European Commission Communication on ‘Towards a thriving data-driven economy’ presented an action plan to introduce the data-driven economy in future applicable regulatory issues, such as the ownership and transfer of data. Following this initiative, in 2015, in the Digital Single Market for Europe, the Commission recognized the lack of legal clarity concerning big data, cloud services, and IoTs, and finally, in 2017, the European Data Economy initiative with the Communication Building a European Data Community was introduced where it was concluded that there is still a need for a legal framework to regulate the economic exploitation and tradability of data. On 20 May 2019, a new directive concerning contracts for the supply of digital content and digital services (DCD) was adopted, which aims at the full harmonization of certain key elements of digital content and digital service contracts concluded between businesses and consumers.
Consumer data is always collected and processed based on a contractual relationship. Because data has economic value, businesses have started to offer digital goods and services to consumers in exchange for data instead of a monetary payment. However, data protection law, in particular, the General Data Protection Regulation (GDPR), places restrictions on the way in which personal data can be used. As a result of this, data-driven technologies often do not fit into existing legal categories and create problems within certain legal regimes. In particular, contract law and data protection law are not fully aligned and the contractual consequences of exercising data protection rights are unclear.
This paper focusses on the interplay between contract law and data protection law. Contract law concerns the economic ordering of society and if a new technological development impacts the society, which impacts this economic order as well, then contract law will be triggered to provide workable frameworks for these new developments. Data protection law, on the other hand, concerns controlling the personal data of individuals by providing them with legal rights regarding the use of their personal data.
Analyses from the contract law perspective are necessary for transactions where personal data is provided in exchange for a good or service because data protection rules are not concerned with the fairness of bargains where consumers provide their personal data in exchange for a service or good. In this study, I will argue that contract law can provide mechanisms which can be tailored to individual situations to regulate contracts involving personal data. To that end, I will map a number of situations in which gaps exist with regard to the connection between contract law and data protection law. The scope of this study will be limited to issues where personal data is provided in exchange for a good or service. I will focus on European contract law but as not all aspects of contract law are regulated in EU law, I will refer to English and German law as the examples of national law of civil and common law systems.
The article is structured as follows. First, contract law and party autonomy will be briefly discussed in terms of personal data. Secondly, the contractual consequences of the use of data as an alternative currency in contracts will be scrutinized. As consent plays a significant role in contracts for the processing of personal data, thirdly, contractual problems with consent will be examined. In particular, the contractual consequences of the withdrawal of consent will be discussed. Finally, remedies and conformity problems regarding contracts that involve data will be investigated. The article wraps up with a brief conclusion. The practice of offering ‘free services’ in exchange for personal data poses a range of fundamental problems, not only in terms of data protection law but also contract law. The main finding is that there is a gap between contract law and data protection law and contract law should be taken into consideration when creating an efficient environment for digital transactions between data subjects and good and service providers.
2 Contract Law and Party Autonomy
In the age of big data, data controllers have become more effective in influencing the actions and individual decisions of data subjects, which throws into question the autonomy of data subjects in entering into privacy contracts. Although the GDPR, which superseded the Data Protection Directive 95/46/EC, seeks to enable data subjects with respect to monitoring and controlling their personal data, in the absence of a minimum level of privacy protection, avoiding privacy contracts is almost impossible for data subjects. This can be observed in digital content contracts in return for personal data where the principle of pacta sunt servanda is not respected due to the fact that the single exchange of performance becomes more important instead of the continuity of performance in contracts where long-term developments play a role.
In fact, when personal data is used as a means of exchange in contracts, one of the issues to consider is the autonomy of parties. Data subjects often lack bargaining power, which reduces their party autonomy in the contracting phase. Autonomy is regarded as the fundamental right of individuals to take actions and freely enter into legal relationship regarding their own future through their own actions, which can be seen in private law as the principle of the freedom of contract. When the data subject’s right to privacy is infringed, this will influence the data subject’s freedom of choice as to what contracts to conclude and on what terms, which ultimately undermines the autonomy of the party. Therefore, first of all, from a contractual point of view, the autonomy of data subjects is limited when it comes to drafting digital content or service contracts for data because they have limited bargaining power.
Secondly, the GDPR limits the autonomy of parties because a data subject cannot oblige himself to provide personal data to an unlimited extent. In fact, data protection law limits the autonomy of digital service providers with regard to the use of data. If the digital service supplier prevents the data subject from using the right of withdrawal, the contract will be unenforceable.
Moreover, how the value of personal data will be determined also affects the autonomy of parties. Putting price tags on each individual’s data may sound like a rather utopian idea but at the same time, there are cases in which individuals fill out online surveys by sharing their personal data and earn money in return. Furthermore, personal data tend to have value when they are aggregated. When the data processor combines the data of many individual users, this makes it even much more challenging to allocate a separate price for the individual data in transactions. This also limits the autonomy of the data subject regarding the ‘price of the service’ as it is not possible for the data subject to know the value of his data. Thus, it needs to be examined whether the traditional understanding of party autonomy remains the same and to what extent personal data can be used in exchange for digital goods or services by individuals. Contract law developed frameworks for balancing the rights of businesses and consumers, for instance, and these frameworks could provide guidance in determining the ways in which party autonomy should be handled in relation to contracts involving data.
3 Data as an Alternative Currency in Contracts
In the data economy, there is a tendency to treat data as a tool for paying a price in transactions where digital service or content is provided. It can be stated that currency usually has two functions that it can be ‘cashed out’ for goods and services and also it can store value. For English law, for instance, since personal data provided in return for a digital service or digital content has economic value, it can be argued that there is consideration at the stage of contract formation.
Data as a currency will bring certain questions regarding fairness in its wake. Fairness requires that data is not collected in secret, which means data subjects need to have access to their data. It is generally accepted that contract law deals with and enforces the pre-conditions of the fairness of bargains. In the preamble of the EC Directive on Unfair Terms in Consumer Contracts, it is stated that ‘...the main subject matter of the contract and the price/quality ratio may nevertheless be taken into account in assessing the fairness of other terms.’ By analogy, it can be argued that personal data can be considered as a price.
In such a case, if the personal data is collected on the ground of the necessity for the performance of the contract, how is it going to be established that only the necessary data is collected? When websites that are based on user-generated content such as Wikipedia are taken into consideration, although users provide their personal data in exchange for using the digital content provided on the website, it can be argued that the digital content only needs the data in order to link it with the article’s version history and only for the purposes necessary to make the service function in conformity with the contract. In cases where data is provided in return for goods or services, as many factors play different roles, it is challenging to attach a single and characteristic purpose to the contract.
If the necessary data for the performance of the contract is not revealed to the data subject or data that is collected is more than necessary for the performance of the service, then fairness discussions will arise. A disproportionate consideration, which is the collected data that is more than necessary for the performance of the contract, is nothing different from an unfair price and therefore the doctrine of unconscionability in German law can be triggered. However, by taking discussions regarding the iustum pretium (just price) doctrine into account, it can be stated that unless there is an extreme case, the doctrine should not apply and national law should determine the limit of application.
It is also worth noticing that there are mobile applications called free, such as ‘imo free video calls and chat’ downloaded by more than 500 million people. Even though it is called free, they collect an enormous amount of personal data of users. Here one might ask whether the simple existence of the word ‘free’ in these kinds of apps creates unfairness, at least in the context of the Unfair Commercial Practices Directive 2005/29/EC where it is stated that
‘This provision (No 20 of the Annex I to the Unfair Commercial Practice Directive) is based on the idea that consumers expect a free claim to be exactly that, meaning they receive something for ‘nothing’, that is, no money or other consideration has to be given in exchange.’
If the statement above is interpreted broadly, the data itself can be thought of as consideration in which the unfair practice can be observed. Although there is a rule of freedom of contract that allows parties to decide with whom they want to make contracts and on what terms, contract law doctrines still do not permit the strong party to exploit the weaker party ‘in the name of freedom of contract’. It can be argued here that the fair procedure of contract formation is not followed.
Another issue concerns the substance of the data provided by individuals. Although it is argued that commercialization turns consumers’ personal data into consideration which brings new risks and requires new rules, it is still a problem whether inaccurate data can be considered as consideration as well. Even though in civil law, for instance in German law, there are no consideration requirements for contracts, in common law jurisdictions, such as in English law, there needs to be a consideration in order to legally enforce contracts. Consideration is usually defined as ‘something of value in the eye of law’, which must be given by the promisee to make the promise enforceable. If the inaccurate data is actually related to an existing third party, will the condition of the provision of the consideration be met? Apparently, this can lead to problems as there is no standard accepted in the EU when it comes to the quality of data that is provided in return for digital content or service.
The question regarding the classification of contracts where personal data is used as a payment method also becomes important because most of the EU members currently hold the view that payment in contracts can only be made with money. The classification matters in terms of the rules applicable to these contracts, in particular, the rights of the data subject regarding termination and conformity with the contract. Rules that are applicable to these new types of contracts for data resemble not only contracts for sale but also contracts for services although do not fully match with them. In the EU, as for contracts for sales and services, many national contract laws accept that the payment can be made with money and the seller pays the agreed price. However, there is no regulation that states whether data can constitute the price. It is likely that all EU member states prefer a sui generis regime and apply specific rules for these new type of contracts for data, which can impede the cross-border supply and harmonization of digital content within the EU. Yet contract law can provide more adequate solutions if ‘payment with money’ can also include ‘payment with data’.
4.1 Contract Formation
Excluding English law, as it necessitates consideration for the existence of a valid contract, when the Principles of European Contract Law are taken into account, which are common principles that underline the creation of a contract in many different legal systems in the EU, it can be observed that in order to have a valid contract, two main requirements need to be satisfied: an agreement and the intention of the parties to be legally bound. In order to reach an agreement, there needs to be an offer and acceptance.
According to the GDPR, consent is a legal ground for processing personal data and it does not always correspond to the offer and acceptance procedure in contract law. Indeed, these two concepts, namely, giving consent for processing data within the meaning of Article 6(1)(a) and entering into a contract are not the same but have different consequences regarding the data subjects’ rights and expectations. Even though consent to process personal data and a contract can separately be a legal ground for processing personal data, they cannot be merged and blurred. For instance, when a consumer buys an online product, he provides his credit card details and home address to the retailer to make the payment and to fulfil the contract, and the retailer must process the data subject’s credit card and home address for the delivery. Even though this provision of data can be found in the terms of service, this in itself does not lead to the conclusion of a contract. In these kinds of cases, consent to process data is necessary for the performance of the contract and Article 6(1)(b) of the GDPR is applicable for the processing of the data.
In Article 6 of the GDPR, the lawfulness of processing is regulated and consent is only one of the grounds. Pursuant to Article 6(1)(f) of the GDPR, if the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (...), the processing will still be lawful. Here the problem arises when it comes to the definition of legitimate interests. Pursuant to recital 47 of the GDPR, the legitimate interest could exist, for example, where ‘there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.’ From a contractual point of view, it can be argued that the legitimate interest test may not simply be justified on a commercial basis.
Another problem regarding the use of personal data as counter-performance is the specific purpose for the collection and use of personal data. Contracts through which data collection and processing takes place need to have a specific purpose in the very beginning of the contractual relationship which covers the entire relationship between contractors. In the GDPR it is required that at the time of the collection of the personal data, the specific purposes for which personal data are collected and processed should be explicit, legitimate, and determined. Technology changes and is outdated by the minute and new uses for the data collected show up. This makes it cumbersome to limit the use of the data still for presupposed purposes.
Although the consent that parties grant is static, the practice itself calls for, in a way, a sort of dynamic consent which can serve the purpose of the parties in a better way. Similar to the processing of personal data in return for a service, in the field of biobank research, for instance, it is rarely possible to identify all potential future applications of tissue samples, which often requires reliance on broad consent to the identification of appropriate uses of the tissue sample. Data protection law can benefit from contract law in this sense, in particular, medical treatment contracts. In the field of medical treatment, there is already the concept of dynamic consent that is still being developed, especially in biobanking research, which can provide fine level control over the use of biobank donors’ sample and data. Therefore, in the long term, developments that arise through the interaction between contract law and data protection should be closely observed.
4.2 Withdrawal of Consent
Another contractual consequence of consent concerns the right of withdrawal. If an individual provides his personal data in return for the supply of digital content or service, pursuant to Article 7(3) of the GDPR, he also has the right to withdraw his consent at any time. However, if there are no other grounds for the collecting and processing of the personal data of the individual in question, the processing and collecting will have to stop. Therefore, the data subject may not be prevented from withdrawing his consent as it is his fundamental right, which does not give rights to the digital content or service provider to claim damages on the basis of breach of contract. The Article 29 Working Party states that the withdrawal is exercised for the future which means the processing that took place in the past is not affected by the withdrawal but if there are no other legal grounds in order to justify the further use and storage of the data in question, it has to be deleted by the data controller.
The fact that the data subject is entitled to withdraw his consent seems to be in contradiction with the binding nature of an obligation. However, certain service contracts entail similar rules and can at least offer legal frames for service contracts for data. In medical treatment contracts, for instance, which interact with public law regulation and fundamental rights, patients are allowed to retract their consent in every stage of the medical treatment because it is a fundamental right. Unlike contracts in which personal data is processed, the patient is informed about all stages of the treatment and observes the treatment which makes it easy for the patient to retract. On the other hand, one could argue that it is a general issue of contract law that blanket consent can cover all future purposes. However, in case of any possible violation of the fundamental right of data subjects consent needs to be obtained every time and the processing of personal data by the operator of a search engine ‘cannot be justified by merely the economic interest which the operator of such an engine has in that processing.’ It is argued that when data subjects provide their personal data in return for digital goods or services, they still want to benefit from the application of data protection rules. However, Article 8 of the CFREU and Article 7(3) of the GDPR give the right to the data subject to withdraw his consent at any moment which also creates problems as the contract obliges him to continue supplying the data. For those cases, the parties can always specify in their contract what the consequences of the withdrawal of consent will be and what happens with regard to the future use of data.
In the absence of this specification, it is ambiguous in the GDPR whether the withdrawal of consent means termination in the contractual sense. One of the feasible contractual approaches considers data provided by the data subject as consideration and treats it as a license to use the data for the service or digital content; so, when the data subject withdraws his consent, for instance, then the use of his data and provision of the digital service or content are terminated. It can be argued that every contract where personal data is provided by data subjects in return for a digital service or digital content can be regarded as a long-term contract due to the fact that the consent requirement does not form the subject matter of the contract but it is rather the duty of the consumer to tolerate the processing thereof. In this vein, the result of the withdrawal of consent would be the termination of the contract in question. Indeed, Article 7(3) of the GDPR can also be interpreted within the concept of long-term contracts as it produces only effects for the future without affecting the lawfulness of the past processing of data subject’s data.
Yet this provision still does not make it clear whether partial termination is possible. If this partial termination is possible, it is necessary to discuss what parts of the services or content will not be provided anymore and on what grounds. Indeed, when the right to terminate the contract is used by the data subjects in cases where due to the abuse of personal data, breach or non-performance, for instance, will the agreement continue to operate with regards to the benefits received before the date of the termination? In such a case, is the data subject entitled to be granted compensation for not being able to receive the digital service or content, and if so, how will the compensation be calculated?
Further questions arise where there is a contract that needs to be performed in instalments. Here contracts that involve personal data can be regarded as anomalies. This is so because in such a contract in many jurisdictions the aggrieved party not only has the right to refuse to accept and refuse to render its counter-performance for the defective instalment or part but also it may be entitled to reject any further performance if the non-performance affects the whole contract. Applying this to the contract where data is provided as counter-performance, it can be argued that the partial termination will also be prospective.
Moreover, it is significant to realize whether the withdrawal of consent per se leads to the breach or results in the termination of the contract ipso jure. As the GDPR requires a freely given consent to process the personal data of data subjects, if consent becomes part of the contract, it turns out to be a contractual obligation which will face the obstacle of the legality of the contract due to Article 5 of the GDPR. It is argued that as it is provided by the law, the application of the right of withdrawal by the data subject may not be qualified per se as the breach of contract and does not provide the other party with a claim for damages. However, it is also claimed that withdrawal of consent should give a right to the digital content or service provider to terminate the contract unilaterally as it may become burdensome to the latter to provide his service or content. However, it is ambiguous at what moment the service or content provider can consider the performance of his obligation burdensome for him in the lack of the collection of personal data. Similarly, it needs to be considered whether he still owes any responsibility to the data subject in the first place in cases where the former does not terminate the contract.
In conclusion, there is a need to reconsider the way consent is conceptualized in law, its application, and consequences in the digital world. There is a better and more specific understanding that can encompass, at least, the abovementioned problems. It needs to be kept in mind that many transactions unavoidably take place with some sort of inequality in knowledge and power, which is more frequently observed in the ‘information era’. The problem comes into existence when the law perceives consent as a simple condition, instead of taking into account the details as to whether consent can be far more nuanced and more workable methods can be developed within the existing rules. Yet contract law can identify these problems through general contract law and provide tailored insights through the application of certain general and specific contract law rules, which are analyzed above.
5 Remedies and Conformity
Data subjects provide their personal data to digital content or digital service providers. This so-called ‘freemium model’ becomes the premium model when data subjects pay a price. Contracts for the supply of digital content and services is one of the examples for this where one of the parties supplies the digital content or service to another by himself or through a third party. In cases where the other party’s performance does not conform to the contract, consumers are entitled to certain contractual remedies.
The provision of personal data by individuals in contracts brings about questions about conformity. The first question is about the quality of the digital content or digital service that is provided in return for the provision of personal data. In other words, it is a question whether those who provide data instead of paying a price can obtain the same rights when it comes to the conformity with the contract. It is argued that consumers who do not pay a price but provide data instead do not expect the same quality compared to those who pay a price. However, this distinction is becoming blurred, if not completely gone away, when it comes to mobile apps that can be downloaded on Google Pay for € 1 or less. Indeed, it is not clear-cut whether the data provided, such as names and email addresses in return for the mobile application can replace the actual payment of a price in order to enable the data subject to be subject to the same conformity standards.
With regards to conformity and fitness for the purpose of digital content, the application of traditional contractual law tools, in particular, those that apply to the sale of goods might be considered. Certain jurisdictions, such as New Zealand, simply extend the definition of goods in their national law in order to include digital content yet there might be a risk that rules regarding tangible items might not fit for intangible items. For instance, unlike property law rules regarding tangibles, the fate of people’s digital assets is ambiguous.
Furthermore, pursuant to Article 14(6) of the DCD, the consumer may terminate the contract only if the lack of conformity with the contract is not minor. The question here is whether there can be more suitable alternatives when the nonconformity is minor and not sufficient to terminate the contract. In circumstances where in addition to the provision of personal data a monetary payment is made, the price reduction on the digital service/content can be a solution. However, if the digital content or service does not work at all, then the price reduction would not be an appropriate remedy. The same is also true for transactions where only personal data is provided as counter-performance because in such a case price reduction would not be possible. One potential solution would be to provide the digital content or digital service for the data subject in question without collecting his data for a period equaling the period during which the digital content or digital service was not in conformity with the contract.
So far my assumptions and examples have been based on those contracts that are made in return for the provision of data instead of payment of a price. However, in practice, there are many digital contracts concluded not only in return for the user’s data but also monetary payment. In these type of mixed contracts, it is not clear-cut what specific digital service and digital content are provided in return for the data provided and a monetary payment. This assessment is also required when it comes to the application of the rules concerning data protection. In fact, in these cases, there is not a clear answer in the DCD for the assessment of to what extent the withdrawal of the data subject’s consent can influence the supplier’s performance in the form of the digital content or digital service. It can be argued that as it is rather impossible to distinguish the part of the digital content or service, the withdrawal of the consent to process the data should conclude the termination of the long-term contract as a whole.
Finally, it needs to be underlined how the service provider can comply with the result of the termination. Pursuant to the DCD, if the consumer provided personal data as a counter-performance instead of a monetary payment, then the trader has to take any necessary actions to refrain from using that data. Yet, the data which is provided by the data subject can easily be copied, pseudonymised, and might be used elsewhere by the processor or collector itself or sub-contractors. If the data has already been passed on to third parties, it may not be possible to have them deleted the data. It is suggested that as the analytical findings are beyond the reach of the individual’s consent, i.e., it is highly likely that the data subject’s data can potentially be used by unknown third parties, the data subject should also be allowed to continue to use the service although the consent has been withdrawn. However, in either case, this termination in practice may not bring about the same conclusion compared to contracts that are made in the non-digital world. In such cases, specific performance, which is a discretionary remedy in English law, can be used as a remedy to receive the data back from those parties that are involved in the collection and processing procedures.
As has been demonstrated, there are certain problems arising from contracts involving data. In this study, an analysis has been made by taking two main arguments, namely, whenever data is collected and processed, contract law applies and when problems relating to the GDPR arise from those contracts, contract law can function as a potential solution mechanism to map the issues and provide certain solutions, not only through general contract law but also the tools of specific contracts, such as medical treatment and consumer sales contracts.
Firstly, as has been noted, consent comes with a cost, as there are technical and legal ambiguities when it comes to its scope. The observation of data flow and control of personal data seem to be challenging to follow by the data subject or the controller. When one looks at what takes place in practice, it can be seen that the requirement of consent in the GDPR needs to be more elaborated and cover the data subject’s further consent. Data subjects generally give blanket consent and this blanket consent does not have the details and long-term consequences, which contract law can provide. The GDPR did consider certain parts of consent but again in practice, it leaves open quite a lot of questions, in particular, related to the control of data and further agreements about the processing of data. Consent does not cover the spectrum of what is happening with the personal data at stake and what businesses want to use the data for. In other words, the GDPR is still somewhat ineffective. Contracts involving personal data can benefit from the notion of dynamic consent that is being developed in certain kinds of contracts, such as contracts concerning medical treatment, which eventually can provide data subjects with a better environment in participating in the digital economy.
What also requires further research is whether contracts that involve personal data made in the digital environment of the big data era, – in particular, those in which consumers pay with their personal data – need to be considered the same as traditional contracts where consumers pay a price. This is also closely related to conformity because if the data subject pays with his data, the question is whether he can have the same expectations as he would have in the case of a monetary payment. Besides, the traditional application of contractual concepts of termination to the contracts that are made in return for data raises questions regarding both contractual remedies and consequences.
Furthermore, within the EU, certain legal instruments, such as the GDPR try to create a balance when it comes to the collection of personal data and the fair processing thereof. However, in certain aforementioned points, they fail to do so as they miss the connection with contract law. Similarly, although the DCD, in many aspects in line with the GDPR, attempts to mitigate the negative consequences of data-driven business models, it also has ambiguities when it comes to contracts for the supply of digital services or digital content that are made through the provision of personal data. Even though the main concepts of contract law, such as offer, acceptance, and consideration requirements, remain the same, new challenges have been observed due to the digital revolution.
Last but certainly not least, it is worth pointing out that data has no borders, and thus, instead of focusing on only one or two national laws to find out how those laws deal with the problems, I believe that the solutions should be searched for in the common tools of contract law in certain jurisdictions to give a clear picture of international practice. In this context, what needs to be examined is the connection and correlation between data protection law, rules that are applicable to digital content and services, and contract law. Contract law needs to be taken into consideration as well regarding achieving the goals that are set out in the GDPR.
© 2020 Walter de Gruyter GmbH, Berlin/Boston
Dieses Werk ist lizensiert unter einer Creative Commons Namensnennung 4.0 International Lizenz.