Jus Civile ISSN 2421-2563
G. Giappichelli Editore

Personal data supplying: the issue of bundled consent (by Tereza Pertot, Fixed-term Researcher – Università degli Studi di Trieste)


Despite the increasing attention given to the flow of personal data and especially to the phenomenon of supplying personal data in order to get a content or a service, there are still many questions arising from the use of data instead of money and its exchange on the market that need to be answered. In particular, it is still debated whether personal data can be legitimately considered a tradeable asset or not. In this regard, the relationship between contract and data protection law is to be more precisely defined. Article 7(4) of the GDPR does not seem to prevent a data subject’s consent from being bundled to the conclusion of a contract and/or to the contractual performance, as is usually the case when (digital) contents, services and (other) goods are supplied against data. However, scholars, courts, and national and European authorities still have different opinions not only with regard to the question of whether Article 7(4) of the GDPR provides for a (strict or weak) ban on tying, but also regarding the question of which specific facts must be considered when determining the consent’s freedom and validity (despite the link existing with the contract and the contractual performance).

Supply of personal data and conditional consent

Despite the growing attention the European legislator has devoted to the circulation of personal data, the current regulatory framework does not give unambiguous answers to many questions. Scholars often focus on the relationship between contract law and the law on the protection of personal data. In this regard, the scope of Article 7(4) GDPR, for example, is debated. In particular, interpreters ask whether the provision in itself prohibits any form of conditionality, or whether the capacity of conditionality to impair the freedom of the data subject’s consent to the processing of personal data depends, rather, on the (further) circumstances of the case. Diverging opinions are also found among those who favour a relativisation of the rule in Article 7(4) GDPR, as regards the identification of the criteria on which the validity of conditional consent is to be assessed.

COMMENTARY

Summary:

1. General introduction - 2. Personal data as contractual (counter-)performance: still an open question? - 3. Personal data supplying and privacy consent: the relationship between (consumer) contract and data protection law - 4. The meaning of Article 7(4) GDPR and the legitimacy of a bundled consent - 4.1. A) The strict ban on tying - 4.2. B) The possibility to bypass the bundling prohibition by use of legal basis for processing other than consent - 4.3. C) Conditionality as one of several circumstances to be considered by assessing the freedom of consent - 5. Adhesion to the opinion sub C) - 6. The (ongoing) evolution of CJEU case-law - 7. Final remarks - NOTES


1. General introduction

New technologies enable enterprises to collect large amounts of data. Collected datasets may consist of personal or of non-personal data, depending on whether the information relates to an identified or identifiable natural person or not [cf. Article 4(1) of the GDPR and Article 3(1) of the Regulation (EU) 2018/1807]. [1] Delineating the boundary between personal and non-personal data could be difficult in practice, as datasets are often mixed and as even data not related to an individual and/or which has been rendered anonymous may become personal by matching it with data from other sources. [2] Keeping this in mind, the paper will, however, only focus on the processing involving personal data. [3] The latter, in fact, presents some specific problems, which arise where data is collected and used for commercial purposes, as increasingly happens nowadays. There are many different ways in which personal data may be processed and monetized. For example, data concerning consumers’ habits may be used to establish their preferences and, subsequently, for targeted advertising. [4] Moreover, (anonymized) personal data might be processed to train artificial intelligence systems as well as to verify their outcomes. [5] It may also be “transferred” from individuals to (many) enterprises as well as from one enterprise to another, against payment. [6] Building on the assumption that data are essential for innovation and economic growth, it is not surprising that the goal of the latest European strategy is to remove barriers for access to data in order to make it available to different players. [7] This should be especially achieved by designing and putting in place fair and safe mechanisms of data sharing. 
Some of them are now provided, e.g., by the so-called Data Governance Act (hereinafter: DGA), [8] which seeks inter alia to regulate trustworthy intermediaries, serving as neutral organizers of the exchange of data–personal and not–between data subjects and data holders, on the one side, and data users on the other [Articles 2(11) and 10 et seq.]. By providing for many safeguards in order to encourage voluntary data sharing (which may also occur for altruistic purposes: so-called data altruism, Articles 16 et seq.) as well as to promote the re-use of information held by the public sector (Articles 3 et seq.), the DGA clearly aims at developing both the social and the economic potential of data, [continues ..]


2. Personal data as contractual (counter-)performance: still an open question?

As a matter of fact, the question of whether personal data may be the object of contracts and contractual performances has been touched on by the European legislator. By adopting Directive no. 2019/770 on certain aspects concerning contracts for the supply of digital content and digital services (hereinafter: DCD), the application of contractual provisions and remedies was extended to cases in which “the trader supplies or undertakes to supply digital content or a digital service to the consumer, and the consumer provides or undertakes to provide personal data to the trader” [Article 3(1) of the DCD]. [19] Cases in which the consumer does not pay a price in money but provides personal data to the trader are also considered by Directive no. 2019/2161 (so-called Omnibus Directive), [20] which aims at extending the scope of application of Directive no. 2011/83 (hereinafter: CRD) to transactions in which “the trader supplies or undertakes to supply digital content […] or a digital service to the consumer and the consumer provides or undertakes to provide personal data to the trader” [see Article 4(2) and Recitals 31 et seq. of the Omnibus Directive; cf. the new Article 3(1a) of the CRD]. [21] However, such legislation does not further define the supply of digital contents and services in exchange for data in terms of contract, [22] even going so far as to exclude that personal data may be considered a commodity (see Recital no. 24 of the DCD). [23] The application of the consumer (contract) law provisions to cases in which consumers receive contents and services against the disclosure of their data could be read as implicit assignment of contractual nature to such transactions: there will be a (synallagmatic) contract both when paying the price (in money) and when supplying personal data in exchange for digital content or a service [see § 327(3) of the German BGB; [24] cf. Preamble of the Spanish Real Decreto-ley 7/2021, IX 20]. 
[25] Nevertheless, the inclusion of those cases into the scope of application of the Directives’ provisions could otherwise be considered merely the result of the European legislator’s intention to better protect consumers providing their data in order to get a content or a service (advertised as being) free of charge. [26] A more agnostic approach was taken e.g. by the Italian legislator: when implementing the two Directives it replicated the [continues ..]


3. Personal data supplying and privacy consent: the relationship between (consumer) contract and data protection law

By extending some contractual provisions to cases in which personal data are provided by consumers in order to obtain digital services and contents offered on the market and by defining a set of rules to promote the sharing of data, including personal data, the European legislator did not even clarify what personal data provision consists of in the considered cases. [31] As a combined reading of the provisions laid down in the above-mentioned legislation shows, personal data may be actually provided by different actors (data subjects or data holders) and within various relationships (it may be shared with data users directly or through a provider of a data intermediation service). Without ignoring the different perspectives from which the problem concerning personal data provision may be investigated, [32] in the following only the data subject’s point of view will be analysed. More specifically, the attention will focus on the provision of personal data made by consumers, who disclose their data directly to the supplier of content and services in order to get the provided performance in return. The selected point of view should allow us to address and to deepen a specific question–that of the bundled data subject’s consent–which is crucial and actually of preliminary nature when deciding on if and on how consumers’ personal data may legitimately enter the market and become the object of economically valuable transactions. Focusing the attention on the provision of personal data from the mentioned point of view, the first question that arises is whether such provision consists of the delivery of personal data as such or if something more than data supplying is required from the data subject acting as a consumer. 
In this regard, assuming the need for a specific GDPR legal basis for the processing of personal data, most scholars consider the European consumer law provisions laid down in the currently implemented DCD and Omnibus Directive to be based on the idea that consumers, by concluding the contract for the supply of digital content or service with the trader, [33] also agree to the processing of their data for accessory purposes, giving their consent under Article 6(1)(a) of the GDPR: [34] the latter is, in fact, essential to assign to the trader the right to use the information gathered, unless another legal basis for processing is applicable in the specific case. [35] As a result, scholars [continues ..]


4. The meaning of Article 7(4) GDPR and the legitimacy of a bundled consent

When determining the interaction between data protection and (consumer) contract law, there is one provision in particular that should be preliminarily considered in order to establish if, when and how consumers may lawfully give consent to the processing of their personal data by concluding a contract for the supply of (digital) contents or services. The reference here is to Article 7(4) of the GDPR, according to which “when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”. In the following, attention will be focused on this provision, which apparently covers instances that fall within the scope of European consumer law and especially of the DCD. The latter, in fact, does not apply when data is exclusively processed for the purpose of supplying the content or the service [i.e. for the contractual performance, or for allowing the trader to comply with legal requirements: Article 3(1) subpara 2 of the DCD]. Moreover, traders generally accept data instead of money only if they have the possibility of monetizing it, by using information for secondary purposes which are extraneous to the performance of the contract concluded with the data subject. Such use of personal data typically requires consent according to Article 6(1)(a) of the GDPR, on which the performance of the contract is therefore conditional. Indeed, the extracontractual use of data could be also based on a legitimate interest according to Article 6(1)(f) of the GDPR, [45] which, however, does not allow the processing of all categories of personal data: for example, it is not a suitable basis for processing data according to Article 9 of the GDPR or by automated individual decision-making ex Article 22 of the GDPR. 
Additionally, the existence of a legitimate interest requires an assessment on a case-by-case basis in order to establish if it is overridden by other interests and fundamental rights and freedoms of the data subject. Moreover, relying on Article 6(1)(f) of the GDPR is not permitted, e.g., in case of some gatekeepers’ data processing activities [cf. Article 5(2) and Recital no. 36 of the DMA]. Consequently, Article 6(1)(f) of the GDPR would in many cases not constitute an appropriate legal basis for the secondary use of data, [continues ..]


4.1. A) The strict ban on tying

Supposing that the European (consumer) contract law provisions are, in principle, based on the assumption that consumers give their consent to data processing, the possibility to reconcile them with Article 7(4) of the GDPR depends eventually on whether the latter really provides for a bundling prohibition and, if so, on how such a prohibition shall be understood. [50] This has already been discussed before the GDPR entered into force. Although Directive no. 95/46/EC did not contain any provision that was analogous to Article 7(4) of the GDPR, some national legislators provided for a specific rule concerning the ban on tying within their national laws [see e.g. the former § 28(3b) of the German BDSG]. Furthermore, in some Member States which did not implement specific rules on the ban on tying, data protection authorities derived the existence of such a ban from the principle of freedom to consent [cf. Articles 2(h) and 7 of Directive no. 95/46/EC]. [51] However, even providing that a prohibition of coupling privacy consent and contract exists, there are different ways of how to interpret it. For example, some scholars, courts and authorities reckon that the bundling prohibition (does not only exist, but) should also be interpreted strictly. In this view, consent cannot be considered as freely given if the contractual performance (or the conclusion of the contract) is conditional on the data subject’s consent to process his/her data for purposes extraneous to it. [52] A similar approach was taken by the Austrian Supreme Court in 2018: [53] there would be a strong presumption of invalidity of the consent bundled with the acceptance of contractual terms and conditions that cannot be renounced (without renouncing the contract, too) and such presumption could not be overcome by simply demonstrating the lack of the controller’s monopoly position in the market. Also, according to Guidelines no. 
05/2020 of the EDPB, consent bundled to the contractual performance should be presumed not to be freely given [54] (for such presumption see then Recital no. 43 of the GDPR). In fact, the data subject–not wishing to make his/her information available for uses not strictly necessary for the contractual performance–would be unable to refuse the consent without renouncing the service or the content to the supplying of which the consent is tied. In other words, if interested in the contract, he/she would be [continues ..]


4.2. B) The possibility to bypass the bundling prohibition by use of legal basis for processing other than consent

In another opinion, the ban on tying, whether existing or not, would, on the contrary, not hinder the possibility to (legitimately) use personal data in order to “pay” for the service or the content supplied. A consent according to Article 6(1)(a) of the GDPR would in fact not be necessary for the purpose. As data monetization is closely linked with the performance of the contract concluded with the trader supplying contents, services or (other) goods, [56] in the discussed cases data processing would rather find its legal basis in Article 6(1)(b) of the GDPR [cf. Article 7(b) Directive no. 95/46/EC], which provides for the lawfulness of data processing “necessary for the performance of a contract to which the data subject is party”. [57] Accordingly, the collection and use of a consumer’s data would be possible and lawful regardless of his/her consent, and Article 7(4) GDPR (which only applies “where processing is based on consent”) would play no role by determining whether the practice of “paying” with data is legitimate or not. Such interpretation is not convincing, as Article 6(1)(b) of the GDPR only considers cases in which data processing is necessary for the contractual performance and data is not used for any other purpose. However, this is not the case when a service or a content is supplied against data. As stated above, the trader is only willing to waive payment (in money), if he has the possibility to monetize data, which typically requires the possibility to process it for purposes not necessary to the performance of the contract. Consequently, Article 6(1)(b) of the GDPR does not constitute an appropriate legal basis for the processing of data provided to get content or a service. [58] The idea that consumers “paying” with personal data need to accept the use of the latter for extracontractual purposes seems also to be confirmed by the wording of Article 3(1) subpara 2 of the DCD [cf. 
Article 4(2) of the Omnibus Directive and the new Article 3(1a) of the CRD]. According to this provision, which clearly wants to address cases where consumers “pay” with their own data, European contract–or, rather, consumer–law does not apply where personal data are exclusively processed by the trader for the purpose of supplying the digital content or digital service in accordance with the Directive (or for allowing the trader to comply with legal [continues ..]


4.3. C) Conditionality as one of several circumstances to be considered by assessing the freedom of consent

From a different point of view, “paying” with one’s own data would also be admitted by identifying the basis of processing in the data subject’s consent. This would be possible, even though the latter is bundled up as a condition of the contractual performance. To consider the bundled consent freely given in a specific case, it would be only necessary to interpret Article 7(4) of the GDPR differently, trying a relaxation of the ban on tying. [63] One could argue, e.g., that the GDPR provision, when interpreted literally, only addresses cases in which the contractual performance and not the conclusion of the contract is conditional on the data subject’s consent, which is not necessary for the performance itself. As in many cases in which consumers “pay” with their data, the consent according to Article 6(1)(a) GDPR is essential in order to enter into the contract with the trader (rather than to perform it), Article 7(4) GDPR would therefore not apply to them. [64] However, also extending the scope of application of Article 7(4) GDPR, affirming its applicability to cases in which the conclusion of the contract is conditional on the data subject’s consent, would not prevent the consideration of such contracts in accordance with the GDPR. Whether the connection between contractual conclusion and/or performance and the data subject’s consent should be allowed or not would depend, in fact, not only on the link existing between consent and contract, but also on other circumstances: [65] among others on the data subject’s relationship to the other party (see Recital no. 43, sentence 1, of the GDPR) [66] and on the specific performance to be carried out, [67] as well as on the possibility of further access to it (see Recital no. 42, sentence 5, of the GDPR). 
[68] Additionally, in some scholars’ opinion, the consent would be freely given and consequently valid–independent of the trader’s monopoly position [69]–if the latter makes clear that a contract is going to be concluded between the parties (including the use of data as counter-performance within the purposes for which the data subject’s permission is given); [70] additionally, if the data subject is made aware of the possibility to withdraw the consent already given: the right of withdrawal according to Article 7(3) of the GDPR would, in fact, present the real safeguard of the [continues ..]


5. Adhesion to the opinion sub C)

The opinion on the existence of a weak ban on tying is surely preferable as it does allow better coordination with the existing consumer law provisions and with the needs rising from today’s digital and data economy. Moreover, it seems to be in line with the European data protection law and specifically with the ratio of the European Regulation, that “adheres to the freedom of contract”, considering its “illegality and voidness as the exception” (and not vice versa). [76] Also, the wording of Article 7(4) of the GDPR (cf. Recitals no. 42 and 43) does not allow an argument against the freedom and therefore the validity of the consent just because the access to information and its use is required for (the conclusion of the contract and/or for) the contractual performance. On the contrary, according to the GDPR, there is simply the need to take “utmost account” of the conditioning by determining, whether consent has been freely given or not. As the situation of tying has only to be considered “inter alia”, the link between consent and contractual performance is therefore only one of the factors that shall be taken into account when deciding about the freedom of the data subject’s consent. [77] Thus, it is not enough to conclude on its invalidity and for the illegitimacy and/or the illegality of contractual operations involving personal data. This is also what those preferring a strict interpretation of Article 7(4) of the GDPR basically admit: by confirming the existence of a strong presumption of the invalidity of the consent tied to the performance of the contract, they cannot deny that there is still a “limited space for cases where […] conditionality would not render the consent invalid”. 
[78] One can only ask whether the proof of the possibility for the data subject to get the identical (or at least an equivalent) content or service from the same (or from another) supplier without consenting to data use for additional purposes really represents the only exonerating circumstance for the controller [as regards gatekeepers, see, e.g., Recital no. 36 of the DMA]; [79] or whether disclosure of appropriate information about the use of consumers’ data [and the possibility of a withdrawal according to Article 7(3) of the GDPR] is enough, including by lack of alternatives, in order to ensure the data subject a genuine and free choice (see Recital no. 42, [continues ..]


6. The (ongoing) evolution of CJEU case-law

The view which considers conditionality as (only) one of the several circumstances to be considered by assessing the freedom of consent deserves approval. However, the uncertainty that still exists due to the ambiguous formulation of Article 7(4) of the GDPR, the non-binding character of the Regulation’s recitals and (consequently) due to the different opinions concerning the facts to be taken into account by assessing the freedom of the (bundled) consent would make a clarifying statement by the European Court of Justice desirable. [83] Indeed, the European judges have already taken a stand on some questions concerning the validity requirements of the data subject’s consent given in connection with the conclusion and/or the performance of a contract (especially, with a controller using so-called dark patterns). [84] For example, in Orange România, they confirmed the link between transparency and freedom of consent, stating that the latter “cannot be regarded as freely given or, moreover, as having been given in an informed manner” if the contractual terms are misleading as to the possibility of concluding the contract without giving it. [85] Nevertheless, in the case referred to the Court, the contract was not properly conditional on the consent to the processing of one’s personal data, as Orange România did not refuse to conclude contracts with those who did not allow the storage of their data. [86] On the contrary, this appeared to be the case in Planet49, where the user’s consent to the processing of his/her data for advertising purposes (given by a pre-selected checkbox) was a prerequisite to participate in a promotional lottery. [87] However, the question of whether a data subject’s consent can be tied or not has been left open by the Court, as it was not explicitly referred to. [88] Finally, the opportunity to address the issue of the validity of a bundled consent has come with the Meta Platforms case. 
[89] In fact, one of the questions referred for a preliminary ruling also concerns the validity of the consent to the processing of personal data. In particular, the national court is asking whether such consent may be given effectively and freely to an undertaking having a dominant position in the market. As consent to process data (from different sources) appears to be an essential requirement for using the social network operated by the undertaking involved [continues ..]


7. Final remarks

Despite the increasing attention given to the flow of personal data and especially to the phenomenon of supplying personal data in order to obtain content or a service, there are still many questions arising from the use of data instead of money and its exchange on the market that need to be answered. In particular, it is still debated whether personal data can be legitimately considered a tradeable asset or not. In this regard, the relationship between contract and data protection law is to be more precisely defined. The wording, as well as the ratio, of Article 7(4) of the GDPR does not seem to prevent a data subject’s consent from being bundled to the conclusion of a contract and/or to the contractual performance, as is usually the case when (digital) contents, services and (other) goods are supplied against data. Bundling should be taken into account by determining whether the consent can be regarded as freely given or not. However, by evaluating the freedom and therefore the validity of consent other circumstances may and should be considered as well. As scholars, courts, and national and European authorities still have different opinions not only with regard to the question of whether Article 7(4) of the GDPR provides for a (strict or weak) ban on tying, but also regarding the question of which specific facts must be considered when determining the consent’s freedom and validity (despite the link existing with the contract and the contractual performance), a clarifying statement by the European Court of Justice would certainly be desirable. [93] Additionally, as there would still be cases in which conditionality could render the data subject’s consent invalid, there would eventually be a need to confirm the application of the DCD regardless of a GDPR infringement: otherwise, consumers could be deprived of the protection provided therein and traders infringing data protection law could be put in a better position than the ones respecting it. [94]


NOTES