Update Data Protection No. 19
Data in return for services?
In the modern information world it is common practice for providers to render services free of charge, and for users to submit their personal and other data to the provider in return. Typical examples of this are services such as Google Mail, Facebook, Twitter or WhatsApp. Generally speaking, the legal basis for this type of business model is the consent of the data subject in whatever form this may happen in the specific individual case.
The European lawmaker has made this practice significantly more difficult through the EU General Data Protection Regulation (GDPR). Consent to the use of personal data beyond the extent required for fulfilment of the contractual relationship always needs to be voluntary. Even under the current legal regime, the question of whether consent can be issued in effective manner if coupled to further preconditions, is a source of contention. Art. 7 (4) GDPR now stipulates that consent that results in the data subject having to agree to processing of personal data that is not necessary for fulfilment of the contract, is fundamentally considered as not issued voluntarily and is thus ineffective. This means that the rendering of services can quite simply no longer be made conditional on the data subject agreeing to the processing of a wide range of personal and other data - that is incalculable for him/her -, in order to be able to use the services in the first place and without an alternative being available.
This standard that lays down a so-called restricted prohibition of coupling, creates major challenges, above all for providers of innovative services that typically only achieve a high level of circulation through free use. At the same time however, financing of the new-style offer must also be ensured, with the result that providers are frequently dependent on alternative forms of sales generation compared to classical remuneration models. The processing of personal data for many forms of marketing purposes is frequently used for this.
In two recent proposals for Directives, the European lawmaker now appears to again abandon its only recently established principle that data should not be used as consideration for services. In both the proposal for a Directive on specific contract-law aspects of the provision of digital content (COM (2015) 634 final) as well as in the proposal for a Directive on specific contract-law aspects of online trading in goods and other forms of distance selling of goods (COM (2015) 635 final), it expressly suggests that contracts are also possible in which, instead of payment as consideration, a consumer "actively provides consideration other than money in the form of personal or other data" (see for example Art. 3 Subsection 1 COM (2015) 634 final).
These proposals for Directives are currently under discussion and the corresponding paragraphs are also the subject of fierce criticism from data protection experts (see Opinion 4/2017 of the European Data Protection Supervisor dated March 14, 2017). For companies wishing to make regular use of data in their business operations that goes beyond what is necessary in the context of execution of a contract, continued monitoring of this discussion is however worthwhile. If the European lawmaker authorizes the use of personal data as consideration via the proposals for Directives, this would significantly limit the importance of the prohibition of coupling under Art. 7 (4) GDPR, and would offer providers of digital services further creative leeway.