Peter Hustinx, the European Data Protection Supervisor (“EDPS”) issued a preliminary opinion on 26 March 2014 (the “Opinion”) which sets out concerns regarding the exploitation of personal data by providers of online services, which are then marketed as being offered free of charge. The EDPS is responsible for ensuring EU institutions and organisations comply with their data protection obligations and works closely with each institution’s own Data Protection Officers in order to achieve this.
The Opinion explains that the exponential growth in the market value of big data has led to personal data being treated as currency. This allows online service providers to run a profitable business by offering ‘free’ services in exchange for a user’s personal data.
The EDPS is concerned that the legal and regulatory framework to protective individuals has not kept pace with the growth of big data. As a result gaps have arisen in EU competition, consumer protection and data protection policies. EU data protection has, to date, primarily focused on products and services which are traded for money, and the law has not kept pace with the increasing use of personal data as a form of currency.
Big data collection, mining and analytics form a key part of the global digital economy and, according to the EDPS, an estimated 2.3 trillion gigabytes of data are collected and combined with other data daily. These data can be used to track and predict consumer behaviour, in order to more effectively market products and services. There is also an ‘added value’ to big data, lying in the ability to use such data for purposes other than those for which it was originally collected. As a result, big data can form an extremely valuable business asset (although it is still uncommon to see this reflected on a company’s balance sheet).
Whilst the EDPS acknowledges that the competition, consumer protection and data protection frameworks all aim to promote the welfare of consumers, the lack of cooperation between the policy makers have left gaps in the legal framework which are open to exploitation. The extent to which data processing is occurring emphasises the need to “enforce competition and consumer rules more effectively and stimulate the market for privacy enhancing services”.
The Opinion concludes that there is a need for further investigation, particularly in relation to:
- Consumer awareness of services that require payment in the form of personal information but which are marketed as ostensibly being free of charge.
- Improved guidance on how relevant laws and regulations (for example, data protection, competition and consumer protection law) apply to online services which market themselves as being free, but in reality provide services in exchange for personal data.
- Consideration of how increased communication between regulators might promote consumer choice, safeguards and control.
- A review of applicable competition law so that competition remedies respect data protection principles.
- A new definition of “consumer harm” enabling regulators to impose effective enforcement measures where providers refuse access to personal information by applying complex privacy policies.
Discussions between decision-makers will be facilitated by the EDPS at a workshop which is to be held in Brussels on 2 June 2014.
Big data is, without doubt, an extremely important and valuable asset for many businesses and can be extremely valuable. Further, the amount of data generated and collected is growing exponentially, at the same time, data mining and analytics technology increases in sophistication. In this context, it is important that the legal issues arising from the asset value and commoditisation of big data are properly addressed.
It is important that individuals are made aware that a service or product not having a monetary price does not necessarily mean it is being provided free of charge. Whilst the majority of consumer end users are sufficiently savvy to realise that such services are not being provided genuinely free of charge, in practice very few actually read and fully understand the often lengthy and complex contractual terms governing data usage and distribution which they are required to agree to in order to use the service. Existing EU data protection and privacy laws have gone some way towards remedying this (and will go further under the proposed EU General Data Protection Regulation), but much remains to be done. It is also essential that data protection authorities improve their levels of cooperation and communication so that enforcement and remedies, at least within the EU, are less fragmented.
The Opinion is also interesting in that it addresses the role of competition law, stating that this area of law needs to be brought in line with data protection principles (for example, where a competition decision requires one company to sell a database to a competitor). In future such decisions should respect data minimisation principles and promote alternative remedies which respect individual privacy (for example, offering a paid alternative which does not collect and retain personal data).