In this sixth article of our "Big Data & Issues & Opportunities" series (see our previous article here), we look into the possible use of personal data as counter-performance in the context of supply of digital content and assess whether the EU is gradually opening up to the monetisation of data. Where relevant, illustrations from the transport sector will be provided.
Digital content, in short, means data produced and supplied in a digital form. Forms of digital content may include computer programs, games, music, videos, applications, cloud storage and potentially social media.
Setting the stage
The fact that digital content can be provided "free of charge" is particularly popular with consumers, who have shown a strong appetite for such content. Indeed, only a small minority of consumers pays for digital content on a regular basis. Such "free" models allow companies to reach a large pool of consumers and thereby enable them to quickly test new ideas and innovative services. In this regard, digital companies foster the common perception that such digital content is indeed provided for free, while in reality it requires users to surrender valuable personal data in exchange and provides multiple future monetisation possibilities for companies.
Illustration in the transport sector: In order to navigate the internet and to use "free" Wi-Fi services in airports or on public transport, users need to accept cookies and provide their email address. In essence, if a user wishes to make use of free internet, he or she must disclose to the supplier (who will often further share or sell such content to third parties) his or her email address, location data, history of the websites visited, etc.
Since the Cambridge Analytica data scandal, which came to light in March 2018, the provision of personal data as counter-performance for "free" digital content has gained public visibility. The extent to which personal data can be monetised by companies gives rise to heated debates.
In terms of EU law, whether personal data can be used as an economic asset in the supply of digital content is considered in the context of a 2015 proposal of the European Commission for a Directive on contracts for supply of digital content (the "Proposal"). Through this Proposal, the European Commission seeks to reconcile the EU legal framework on consumer and contract law with the economic reality.
In a nutshell, the Proposal grants the same rights to a consumer (i.e. a data subject) providing personal data to the supplier as to a customer paying money to gain access to digital content. Digital content contract rights and remedies are thus extended to data-driven transactions.
Quantifying personal data
The Proposal clearly states that counter-performance for digital content can be provided in the form of personal data. Yet, is it economically speaking possible to quantify personal data and treat it as a form of payment for digital content? Unlike money, there exists no standardised value for personal data. Data is rather a dynamic product, characterised by fluidity and intangibility.
Attaching value to personal data is however not impossible. Proof of this can be found in the different existing initiatives allowing the monetisation of individuals' personal data. Indeed, there exist several ways to assess the value of personal data. In doing so, one should take into account the expressing value of personal data ("how to express monetary value"), the pricing factors ("which object is priced") as well as the pricing systems ("how to attach value to the object"):
- Expressing value: Given that personal data change over time and has therefore the potential to become outdated and lose some of its value, personal data cannot simply be expressed in a currency. For that reason, it seems logical to express the value of data in monthly terms, i.e. per month. Importantly, data are suitable for reuse. Contrary to tangible products, (personal) data can be sold several times. By giving his/her data, an individual is indeed not deprived of the possibility to give the same data again to another provider. It may therefore be accurate to further express the value of personal data per person.
- Pricing factor: Pricing personal data does not amount to pricing the value of each individual attribute in a personal record. These attributes are on an individual basis "valueless". It is the combination of the individual attributes (i.e. datasets) that creates value. In sum, the size, the completeness and the accuracy of the datasets are playing an important role in the determination of the monetary value of personal data.
- Pricing system: Various methodologies for determining the value of personal data have already been identified by the OECD. Some of them are based on market evaluation whereas some are based on individual valuation (i.e. financial results per data record, market prices for data, cost of data breach, data prices in illegal markets, surveys and economic experiments, or data on willingness of users to protect their data).
It is therefore possible to quantify the monetary value of personal data. Nevertheless, treating data as counter-performance does present practical and legal challenges, which, if not properly addressed, could amount to a setback for big data.
One can indeed criticise the Proposal for limiting itself to extending the scope of application to digital content supplied against a counter-performance other than money, without addressing the practical implications that this extension entails, especially in relation to the following:
- Variety and specificity of data uses: Companies do not always directly monetise data. The latter is often used for a wide range of commercial purposes involving indirect monetisation, such as security or improvement of customer experience. The idea of data as a counter-performance therefore designates a catch-all term and fails to address the variety and the specificity of data uses. The question remains when a user of digital content should be regarded as having given counter-performance by providing his/her data.
- Inconsistency: Returning data to consumers in the event they exercise their right to terminate the contract also presents challenges for big data. In addition to data isolation, anonymisation and pseudonymisation could further make it impossible to return the data to the user without collecting more data than currently collected. Some speak of inconsistency in the principles of data retrieval and data anonymisation. For a dedicated analysis of the impact of anonymisation and pseudonymisation in a big data context, see our third article here.
- Inoperability: The data provided or generated by the users accessing the digital content enable the product or service to function. Attention should therefore be drawn to the potential impact of data retrieval or return on the remaining users' experience. In some cases, this could go so far as to render certain current content and services inoperable.
Illustration in the transport sector: In order to comply with the data retrieval obligation, a carpooling service may have to delete reviews users have uploaded. Returning this data would negatively alter the experience of other users of the service by affecting the featuring and star ratings of drivers.
The above mentioned, non-exhaustive, practical concerns demonstrate that further clarifications are required in order to provide greater certainty for suppliers of digital content and the big data value chain in general. The subject calls for the establishment of adequate ex ante guidelines, or similar initiatives to assist the suppliers of digital content.
By qualifying the provision of personal data as a counter-performance, the Proposal intends to codify a social practice. The legal recognition of a common social practice is likely to have legal consequences for both parties to the contract.
Consequently, in addition to practical challenges, several difficulties from a legal perspective can be identified in the Proposal:
- Accepting personal data as counter-performance in bilateral contracts intensifies the rights and duties of both parties. For the consumer, the Proposal makes clear that the data subject providing his/her personal data to the supplier shall have the same rights as a consumer paying money to the supplier. However, the Proposal says nothing about the duties of the consumer and the rights of the supplier. Those will therefore be regulated by national law. In the same vein, while the Proposal provides detailed rules for termination of the contract by the consumer, the Proposal remains silent on the termination rights of the supplier.
- The combination of EU law for the rights of one party (the consumers) and national law for the rights of the other party (the suppliers) raises a number of fundamental challenges, especially in light of the harmonisation attempt of the Proposal and the principle of effectiveness of EU law.
- Whether the Proposal will finally improve the legal situation of consumers on the digital markets will also depend on the protection given to the supplier at national level. On the one hand, it will hardly be acceptable to give full protection to the consumer “paying with his/her personal data” without looking at the same time at the suppliers' rights in such contractual settings. On the other hand, the rights of the supplier in application of national contract laws should not be able to undermine the legislative purpose of the Proposal.
- The Proposal does not harmonise the rules on the formation of contracts, nor on the validity of the contract for the supply of digital content. Hence, these issues will also remain in the realm of autonomous national contract law.
Is there a need to monetise data?
Some commentators, such as the European Data Protection Supervisor, have been critical vis-à-vis the introduction of the explicit possibility to use personal data as a counter-performance. They argue that personal data cannot be monetized and the Proposal, covering the field of contract law, is not the adequate instrument to regulate the use of personal data. In particular, protection is already granted by the existing legislation on personal data protection, and in particular the GDPR. Some stakeholders do essentially not see the need to attach legal consequences to a practice which may be observed everywhere in the digital environment.
The recognition of personal data as counter-performance for the first time indicates the desire of the EU legislature to take into account an underlying economic reality of transactions using personal data and to express, once again, its concern regarding the protection of individuals with regard to the processing of their personal data. Such acknowledgment is per se welcome as this concept will increase transparency, raise awareness of the economic value of personal data, and foster the rational behaviour of consumers (the so-called "educational" dimension).
However, as demonstrated through this article, legalising this economic reality generates practical and legal concerns. Accordingly, clarifications and guidelines are necessary to allow a greater degree of predictability for digital market actors and to ensure the usefulness of big data.
Our next article will address the free flow of data, with illustrations drawn from the transport sector.
This series of articles has been made possible by the LeMO Project (www.lemo-h2020.eu), of which Bird & Bird LLP is a partner. The LeMO project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement no. 770038.