Governing Big Data in the Digital Single Market: Towards a Proprietary Approach

(1)

Snr. 12798517|Email: kdimou165@gmail.com

Governing Big Data in the

Digital Single Market:

Towards a Proprietary Approach

by

Konstantina Dimou

Master Thesis

LL.M. European Private Law

Amsterdam Law School

Supervision: Prof. dr. M.B.M. (Marco) Loos

(2)

ii

(3)

iii

Acknowledgements

This thesis marks the end of my journey as an LL.M. student at the University of Amsterdam. The path towards the completion of this research has been challenging, in principle due to unfortunate circumstances of the COVID-19 pandemic, and would not have been possible without the support of special people.

First of all, I would like to express my sincere gratitude to my supervisor, Prof. Dr. Marco Loos, for his professionalism and for guiding me though the research and writing process. His insightful comments made a profound impact on my legal thinking and reasoning. Furthermore, I would like to thank my lecturer Ms Candida Leone, for her valuable advice and support.

Last but not least, I would like to thank my family for their constant confidence in me and Dimitris for standing next to me in every failure or success. I dedicate this thesis to him.

(4)

iv Preface

Abstract:

Following the rapid technological development, Big Data applications impact private interests as data constitute a(n) (immediate) source of economic wealth for businesses. However, in the absence of a specific set of rules regulating the multiple Big Data uses, the rights of individuals, who act under multiple capacities in the digital environment - yet remain the more vulnerable party - are exposed in a variety of possible abuses. This contribution suggests that institutional adaptations similar to property rights can empower individuals to promote their data related interests in the digital environment.

(5)

v Table of content Acknowledgements ... iii Preface... iv List of Abbreviations... vi Introduction ... 3

I. Defining Big Data ... 5

a. In search of an interdisciplinary definition ... 5

b. Distinguishing data from information and knowledge ... 7

c. Diversity of Big Data ... 8

II. Property Rights Relating to Big Data ... 8

Intellectual Property Rights ... 9

a. Copyrights’ oxymoron: From its inapplicability to Big Data to the issue of Text and Data Mining (TDM) ... 9

b. Database right ... 15

c. Trade Secret Protection ... 18

III. Personal Data Protection ... 19

a. The objective scope of Personal Data protection ... 19

aa. The notion of “personal data” in the GDPR ... 19

bb. Distinguishing Personal Data protection from Intellectual Property rights ... 22

cc. Anonymized and Pseudonymized data ... 22

b. The right to data portability: A property-like regime on personal data?... 23

IV. The contractual acquisition of personal data by online businesses ... 26

a. The economic reality ... 27

b. Formation ... 28

c. Consent as the legal basis for data processing... 29

d. Personal Data as Counter-Performance ... 30

aa) The Draft Digital Content Directive ... 31

bb) The EDPS Opinion ... 32

e. Contract law issues: How tradable are personal data? ... 34

Conclusion ... 37

(6)

vi List of Abbreviations AI Art. B2B B2C DCD DSM ECFR EDPS EU EUCJ GDPR IP Par. TDM Artificial Intelligence Article Business-to-Business Business-to-Consumer Digital Content Directive Digital Single Market

European Charter of Fundamental Rights European Data Protection Supervisor European Union

European Court of Justice

General Data Protection Regulation Intellectual Property

Paragraph

(7)

3 Introduction

Data are widely regarded as the emerging currency of the digital economy, commonly described in terms of “new oil”1_{. However fascinating, this analogy is deeply misleading in economic terms.} Data are non-rivalrous2 goods, and their amount is virtually infinite. Crucially, the value of data is determined ex-ante according to the context in which they interact (while oil, among other economic units, has a partially pre-fixed value on the world market, even if it can fluctuate over time). In other words, data may constitute a valuable resource or not, depending on their holder and how she can use them to draw conclusions.

That said, we must not over-see that data emerge as a valuable resource in digital markets creating new infrastructures and business models. Following the development of Big Data3 analysis, the large digital service providers are collecting and processing masses of data shared online for promoting tailored products and services to users4_{. The renewed value chain around data has led} to the need of a new regulative approach in the European Union (hereinafter EU). In this context, a strong debate emerged regarding the main objectives of the new measures. Proponents of the free flow of data in the internal market5_{support the idea of Open Data policies}6_{, while more}

1_{See “Data Is The New Oil And That’s Good” by Kiran Bhageshpur, Forbes, 15 November 2019. Available at}

www.forbes.com/sites/forbestechcouncil/2019/11/15/data-is-the-new-oil-and-thats-a-good-thing/#1950c8487304 Accessed on 27 February 2020.

2_{A good is rivalrous when its use by someone reduces someone else’s possibility to benefit from the same good.}

See Weimer, David L., and Aidan R. Vining. Policy analysis: Concepts and practice. Taylor & Francis, (2017):72.

3_{“Big Data can be defined as the information asset characterised by such a high volume, velocity and variety to}

require specific technology and analytical methods for its transformation into value”, See De Mauro, Andrea, Marco Greco, and Michele Grimaldi. "A formal definition of Big Data based on its essential features." Library Review (2016):65.

4_{The present thesis uses the term “users” as a more inclusive one to refer to individuals acting under the capacity}

of data subjects/consumers/authors.

5_{Art. 26 of the Treaty on the Functioning of the European Union (TFEU).}

6_{European Commission, “Shaping Europe’s Digital Future: Open Data”, Last update: 8 March 2020, Available at}

(8)

4 preservative forces suggest institutional adaptations similar to property rights (i.e., proprietary rights) to organize this new type of resource.7

The present contribution indicates that property is an appropriate institution for organizing the use of Big Data, as a new type of resource, in a pro-individual context that promotes individual control. Under the current legal framework, there is no such thing as property on data. Thus, the concept of property rights herein refers to “institutions for organizing the use of resources in society”. 8 This is the case with Intellectual Property rights. 9 The need to shape the way property is conceived - and categorize Intellectual Property as property - reflects the multiple legal challenges linked to the digitization.

The comparative methodology is followed. Throughout a comparison of legislation from separate -prima facie- fields, I will outline how institutional adaptations similar to property rights can promote individual interests related to Big Data. The state of data regulation is only addressed within the European legal framework.

The thesis consists of 4 Chapters. The first chapter sets the background of our research: What is Big Data? Which types of data exist, and which are the legal consequences of this distinction? Following that, Chapter 2, reviews three property-like regimes affecting data control and access under the IP Law (copyright, database right, trade secrets protection). In a similar context, Chapter 3 focuses on personal data regulation under the GDPR and challenges the property-like nature of the right to data portability. Chapter 4 takes the analysis one step further dealing with a

7_{Strowel, A. "Big data and data appropriation in the EU." Research Handbook on Intellectual Property and Digital}

Technologies. Edward Elgar Publishing, 2020.

8_{Merrill, T. W. (2011). The Property Strategy. U. Pa. L. Rev., 160, 2061.}

9_{About the practical and doctrinal irrelevance of the traditional debate on whether IP fits with the common}

definition of property in the digital era, See Carter, S. L. (1992). Does It Matter Whether Intellectual Property Is Property. Chi.-Kent L. Rev., 68, 715. About the need to reform IP law and policy and the existence of a broad horizon for creativity in the IP legal field See Cohen, J. E. (2014). What Kind of Property Is Intellectual Property. Hous. L. Rev., 52, 707.

(9)

5 controversial aspect of the data-driven economy; the tradability of personal data in B2C digital contracts. The research in this chapter is focused on the nature of contracts falling under Art. 3 (1) of the Digital Content Directive10 (hereinafter DCD) based on which consumers’ personal data may constitute a counter-performance for the provision of digital services. It then reviews the legal issues arising from the “commodification of personal data.”11 In conclusion, the need to safeguard individual interests in the digital era based on institutional adaptations of the traditional private rights is underlined.

I. Defining Big Data

This chapter aims to clarify what it is to be considered as Big Data,12 the core concept of the present research. It first aims to establish a common definition for Big Data. Then, it compares data with the related concepts of information and knowledge. Finally, it distinguishes between different types of data and reviews the legal consequences of these distinctions.

a. In search of an interdisciplinary definition

Big data is an emerging research area where common terminology is still evolving. The pervasive nature of digital technologies and the broad range of data-reliant applications have made this expression widespread across multiple disciplines. However, a broadly accepted definition of Big Data does not exist13_{. Indeed, the level of consensus shown by a scientific community when}

10_{Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects}

concerning contracts for the supply of digital content and digital services. Available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32019L0770 Accessed on 27 February 2020.

11_{EDPS, “Opinion 4/2017 on the Proposal for a Directive on certain aspects concerning contracts for the supply of}

digital content” Available at https://edps.europa.eu/sites/edp/files/publication/17-03 14_opinion_digital_content_en.pdf Accessed on 20 May 2020.

12_{The terms “Big Data” and “data” are used interchangeably in the present thesis meaning both structured and}

unstructured piece of information.

13_{Ylijoki, Ossi, and Jari Porras. "Perspectives to definition of big data: a mapping study and discussion." Journal of}

(10)

6 defining a concept is a proxy of the development of a discipline.14 The chaotic evolution of Big Data literature has, thus, impeded the development of an interdisciplinary and formally accepted definition for Big Data.

According to the most repeated definition in literature as well as among practitioners, Big Data is “the information asset characterized by such a high volume, velocity, and variety to require specific technology and analytical methods for its transformation into value”.15_{I will use the notion in this} sense.

The purpose of data science16 is to realize the value17 of Big Data. Data analysis requires the identification of patterns and correlations, aiming to produce a certain prediction.18_{Therefore, the} value of data is not located in the data itself but follows from fluctuating factors such as their use or the timing of that use.19

Big Data can have a different meaning depending on the selected viewpoint.20_{In other words, data} are always the outcome of an intellectual process (i.e., data analysis). Therefore, they are never

14_{Ronda‐Pupo, Guillermo Armando, and Luis Ángel Guerras‐Martin. "Dynamics of the evolution of the strategy}

concept 1962–2008: a co‐word analysis." Strategic management journal 33.2 (2012): 162-188.

15_{De Mauro, Andrea, Marco Greco, and Michele Grimaldi. "A formal definition of Big Data based on its essential}

features." Library Review (2016). See also Kitchin, Rob. “The data revolution: Big data, open data, data infrastructures and their consequences”. Sage, 2014: in that author’s words, it refers to “vast quantities of dynamic, varied digital data that are easily conjoined, shared and distributed across ICT networks, and analysed by a new generation of data anylitics designed to cope with data abundance”.

16_{Data science is an inter-disciplinary field that uses scientific methods, processes, algorithms and systems to}

extract knowledge and insights from many structural and unstructured data. There is still no consensus on the definition of data science and it is considered by some to be a buzzword. See Dhar, Vasant. "Data science and prediction." Communications of the ACM 56.12 (2013): 64-73.

17_{Five steps are required to create value from data: gather, organize, select, synthesize, and distribute, See Ylijoki,}

Ossi, and Jari Porras. "A recipe for big data value creation." Business Process Management Journal (2018).

18_{The bigger the data, the more accurate the results and predictions, See ibid} 19_{In other words, the velocity aspect is central to Big Data applications.}

20_{“Data proceed by abstracting the world into categories, measures and other representational forms-numbers,}

characters, symbols, images sounds, electromagnetic waves, bits-that constitute the building blocks from which information and knowledge are created” See Kitchin, Rob. “The data revolution: Big data, open data, data infrastructures and their consequences”. Sage, 2014.

(11)

7 neutral or objective; they are framed by the instruments, practices, contexts used to generate, select, represent, and analyze them. 21 Thus, relying solely on data can lead to biased and discriminating outcomes22, as the way data are extracted, selected, and represented is already the result of complex humanmade valuation systems.

b. Distinguishing data from information and knowledge

It follows from the definition adopted above that the notion of Big Data is broader than those of information and knowledge. In a more illustrative representation, data could be considered as the base of a pyramid whose higher levels consist of information, knowledge, and understanding, respectively. Information is often assimilated to data, and those terms can, indeed, be used interchangeably in certain contexts. However, information and data are not synonyms. Information is the result of accumulating and organizing data. In other words, information is data structured and put in context.

Finally, focusing on the higher levels of the pyramid, knowledge, and understanding, they result from an additional process of “distillation”23_{that adds meaning and value to information by} revealing facts (relationships and truths) about the world. Knowledge will, then, make it possible to convert information into instructions. Thus, knowledge is “actionable information”.24

21_{Yu, Shui, and Song Guo, “Big data concepts, theories, and applications”. Springer, 2016.}

22_{Couldry, Nick, and Ulises A. Mejias. "Data colonialism: Rethinking big data’s relation to the contemporary}

subject." Television & New Media 20.4 (2019): 336-349.

23_{Reducing, abstracting, processing, organizing, analyzing, interpreting, applying.}

(12)

8 c. Diversity of Big Data

Data are otherwise very diverse. Two broad categories are commonly distinguished: quantitative and qualitative data.25_{Quantitative data is made of numeric records (figures). This applies, for} instance, to the properties of objects (e.g., length, height, distance, weight). Industrial non personal data, which is usually – but not always – not confidential fall under this category. Qualitative data are nonnumeric such as texts, pictures, sounds or videos and usually qualify as confidential (see chapter II).

A second distinction that can be found in literature refers to indexical and attribute data.26 On the one hand, indexical data “enable identification and linking, and include unique identifiers, such as passport or social security numbers and credit card numbers”.27_{Indexical data relatable to natural} persons fall under the scope of personal data legislation in the EU (see chapter III). On the other hand, attribute data represent some aspects of the facts without being unique. In other words, the relatability of attribute data is reduced compared to indexical data. One can, thus, distinguish indexical data such as fingerprints or DNA, from attribute data being the age, sex or eye color of a person. Both indexical and attribute data are subject to confidentiality under European privacy legislation. The practical importance of this distinction refers to the legal categories of personal data (normal, pseudonimized, anonymized) which implies a differentiated legal approach (see chapter III).

II. Property Rights Relating to Big Data

25_{Kitchin, Rob. “The data revolution: Big data, open data, data infrastructures and their consequences”. Sage, 2014} 26_{Strowel, A. "Big data and data appropriation in the EU." Research Handbook on Intellectual Property and Digital}

(13)

9

Intellectual Property Rights

As mentioned above, Big Data have become a buzzword interfering with many discourses. Indicating new ways of successfully dealing with multiple aspects of human life (whether economic, social or political), Big Data have emerged as a promising phenomenon that urges to be addressed by law. The demand for data control can be addressed on first basis by Intellectual Property (hereinafter IP) Law. The present chapter is divided into three sections. Each sub-section reviews how different IP rights (Copyright, Database right and Trade Secret protection) balance conflicting interests arising from Big Data applications.

a. Copyrights’ oxymoron: From its inapplicability to Big Data to the issue of Text and Data Mining (TDM)

aa. Data are outside the scope of Copyright Law (?)

Big Data a fortiori should be excluded from copyright’s realm. As seen in chapter I (section b) data are even more basic components compared to information and knowledge, in terms that the latter embeds the first following a process of distillation. In principle, copyright law does not confer any control on data; introducing the idea-expression dichotomy, copyright only applies to an original form of expression, not to the ideas or “raw”28 information themselves embedded in a creative work.29 However, in most cases, there is an overlap, if not a merger, between many forms

28_{Meaning “simple”, “without been processed”.}

29_{See Art. 9 of the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) Available at}

https://www.wto.org/english/docs_e/legal_e/27-trips_03_e.htm Accessed on 4 June 2020. See also Art 2 of the World Intellectual Property Organization Copyright Treaty (WIPO Copyright Treaty or WCT). See also Art. 1 par. 2 of the Directive 2009/24/EC of the European Parliament and of the Council of 23 April 2009 on the legal protection of computer programs (Software Directive) Available at

(14)

10 of expression and the underlying data.30 Thus, when an entity holds the right to control a form of expression, it can also prohibit the reuse of the unprotected content. In other words, it is impossible to access the data embedded in copyright protected content if reproducing (part of) that content requires authorization.

In this context, framing the issue requires the analysis of the reproduction right. As defined in Art 2 of the 2001/29/EC InfoSoc Directive31, the reproduction right is “the exclusive right to authorize or prohibit direct, or indirect, temporary or permanent reproduction by any means and in any form, in whole or in part” of the authors’ work32_{. It is worth mentioning that this broad notion of} reproduction is ill suited to the digital realm where a plethora of technology-driven reproduction possibilities exist.33

Apart from the practical difficulties to efficiently control digital reproductions of copyright protected content, in many cases, a mere copy may not constitute a copyright infringement. Thus, it seems necessary to differentiate between copyright-related copies and those that should remain outside the scrutiny of Copyright Law.34_{To achieve this, it appears essential to revisit the concept} of copyright infringement.

31_{Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonization of}

certain aspects of copyright and related rights in the information society. Available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32001L0029 Accessed on 4 June 2020.

32_{The authorial work constitutes the subject matter protected by Copyright Law. An authorial work for copyright}

purposes is an expressive production of any mode or form that is original, in the sense of constituting an author’s own intellectual creation. See Art 2 par. 1 of the Berne Convention for the Protection of Literary and Artistic Works (adopted 9 September 1886, last revised 24 July 1971) 828 UNTS 221, as amended (Berne Convention). Available at https://www.wipo.int/treaties/en/ip/berne/ Accessed on 4 June 2020.

33_{Hugenholtz, P. Bernt, ed. “Copyright Reconstructed: Rethinking Copyright’s Economic Rights in a Time of Highly}

Dynamic Technological and Economic Change”. Vol. 41. Kluwer Law International BV, 2018.

(15)

11

bb. Copyright infringement and the communicative aspect of the work

There is no explicit case law of the European Court of Justice (hereinafter EUCJ) providing guidelines for assessing copyright infringements. Copyright Law, entirely relies on the notion of a work and on the principle of authorship, which constitute the rational prerequisite for the assessment of copyright infringements.35 Revising these concepts can provide valuable insight into the objective scope of copyright protection in the digital era.

A work exists where an individual becomes an author by creating a form of expression which shows the imprint of her personality.36_{There is no work without an original expression, and the} copyright is a right enjoyed by authors in respect of their works.37_{A work is not an object, even} less a tool, it is a human act “whereby a person addresses others through speech”38_{. The work of} an author is, thus, the nexus for communication (a communicative act) between the author and a public and constitutes an attribute of her personality. In fact, by protecting the originality of this communicative dimension of the work, copyright provisions protect author’s personality.39

In this context, according to Strowel the assessment of copyright infringement should reflect the above-mentioned aim of copyright law to protect the communicative aspect of the work.40 To

36_{Pila, Justine. “The subject matter of intellectual property”. Oxford University Press, 2017.}

37_{See Art. 2 par. 6 of Berne Convention: “The works mentioned in this Article shall enjoy protection in all countries}

of the Union. This protection shall operate for the benefit of the author and his successors in title”. Available at https://www.wipo.int/treaties/en/ip/berne/ Accessed on 4 June 2020.

38_{From this perspective, copyright law appears as “a form of speech regulation, since it protects the integrity of the}

work as a communicative act”. See Drassinower, Abraham. “What's wrong with copying?”. Harvard University Press, 2015, See also Craig, Carys J. Copyright, communication and culture: Towards a relational theory of copyright law. Edward Elgar Publishing, 2011.

39_Ibid.

(16)

12 reproduce is to recommunicate, while to copy is to repeat an author’s speech as such. 41 Under this view, noncommunicative uses do not qualify as copyright infringements. In fact, according to Drassinower, noncommunicative uses should not fall in the scope of copyright law at all, since they are equivalent to “a nonuse of the work”.42

Many digital reproductions constitute noncommunicative uses as they only have a technical purpose, attributing to the functionality of a “digital machine”.43The copy is just a tool, not an expression addressed to other humans. In other words, the copy does not constitute a communicative act and no copyright infringement occurs.44 These apply to uses such as copying a text or corpus for a data mining exercise (see next section), but also to making a technical copy on a router for the transmission of content on the internet. In a similar context, making a copy of a student’s paper for the purposes of detecting plagiarism does not qualify as a copyright infringement.45_{In all those cases, the digital embodiment of the work (as a series of data) is indeed} reproduced, but there is no use “as a work” in the absence of a human public to decipher it.46

41_{“Uses of the work as a mere pattern of ink, so to speak, in the absence of recommunication are not uses of the}

work as a work”. See Drassinower, Abraham. “What's wrong with copying?”. Harvard University Press, (2015): 111.

42_Ibid.

43_{The phrase is use in a broader sense to indicate both computer software and hardware.}

44_{R. H. Rotsein suggests recognizing that “work” is a process of speech rather than an object as means of}

reconciling copyright law and the current literary thought. See Rotstein, R. H. (1992). Beyond Mataphor: Copyright Infringement and the Fiction of the Work. Chi.-Kent L. Rev., 68, 725.

45_{See A.V. v iParadigms LLC, 562 F.3d 630 (4}th_{Cir. 2009) 640: “iParadigms use of these works was completely}

unrelated to the expressive content and was instead aimed at detecting and discouraging plagiarism”. Available at https://www.courtlistener.com/opinion/1028513/av-ex-rel-vanderhye-v-iparadigms-llc/ Accessed on 4 June 2020.

(17)

13

cc. The Text and Data Mining exception in the Directive (EU) 2019/790

Text and Data Mining (hereinafter TDM) is a research process that extracts data from large datasets. TDM is structured on the use of automated software tools i.e., Artificial Intelligence (AI) algorithms.47 _{This processing of Big Data (i.e., data analysis) aims to find links and draw} conclusions or other valuable analytical insights (see Chapter I). These analytical outcomes can be used for various purposes, including surveillance and targeting advertising.

As mentioned above, under the fundamental principle of originality, (raw) data fall outside the scope of copyright law. It follows that TDM should not be a use covered by any exclusive IP rights, whether copyright or other sui generis rights (see below section). It could even be argued that the TDM research activity is incompatible with the notion of exclusivity and that any restriction would amount to undermining the core concepts of copyright law or lead to an unacceptable restriction of the freedom of expression and information.48 Nevertheless, during the series of technical activities required for the TDM process, some Intellectual Property right relevant uses are needed so that, in the absence of specific license, TDM can amount to an infringement. For instance, TDM frequently involves some copying, which, even in case of a limited extract might infringe the reproduction right (see above). In fact, the EUCJ has held that even an excerpt of eleven (11) words from a text protected by copyright law may constitute an infringement. 49 Therefore, “only TDM

47_{The Artificial Intelligence (AI) algorithm enables the machine to learn while analyzing the Big Data corpus. While}

processing Big Data, the machine learns and ameliorates its analysis techniques. This process often requires human interference to assist the machine in correcting potential errors, such as biased outcomes. See Gervais, Daniel. "Exploring the interfaces between big data and intellectual property law." J. Intell. Prop. Info. Tech. & Elec. Com. L. 10 (2019): 3.

48_{See Art. 11 EUCFR. See also more broadly on the importance of safeguarding the right to information particularly}

in the context of copyright law: Geiger, Christophe, and Elena Izyumenko. "Copyright on the human rights’ trial: redefining the boundaries of exclusivity through freedom of expression." IIC-international review of intellectual property and competition law 45.3 (2014): 316-342.

49_{See CJEU, C-5/08, Infopaq International A/S v. Danske Dagblades Forening ECLI:EU:C:2009:465, (16 July 2009)}

par. 54–55. Available at

(18)

http://curia.europa.eu/juris/liste.jsf?oqp=&for=&mat=or&lgrec=el&jge=&td=%3BALL&jur=C%2CT%2CF&num=C-14 tools involving minimal copying of a few words or crawling through data and processing each item separately could be operated without running into a potential liability for copyright infringement”.50

In 2016, the EU Commission introduced a TDM exception as part of its digital copyright reform efforts. Art. 3 of the Proposal for a Directive on Copyright in the Digital Single Market51, which provides for the envisaged TDM exception, has been subject of an intense debate. While the proposed exception was limited to scientific research organizations with a public interest, it restricted TDM processing when it leads to a publication or when it is conducted for commercial purposes. Academics have intensively criticized the narrow scope of the Proposal, arguing that it would result to injustices. For instance, the application of Art. 3 would lead to the paradox of restricting data analysis for the purpose of journalism, even if the researchers had lawful access to the Big Data corpus. Furthermore, TDM analysis would not be allowed to independent researchers (i.e., non affiliated with a research organization). Thus, the European Copyright Society declared that "data mining should be permitted for non-commercial research purposes, for research conducted in a commercial context, for purposes of journalism and for any other purpose".52

The final version of the Digital Single Market (hereinafter DSM) Directive impels the Member States to provide for an exception covering “reproduction and extractions for lawfully accessible

5%252F08&page=1&dates=&pcs=Oor&lg=&pro=&nat=or&cit=none%252CC%252CCJ%252CR%252C2008E%252C% 252C%252C%252C%252C%252C%252C%252C%252C%252Ctrue%252Cfalse%252Cfalse&language=en&avg=&cid=2 697754 Accessed on 4 June 2020.

50_{Geiger, C., Giancarlo F., and Oleksandr B. "The Exception for Text and Data Mining (TDM) in the Proposed}

Directive on Copyright in the Digital Single Market-Legal Aspects." Centre for International Intellectual Property Studies (CEIPI) Research Paper 2018-02 (2018).

51_{Proposal for a Directive of the European Parliament and of the Council on copyright in the Digital Single Market}

COM/2016/0593 final - 2016/0280 (COD), Available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52016PC0593 Accessed on 4 June 2020.

52_{European Copyright Society, General Opinion on the EU Copyright Reform Package, 24 January 2017. Available}

(19)

15 works […] for the purpose of text and data mining”.53_{It is worth mentioning that, although the} Council proposed for this exception to be optional,54 it, finally, became mandatory.

The concept of exceptions and limitations reflects the policy objectives of IP law. IP law constitutes a “system that promotes, or at least, aspires to promote knowledge by restricting it”.55 This paradox illustrates the tension between public and private interest, which is inherent to IP policy.56 This tension has been culminated following the digitization and the emergence of new types of uses. In this respect, exceptions and limitations allow, for instance, for the use of authorial works without a license from the copyright holder to the extent that the use serves public interests or guarantees the safeguarding of the fundamental principles of the European Union (e.g., freedom of expression and information).57_{Finally, the paradox of TDM exception lies in its mandatory} nature; in EU law, exceptions and limitations are usually implemented by the Member States under a voluntary scheme, with very few exceptions provided as mandatory.

b. Database right

53_{Art. 4 of the Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on}

copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC Available at https://eur-lex.europa.eu/eli/dir/2019/790/oj Accessed on 4 June 2020.

54_{The Parliamentary version and the Commission's proposal are compared in amendments 64 and 65 of the}

document 'Amendments adopted by the European Parliament on 12 September 2018 on the proposal for a directive of the European Parliament and of the Council on copyright in the Digital Single Market'

(COM(2016)0593- C8-0383/2016 - 2016/0280 (COD)) (1). Available at: https://bit.ly/2SS3HYA Accessed on 27 February 2020.

55_{Geiger, C., Giancarlo, F., and Oleksandr, B. "The Exception for Text and Data Mining (TDM) in the Proposed}

Directive on Copyright in the Digital Single Market-Legal Aspects." Centre for International Intellectual Property Studies (CEIPI) Research Paper 2018-02 (2018).

56_{Geiger, C. "The future of copyright in Europe: striking a fair balance between protection and access to}

information." Intellectual Property Quarterly 1 (2010): 1-14.

57_{Geiger, C., "Intellectual Property and Access to Science and Culture: Convergence or Conflict." CEIPI/ICTSD}

(20)

16 Not all IP rights are subject to the originality requirement. The sui generis right in databases, introduced by the Directive 96/9/EC on the legal protection of databases,58 has a mainly economic nature59, therefore, it is less subject-related than copyright provisions.

The Directive refers to the database maker’s investment in “obtaining, verification or presentation of the contents” and then provides a right “to prevent extraction and/or re-utilization of the whole or of a substantial part, evaluated qualitatively and/or quantitatively, of the contents of that database”.60_{The Directive also mentions in its recitals that a database includes "collections of} independent works, data or other materials which are systematically or methodically arranged and can be individually accessed."61 In addition, following the EUCJ case law,62 the database right in principle does not protect the substantial investment in data creation, but only the active collection or assembling of existing data.

In the world of digital innovation and behavioral algorithms, distinguishing between “creating” and “obtaining” data is a difficult, if not impossible, task. However, the afore-mentioned demarcation, “squarely rules out protection - whether by copyright or by the sui generis database right - of raw machine-generated data63_”.64_{Thus, it seems legit to consider that machine produced} outputs based on analyses of Big Data are neither “obtain” nor “collected”, rather they constitute

58_{Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of}

databases. Available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A31996L0009 Accessed on 4 June 2020.

59_{Ibid, Recitals 10-12.} 60_{Ibid, Art. 7(1).} 61_{Ibid, Recital 7.}

62_{See C-203/02 BHB Horseracing v William Hill ECLI:EU:C:2004:695, par. 31, Available at}

http://curia.europa.eu/juris/liste.jsf?oqp=&for=&mat=or&lgrec=el&jge=&td=%3BALL&jur=C%2CT%2CF&num=C-203%252F02&page=1&dates=&pcs=Oor&lg=&pro=&nat=or&cit=none%252CC%252CCJ%252CR%252C2008E%252C %252C%252C%252C%252C%252C%252C%252C%252C%252Ctrue%252Cfalse%252Cfalse&language=en&avg=&cid= 2699715 Accessed on 4 June 2020.

63_{The notion of raw data here refers to data automatically generated by sensors or other machines.}

64_{P. Bernt Hugenholtz, 'Data Property: Unwelcome Guest in the House of IP', [2018] Kritika. Essays on Intellectual}

Property, vol. III. See also Estelle Derclaye 'The Database Directive', in Irini Stamatoudi and Paul Torremans (eds), EU Copyright Law (E. Elgar, 2014): 302-303.

(21)

17 themselves a by-product.65 It is worth mentioning that any relevant interpreting difficulties may be circumvented by a clear-cut distinction of data generation, data processing and data organization activities.

While the data base right does not apply to raw data, but only to substantive parts of the database (i.e. parts that require substantial investment), repeated and systematic use of raw data (i.e. data which do not qualify as substantive part), could in certain conditions infringe the database right.66 Although Art. 1(2) of Directive 96/9/EC defines a database as “a collection of independent works, data or other materials arranged in a systematic or methodical way”, under Art. 7, the sui generis right only applies to “the whole” or “a substantial part” of database. In addition, recital 46 adds that the database right “should not give rise to the creation of a new right in the data themselves”. Finally, as is the case with the reproduction right under copyright law (see above), the scope of the database right (covering extraction and reutilization) is quite broad. For instance, in Innoweb v Wegener, the EUCJ established a broad interpretation of the notion of reutilization in the context of a search engine implying that the translation of the queries from end-users into the search engine for the database site “in real time” is to be considered as a reutilization.67_{Therefore, a certain} interpretation of the conditions of protection (allowing for the protection of generated data), of the subject matter (extending to individual data in case of repeated extraction), and of the scope of protection (extraction and reutilization rights) under the database right may prohibit some extra reuses of data.

65_Ibid.

66_{Art. 7 (5) of the Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal}

protection of databases. Available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A31996L0009 Accessed on 4 June 2020.

67_{See C-202/12 Innoweb v Wegener (2013) ECL:EU:C:2013:850. Available at}

http://curia.europa.eu/juris/liste.jsf?oqp=&for=&mat=or&lgrec=el&jge=&td=%3BALL&jur=C%2CT%2CF&num=C-202%252F12&page=1&dates=&pcs=Oor&lg=&pro=&nat=or&cit=none%252CC%252CCJ%252CR%252C2008E%252C %252C%252C%252C%252C%252C%252C%252C%252C%252Ctrue%252Cfalse%252Cfalse&language=en&avg=&cid= 2699811 Accessed on 4 June 2020.

(22)

18 c. Trade Secret Protection

As is the case with Copyright Law and database protection, the existing EU legal instruments regarding trade secrets do not explicitly refer to Big Data. The Trade Secret Directive68_{aims to} harmonize the protection regarding a category of confidential information that qualifies as trade secrets.69 More specifically, as trade secret qualifies the information which meets the following cumulative criteria: “(a) it is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question; (b) it has commercial value because it is secret; (c) it has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret”.70

Information, which is valuable because of its confidential nature, i.e., trade secrets, constitutes a broad notion; it “extends beyond technological knowledge to commercial data”.71_{Therefore, next} to more elaborated commercial information, such as business plans and market strategies72, data analysis techniques fall under the objective scope of the Trade Secret Directive as well.73 Furthermore, as indicated in Chapter I, based on the applications of Big Data compilation and analysis tools, any data collected, even if considered trivial, might gain value. Indeed, recital 14 of

68_{Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of}

undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and

disclosure. Available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016L0943 Accessed on 4 June 2020.

69_{See also Art. 39 (2) of the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS). Available}

at https://www.wto.org/english/docs_e/legal_e/27-trips_03_e.htm Accessed on 4 June 2020.

70_{Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of}

undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure, Art. 2(1). Available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016L0943 Accessed on 4 June 2020.

71_{Ibid, Recital 2.}

72_{Ibid, Recital 1 referring to “know-how and information which is the currency of the knowledge economy”.} 73_{For instance, data analysis techniques can find patterns and accordingly propose advertisements or services.}

(23)

19 the Trade Secret Directive includes in its protective scope information that “should have a commercial value, whether actual or potential”.

III. Personal Data Protection

While Big Data emerge as a valuable resource in the digital environment, the demands for control of data evolve from the defined categories of information protected by existing IP rights to the special category of personal data. This chapter focuses on the General Data Protection Regulation74(hereinafter GDPR), which contains the personal data protection regime applicable in Europe as of 25 May 2018. It first examines the objective scope of the GDPR. Then, the analysis focuses on Art. 20 GDPR (the right to data portability) which has mainly a pro-individual justification and is arguably claimed to have a property-like nature.

a. The objective scope of Personal Data protection

aa. The notion of “personal data” in the GDPR

Contrary to the broader privacy protection, which is the freedom against any unjustified interference of the State or private parties in someone’s private sphere, personal data protection is construed around a narrower reference point: personal data. Indeed, while the right to privacy, as enshrined in Art. 7 of the European Charter of Fundamental Rights (hereinafter ECFR), refers to every subject’s “right to respect for his or her private and family life”, Art. 8 (1) of the ECFR provides for the specific “right to the protection of personal data”. The latter is a “third generation”

74_{Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of}

natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Available at

(24)

20 fundamental right, elevating data protection into a self-standing right. Before the introduction of Art. 8(1) ECFR, the right to privacy, was broadly interpreted to cover inter alia the protection of personal data. 75

As indicated in Chapter I, Big Data is a broader notion compared to information, since the latter is the outcome of data processing. The GDPR defines personal data as “any information relating to an identified or identifiable natural person”76_{. This definition implies that in the field of personal} data protection, the distinction between data and information is significant since it marks the objective scope GDPR. More specifically, the object of personal data protection in the EU is any identifiable information, while non-identifiable information or raw data77 qualify as non-personal data78_{, thus, falling outside the scope of GDPR. In addition, not all identifiable information} qualifies as personal data, but only subject-related information, i.e., information that leads to the identification of a natural person.79

The notion of subject-related identifiable information has various applications in the digital environment. Any information that directly identifies a person such as a name or contact

75_{Oostveen, M., & Irion, K, "The golden age of personal data: How to regulate an enabling fundamental right?."}

Personal Data in Competition, Consumer Protection and Intellectual Property Law. Springer, Berlin, Heidelberg, (2018): 7-26.

76_{Ibid Art. 4 (1).}

77_{Meaning Big Data that have not been processed.}

78_{“i.e. data that has not been processed or changed since its recording by machines”, See EU Commission,}

“Building a European Data Economy” (Communication) COM (2017) 9 final. Available at

https://ec.europa.eu/digital-single-market/en/news/communication-building-european-data-economy Accessed on 16 May 2020.

79_{Under the Art. 4 (1) GDPR “An identifiable natural person is one who can be identified, directly or indirectly, in}

particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. See also Article 29 Data Protection Working Party, Opinion 4/2007 on the Concept of Personal Data, European Commission (20 June 2007). Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf Accessed on 16 May 2020.

(25)

21 information, or that can indirectly be linked to a person, such as dynamic IP addresses80, constitute personal data. It is worth mentioning that in the Breyer case,81 the EUCJ used an objective criterion to determine identifiability. It held that Big Data might be treated as data relating to an “identifiable natural person” (i.e., as personal data), where the additional data necessary for the identification are held by a third party.82 What is important is whether the combination of available data “constitutes a means likely reasonably to be used to identify the data subject”.83_{In fact, following} the rapid technological developments, more and more new identifiers, such as location data, are included in the list, which leads to broadening the objective scope of the GDPR.

In the similar context, according to recital 26 GDPR, to conclude whether data is personal, “account should be taken of all objective factors, such as the costs of and the amount of time required identification, taking into consideration the available technology at the time of the processing and technological developments”. Therefore, personal data is a rather vague and evolving notion, largely dependent both on the available technologies and the effectiveness of the identification procedure.84

80_{These IP addresses can constitute personal data if a website operator has the means to identify the data subject.}

This implies a broad interpretation of the notion of personal data. See Court of Justice of the European Union, Case C-582/14, Patrick Breyer v. Bundesrepublik Deutschland, judgment of 19 October 2016, ECLI:EU:C:2016:779, Available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62014CJ0582 Accessed on 16 May 2020. It was already anticipated by an obiter dictum in Case C-70/10 Scarlet Extended v SABAM ECLI:EU: C: 2011:771, par. 51. Available at http://curia.europa.eu/juris/liste.jsf?language=en&num=C-70/10 Accessed on 16 May 2020. For an analysis of the Breyer case see Zuiderveen Borgesius, Frederik. "Breyer Case of the Court of Justice of the European Union: IP Addresses and the Personal Data Definition (Case Note)." European Data Protection Law Review 3.1 (2017). Available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2933781 Accessed on 4 June 2020.

81_{Court of Justice of the European Union, Case C-582/14, Patrick Breyer v. Bundesrepublik Deutschland, judgment}

of 19 October 2016, ECLI:EU:C:2016:779. Available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62014CJ0582 Accessed on 16 May 2020.

82_{Ibid par. 41, 43.} 83_{Ibid par.45.}

(26)

22 bb. Distinguishing Personal Data protection from Intellectual Property rights

Both personal data protection and IP rights provide the legal grounds for individuals to claim control over Big Data. Following the analysis in Chapter II, it became clear that the application of IP law on Big Data requires the fulfillment of specific substantive criteria (e.g., the originality of a work). In contrast, as indicated in the previous section, data protection subsists without any requirement of creativity, intellectual effort, inventive or individual character – which are all traditional standards for IP rights on creations such as works protected by copyright or inventions by patents. What matters in the privacy field is merely the capacity of the information to lead to the identification of a natural person, which depends on various factors and is deeply context-related (see above). Hence, the information protected by IP law appears more qualified than the subject-related identifiable information protected by the GDPR.85

cc. Anonymized and Pseudonymized data

Only natural persons “are considered free agents and can enjoy copyright protection ab initio”.86 Similarly, personal data protection qualifies as a fundamental human right, laid down in the ECFR (see above). Its final justification is the principle of informational self-determination, which arises from private autonomy.87 More specifically, the right to informational self-determination is understood as “the capacity of the individual to determine in principle the disclosure and use of

85_Ibid. 86_Ibid

87_{“The objective to preserve personal autonomy influences the interpretation of the guarantees of the}

Convention’s right to privacy. The ECtHR has even stated that there is a right to personal autonomy included in Art. 8 ECHR. In German constitutional law, the fundamental right to informational self-determination is derived from the protection of human dignity.” See Oostveen, Manon, and Kristina Irion. "The golden age of personal data: How to regulate an enabling fundamental right?." Personal Data in Competition, Consumer Protection and Intellectual Property Law. Springer, Berlin, Heidelberg, 2018. p. 6.

(27)

23 his/her personal data”.88_{This objective of data protection explains both why anonymous data are} excluded from the protective scope of GDPR, and the intermediary legal status of pseudonymized data.

Pseudonymization techniques differ from anonymization techniques. On the one hand, with anonymization, the data is scrubbed for any information that may serve as an identifier of a data subject.89 Pseudonymization, on the other hand, results from the processing of personal data, after which it “can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”.90_{Thus, “pseudonymization does not remove all identifying} information from the data but merely reduces the linkability of a dataset with the original identity of an individual. As a result, pseudonymous data still allows for some form of re-identification (even indirect and remote), while anonymous data cannot be re-identified”.91_{As a result,} pseudonymized data may qualify as subject-related identifiable information and fall within the scope of GDPR, while anonymized data is equivalent to non-personal data (see above).

b. The right to data portability: A property-like regime on personal data?

88_{Purtova, N.. "Do Property Rights in Personal Data Make Sense After the Big Data Turn?: Individual Control and}

Transparency." Individual Control and Transparency (November 13, 2017). N Purtova'Do property rights in personal data make sense after the Big Data turn (2017).

8989_{“By definition, data anonymization techniques seek to conceal identity and thus identifiers of any nature.}

Identifiers can apply to any natural or legal person, living or dead, including their dependents, ascendants and descendants. Included are other related persons, direct or through interaction”. See PrivSecReport, “Data masking: Anonymisation or pseudonymisation?”, 7 November 2017. Available at:

https://gdpr.report/news/2017/11/07/data-masking-anonymisation-pseudonymisation Accessed on 9 May 2020.

90_{Art. 4 (5) GDPR.}

91_{See PrivSecReport, “Data masking: Anonymisation or pseudonymisation?”, 7 November 2017. Available at:}

(28)

24 In the US, there is no horizontal protection of personal data, rather a protection of a limited category of sensitive data.92 Those advocating broader privacy protection tend to rely on property rights93 as a convincing rhetorical tool.94 In Europe, the proprietary approach of personal information seemed irrelevant before the massive evolution of Big Data processing technologies95 (see Chapter I).

The purpose of introducing a proprietary approach in personal data protection is to strengthen the legal position of individuals by giving them the legal tools to fully control their personal data.96 In this context, the proprietary approach of personal data should be compatible with the underlying rationale of personal data protection; the principle of informational self-determination (see above). Indeed, what makes property rights a suitable legal instrument to promote individual control over personal data is their erga omnes effect97_{, which entails that data subjects can enforce} their privacy related rights against any party. This is crucial under the complex circumstances of the modern data flows “where the location of data and the chain of control over it are often hard

92_{See for a summary: Maxwell, W. J. "La protection des données à caractère personnel aux États-Unis:}

convergences et divergences avec l’approche européenne." Le cloudcomputing», Société de législafion comparée, collecfion colloques 22 (2014). Available at:

https://www.hoganlovells.com/~/media/hogan-lovells/pdf/publication/6bis-wmaxwell_pdf.pdf Accessed on 10 May 2020.

93_{Purtova, N., "Property in Personal Data: A European Perspective on the Instrumentalist Theory of}

Propertisation." Eur. J. Legal Stud. 2 (2008): 193. Available at:

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2363634. Accessed on 10 May 2020.

94_{See ibid where N. Purtova quotes Lawrence Lessig, “Privacy as Property?”(2002) 69(1) Social Research: An}

International Quarterly of Social Sciences 247-69: “Property talk is just how we talk about matters of great importance…If you could get people (in America at this point of history) to see certain resources as property, then you are 90 percent to your protective goal”.

95_Ibid. 96_Ibid.

97_{“This meaning of property rights is not attached to any one jurisdiction, but derives from studies in comparative}

European property law. Property rights understood as the rights to exclude, alienability, or the ability to sell, is therefore not a necessary defining characteristic of property” See ibid.

(29)

25 to trace to known contract parties”98_.99

According to the European Commission, one of the main objectives of the data protection reform introduced by the GDPR, was “to increase the effectiveness of the fundamental right to data protection”, which implied, among others, “that individuals are in control of their personal data and trust the digital environment”.100_{Therefore, the GDPR contains new rights considered by some} academics101 to have a property- like nature due to their similarities with property rights, such as the right to data portability laid down in Art. 20 GDPR.

Under Art. 20 GDPR, a data subject is entitled “to receive the personal data concerning him or her, which he or she has provided to a controller102, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided”. This right, according to the

98_{Purtova, N., M. Kim, and H. Kwon. "Do property rights in personal data make sense after the Big Data turn?." JL}

ECON. REG. 10 (2017): 208-214.

99_{According to N. Purtova, a system of personal data licenses based on the default control rights of the data}

subjects would create a coherent and more articulate framework for personal data management that allows data use but also is respectful of the principle of informational self-determination.

100_{European Commission, ‘Impact Assessment Accompanying the document Regulation of the European}

Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) and Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data’ Commission Staff Working Paper SEC (2012) 72 final, Brussels, 25.1.2012, 43.

101_{Purtova, N. "Property in Personal Data: A European Perspective on the Instrumentalist Theory of}

Propertisation." Eur. J. Legal Stud. 2 (2008): 193. Available at:

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2363634. Accessed on 10 May 2020. See also Strowel, A. "Big data and data appropriation in the EU." Research Handbook on Intellectual Property and Digital Technologies. Edward Elgar Publishing, 2020

102_{Controller is any person or legal entity who determines the purposes and means of data processing. See Art. 4}

(30)

26 Art. 29 Working Party, the EU advisory authority on data protection, aims in enabling data subjects to “play an active role in the data ecosystem”.103

The right to data portability is a step forward to treating personal data as property, meaning that it promotes property-related actions over data such as trading or exchanging data. However, it lacks the defining element of property rights, i.e., the right to exclude104. In this context, its proprietary nature is at stake. Although not relating to the right to exclude, the right to data portability implicitly acknowledges the economic impact of personal data in the digital economy and can lead to increasing the welfare of consumers in the digital environment. In fact, the right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services; therefore, it establishes the means for Big Data industry to share the wealth created from personal data with data subjects (in a reusable format). This is very important in the light of Art. 3 (1) of the Digital Content Directive, where personal data is acknowledged as a possible counter-performance for the provision of digital goods or services (see Chapter IV).

IV. The contractual acquisition of personal data by online businesses

As indicated above, the demand for individual control over data arises from the economic impact of Big Data applications. The most prominent example of the economic exploitation of Big Data is the contractual acquisition of personal data by online businesses that leads to increasing their efficiency by offering personalized advertisements or services. The present chapter reviews the formation of these contracts, where personal data disclosures act as a counter-performance. Then, it examines the EU legislative initiatives in the area of personal data-related transactions. Finally,

103_{Article 29 Working Party, “Guidelines on the right to data portability”, 5 April 2017, 16/EN WP 242 rev.01.,}

Available at https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611233 Accessed on 6 May 2020.

104_{“A right to exclude is any right to forbid a use or set of uses of a particular resource by one or more people;}

more formally, it is any negative claim-right concerning the use of a discrete thing.” See Stern, James Y. "What Is the Right to Exclude and Why Does It Matter?." Property Theory: Legal and Political Perspectives (MH Otsuka & JE Penner eds., Cambridge University Press 2018) (2018).

(31)

27 it reviews the challenges arising from treating personal data as a commodity and suggests that an efficient regulative approach that promotes consumer interests, should not be too affected by the conceptual barriers between data protection law and contract law.

a. The economic reality

The most prominent example of the (contextual) economic value of Big Data - as analyzed in Chapter I - is the tradability of personal data in B2C relationship, i.e., between consumers and digital service providers. In the digital environment data subjects105, commonly consent to make their data available to online traders in exchange for access to “free” online services. This kind of digital content106 is often advertised as "free"107 just because consumers do not have to pay a monetary price; they are only asked to disclose their personal information108 . In a standard digital business model, these data are used by traders to offer to target advertising for third party products or services. Thus, the exploitation of personal data benefits both the digital service providers –

105_{In this chapter the terms “user”,”data subject”and ”consumer” are used interchangeably meaning the subject}

of rights in the digital environment. It is worth mentioning that in the digital environment individuals act under variable capacities.

106_{In digital content contracts the distinction between goods and services, which is key to European consumer law,}

is rather irrelevant. There is a need for a pragmatistic approach. See Loos, M. B.M. , Guibault, L., Helberger, N., Mak, C., Pessers, L., “Digital content contracts for consumers”. Journal of consumer policy, 36(1), (2013). 42-44.

107_{It is disputed whether this commercial practice can be considered misleading under the Unfair Commercial}

Practices Directive (Directive 2005/29/EC). About the No 20 of Annex I of the Directive, referring to ‘free’ digital services, see Commission Staff Working Document of 25 May 2016, ‘Guidance on the implementation/application of Directive 2005/29/EC’, SWD(2016) 163 final, 88– 89. In the European doctrine, see J. Luzak, M.B.M. Loos, “Wanted: a Bigger Stick. On Unfair Terms in Consumer Contracts with Online Service Providers” Journal of Consumer Policy (2016) 67 (footnote 15); L. Guibault, N. Helberger, M.B.M. Loos, C. Mak, L. Pessers and B. van der Sloot, “Digital Consumers and the Law – Towards a Cohesive European Framework” (The Hague: Kluwer Law International, (2013): 164.

108_{Versaci, G,. "Personal Data and Contract Law: Challenges and Concerns about the Economic Exploitation of the}

(32)

28 sometimes acting as intermediaries – and the third business parties, offering the advertised products and services.

A plethora of new business models are based on users' personal data. Consumers, in the online environment, can choose between “on-demand” offerings, “near-on-demand” content, on-demand downloading, streaming, webcasting, apps etc.109 There are at least two online business models that are most relevant to the analysis herein: a. the "free" provision of online services, b. the "free" provision of (valuable) online content.110 Regarding the first business model, an example is the "free" Wi-Fi services offered in public spaces, such as in airports, where users have to disclose personal information in order to navigate on the web. Similar considerations can be made for social networks, such as Facebook. An example of the second business model is a digital music platform, such as Spotify, where consumers can access music pieces at high quality, even if protected by copyright, for free.111

b. Formation

From a legal perspective, the acquisition of personal data by the digital platforms has a contractual basis: users enter into a contract with the digital platforms by agreeing to their standard terms of online use.112_{The digital contracts are pre-fixed (non-negotiated), presented to the consumer at a} distance on a “take-it-or-leave-it” basis; where the consumer would not accept the contract or the terms thereof, no contract is concluded, and the consumer is prevented from making use of the digital service.113

109_{Loos M.B.M., Helberger N., Guibault, L., Mak, C., & Pessers, L. “Digital content contracts for consumers”. Journal}

of consumer policy 36.1 (2013): 37-57.

110_{Malgieri, G., and Bart C., "Pricing privacy–the right to know the value of your personal data." Computer Law &}

Security Review 34.2 (2018): 289-303.

111_Ibid.

113_{Loos, M. B.M., Guibault, L., Helberger, N., Mak, C., Pessers, L., Cseres, K. J.,Van der Sloot, B.. & Tigner, R.,}

(33)

29 The digitization has led to the emergence of new ways of concluding contracts. Most digital contracts are concluded through the use of opt-in mechanisms, the most prominent of which are the “clickwrap” and “browse-wrap” licenses.114_{In a “click-wrap” license, the standard contract} terms are presented to the user digitally, and the user agrees to these terms by clicking on a button or ticking a box labeled “I agree” or by some other equivalent electronic action.115_{In addition,} online traders may present standard terms to consumers through the “browse-wrap” mechanism, where the terms of the agreement are simply accessible via a hyperlink on the website of the trader. Contrary to the click-wrap method, in case of a browse-wrap licence, the consumer does not get the possibility to “agree” to the terms by actively clicking on a button or ticking a box. Instead, the user is presumed to assent to the terms by merely using the website. Paradoxically, the website must be used in order to read the contract, or even become aware of its existence.116

c. Consent as the legal basis for data processing

Through the above-mentioned opt-in mechanisms, data subjects give their consent to the conclusion of the digital contract for the supply of digital services. This is a separate legal act from the consent of data subjects required for the lawfulness of personal data processing, according to

protection in relation to digital content contracts. Final report, comparative analysis, law & economics analysis, assessment and development of recommendations for possible future rules on digital content contracts” Amsterdam: University of Amsterdam, Centre for the Study of European Contract Law, 2011.

114_{Loos, M., Guibault, L., Helberger, N., & Mak, C.,“The regulation of digital content contracts in the optional}

instrument of contract law”. European Review of Private Law, 19(6) (2011): 729-758.

115_{Depending how the click-wrap licence is technically set up, the consumer’s consent may be required either at}

the download or at the installation of the software, or sometimes at both stages. See ibid.

116_{Whether the presentation of licence terms through click-wrap or browse-wrap is sufficient to give rise to a legal}

act is a question that receives varying answers depending on the applicable contract laws. For an analysis of the issue under different jurisdictions See Loos, M. B.M, Guibault, L., Helberger, N., Mak, C., Pessers, L., Cseres, K. J., Van der Sloot, B.... & Tigner, R., “Analysis of the applicable legal frameworks and suggestions for the contours of a model system of consumer protection in relation to digital content contracts. Final report, comparative analysis, law & economics analysis, assessment and development of recommendations for possible future rules on digital content contracts”Amsterdam: University of Amsterdam, Centre for the Study of European Contract Law, (2011) 59-72. Available at https://uba.uva.nl/en/home?1570832476503 Accessed on 4 June 2020.