Master Thesis
BIG BROTHER AS A TRADER:
EXCHANGE OF PRODUCTS FOR PERSONAL DATA
UNDER EU CONSUMER LAW
Daniela Čičkánová daniela.cickanova@gmail.com
Student Number
Supervisor: Candida Leone, LLM
Master Programme: European Private Law
Faculty of Law University van Amsterdam
ABSTRACT
Master thesis focuses on unequal and weaker position of natural persons in relation to businesses trading with personal data in the cases of bargain of personal data for goods and services. It seeks to prove a hypothesis that this relationship is tantamount to the consumer relationships and, therefore, should be covered by EU consumer law. This normative argument is based on an internal perspective, considering the objectives and contextual presuppositions of EU consumer law. Regarding this, the thesis deals with the normative research question worded as “Why should exchange of products for personal data of natural persons be covered by EU consumer law?”.
The thesis is comprised of three chapters. The first chapter aims to justify main hypothesis of application of consumer protection on the relationships of exchange of personal data for products in three subchapters. They deal with the issues of the basic framework of EU consumer law and its objectives, the problems that data subjects in the discussed relationships face and with the current data protection framework. The second chapter is also divided into the three subchapters and it seeks to prove the proximity of the discussed relationships in their subjects (data subject vs. consumer, controller vs. trader) and objects (personal data as a counter-performance as effective as money). Last chapter analyses the critique of the stated hypothesis represented by the selected EDPS´s arguments that state that it is not desirable to recognize personal data as counter-performance and that it would undermine current data protection legislation.
The results of research showed that the consumer relationships and the relationships of exchange of products for personal data differs only in a counter-performance in the form of personal data and that does not cause any significant obstacles for the application of EU consumer law. Consequently, based on the objectives of EU consumer law, the discussed relationships should belong in its scope, because there are no relevant arguments that justify different treatment of the subjects of the same relationships.
TABLE OF CONTENTS
INTRODUCTION ... 4
CHAPTER 1:NO FREE LUNCH ON THE HORIZON ... 8
1.1 Objectives of EU Consumer Law ... 8
1.2 The Troubles of the Unrecognized Consumers in the New Cybernetic World ... 11
1.3 Current Framework of Data Protection ... 14
CHAPTER 2: EU CONSUMER AND DATA PROTECTION LAW IN TRADE: DIFFERENT RULES FOR THE SAME PROBLEMS? ... 20
2.1 A Data Subject as a Consumer ... 20
2.2 A Controller as a Trader ... 21
2.3 An Exchange of Personal Data for Products as a Trade ... 23
2.3.1 What Can Trader Exchange for Personal Data? ... 24
2.3.2 Why Are Personal Data as Suitable Counter-Performance as Money? ... 25
CHAPTER 3: DISCUSSIONS ABOUT THE OTHER SIDE OF THE COIN: RELEVANT BUT SOLVABLE COUNTER-ARGUMENTS ... 32
3.1 Desirability of Commercialization of Personal Data as an Object of the Fundamental Right………..32
3.2 Feasibility of Free Consent and Its Withdrawal under the Consumer Law Regime ... 34
3.2.1 Freedom of Consent to the Processing of Personal Data Used as a Counter-Performance ... 35
3.2.2 Freedom of Withdrawal of Consent to the Processing of Personal Data Used as a Counter-Performance ... 37
CONCLUSION ... 39
LIST OF ABBREVIATIONS
Commission = European Commission
CRD = Directive 2011/83/EU of the European Parliament and of the Council of 25 October
2011 on consumer rights, amending Council Directive 93/13/EEC and Directive 1999/44/EC of the European Parliament and of the Council and repealing Council Directive 85/577/EEC and Directive 97/7/EC of the European Parliament and of the Council
EDPS = European Data Protection Supervisor
ePrivacy Directive = Directive 2002/58/EC of the European Parliament and of the Council
of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector
ePrivacy Regulation =Proposal on Regulation on Privacy and Electronic Communications which is expected to replace ePrivacy Directive, published on 10th January 2017
EU = European Union
Charter =The Charter of Fundamental Rights of the EU
GDPR = Regulation (EU) 2016/679 of the European Parliament and of the Council
on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
Member States = Members states of the European Union
PLD = Council Directive 85/374/EEC of 25 July 1985 on the approximation of the laws,
regulations and administrative provisions of the Member States concerning liability for defective products
Proposal for a Digital Content Directive = Proposal for a Directive of The European
Parliament and of The Council on certain aspects concerning contracts for the supply of digital content, published on 9th December 2015
TFEU = Treaty on the Functioning of the European Union The Court = the Court of Justice of the European Union
UCPD = Directive 2005/29/EC of the European Parliament and of the Council of 11 May
2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council
INTRODUCTION1
“Homo economicus is an entrepreneur, an entrepreneur of himself … being for himself his own capital, being for himself his own producer, being for himself the source of [his] earnings.”2
Mankind lives in a curious age when a significant part of its life is being moved from a real world to a new virtual one. Throughout history, many useful rules were established to regulate both personal and long distance human interactions. However, many issues still remain unsolved in this modern era of society. Nowadays, information and smart technology are ahead of legal scholars and lawmakers and there is hardly any potential for improvement, since the development of technology is fast and unpredictable. The only thing that seems to be quite clear right is that modern progress will be led by automatization, informatization and surveillance of everything that can serve these purposes3 and, therefore, inevitably
by collection and processing of myriads of data.
Moreover, without any significant obstacles from legislators, companies at the Internet have gained powerful control over many aspects of daily life in society in the last few decades, sometimes in ways that are not easy to comprehend. For example, people often fail to understand that they expose their privacy in return for using web services and that this conduct can have severe consequences for their lives. However, even if they understand it, there is not much they can do about it. People cannot simply turn off all cookies or stop using Internet services because that would amount to a certain way of “civil death”.4
The above example indicates in outline a focus of this thesis that is aimed at unequal and weaker position of people who exchange their personal data for products sold
1 I would like to thank Ms. Leone for helpful comments, discussions and all her precious time she spent with me because of this thesis.
2 Michel Foucault, 19th March 1979, in: Foucault, 2008, p. 226.
3 This idea is substance of three Zuboff´ laws in: Zuboff, 2013. It is also supported by the analyse of Deloitte which stated that 90 % of the data in the world was created between 2011 and 2013. It is expected, that in the following seven years (till 2020) the global volume of digital data “multiply another 40 times or more’’. In: Eggers, Hamill, Ali, 2013, p. 21.
by businesses that collect, process and trade with it. I will advocate the position that the EU5 has already created a system that can, at least partially, deal with these issues - EU consumer law (the term “consumer law” used in this text always refers to EU level). Regarding this, the research question of this thesis is “Why should exchange of products for personal data of natural persons be covered by EU consumer law?”. The objective of this thesis is, therefore, to demonstrate a normative argument that especially from the point of view of EU consumer law, it should cover exchange of products for personal data of natural persons (the term „product“ is used in this text together for goods and services).6 This normative argument is based on an internal perspective, considering the objectives and contextual presuppositions of EU consumer law. But even though the objectives of consumer law are the main criteria to answer the research question, the proposed solution is beneficial for the natural persons also from the perspective of data protection law. This is because they could gain more rights and legal certainty under consumer law and, moreover, it is also possible that market with personal data could become more transparent if personal data were recognized as a counter-performance in comparison with the current situation when bargains for personal data are incorrectly considered to be for free. The thesis also seeks to address the main criticisms raised against this idea by its critical analysis. The discussed issues will be a denial of commercialization of data protection as a fundamental right and concerns that application of consumer law on the examined relationships would imperil current data protection law.
There is no comprehensive evaluation of specific benefits and risks of the discussed topic at the EU level, but there are fundamental disagreements about partial issues between the institutions of the EU concerning predominantly economic development - Commission7 that has already proposed a directive that includes personal data as counter-performance for digital services and data protection - EDPS8 who criticizes this idea in his opinions
5 European Union
6 It is necessary to highlight that this hypothesis is relevant only in situations when personal data is not part of the contract because it is necessary for its conclusion or performance or because personal data is required by law, public policy or interest. This is because this kind of personal data does not serve as a counter-performance if it is not used for benefit of the traders at the market.
7 European Commission
for the reasons that are discussed in the third chapter. Therefore, analysis of these problems provided in the three chapters can serve as an invitation for further discussion.
The first chapter will successively introduce three issues necessary to justify the application of consumer protection to the relationships of exchange of personal data for products. In the first subchapter, I will identify the objectives of EU consumer law via EU primary and secondary legislation. This step will be needful while proving that this field of law has suitable goals and instruments to deal with the issues of natural persons exchanging their personal data for products. However, secondary legislation states different functions and creates different tools in the various directives. Since it is not possible to analyse all of them, the scope will be limited to the CRD,9 UCPD,10 UCTD11 and PLD.12 These directives are considered to be the general core of EU consumer law, so they serve to the purpose of the analysis that is not directed to the specific agenda better than sector directives. In the second subchapter, I will describe the issues that natural persons that are only in the position of the data subjects in the discussed relationships face and demonstrate that they are the same as problems that justify the existence of EU consumer law. In the third subchapter, I will shortly introduce current data protection framework and its available tools to demonstrate that, unlike consumer protection, these instruments are not sufficient and also do not have any ambition to solve the problems described in the previous part.
In the second chapter, the thesis will seek to prove the proximity of the discussed relationships in their subjects and objects. Consequently, it will be analysed if (1) a data subject exchanging his or her personal data for products fits into the position of consumer within its general definition, (2) a business that collects personal data for use of its products
9 Directive 2011/83/EU on consumer rights, amending Council Directive 93/13/EEC and Directive 1999/44/EC of the European Parliament and of the Council and repealing Council Directive 85/577/EEC and Directive 97/7/EC of the European Parliament and of the Council
10 Directive 2005/29/EC concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council
11 Council Directive 93/13/EEC on unfair terms in consumer contracts
12 Council Directive 85/374/EEC on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products
and trades with them is in the same position as a trader under consumer law and whether (3) exchange of products for personal data is equivalent to exchange of products for money. To do so and by using the framework introduced in the previous chapter, I will describe and compare the respective terms used in consumer and data protection law in every subchapter. Furthermore, to fully understand the notion of trade and to prove that monetary payment is equivalent to counter-performance by personal data, I will analyse economic literature. The extensive analysis is required because the payment of price seems to be considered as a condition for a contract to be defined as a consumer contract. Despite this, the abovementioned directives do not pay more attention to that term and neither does private law, which usually discusses only notion of general counter-performance. Overall, this chapter aims to prove that the discussed relationships are so similar that they should not be treated in a different way if there is no relevant reason for that.
Consequently, the third chapter will search for the arguments that could justify a different approach of the EU to the discussed relationships. The hypothesis of this thesis causes concerns about destabilisation of long-built system and degradation of fundamental rights. Regarding this, if the thesis aims to be more than one-sided opinion, this aspect of the discussed topic cannot be ignored. The strongest opposition can be found in the EDPS´s opinions. I will, therefore, use them to analyse (1) if it is desirable to recognize personal data as counter-performance and (2) if it is feasible to introduce exchange of products for personal data to consumer contract law within current data protection framework with emphasis on the institute of consent.
It must be noted that this thesis does not include my personal evaluation of the scope and tools of EU consumer law. Its aim is only to state that if one contract is considered to be a consumer contract and another differs from it only in a counter-performance in the form of personal data provided by person otherwise in the position of consumer, the issues of the latter relationship are consistent with the objectives and scope of EU consumer law, and its subjects should be covered by it. At the same time, I will argue that the arguments against this hypothesis analysed in the third chapter are not relevant enough to justify such a different approach to the same issues.
CHAPTER 1
NO FREE LUNCH ON THE HORIZON
As discussed in the introduction, this chapter aims to justify in three steps the relevance of the hypothesis that exchange of products for personal data of natural persons should be covered by EU consumer law. The fist subchapter offers a brief outline of the objectives of EU consumer law to establish a matrix for proving the point of the second subchapter. This is because the latter analyses issues that natural persons who exchange their personal data for products (supposedly for free) have to deal with and associates them with the relationships protected by EU consumer law. The last subchapter closes the question of justification by proving that EU data protection law has completely different objectives as consumer law and, therefore, offers nothing to help natural persons with the aforementioned issues.
1.1 Objectives of EU Consumer Law
The EU declares in Articles 4(2f), 12, 101, 102, 114(3) and 169 TFEU13 and Article 38
of the Charter14 as its objective a high level of consumer protection, taking into account any new development based on scientific facts. That means that the EU aims to contribute to the protection of the health, safety and economic interests of consumers and to promote their rights to information and education, as well as to enable them to organise themselves to safeguard their interests. This goal includes an objective of law-making which serves to promote consumer confidence.15 The justification for the stated objectives is that consumers are not able to deal with “serious risks and threats” of the market individually.16 The general
reasoning behind this is the belief that consumers are in a weak position vis-à-vis the trader as regards both bargaining power and level of knowledge, and consumer protection establishes equality and balance in these relationships.17 Consumer protection should therefore strengthen the weak average consumer and enable him or her to decide freely, intelligently and rationally due to a transparent market and the sufficiency of the
13 Treaty on the Functioning of the European Union 14 The Charter of Fundamental Rights of the EU
15 Weatherill, Stephen in: Grundmann, Kerber, Weatherill, 2001, p. 194. 16 European Parliament, Policy Overview, 2015, p. 3.
information.18 However, there are many other partial objectives justifying EU consumer protection and they can be found, inter alia, in the secondary legislation.
By the CRD, the EU fights disproportionate fragmentation and undermining of consumer confidence,19 requires traders to carefully consider the specific needs of their clients, especially the vulnerable ones20 and, among others, guarantees them an efficient and easily performed right of withdrawal in the case of distance sales.21
The UCPD also aims to provide consumers with confidence,22 to develop the fairness of commercial practices in the internal market,23 to protect their economic interests,24 to secure legal certainty25 and to make sure they will not be cheated by misleading commercial practices.26 Moreover, it calls for effective legal remedies and a simplified
procedure for access to justice27 and sets basic standards in its Annex I, where it, inter alia,
forbids misleading description of the products as “gratis, free, without charge or similar if the consumer has to pay anything other than the unavoidable cost of responding to the commercial practice and collecting or paying for delivery of the item”.28
The UCTD’s objective is to remove unfair terms from consumer contracts, to protect the economic interests of consumers in a weak position as regards bargaining power and level of knowledge,29 to balance the relationship in compliance with the principle of good faith in the most pro-consumer interpretation and to offer remedies like the impossibility of consumer to be bound by unfair terms.30
18 Reich, Micklitz, Rott, Tonner, 2014, p. 77 - 78. 19 Recital 6 CRD
20 Recital 34 CRD 21 Articles 9 to 17 CRD 22 Recital 4 UCPD
23 Reich, Micklitz, Rott, Tonner, 2014, p. 77. 24 Recital 8 UCPD
25 Recital 12 UCPD 26 Recital 7 UCPD 27 Recital 21 UCPD
28 Commission, Guidance, SWD(2016) 163 final, p. 94. 29 Case Asturcom v. Nogueira, C-40/08, paragraph 29. 30 The Preamble does not contain numbers of the recitals.
The PLD applies to damage caused by death, personal injuries or to private property if caused by a defective product and guarantees liability of producer or suppliers in such cases.31
Another legislative act that has to be mentioned is for the time being only in the form of a proposal drafted by the Commission. The Proposal for a Digital Content Directive32 should deal with contracts for the supply of digital content to consumers.33 Article 3(1, 4) of this Proposal declares as a counter-performance for digital content not only money, but also “(personal and other) data provided by consumers”. An exception is made (similarly with the limits of this thesis) if data is not supposed to be used for commercial purposes, but only to meet legal requirements of relevant contract without further processing. However, even if counter-performance in the form of personal data would be accepted as the part of the proposed directive, it would not solve the issue of this thesis. This is because this thesis seeks to prove that exchange of personal data for any products (not only digital ones) should be covered by consumer protection if the objectives of EU consumer law are met.34
The above summary serves only to shortly outline the extent of the protection that one obtains if he or she has a status of the consumer. But the list of the rights in favour of consumers or their associations would be much longer and would include not only substantive but also procedural rights, e.g., ex officio control of unfair terms in consumer contracts.35
31 The Preamble does not contain numbers of the recitals.
32 Proposal for a Directive of The European Parliament and of The Council on certain aspects concerning contracts for the supply of digital content, published on 9th December 2015; in accordance with the Proposal it should supplement Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights, amend Council Directive 93/13/EEC and Directive 1999/44/EC of the European Parliament and of the Council and repeal Council Directive 85/577/EEC and Directive 97/7/EC of the European Parliament and of the Council 5.
33 Article 1 of this Proposal
34 The very interesting approach to this topic is taken in Narciso, 2017, p. 200 - 202. The method is different from this thesis since the author searches for rights that natural persons using their personal data to get services should have under EU consumer law if these relationships are considered to be gratuitous.
1.2 The Troubles of the Unrecognized Consumers in the New Cybernetic World
Nowadays, people live in a “stalker economy.”36 Surveillance is the business model for the Internet37 and data controllers are “like the Wild West – untamed and without governance.”38 Many companies consider business with data as their biggest asset.39 This new kind of economy is based on Big Data; large amounts of different types of data produced from various sources40 that can prove some patterns or information about social behaviour. It is not disputable that Big Data could be very helpful for the development of society and economic growth; algorithms can identify people with suicidal tendencies, help in the search for terrorists,41 enhance urban planning42 or simply make human lives more entertaining.43 However, “many things start off with the best of intentions, but sometimes intentions turn.”44
One of the most popular ways to collect Big Data is by using an “economic model’’45
of providing natural persons with Internet or smart-device services supposedly “for free” but in reality in exchange for personal data. Moreover, such a counter-performance in the form of personal data is used not only in the respective “transaction” but also follows the data subject everywhere in cyberspace. The concerns accompanying these practices can be explained through profiling. During this process, algorithms monitor the active conduct of a profiled person and also identify offers he or she does not respond to. Subsequently, due to these findings, the algorithms generate new correlations46 and patterns of the individual´s behaviour. Profiling then can create a number of complications in the internal market based on informational asymmetry and inequality in bargaining power between a profiled person and the entity that has the respective profile available.
36 Wyatt, 2013.
37 Schneier, Bruce in The Commissioner for Human Rights, Opinion, 2014, p. 32. 38 Lee, 2014, p. 141.
39 Andrew W. Lo in MIT, ORACLE, 2016.
40 Commission, ‘The EU Data Protection Reform and Big Data’, 2016. 41 The Commissioner for Human Rights, Opinion, 2014, p. 32. 42 Commission, ‘The EU Data Protection Reform and Big Data’, 2016.
43 Netflix used data of her customers to choose its first production. The series is called ‘House of Cards’ and it became most popular show that was ever offered by Netflix. Blake, Ellis in: Eggers, Hamill, Ali, p. 26. 44 Said by Adam Levin in: Francis, Jarvis, 2017.
45 EDPS Opinion 4/2017, p. 7. 46 Moerel, Prins, 2016, p. 14.
Firstly, profiling generates issues and biases in decision making on the both sides of consumer and trader,47 e.g., potential discrimination in the credit loan industry.48 Secondly, if a consumer cannot estimate the extent of knowledge of a trader, he or she is disadvantaged in decision-making, planning or freedom49 because the trader is able to prepare its communication strategy to manipulate consumer’s contractual and bargaining autonomy.50 In more poetic, but accurate words, if someone has access at least to the smartphone of a data subject, “they have more than just a little bit of evidence, they have a window to your soul”.51
Thirdly, the trader is able to target the consumer’s interests or even create them in advance of the potential transaction via techniques like behavioural advertising. To really understand the influence of the latter on the global market and its stakeholders, it is necessary to realize, that Google alone is used on average 40.000 times every second, which means 3.5 billion searches daily, i.e., 1.2 trillion searches per year worldwide.52 All this information
is continuously processed and algorithms update respective advertisement in all the devices of every single user. And even if 64 % of EU citizens consider their tracking in exchange for online services as “unacceptable”, they enable it daily.53
The phenomenon of behavioural advertising deserves more attention, because via its characteristics, it is possible to illustrate further risks that natural persons face. Due to this form of marketing, commercials that Internet users see are constantly personalised and synchronised so they can be targeted in the most effective manner. Certainly, there is a positive side of this trend; people can see advertisements they are interested in and get numerous discounts from sellers. However, as I have already mentioned, these price reductions are usually not donated but bartered for personal information and the tracking of the respective person to use collected information in different ways, e.g. to influence his or her buying habits in favour of businesses. It is important to realize that profiling
47 Luth, 2010, p. 23.
48 Crawford, Schultz, 2014, p. 101.
49 The idea originates in the decision of Bundesverfassungsgericht, 15.12.1983, No. BVerfGE 65, 1. In this decision, the term “right to informational self – determination“ was used for the first time, again within the vertical relationship of government and its citizens.
50 Tretter, 2010, p. 170.
51 Opsahl, Kurt during the discussion ‘The Fight for Encryption in 2016 Crypto fight in the Wake of Apple v. FBI’, December 2016.
52 Google Search Statistics.
of people to offer them products or discounts is not led by the altruistic intention of commercial companies to raise the quality of life in society. Their objective is to ensure the highest possible profit and behavioural advertising helps them to persuade people to buy and pay more by personalizing their marketing strategy. Traders then do not offer consumers the best or at least neutral alternatives, but the ones most favourable for raising their profit. This is closely connected with the techniques adopting psychological insights to influence consumption, i.e. behavioural pricing.54 Another threat of this marketing is based on the idea, that people can “be taught what to want” over time and without proper knowledge about the practices of their counterpart they can be manipulated to draw their attention to “non-authentic” interests (the so-called “corrupt personalization”).55 The autonomy of individuals
is then endangered even in simple tasks like choice of the book to read if its context is controlled by others.56 For example, a controversial experiment proved that Facebook
is able to psychologically manipulate its users by adjusting its algorithms to specific topics, e.g. showing them mostly negative news or vice versa. This social phenomenon is called “emotional contagion” and is well known from the real world (e.g., a smiling waiter can make customers smile and feel comfortable), but until the experiment, it was not known that it was possible in computer-mediated communication.57 It is claimed that manipulation of consumers by sellers is an inevitable result of the competitive market.58 But if businesses can manipulate people due to this informational asymmetry to make unqualified and detrimental decisions, the other side-effect is that need for competition by innovation or quality is weakened.
The aforementioned situations could explain the phenomenon of decreasing confidence of consumers in online services59 and the fact that they feel that they are becoming products to be sold for advertisers.60 Only 26 % of users of social networks in the EU have a feeling of control of their personal data61 and only 24 % trust online businesses.62 This development
54 Boom, 2011, p. 362.
55 Author of this concepts is C. Edwin Baker, 1998, in: Sandvig, 2014. 56 Lynskey, 2015, p. 211 - 213.
57 Kramer, Guillory, Hancock, 2014. 58 Hanson, Kysar, 1999, p. 726.
59 More than six out of ten users say that they do not trust landline or mobile phone companies and internet service providers (62%) or online businesses (63%). In: Commission, ‘How will the data protection reform affect social networks?’, 2016.
60 Discussion ‘What If: Privacy Becomes a Luxury Good?’, 2017. 61 Commission, ‘Special Eurobarometer 359’, 2011, p. 148.
can also lead to slowing down economic growth and innovation. The other option is that people will insert fake data to protect their real identities in virtual world. Even without that 2% of data in consumer databases become obsolete every month and their poor quality costs US businesses $611 billion a year.63 And this is not only exactly the opposite of what advertisers need since their aim is to know their customers but it can also eliminate the previously mentioned positive impact of Big Data.
To sum up the above discussed problems in the relationship of natural person giving personal data in exchange for the products in the EU internal market, these are: (1) misleading offering of products for free; (2) creation of biases and discrimination possible to hinder access to products; (3) information asymmetry to the detriment of bargaining power of data subjects and in favour of providers of products; (4) manipulation of natural persons by behavioural advertising in the hope to change their market behaviour in favour of traders; (5) negative effect of these practices on competition and innovation and, last but not least; (6) lowering of the trust and confidence of natural persons in many areas of their lives, including their market behaviour.
The main arguments that justify EU consumer law, as stated in the subchapter 1.1, are the serious risks and threats of market mirrored in the weaker position of the consumers in relation to the trader in bargaining power and in level of knowledge, fragmentation and undermining of consumer confidence or unfair and misleading commercial practices and terms. It is therefore apparent that the problems that data subjects have to face in the cyberspace are the same ones that the EU aims to solve in “offline” world by the consumer protection rules.
1.3 Current Framework of Data Protection
The EU aims to achieve diverse scale of objectives in personal data protection. It purports to protect the fundamental right to the protection of personal data64 and at the same time support free trade and establish a digital single market to boost the economy by up to 250 billion EUR.65 This is already a complicated situation and, moreover, outside of economic and 62 Commission, ‘The EU Data Protection Reform and Big Data’, 2016.
63 Research was conducted in 2012. In: Li, Li, 2016, p. 813. 64 Article 8(1) of the Charter and Article 16(1) of TFEU 65 Juncker, ‘Setting Europe in Motion’, 2014, p. 6.
legislative planning, real people are concerned about some aspects of digital development. Even though they accept partial disclosure of personal data as a component of modern life,66 this should not be confused with permission for uncontrolled personal data collection and its further proceedings or, in other words, with consent to the unlimited breach of right to informational self–determination. The objective of this right is to secure that every individual can determine which personal data about him or her would be revealed, to whom, how and under what conditions it may be used,67 i.e., that he or she has an authority over disclosure and use of personal data.68 This right should be carried out freely and any obstacles to it have to be based on valid law, because strong protection of personal data “is a question of human dignity.”69 Furthermore, the stated right has far reaching implications because individuals will not feel safe in society if they do not know the extent of information that a person they have to deal with knows about them. Consequently, they will inevitably lose the feeling of their freedom of conduct.70 Therefore, the protection of this right and personal
data in general is also prerequisite of a healthy democratic society.
The EU is aware of abovementioned facts and to protect personal data of its citizens, it has recently adopted the GDPR.71 This regulation tries to prevent abuse of personal data, especially by its Article 6, which declares possibilities of a lawful basis for processing with emphasis on the institute of informed consent – generally the one when the data subject understands the information and agrees to participate.72 In accordance with its Article 4(11) and Article 7, consent has to be given freely and transparently, i.e., specifically, unambiguously and based on a sufficient amount of information in clear and plain language. Many aspects have to be taken into consideration when assessing the freedom of the consent, inter alia, if the performance of the contract is conditioned by giving the consent. Furthermore, it has to be provable, easily revocable and its parts that are in breach
66 According to the Eurobarometer, this statement is true for 74 % of EU citizens. In: Commission, ‘Special Eurobarometer 359’, 2011, p. 148.
67 Kokeš, Marian in: Šimíček (ed.), 2011, p. 125. 68 Staben, 2012, p. 1 - 2.
69 Commission, Communication, SWD(2017) 2 Final, p. 3.
70 The specific examples are illustrated in the following paragraphs.
71 Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
of the GDPR are not binding. It will be very interesting to observe practical application of consent. However, it does not seem that it targets one of the crucial issues of its current form – the objective impossibility of data subjects to comprehend the offered information. This concept appears to be based on the traditional economic idea that people make rational decisions if they are well-informed about their possible consequences.73 However, this tool, if not handled correctly, can be only the easiest possible option to do something and at the same time do not annoy anyone too much.74 Furthermore, empirical studies have already proved that “users neither read nor understand privacy policies”.75 Despite this, their conduct cannot be simply labelled as irresponsible. In 2008, researchers found out that “reading privacy policies carries costs in time of approximately 201 hours a year”, and if US citizen would decide to do so, the evaluation of time lost would be approximately $781 billion annually.76 There is no reason to be overly optimistic that this is US-specific problem with no connection to the EU. In addition, these alarming findings are not exceptional; another study revealed that half of its respondents did not read privacy terms at all either because of their length, complicatedness or ambiguity.77 It is therefore important to deal with the issues of informed
consent effectively, because otherwise can the increasing complexity of data protection law result only in more paperwork without real effect, i.e., “the law being a zombie: it seems to live, but lacks a vital spirit”.78
But there are also different grounds for lawful processing and these do not depend on the will of the data subject. These are for example cases when processing is necessary for the performance of the respective contract, legal obligations of the controller or their legitimate interests. The last one can be interesting in practice, because it is quite vague and from the opinion of the Article 29 Data Protection Working Party, one legitimate interest of the controllers is also “to know their customers' preferences so as to enable them to better personalise their offers, and ultimately, offer products and services that better meet the needs
73 Busch, 2016, p. 223 - 226. 74 Busch, 2016, p. 223 - 224. 75 Heeger, 2015, p. 2. 76 McDonald, Cranor, 2008, p. 19. 77 Moerel, Prins, 2016, p. 9. 78 Koops, 2014, p. 256.
and desires of the customers”.79 It is, therefore, possible that a broader interpretation of this institute can restrict the application of consent, e.g., in the area of behavioural advertising.
A further objective of the GDPR is to provide data subjects with additional protection through such rights as transparent access to their personal data,80 the right to rectification81, or the right to be forgotten.82 In compliance with the aim of this thesis, second chapter will discuss more provisions of the GDPR, especially the subjects and object of data protection relationship. To avoid repetition, these terms will be analysed along with their consumer counter-parts in the following chapter.
However, the GDPR is not the only important legislative act with aim to protect personal data. With the respect to the electronic communication, individuals are guaranteed rights enacted in ePrivacy Directive83 (expected to be replaced by an ePrivacy Regulation84), which defines
consent in compliance with the GDPR85 and, therefore, will not be further analysed.
But neither primary nor secondary EU data protection legislation guarantees data subjects the scope of the rights warranted to consumers, e.g., to the products if they exchange them for their personal data. This is not surprising since these issues are not object of data protection law, but are normally governed by contract law, in this case specifically consumer law. But the practice does not have to get along with theory and, consequently, the solution of the problems of data subjects can be found in the different area of law. In other words, if the consumer is offered a mobile phone service for free, and after accepting it, he or she finds out that monetary payment is necessary, it is considered to be an unfair commercial practice.86 If the consumer were required to be tracked after he or she decides to accept
79 Article 29 Data Protection Working Party, Opinion 06/2014, p. 25. 80 Article 15 GDPR
81 Article 16 GDPR 82 Article 17 GDPR
83 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector
84 Proposal on Regulation on Privacy and Electronic Communications which is expected to replace ePrivacy Directive, published on 10th January 2017
85 Article 2 (f) of the ePrivacy Directive.
86 Decision of Lietuvos Respublikos konkurencijos taryba (Vilnius), defendant: UAB “Bitė Lietuva“, 30th September 2010, National No. 2S-23.
a “free” offer it would be considered in compliance with law. Even if the performance would be defective, the most serious consequences that provider could face would be that some consumers as data subjects would withdraw their consent under Article 7(3) GDPR. But it is reasonable to predict that most consumers would continue to be bound by the contract because even if the service would be of poor quality. It would be for free, so on what grounds could the customers complain? Moreover, if the consent is withdrawn it “may provide may provide the business with a right to terminate (contract) under certain circumstances”.87 These factors can be taken into account under the criteria of Article 7(4) GDPR in evaluation of the freedom of giving consent. However, in practice, this provision can be ineffective in many areas. For example, it could be applied in an individual court case, but even if it would be held that the termination in disputed case was unlawful, the result of the case could not be generally applied in the effect that is tantamount to the sanctions under the UCPD. Therefore, it is not surprising that in academic dispute, it can be heard that consumer law can help to secure more protection for data subjects.88
It cannot be omitted that the EU and its Member States are starting to understand the correlation between the reality of abuse of personal data and need of consumer protection. For example, in Italy, an Internet service provider was even prevented from claiming free services that were exchanged for tracking and targeting by advertising. The important fact is that this case was decided on the grounds of consumer protection and not data protection.89 The EU even made (isolated) reference to the UCPD in Recital 42 GDPR requiring “a declaration of consent pre-formulated by the controller … not contain unfair terms.” The European Parliament also categorized a predecessor of GDPR (Directive 95/46/EC) under the general consumer protection measures.90 However, there is no other binding information about this condition in the remnant provisions of the regulation. To stay with the example of mobile services offered for access to personal data, the Commission acknowledges that these kinds of cases could potentially be considered as a misleading
87 Langhanke, Schmidt-Kessel, 2015, p. 222 - 223.
88 Helberger, Borgesius, Frederik, Agustin, 2017, p. 1441 or Koops, 2014, p. 258, 260.
89 Decision PI2671 – Libero Infostrada para. 6, 5th indent by the AGCM. It was taken in the year 2000 before the adoption of the UCPD and based on the national provisions implementing Directive 84/450/EEC on misleading advertising.
practice under the UCPD.91 Regarding this, it is obvious that knowledge, that data protection law is not suitable to solve problems of natural persons exchanging their personal data for products, is widespread as well as the knowledge that consumer law is able to deal with these issues.
CHAPTER 2
EU CONSUMER AND DATA PROTECTION LAW IN TRADE: DIFFERENT RULES FOR THE SAME PROBLEMS?
The previous chapter demonstrated that data subjects have to deal with the many same issues that EU consumer law was created to address. However, to justify the need for application of consumer protection in the stated cases, it is also necessary to discuss whether the character of the relationships that should be submitted under that concept is suitable. In accordance with the introduction, three relevant terms have to be analysed: the notion of consumer, trader and trade, and compared to their closest counterparts in data protection law. The aim of this analysis is to prove the proximity of the discussed relationships in their subjects and objects and to support the hypothesis that there are no relevant reasons to provide relationships concerning exchange of products for personal data a lower or no level of protection. If this conjecture is right, denying data subjects the protection of consumer law in relationships in issue is in conflict with the stated objective of a high level of consumer protection.
2.1 A Data Subject as a Consumer
The term “consumer” is defined in the secondary legislation. According to Article 2(1) CRD, Article 2(a) UCPD and with non-significant differences in Article 2(b) UCTD, a consumer is any natural person who is acting for purposes which are outside his trade, business, craft or profession in contracts covered by the respective directive. The same definition is proposed in Article 2(4) of the Proposal for a Digital Content Directive. The PLD does not define either the term consumer or the term injured person but from the context of their use (especially in the Preamble), it can be concluded that it has the same meaning as in the other discussed directives.
The Court92 introduced some more essential characteristics of the EU consumer. In the Gut
Springenheide case93 it defined a model of “average consumer” who is reasonably well informed, reasonably observant and circumspect. Every consumer is considered to be average unless he or she is (particularly) vulnerable, i.e. less able to evaluate the situation and his
92 The Court of Justice of the European Union
93 Case Gut Springenheide, Tusky v. Oberkreisdirektor des Kreises Steinfurt, C-210/96, paragraph 31, the origins of the term tracked in: Incardona, Poncibò, 2007, p. 22.
or her conduct as a result of his or her mental or physical infirmity, age or credulity could be reasonably recognizable by the trader.94
Data subject is defined in Article 4(1) GDPR as a natural person that is identified or identifiable and his or her personal data amounts to any information that can be attributed to such person. Recital 75 of the GDPR also recognizes the different scale of risks that processing of personal data of various categories can mean for diverse groups of people, vulnerable ones included (especially children). This can also lead to the conclusion that there is a notion of “standard” or “average” data subject until he or she belongs to the vulnerable category.
Comparison of the two definitions shows that either a consumer or a data subject has to be a natural person. However, in contrast with consumer law, a data subject can act within his or her profession and does not lose personal data protection. In the definition of consumer, the character of the counter-performance (personal data or money) is not a decisive factor, only the purpose of purchase is relevant criterion. Consequently, within current EU consumer protection law, the data subjects who exchange their personal data for products for their trade, business, craft or profession have to be excluded from the proposed hypothesis.
But in the rest of the requirements, the discussed definitions do not manifest any special characteristics that would prevent data subject to be concurrently in the position of consumer if he or she would counter-perform by personal data. In conclusion, according to the discussed definitions, a natural person exchanging personal data for products and giving consent to process his or her personal data can be concurrently in the position of consumer under the condition that this person acts outside of his or her trade, business, craft or profession.
2.2 A Controller as a Trader
The identification of a natural person exchanging personal data for products as consumer is conditioned by the status of his or her contractual partner,95 i.e., the other party of the contract (or commercial practice) has to be a trader. Consequently, the next variable
94 Article 5(3) UCPD. But the vulnerability is not an intrinsic feature of the respective person but arises from the environment, i.e. it is “a social construction”. In: Waddington, 2013, p. 4.
in an equation that tries to figure out if the disputed relationship amounts to the one under consumer protection, is the notion of a trader.
To fulfil the objectives of EU consumer law described in subchapter 1.1, the interpretation of the “trader” has to be broad to effectively protect consumers in the fast developing cyber world with growing number of new business models and also to embrace liberal professions or cultural organizations.96 The CRD defines trader in Article 2(2) as “any natural person or any legal person, irrespective of whether privately or publicly owned, who is acting, including through any other person acting in his name or on his behalf, for purposes relating to his trade, business, craft or profession in relation to contracts covered by this Directive”. The UCPD adjusted this definition for commercial practices in Article 2b and, even though it left out the irrelevance of public or private character of trader, this clarification was supplemented by the Court.97 Moreover, the Commission stated as relevant factors
to be considered to whether a person is a trader his or her motives, purchase of products with intention to sell them for higher price, number, amount and frequency of transactions and turnover.98 The UCTD does not recognize term “trader” but in Article 2c defines that person as “seller or supplier” in the essentially same meaning as the former directives. Also the definition of “supplier” in the Proposal for a Digital Content Directive that amounts to the CRD’s conditions.
The PLD uses term “producer” and “supplier” defined in Article 3. The different notion of the counter-part of the consumer is justifiable by its aim and does not contradict the former definitions. The producer is a manufacturer of a finished product, material or a component and also persons that present themselves as producers of products by any distinguishing features as trade mark or the importer of products into the EU. The producer is the primarily liable person even if he or she is not a party to the contractual relationship with the consumer but is only part of the contractual chain via, e.g., a supplier. Only if the producer cannot be identified, the supplier of the respective product is assumed to be the producer for the purposes of liability (with possible exceptions).
96 Stuyck, 2015, p. 734.
97 The Court recognized the term “trader” as a very broad one including everyone whose activity is “gainful”, even if the subjects in question are “pursuing task of public interest or those which are governed by public law”. In: Case BKK Mobil Oil v. Zentrale zur Bekämpfung unlauteren Wettbewerbs, C-59/12, paragraph 32.
The GDPR recognizes three potential counter-parts of the data subject in its Article 4. These are controller (par. 7), processor (par. 8) and recipient (par. 9).99 The controller is a subject which determines the purposes and means of the processing of personal data if not established by EU or state law. He or she is also the one who is accountable for compliance of processing of personal data with principles stated in Article 5 GDPR and has to prove it if necessary. Throughout the whole GDPR, numerous obligations of the controllers can be found, e.g., providing the data subject with transparent information, communication and modalities for the exercise of the rights of the data subject100 or liability for material or non-material damage in the case of breach of the GDPR.101 The other two subjects play a little bit less significant role in the GDPR in the relationship that is in the spotlight of this thesis. The processor is a subject which processes personal data on behalf of the controller and his or her obligations are stated mainly in Article 28 GDPR. The recipient is a subject to which the personal data are disclosed with special regime for public authorities.
Regarding the abovementioned, the controller is the subject that is mainly responsible for processing of personal data and providing data subjects with most of the rights granted under the GDPR and, therefore, is the most significant counter-part of the data subject within this framework. The term is defined by its function in the data protection network, so naturally it is different from the definitions of trader or in the respective context as a seller, supplier or producer (in the following text, I will refer only to the term of trader solely for the purpose of clarity) in the discussed directives. However, the GDPR does not provide a special definition or regime for the controllers that carry on business with personal data. And it is not necessary since a person who partially or fully trades products for personal data of natural person — consumer for a business purpose can be defined as a trader under consumer law. And if the business receiving personal data as a counter-performance from its clients fits the definition of a trader under the discussed directives, it seems to be in the line with the objective of high level of consumer protection to recognize it.
2.3 An Exchange of Personal Data for Products as a Trade
The two previous subchapters demonstrated that subjects of the exchange of personal data for products can be, in theory based on their definitions, concurrently under the regime
99 Potentially third party defined in par. 10. 100 Article 12 GDPR
of consumer and data protection law. Lastly, it ought to be established that the performance and counter-performance of the consumer and trader are the same even if the consumer’s obligations are fulfilled in the form of personal data. There are two points that have to be addressed: the first one is the performance of trader and the second one is the counter-performance made by consumer.
2.3.1 What Can Trader Exchange for Personal Data?
The first question should clarify if the objects of standard consumer contracts can be bargained for personal data or whether there are some limits that makes this proposal appropriate only for part of consumer protection. In accordance with Article 2(3) CRD, the object of trade is “goods” in the form of tangible movable articles excluding listed items such as water or electricity and digital content.102 Even though it does not define services,
it is apparent from the context103 that with some exceptions, these are also covered by the
directive. Consequently, the scope of the CRD includes all consumer contracts if they are not expressly excluded.104 Under the condition that there is “the direct connection of the trader´s
practice with consumers”,105 the UCPD covers commercial practices relating to all products in the meaning of its Article 2c, i.e. any goods or services inclusive of immovable property, rights and obligations. The UCTD implements the same approach and pursuant to Article 4 applies to the contractual terms of contracts for both goods or services. The PLD also uses term “product”, but only in the sense of movables with exception of primary agricultural products and game.106 As already mentioned in subchapter 1.1, the Proposal for a Digital Content Directive recognizes trade for personal data for digital content, but I will advocate a statement that there are no potent arguments why personal data could not be exchanged also for all other goods and services covered by the aforementioned directives.
To prove that personal data can be suitable counter-performance for any products, empirical examples can be used. For example, besides digital content, consumers could bargain their personal data for groceries. This was tried in Datenmarkt in Hamburg, Germany, only as an art experiment, but was observed as a feasible business model. The consumer needs only
102 Article 2(11)CRD
103 Article 2(6) and Article 5 CRD 104 Article 3 CRD
105 Case Nemzeti v. UPC, C-388/13, paragraph 35. 106 Article 2 PLD
to register there with a Facebook account, and if there is enough information asked for selected goods (e.g. eight likes for bread), personal data is downloaded and he or she gets a receipt that contains the relevant counter-performance: real photos, messages, likes or comments.107 Moreover, in the near future, the use of a similar model can be expected for any goods in the effort to enlarge the model of the Internet of Things. Technological innovations will be traded at least partially for a consumer’s personal data and smart forks will monitor how and what we eat, smart toothbrushes will be interested in how often we brush our teeth108 and Google Glasses will probably collect personal data about everything and everyone. There are no limits to products that people can bargain for their personal data.
The provision of services also does not seems to be impossible if the counter-performance consists of personal data. Firstly, the definition of services is very broad under Article 57 TFEU. Secondly, there already exist many empirical examples of this business model, e.g. social networks. But also popular cellist and composer Zoë Keating suggested that streaming music services could provide her with data about her listeners instead of usual royalties.109
These empirical examples were described to prove that there are neither technical nor legal barriers that would exclude exchange of goods or services for personal data from the scope of EU consumer law.
2.3.2 Why Are Personal Data as Suitable Counter-performance as Money?
Consumer contracts are synallagmatic in their nature. Consequently, the last question that has to be answered within this chapter is what the counter-performance discussed in the directives requires from consumers and if personal data has the attributes that are necessary to be used in this way.
The CRD does not exactly state in its definitions or scope that the counter-performance provided by consumer has to be in monetary form. However, in Article 5(1c) it clearly requires from traders to inform consumers about “the total price” or the manner in which it “will be calculated”. The UCPD proceeds in the same way; even though there is no explicit
107 YQP, 2016. 108 Morozov, 2013.
definition of the consumer’s performance, it can be deduced from the context that he or she is expected to pay some price110 that can be “calculated” and “taxable”. The UCTD also does not pay special attention to the consumer’s obligations in this sense, but in its annex it repeatedly refers to “price of goods”. The PLD is not relevant within this meaning, since it is focused on damages. Therefore, in search for the definition of “price” within EU consumer protection framework, the Directive on consumer protection in the indication of the prices of products offered to consumers111, regarding its aims and broad scope, appears to be a helpful source for further analysis. This directive defines selling price and unit price,112 which have to be “unambiguous, easily identifiable and clearly legible”,113 however, it does not express in what units has the price be paid. Finally, the Proposal for a Digital Content Directive is more straightforward and in its Article 2(6) unambiguously states that price amounts to “money that is due in exchange for digital content supplied”.
Regarding this, consumers are required to pay a price as their part of performance in consumer’s contracts and because of its above identified features and, needless to say, regarding practice, it can be concluded that the price is expected to be monetary and paid in currency accepted in the EU territory. It is certainly not reckoned that consumers should counter-perform for products and services from traders by in-kind barters. Consequently, it is opportune to explain why this rule should be different in the case of personal data and if it possesses attributes that are able to make it as efficient and suitable a counter-performance as money. I analyse personal data in the relation to monetary currency as it is used in daily lives of EU consumers. However, money, currency or even characteristics of counter-performance are not usual points for discussion between the consumer law experts. Consequently, the topic has to be analysed in broader scope then two previous definitions.
The Proposal for a Digital Content Directive has already highlighted in its Recital 13 that “information about individuals is often and increasingly seen by market participants as having a value comparable to money” but does not further develop this idea. Money is usually identified with currency which is “a generally accepted form of money … issued
110 Articles 2i, 2k, 6(1d) and 7(4c) UCPD
111 Directive 98/6/EC of the European Parliament and of the Council of 16 February 1998 on consumer protection in the indication of the prices of products offered to consumers
112 Article 2a, b Directive 98/6/EC 113 Article 4(1) Directive 98/6/EC
by a government and circulated within an economy’’.114 Even though there are theories that currency can be literally anything “that can be “cashed out” for goods and services, or used to pay debt or to store value for future use’’115 it is possible to find some attributes that money needs to have to become a good currency. Probably the most used ones are “divisibility, durability, recognisability, portability and scarcity”.116 Anything that possesses these characteristics is suitable for use as counter-performance in the sense of objective reality. The question that arises is whether personal data is endowed with these properties.
Divisibility means the ability of the respective object to be divided into more parts.117 To be more specific, it has to be analysed if personal data could be separated to the groups of different values and re-combined without affecting their fundamental characteristics.118 “One personal data” de facto exists in a form of information about the respective natural person who can be identified or identifiable by it.119 From its character, it is obviously feasible
to divide personal data in the various groups that would consist of 10, 100 or 1,000,000 items of personal data.
Even though it has been proven that durability is not a necessary attribute of currency,120 it is nevertheless considered to be important attribute of its stability. The present practice of traders proves that personal data is possible to be collected, stored and used repeatedly in many ways and, therefore, is a durable item.
Recognisability is important from the point of view of the receiver of a chosen currency, because he or she needs to be persuaded that the goods or services are exchanged for a real value.121 Currently, all sorts of businesses try to enlarge their databases of personal data by its collection or trade as much as possible because of its rising value, e.g. retailers paying major US banks $1.7 billion a year by 2015 “to send targeted discount offers to customers, based on
114 Investopedia, ‘Currency’. 115 Eggers, Hamill, Ali, p. 21. 116 Hoppe, 1990, p. 55.
117 Cambridge Dictionary, term “divisible”. 118 Lee, 2009.
119 Article 4 par. 1 GDPR
120 Cuadras-Morató, 1997, p. 103 – 125. 121 North, 1986, p. 10.
information on shopping habits gleaned from credit card records”.122 Consequently, the value of personal data is highly appreciated and recognized in the modern world.
Portability or transferability is not an absolute requirement for specific and rare currency,123 but it is necessary in the case of large-scale use. Legally, alienability is question of property law. Personal data has personal character, belongs to the respective data subject and is an object of a fundamental right. Consequently, it cannot be fully alienated. Moreover, it is both non-rivalrous, i.e., it can be given to more companies or used by more traders at the same time,124 and non-exclusive.125 Despite this, people use Internet services and provide controllers with their personal data every second in modern world. There are a few theories to solve this controversy. It can be argued that individuals can extract the fully alienable economic value of their data and keep the moral rights126 or, similarly, that
information about a person can be separated from that person as an independent object.127
I advocate the position that it is possible to transfer the right to use an information contained in personal data and it can be further transferred to the third parties in a way similar to the non-exclusive licences. Even though this system is very different from the monetary one (once owner of money pays by it, it cannot be used again), it is still possible to transfer use of personal data and use their value, so this regime is in this way suitable for commercial environment.
The fifth characteristic that should be considered before it can be stated that personal data can be used in equivalent way as currency is its scarcity, even though some rare exception can be detected.128 In the economic terms scarcity means high value in relation to volume and weight.129 It has worth in its subjective limits, e.g., money is scarce because there is never enough for everything people need.130 The point of view on personal data’s scarcity has to be one of the traders as the ones who has to accept the counter-performance — so personal
122 Blake, Ellis, ‘The Banks' Billion-Dollar Idea’ in: Eggers, Hamill, Ali, p. 21. 123 North, 1986, p. 9 - 10.
124 Not like e.g. dollar that can be used in only one opportunity at time: MIT, ORACLE, 2016, p. 4. 125 The same conclusions about information in general in: Zech, 2015, p. 195.
126 Samuelson in Lynskey, 2015, p. 237. 127 Zech, 2015, p. 195.
128 E.g. mutual credit currencies in: Hallsmith, Lietaer, 2011, p. 59. 129 North, 1986, p. 9.
