Data as counter-performance for the supply of digital content – Is restitution possible?

European Private Law (LLM)

Master Thesis

Data as counter-performance for

the supply of digital content – Is restitution possible?

by

Alexander Mutafchiyski

June 2018

12 ECTS-credits

Date of submission: 19.06.2018

Supervisor:

Abstract

With the introduction of the proposal for a directive concerning certain aspects of contracts for the supply of digital content (hereinafter DSDC), new types of contracts are being introduced, namely, data contracts, for the conclusion of which digital content is supplied in exchange of remuneration in the form of personal or any other data. Notably, the DSDC is one of the instruments that are being part of the execution of the Digital Single Market Strategy, initiated by the Commission in 2015, and as a full harmonising directive it is supposed to level the playing field across the EU, as well as regulate the digital environment and provide high level of consumer protection within that environment. This thesis is specifically concerned with the introduction of data contracts in the realm of consumer contracts, and restitutionary effects of extinction and their enforcement in such contracts. The paper discusses data contracts from a Member State, EU and CJEU perspective, in order to determine the status of the directive within the consumer acquis and the interaction between the new rules and the already existing ones. Consequently, by analysing how the right of withdrawal and law of restitution application post termination of data contract would work, the paper reflects on whether the enforcement of restitutionary effects is feasible. The thesis determines how the new data contracts fit within the EU legislative framework of consumer protection, hence, indicates the risk of unjust enrichment that can occur under a data contract, if the rules of restitution are not adequately enforced, while at the same time shows that the volatile and fluid nature of the digital environment makes contractual relationships in a data contract difficult to be regarded from a legislative point of view as similar to ordinary contracts. This proves that the restitutionary effects of extinction are not able to be applied to data contracts as to normal consumer contracts. Finally, the thesis concludes that the DSDC and the attempt to regulate a legal relationship where data has been provided as counter-performance as a contract has left gaps that require particular attention, in order the EU to ensure high level of consumer protection and establish a coherent legislative framework.

Table of Contents

Abstract...2

1. Introduction...4

1.1. Contextual background...4

2.2. Research Question...5

Chapter 1. The DSDC within the consumer acquis...8

Section I. Data contracts within the realm of general consumer law...8

Section II. Member States and the DSDC...10

Section III. CJEU and the interpretation of the DSDC...12

Section IV. Conclusion...14

Chapter 2. Withdrawal rights and termination of data contracts...15

Section I. The new data contracts - data as counter-performance...15

Section II. Right of withdrawal...18

I.1. Information asymmetry and the right of withdrawal...18

I.2. Restitutionary effects following right of withdrawal...21

Section III. Termination of data contract and restitution...23

Section IV. Conclusion...26

Chapter 3. Unjustified enrichment...27

Section I. Unjustified enrichment under the DCFR and English law...27

I.2. DCFR...27

I.2. English law...29

Section II. Unjustified enrichment in data contracts...31

Section III. Conclusion...34

Conclusion...35

1. Introduction

1.1. Contextual background

“Personal data is the oil of the digital age.”1

- Howard

Tullman-The internet has changed the way people socialise, buy goods, pay for services, as well as the way they do business. This has led to a massive amount of data being uploaded each day on the internet. It grows each day, from 2014 (2.4 billion users) there was a marked 42% increase to 2017 (3.8 billion users) in the number of internet users. Each user produces staggering amount of data, that is fed to the internet. The amount produced on a daily basis today tops 44 billion gigabytes, with an estimate to reach 463 billion gigabytes in 2025.2 _A

big part of that data is categorised as being personal data i.e. data that identifies a person. Howard Tullman was correct to say that personal data is the oil of the digital age and the amount increases rapidly.3 _{Personal data fuels many businesses that function solely on the}

processing of data and using it in advertising e.g. Facebook and Youtube etc. For online advertisers, businesses, shops, every kind of data is crucial. The more data they have, the wider audience they can reach with their ads, easier to establish the models of the perfect consumer, more engagement, smaller price paid for ads etc. The internet created the so called digital marketing, which turned out to be very profitable. Thus, because of the importance of personal data, its demand is very high, which makes its ‘value’ high. When the high value of something concerning people’s lives becomes prominent, the need for regulation within the digital environment became fundamental.

Therefore, the EU Commission initiated the Digital Single Market Strategy in 2015 aimed at facilitating the internal market, cross-border trade, as well as ensuring high level of consumer

1 Howard Tullman, Tools & Technology in the Digital Age: You get what you work for, not what you wish for (BlogIntoBook.com, 2015) 60.

2 Jeff Schultz. ‘How much data is created on the internet each day?’ (MicroFocus Blog, 10 October 2017) <https://bit.ly/2jNR9SO> accessed 15 April 2018.

protection.4 _{The rationale behind it is acknowledging the economic reality and the fast}

developing digital sphere requires regulatory intervention to prevent consumers’ data being exploited and misused by online businesses,5 _{dealing with such data.}6 _{The issues is that}

internet users are unaware of how their data is processed, especially when provided for ‘free’ services. Thus, the Commission determined that such ‘free’ services ought to be regulated, not only under data protection law, but also under consumer law, in order to ensure high level of consumer protection, which ought to be considered whenever new measures and policies are introduced.7 _{The proposal for a directive on certain aspects concerning contracts for the}

supply of digital content (DSDC hereafter)8 _{published in 2015 focuses on the all contracts for}

the supply of digital content, but the most significant is the creation of a contract when a consumer actively provides his/her personal or other data instead of monetary remuneration for the supply of digital content.9 _{These contracts will be referred to as ‘data contracts’ for the}

sake of clarity. Despite being a step forward for consumer protection, it is still unclear how the application of the DSDC rules concerning data contracts will play out in practice.10 _{It is}

difficult to assess whether, the new rules are sufficient to ensure high level of consumer protection due to the fluid digital environment and the rapid development of the digital business practices.

2.2. Research Question

The question examined in this thesis is whether the enforcement of restitutionary effects of extinction under general contract rules is feasible in data contracts or these contracts may appear to be inconsistent with the existing consumer acquis? The methodology applied to the research question will follow mainly argumentative legal dogmatic approach, while normative approach will be applied to the EU-law provisions, the DCFR11 _{provisions and to}

4 Gebhard E. & Voss A., ‘Working Document on the directive of the European Parliament and of the Council on certain aspects concerning contracts for the supply of digital content’ PE585.510v01 [2016].

5 ibid.

6 EmmaGraham-Harrison, Carolina Cadwalladr, Hilary Osborne, ‘Cambridge Analytica boasts of dirty tricks to swing elections’ (The Guardian, 19 March 2018) <https://bit.ly/2G8zG3V> accessed 13 April 2018.

7 Consolidated Version of the Treaty on European Union [2008] OJ C115/13, arts 114(3) & 12.

8 Proposal for a Directive of the European Parliament and of the Council on certain aspects concerning contracts for the supply of digital content (DSDC) [2015] 0287 (COD).

9 DSDC, art 3.

10 Madalena Narciso, ‘Gratuitous’ Digital Content Contracts in EU Consumer Law' (2017) 6(5) JECML 198. 11 Christian von Bar & others, ‘Principles, Definitions and Model Rules of European Private Law Draft Common Frame of Reference (DCFR) (Sellier European Law Publishers, 2009).

English law12_{, in order to demonstrate how they ought to be applied in the situation of data}

contracts. The purpose of the thesis is to show that regulating a fluid environment such as the Internet is not an easy task, with central focus on Article 3 of the proposal concerning contracts where the consumer actively provides personal or any other data as a counter-performance in exchange for the supply of digital content13_{, including all other provisions that}

relate to that type of contract and the terminology of the proposal. The link between the proposal and the Regulation on Data Protection14 _{will not be analysed in depth, but the GDPR}

will be used to express the complexity of regulating the digital environment and the legal relationships within it. The restitutionary effects of extinction are one way of proving through a comprehensive analysis that the rules under the DSDC are not as clear as they seem and their application once in force would prove to be a difficult task. The scope of the directive is not expressly defined; hence, it may turn out to be inconsistent with the existing consumer acquis. This brings up the following sub questions, which will assist in providing a coherent answer to the main research question.

Chapter 1 provides a starting point of a comprehensive analysis by answering whether the rules of the proposal will be considered as stand-alone, separate from the existent ones, or they will cause a double-sided spill-over effect that will add to the notion of safeguarding consumers. On the one hand, the rules of the DSDC could be merged with general contracts rules, especially when implemented into national laws of Member States and interpreted by the CJEU, while on the other, consumers can rely only on the rules under the DSDC, despite data contracts being accepted as valid contracts. The aim is to identify the feasibility of enforcing general restitutionary effects of extinction against a supplier. The approach of the CJEU will be discussed, in order to test the validity of the rules as part of the EU legislative network. In this way, the chapter provides the necessary basis to test the validity of enforcing the law of restitution in data contracts.

12 It is not certain how Brexit will affect the legislative framework of the UK. The Government intends to introduce the European Union (Withdrawal Bill and convert the EU-derived laws into domestic ones, but also decide, which laws to retain or/and to replace. In any situation, the EU-derived laws ought to be at least amended. Josje Hamilton & Andrew Sheftel, ‘Brexit - UK & EU legal framework’ (Norton Rose FulBright, April 2018) <https://bit.ly/28Qk4zE> accessed 2 April 2018, Since the UK has been a longtime Member of the EU, its common law system has contributed significantly to the shaping of the EU legislative framework. 13 DSDC, art 3(1).

14 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) (GDPR) [2016] OJ L 119.

Chapter 2 is aimed at answering when and what ‘actively’ provided data is to be treated as counter-performance to form a contract for supply of digital content to explain the terminology of the DSDC. Then the chapter answers how general contracts rules are to be applied and whether the requirement of restitution can be enforced against a supplier in a data contract. The focus will be on the restitutionary effects of extinction following the exercise of withdrawal rights and termination for non-conformity. The withdrawal rights as an overarching set of rules were specifically created and mainly focused on contractual relationship made online, are not included under the new proposal. On the other hand, the proposal contains rules on termination for non-conformity and indicates that general rules on restitution are to be applied. The Chapter has the aim to show that there is a lack of legal clarity that impedes the application of general consumer law rules. Sources of analysis will be the DSDC and the Consumer Rights Directive15_.

Lastly, Chapter 3 focuses on the risk of unjustified enrichment when general rules of restitution are applied to data contracts, as well as the difficulty of calculating the value of benefit, hence, adding up to the analysis of whether data to be used as counter-performance is feasible in the event when restitution is required. Comparative functional method will be adopted, comparing DCFR and English law rules on unjust enrichment. Accordingly, it will demonstrate the volatile nature of data within the digital environment and try to prove that characterising actively provided data as means of counter-performance in contracts for the supply of digital content is not as effective as it seems.

The conclusion will present the findings of the thesis by summing up the key points of the chapters and presenting that the rules under the new proposal are not as effective as they seem.

15 Directive 2011/83/EU of the European Parliament and of the Council on consumer rights (CRD) [2011] OJ L 299.

Chapter 1. The DSDC within the consumer acquis.

The chapter discusses how the DSDC would fit in the current EU legislative framework, whether the rules on data contracts would be interpreted within their own realm or be intertwined with the already established framework. That will allow to suggest whether restitutionary effects of extinction would be applied to such contracts, hence, determine the feasibility of enforcing restitution rules to data contracts.

Section I. Data contracts within the realm of general consumer law.

The EU has been heavily criticised due to its piecemeal approach towards the consumer acquis, which before the CRD was a patchwork of directives. The Commission has identified two approaches for revising and improving the consumer acquis.16 _{Initially, the vertical} approach was preferred. It focuses on different issues in certain directives resulting in separate amendments with the aim of filling the gaps i.e. adopting rules with the hope of being effective enough and to match the market and technological developments.17 _However,

this approach is too time-consuming focusing on each separate legislation, amending it to match the current legislative framework and eliminating inconsistencies with other directives.18 _{These directives were mostly minimum harmonization ones, which allowed}

Member States to have a significant discretion when transposing them, in terms of level of protection, definitions etc. This obliged the Commission to review each transposition

16 Commission, ‘Green Paper on the Review of the Consumer Acquis’ (2006) COM 744 final 8.

17 Christian Twigg-Flesner, ‘Disruptive Technology - Disrupted Law? How the digital revolution affects (Contract) law’ in A. De Franceschi, European Contract Law and the Digital Single Market (Intersentia, 2016). 18 Jana Valant, ‘Consumer Protection in the EU, Policy Overview’ (2015) PE 565.904 <https://bit.ly/1hToQyH> accessed 3 March 2018.

separately and for each Member State.19 _{It proved to be not only time-consuming, but also}

resulted in different variations of each directive across the EU. The acquis was complex and sometimes inconsistent, which created difficulties, requiring both consumers and traders to be aware of the national legislations.20 _{With the CRD, the Commission took a horizontal}

approach to tackle issues within the consumer acquis, not only on EU level, but also on national level by introducing the directive as a full harmonising one. Furthermore, the Commission decided that, as part of its Digital Single Market Strategy, maximum harmonisation directives are the best choice. However, such a directive still leaves room for divergence. Under Article 288 TFEU21_{, each Member State can choose the form and methods}

of transposing the directive regarding a particular area. This leaves the EU with 27 diverging legal regimes, hence, diverging interpretations of the DSDC rules. It seems that on a European level the directive is supposed to be a stand-alone one, drawing up the rules and remedies regarding contracts for the supply of digital content.22 _{It is aimed at filling the gap in}

the consumer acquis where no rules currently exist, according to the explanatory memorandum.23 _{However, that is not entirely true. The CRD contains rules applicable to a}

digital content, supplied on a tangible medium or through streaming, downloading etc. Despite the focus being on digital content supplied on a tangible medium, it inspired some Member States to introduce more detailed rules regarding digital content. Now with the DSDC, the scope is broader regarding digital content, but the rules under the CRD apply in conjunction with the DSDC in regard to digital content supplied on a durable medium such as DVDs and CDs.24

However, the DSDC does not address whether other rules under the CRD are applicable to data contracts. The last sentence of recital 1125 _{states that the rules of the proposal will not}

apply to goods with embedded digital content where it is an integral part of the goods, their functions and their operability, but they remain within the scope of the CRD. Hence, CRD rules applicable to services and goods should not be applicable to the sui generis data contracts. Another indicator is that all directives and regulations that may be affected by this

19 Commission (n 16). 20 Valant (n 18). 21 TFEU, art 288.

22 Christian Twigg-Flesner, A Cross-Border-Only Regulation for Consumer Transactions in the EU: A Fresh Approach to EU Consumer Law (Springer, 2012) <https://bit.ly/2IUcPXS> accessed 9 Aprl 2018.

23 DSDC (n 8), Explanatory Memorandum. 24 DSDC, recital 12.

directive have to be included by a reference in the DSDC to ensure its proper enforcement26

i.e. a contract for the supply of digital content has to be expressly interpreted and judged in light of those instruments, unless stated otherwise. However, there is a lack of clarity between the recitals and the explanatory memorandum. On the one hand, the proposal turns out to be a targeted harmonisation instrument aimed at key mandatory consumer EU rights, for which there were no rules established,27 _{while on the other, under the recitals existing legal}

instruments do contain rules regarding contracts for the supply of digital content. Ultimately, the proposal creates a distinct type of contracts with separate set of rules, and according to the recitals as the guidance on application of the DSDC, these novel rules are to supplement and be supplemented by the existing rules. This contradicts with the horizontal approach taken by the Commission with the CRD and contributes to the fragmentation of the law. The Commission decided to switch back to a vertical approach. Namely, not to include digital content contracts within the scope of the CRD, but to create a new fully harmonising directive. That paves the road for new issues to emerge such as fragmentation of the legal environment and not establishing a coherent framework. Nevertheless, the DSDC is expected to be applied in conjunction with the existing rules. Data contracts would be subject to the Unfair Terms Directive and the new GDPR, because data protection law can aid interpretation of consumer law. Thus, the consumer should be able to object against a disproportionate and excessive data processing and against terms that require consumers to disclose excessive amount of personal data is considered unfair, respectively. However, in the past such connection between directives has been made through judgments of the CJEU, but it is also a task of national courts to decide on that issue. The CJEU may provide guidance or declare a national measure as precluding an EU provision but cannot provide final judgments. It is up to the Member States’ implementation that would show by how much the DSDC would be merged with the existing legislative framework.

Section II. Member States and the DSDC

A directive has to be transposed into national laws of the Member States. Each state has the freedom to choose the form and methods for doing so. Yet, minimum harmonisation has been long criticised due to its residual variation among national laws and the different levels of

26 DSDC, recitals 49 & 52. 27 Memorandum (n 23).

protection offered, which carries the risk of creating race to the top and not in any case a level playing field.28 _{On the other hand, full harmonisation provides the same level of protection}

across the whole European Union, thus, simplifying and reducing the existing legal barriers and cross-border transactions. But the full harmonization approach has its flaws.29 _Full

harmonisation directives still do not create one consistent and coherent set of rules regarding consumer transactions.30 _{The result post transposition is a regulatory mix of EU-based and}

national rules across the 27 Member States i.e. 27 different sets of rules with core notions.31

Evidently, a new directive introduces core notions regarding a particular area of consumer law, but the way Member States interpret them, transpose them and include them into their national laws, causes legal fragmentation. For example, when the CRD was introduced it was transposed by the Member States, but later some of them, UK and the Netherlands, adopted legislation that goes beyond the subject of the directive, namely, the supply of digital content, an area implied under the CRD through supply of digital content specifically on a durable medium. Thus, even more fragmentation occurs on national level, but it shows that Member States would blend the rules under the DSDC with the current rules add up to their coherent structures of consumer law. They are able to do so since the CJEU ruled in Di Pinto that they cannot be precluded from introducing measures in areas not concerned by a directive.32 _For

example, the UK decided that there should be a distinction between data contracts and normal contracts for the supply of digital content under the Consumer Rights Act 201533_{. The rules}

under the national digital consumer rights regime were applicable only to transactions with monetary payment.34 _{Thus, different national legal regimes perceive the digital environment}

differently and one rule could be interpreted and transposed in many different ways. Moreover, under Article 3(9) DSDC35 _{national contract rules are not regulated, nor affected}

by the DSDC. Hence, existing legal rules would have to be applied to data contracts, resulting in unification of the new rules with national rules. Full harmonisation approach would not reduce the legal diversity and would not prevent Member States from merging the new rules into their legal systems. However, this current legal regime of fragmentation across national

28 Twigg-Flesner (n 22).

29 Geraint Howells & Gert Straetmans, ‘The Interpretive Function of the CJEU and the Interrelationship of EU and National Levels of Consumer Protection’ (2017) 9(2) <https://bit.ly/2kuIyV2> accessed 21 April 2018. 30 Twigg-Flesner (n 22).

31 ibid.

32 Case 361/89 Criminal proceedings against Patrice Di Pinto [1991] ECR I-01189. 33 Consumer Rights Act 2015.

34 ‘Position of FEDIL - contract rules for the supply of digital content and online sales’ (2016) <https://bit.ly/2GXHFgC> accessed 1 March 2018.

laws is unsatisfactory for creating one coherent consumer acquis. There is a need for reform considering the detailed texts of the directives regarding consumer law by introducing a new legal structure,36 _{e.g. in the form of regulations concentrated on the cross-border transactions}

within the digital environment.37 _{Yet, the current lack of legal clarity should not in any way}

prevent any improvements that provide legal certainty and contribute to the quality of law to be introduced.

Section III. CJEU and the interpretation of the DSDC

The last point regarding the application and interpretation of the DSDC concerns the CJEU approach. The CJEU is known for its judgments, composed in a way open to interpretation. The Court adheres to guiding national courts to adopt proper interpretation of EU law and they to enforce it. It does not cross the line between interpretation and enforcement. Both in Océano38 _{and RWE}39 _{the Court stated the ex officio authority of national courts, while it} assists in the interpretation of the EU legislative acts and policies.40 _{It develops general}

principles, which allow room for national diverging interpretations.41 _{Thus, the CJEU does}

not impose rules on national laws, it focuses on whether EU rules are correctly transposed and are not precluded by national measures. It is so, because the jurisdiction of the Court does not extend to ‘telling' Member States how their national laws should be. However, despite the CJEU approach being criticized of contributing to fragmentation, it does the opposite. The Court seems to nudge Member States towards convergent interpretation, while allowing for national divergence in terms of a national legal approach or a national model of legislation. The Court has contributed greatly to the convergence of consumer protection throughout the EU, despite being criticised for taking a pro-consumer stance e.g. the notion of the average consumer in Gut Springenheide42 _{that has been extended to different areas of consumer law.} In the judgement of Douwe Egberts43 _{the CJEU noted that in any doubtful situations, the} national courts have to consider the consumer as being reasonably informed and

36 Lucie Guibault & others, Digital Consumers and the Law. Towards a Cohesive European Framework (Kluwer Law International, 2012).

37 Valant (n 18).

38 Case 240/98 Océano Grupo Editorial & Salvat Editores [2000] 39 Case 92/11 RWE Vertrieb [2013] ECLI:EU:C:2013:180. 40 Straetmans (n 29).

41 ibid.

42 Case 210/96 Gut Springenheide & Tusky v Oberkreisdirektor des Kreises Steinfurt [1998] ECR I-04657. 43 Case 239/02 Douwe Egberts [2004] ERC I-07007.

circumspect.44 _{Furthermore, in Estée Lauder Cosmetics}45 _{the court focused on that} consumers’ perception should be judged by considering social, cultural and linguistic factors.46 _{Interestingly, all these cases concern different areas of law, but the Court stayed true}

to its line of reasoning by focusing on protecting consumers as the ultimate goal of EU law. On another occasion, the Court extended the notion of a seller under Article 1(2)(c) of Directive 1999/44/EC47_{, due to the information asymmetry that would be created in the}

situation where a trader acts as an intermediary on behalf of one individual in a sales contract.48 _{The CJEU noted that in such situation all circumstances must be taken into}

account, in order to determine whether the buyer would have known that he is contracting with an individual and not a trader, including the perception of the buyer as a consumer, whether as a reasonably informed and circumspect, he would have known that the trader is acting as an intermediary, while considering the information given and the behaviour of the intermediary.49

Accordingly, this approach can be seen as pushing for convergence of existing directives into one general legal framework, where everything is intertwined, and the rules are aimed at achieving the desired level of consumer protection across the EU. Therefore, the CJEU would probably adopt a similar approach with the DSDC and data contracts. It would allow for national divergence, but through its guiding judgements it will reveal the contours of the European consumer protection framework that the directives aim at creating50 _{e.g. as with the}

Unfair Commercial Practices Directive51_{. Under the DSDC and the GDPR data contracts will}

not be considered gratuitous, gratis, nor free and under Annex I №20 of the UCPD it is unfair to describe something as ‘free’ or to make the consumer to believe that he will not pay anything except of unavoidable costs such as delivery or collection.52 _{This provision is}

sufficiently broad to encompass contracts where non-monetary form of counter-performance has been provided as remuneration to the supplier.53

44 ibid.

45 Case 220/98 Estée Lauder [2000] ERC I-00117. 46 ibid.

47 Directive 1999/44/EC of the European Parliament and of the Council of 25 May 1999 on certain aspects of the sale of consumer goods and associated guarantees [1999] OJ L 171, art 1(2)(c).

48 Case 149/15 Wathelet [2016] ERC ECLI:EU:C:2016:878. 49 ibid.

50 ibid.

51 Directive 2005/29/EC on unfair commercial practices (UCPD) [2005] OJL 149. 52 UCPD, Annex I №20.

53 Natali Helberger, Frederik Zuiderveen Borgesius, Agustin Reyna, ‘The Perfect Match? A Closer Look at the Relationship between EU Consumer Law and Data Protection Law’ (2017) 54(5) CMLR.

Also, if the supplier fails to identify how the consumer’s personal data, preferences and user-generated content are going to be used, it might be classified as a misleading practice, as well as omitting to specify the commercial intent of the commercial practice is classified as a misleading commercial practice.54 _{Therefore, a supplier classifying a digital content as ‘free’}

not informing the consumers about the purpose of collecting particular type of data or how the generated content will be used, may fall under the scope of the UCPD. Thus, the CJEU might follow a pro-consumer approach and determine that data contracts fall within the general scope of the UCPD. There are still gaps to be filled regarding application of general rules to data contracts but lately the CJEU has taken the first steps towards conceptualisation and fine-tuning of the consumer acquis.55 _{Simultaneously it defines the scope of judicial} interpretation and indicates the purpose of the legislative instruments.56 _{The Court}

acknowledges the need of protecting consumers, while at the same time facilitating the internal market. It would interpret a directive in a generous way in terms of consumer protection sometimes even going to extremes.57 _{However, it has been criticised for using}

excessive language to evade a question, rather than providing a clearly stated reasoning.58 _The

purpose of the extensive judgments, however, is to provide guidance where a legislative guidance is missing both at European and national level. The national courts are informed, in order to initiate and fulfil ‘clearly desirable and common expectations’59 _{by developing a}

coherent legal framework with a high level of consumer protection.

Section IV. Conclusion

According to the analysis of the chapter, the Member States and the CJEU would push the DSDC, including data contracts, on being merged into general consumer law. It further shows that this integration would provide more flexibility in protecting consumers and in assessing fairness of data contract, especially through the supplementation from data protection law.60

54 Commission Guidance on the UCPD (2016) 0163, 89. 55 Helberger (n 53).

56 Straetmans (n 29).

57 Case 428/11 Purely Creative & Others [2012] ECR ECLI:EU:C:2012:651 in Alber Sanchez Graells, ‘The CJEU overshoots the mark of consumer protection: ‘Winner’ means winner and ‘prize’ means free prize’ (European Law Blog, 2012) <https://bit.ly/2snTcR7> accessed 2 March 2018.

58 Straetmans (n 29). 59 ibid.

This interplay provides new mechanisms of addressing detrimental and unfair situation for consumers within the digital environment.

Chapter 2. Withdrawal rights and termination of data contracts

Chapter 2 dicusses the terminology under the DSDC and answers the questions how general consumer law rules are to be applied and whether the requirement of restitution can be enforced against a supplier in a contract for the supply of digital content. It analyses the enforcement of restitutionary effects of extinction following the enforcement of the right of withdrawal and termination of contract.

Section I. The new data contracts - data as counter-performance

The Commission introduced the DSDC as a full harmonisation directive61 _{to facilitate its}

implementation into the national laws of the Member States.62 _{The harmonising character of}

the Directive is necessary to reduce the fragmentation across the EU. In some Member States specific laws on digital content are non-existent, while others, such as the UK and the Netherlands, have already adopted legislation on digital content63_{. The new proposal aims at}

reducing fragmentation, as well as provide a leeway for Member States to adapt the new rules to their national rules with less interference from the EU.64 _{Another reason for introducing a}

directive is because a regulation requires a more in depth regulatory mix, as well as it does not provide a margin of adaptation for its rules to the fast-changing and evolving market like the digital one.65

61 DSDC, art 4 & recital 5.

62 Gerald Spindler, ‘Contracts For the Supply of Digital Content – Scope of application and basic approach – Proposal of the Commission for a Directive on contracts for the supply of digital content’ (2016) 12(3) ERCL 185.

63 Memorandum (n 23). 64 ibid.

Accordingly, the proposal does not distinguish between contracts for goods and services such as the Consumer Sales Directive66_{, but it categorises contracts only by such for the supply of}

digital content, to prevent itself from becoming outdated in the future due to the technological advancement of the digital environment.67 _{The proposal aims at supplementing the Consumer}

Rights Directive, in order to prevent legal fragmentation that already has occurred due to Member States adopting legislation on digital content contracts i.e. it adds up to the general framework, but does not answer whether the rules are intertwined and that rules from the CRD apply to the DSDC and vice versa.68

The biggest novelty is under Article 3(1). The directive applies to any contract where the supplier supplies or intends to do so with a digital content in exchange of personal or any other data that the consumer actively provides. The proposal does not define clearly what is meant by personal or other data. Under recital 22 the application of this Directive is to be made in full compliance with the existing framework on personal data protection, established by the ePrivacy Directive69 _{and Data protection directive, repealed by the GDPR.}70 _{Thus, the}

rules of these legal instruments ought to coincide.71 _{Meaning that, the definition of personal}

data in light of the new proposal is the one found under Article 4 of the GDPR,72 _{hence, as}

long as data relates directly or indirectly to a person or in some way identifies the person, it is categorised as personal data.73 _{However, the directive does not apply to personal data strictly}

necessary for bringing the contract in conformity by the supplier, provided that the supplier does not process the data further, that is incompatible with the purpose of the contract i.e. does not use the strictly necessary data for commercial purposes.74 _{The provision is}

introduced because of the risks of misuse and unfair processing of data given in exchange for ‘free’ content, as well as due to the consumers’ apathy, when engaging in such ‘free' agreements. They give out their data without any consideration and without being properly informed of the consequent use of that data.75 _{The concept of data being actively provided is}

66 CSD (n 47). 67 Spindler (n 62). 68 Memorandum (n 23).

69 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) [2002] OJ L 201.

70 DSDC, recital 22. 71 Narciso (n 10). 72 GDPR, art 4.

73 Uzun v. Germany App no 35623/05 (ECtHR, 2 September 2010). 74 DSDC, art 3(4).

rather unclear76_{, however, the term is more focused on the consumer being aware that he is}

providing his data as a counter-performance, instead of requiring? him intentionally to provide the data.

Accordingly, ’actively providing’ does not only connect to the awareness of providing data, but also corresponds to the perception of the consumer that he is concluding a data contract. Namely, ‘actively’ ought to be interpreted as the consumer is informed that his data serves as counter-performance for the supply of ‘free’ digital content that in exchange creates a contract between him and the supplier, to which duties and remedies apply. The data necessary for functioning of the digital content falls outside the scope of the directive77_{, e.g.}

in a service such as Instagram the consumer actively allows access to his private photos, that is not covered by the DSDC, because that is the sole purpose of Instagram. However, the provision of an email address, phone number and gender are not strictly necessary for a profile to function, because a user is identified by his/her username and not email address, hence, such data categorised in Instagram as private, but required by the supplier, ought to fall within the scope of the directive. The directive encompasses also indirectly provided data, which again is actively provided e.g. by ticking a box, allowing access, agreeing with the use of the data through a pop-up message.78 _{Furthermore, the Facebook Messenger}

application's primary purpose is to send messages and the data required for that is a phone number or an email address and password used for the user’s Facebook account. The app requires access to microphone, photos, camera of the user, even if the photo is not taken through the app, hence, the consumer actively and indirectly provides data and access to the supplier. ’Actively’ refers to the authorisation by the consumer to deliver the data and ‘directly’ refers to the consumer uploading the data himself or inputting the data onto the digital content i.e. the positive action taken by the consumer to provide his data. ‘Indirectly’ refers to the user actively authorising the supplier to access his/her data, while making use of the digital content, without the need of a positive action by the consumer to deliver the data. Accordingly, ‘actively’ and ‘directly’ are not to be used interchangeably. ‘Active’ provision of data occurs where the consumer provides data as counter-performance directly and/or indirectly. These rules do not apply to data generated through cookies, geographic position, IP address i.e. data not generated by the consumer himself.79 _{It has been argued that Article}

76 ibid

77 DSDC (n 73). 78 DSDC, recital 14. 79 ibid, Narciso (n 10).

2280 _{contradicts with recital 14, because indirectly collected data under Article 22 fall outside}

the scope of the directive and under the recital it falls within the scope.81 _{The data referred to}

in Article 22 is the data generated through advertisements that are tightly connected to the data generated by the web browser. Lastly, such interpretation of the DSDC terminology clearly shows that digital content is treated differently than tangible goods or online services, it is a sui generis type of contract.82 _{Nevertheless, if not specifically specified under the} directive, the rules on formation, validity, effect and termination of a data contract are to be regulated by national general contract law83_{, hence, general contract rules supposedly should}

apply to such contracts, including the rules regarding the main characteristics of the contract under the Consumer Rights Directive84_.85 _{However, how achievable is that considering the sui}

generis type of contracts?

Section II. Right of withdrawal

I.1. Information asymmetry and the right of withdrawal

It is difficult to define which rules are applicable to a counter-performance that replaces money.87 _{Under recital 10 of the new proposal the directive should not influence the}

application of national contract rules regarding the formation, validity and qualification of the contract, but also allow Member States to introduce rules following termination of a contract, applying simultaneously with restitutionary rules, regulated by the directive.88 _{However, this}

recital focuses on the obligations of consumers and not suppliers, which raises the question, whether the general contract rules regarding suppliers’ obligations, derived from the CRD can be applied in a data contract or not. Under recital 19 contracts for the supply of digital content are not to be regarded neither as sales contract (tangible goods) nor as service

80 DSDC, art 12; Gebhard & Voss (n 4).

81 ETNO, ‘Position on Draft Directives on certain aspects concerning contract for the online and other distance sales of goods and of digital content’ RD429 (2016/05) <https://bit.ly/2L3G3UK> accessed 10 March.

82 Narciso (n 10). 83 DSDC, art 3(9). 84 CRD (n 15). 85 ETNO (n 81).

86 CRD, art 9, possibility of withdraw without any reasons given, for 14 days after receipt of goods, conclusion of contract etc. depending on the type of service/good/content supplied. Withdrawal rights and other rules that accompany them (information duties, formal requirements, effects, exercise, obligations and exceptions. 87 Juliette Sénéchal, 'The Diversity of the Services provided by Online Platforms and the Specificity of the Counter-performance of these Services—A double Challenge for European and National Contract Law’ (2016) 5(1) JECML 39.

contracts,89 _{but as a separate category, while when digital content is supplied on a tangible}

medium is regarded as a sales contract. However, under the DSDC recital 11 and 12 such fragmentation between types of contracts is not desirable, therefore, all types of digital content ought to fall under one and the same category i.e. contracts for the supply of digital content, irrespective of the means of transmission that are used. Under the DSDC tangible mediums are means of transmission and would not provide any substance to the rules and obligations applying to the contract.90 _{This change prevents discrimination between suppliers}

and avoids complexity, but the directive still acknowledges goods where the tangible medium itself is an integral part of the digital content and vice versa. Furthermore, under recital 12 the DSDC rules apply to all digital content where the tangible medium is just the carrier of the content, but the rules under the CRD must continue to apply. It can be deducted that in light of the considerations above the rules under the two directives supplement each other and the obligations of the supplier can be derived from the CRD and the DSDC, likewise as the rights of consumers can be derived from both directives. The DSDC treats monetary and non-monetary forms of counter-performance identically91_{, therefore, general contract rules ought}

to apply to data contracts the same way as to a contract where money has been paid. Despite data contracts and premium (where money has been paid) contracts being treated the same way, theoretically, in practice the data ones might be subject to complexities, especially, when the right of withdrawal is exercised by the consumer.

It is important to assess the application of right of withdrawal through information duties until the conclusion of the contract and then establish whether the exercise of the right is feasible with the restitutionary effects of extinction. General contract rules in consumer law have the main role of balancing the information asymmetry between the parties, thus, protect the weaker party against the better informed and more experienced one.92 _{The need for}

protection is even more desired when the contract is negotiated away from business premises. Thus, to prevent the imbalance between the consumer and the supplier, the right of withdrawal was introduced in 1997 by the Distance Selling Directive and later developed by the Consumer Rights Directive, which also applies to digital content contracts.93 _{The purpose}

89 CRD, recital 19. 90 DSDC, recitals 11 & 12.

91 Stefan Grundmann & Phillip Hacker, ‘Digital Technology as a Challenge to European Contract Law – From the Existing to the Future Architecture’ (2017) ERCL.

92 Helberger (n 53).

93 Reinhard Steenot, ‘The right of withdrawal under the Consumer Rights Directive as a tool to protect consumers concluding a distance contract’ (2013) 29(2) CLSR 105.

of withdrawal rights is to protect the weaker party that consumers always are, but due to their overarching nature, they are more apt to be categorised as general contract rules and their purpose may extend to protecting any disadvantaged party at the conclusion of the contract.94

The more distant the contract is from the business premises, the more protection is needed.95

However, under article 16 (m) Member State shall not provide the right of withdrawal in regard to the supply of digital content, not supplied on a tangible medium, “if the performance has begun with the consumer’s prior express consent and his acknowledgment that he hereby loses his right of withdrawal.96 _{This means, that the consumers cannot make}

use of the right of withdrawal when they conclude contracts for the supply of digital content, but they have to be expressly informed about that situation and they have to provide their express consent prior the performance of that contracts. As discussed, the data contracts fall under the definition of contracts for supply of digital content, hence, consumers providing their data as counter-performance ought to be informed and to agree to those terms as well. So, what is considered to be an express consent by the consumer? In the case of Content services97_{, the CJEU held that a passive conduct from the consumer is sufficient, when it} comes to receiving and accepting information i.e. the consumer is not obliged to actively seek his contractual obligations and rights regarding the contract, but the supplier has to provide them in a particular way, a hyperlink will not suffice.98 _{Suppliers usually provide that}

information just before the conclusion in a separate window or as a pop-up presented directly to consumers, but still they use the tactics of overflow of information and extensive irrelevant information, thus, consumers overlook the important information, despite it being written in plain, legible and intelligible language.99_{Thus, the consumer has not properly been informed}

that he will not be able to make use of his right of withdrawal.

The lack of a right to withdrawal brings further complexity for the consumers. It amounts to how the consumer perceives the ‘free’ supply of the digital content, which reflects the discussion on the established notion of the average consumer, developed in the case of Gut Springenheide100_.101 _{Hence, the question how an average user of data-driven digital content}

94 DCFR (n 11). 95 ibid.

96 CRD, art 16(m).

97 Case C-49/11 Content Services Ltd v Bundesarbeitskammer [2012] ECLI:EU:C:2012:419. 98 ibid para 35.

99 CRD, arts 7(1) & 8(1). 100 Gut Springenheide (n 42).

101 Prof. Dr. Alex Metzger, ‘Data as Counter-Performance What Rights and Duties do Parties Have?’ (2017) 8(2) JIPITEC 1.

understands the supply of a ‘free’ content: can he honestly believe that the payment for the ‘free’ content is his personal data? Consumer’s perception is crucial in the pre-contractual process, because then is established his awareness regarding the consequences of the contract’s terms. This intensifies the information asymmetry and highlights the need for consumer protection. Nevertheless, under 16(m) CRD consumers concluding a digital content contract cannot rely later on their right of withdrawal, but that must not allow a supplier to conceal information or falsely represent that active provision of data does not have the binding force of a contract. Presenting the digital content with all the necessary information provides the legal certainty for concluding the contract i.e. the consumer being aware of the absence of withdrawal rights can undertake the necessary measures to terminate (to inform the supplier by giving notice) the contract and receive back his data. Otherwise, due to lack of knowledge regarding the rights and obligations conferred, the consumer could simply delete the digital content, thinking that he is withdrawing from the contract without knowing that the agreement has a binding effect. Then the supplier could continue to use the data of the consumer, even though the consumer has deleted the digital content. Such situations may turn out to be an incentive for suppliers to exaggerate the ‘freemium’102 _{character of the digital}

content and receive access to consumers’ data for an indefinite period and abuse their position as suppliers. For consumers the very substance of having withdrawal rights and being able to use them is crucial regarding the information that they will receive and the way they will perceive the data contract. By having the right of withdrawal, the information asymmetry would be decreased or even overcome. By supplementing the data contracts with the information regarding their right to withdraw will not only recognise their position on the digital market but will also contribute to the development of the notion of the average user of data-driven digital content that would aid the establishment of a legal framework fit for the digital era, especially in the situation where the right of withdrawal in digital content contracts shall not be provided by the Member States under the CRD.

I.2. Restitutionary effects following right of withdrawal

The issue is how the application of withdrawal rights will occur in practice. Generally, restitutionary effects following withdrawal from a contract are not explicitly mentioned under the CRD, nor under the DSDC, but their effect consists of both parties returning any benefit

102 Free to download digital content, but to use certain features the consumer has to pay (micro transactions).; the definition can encompass data contracts.

received in the course of performing their obligations under the contract. Under the DSDC the restitution is triggered upon termination of a data contract benefits are not reciprocally returned, but are deleted, the consumer deletes the digital content and the supplier - the provided data, respectively.103 _{The supplier has to provide means for the consumer to retrieve}

all of his data back, refrain from using that data and any data generated and uploaded throughout the duration of the contract.104 _{The requirement of no further use could be}

accepted as the equivalent of refunding the money.105 _{Accordingly, restitution of actively}

provided data following the exercise of withdrawal rights could be possible under the DSDC for data contracts, i.e. the digital content is deleted by the consumer or sent back to the supplier and the data is deleted by the supplier or sent back to the consumer. However, what if the consumer is not aware of the lack of his withdrawal rights and simply deletes the digital content without giving notice to the supplier?

Another way for consumers to withdraw from the contract and demand that the provided data is not used, can be found under Article 7(3) GDPR; the user can withdraw his consent for the processing of his data, the withdrawal ought to be as easy as giving consent and the user still has to be informed about his rights prior to giving consent.106 _{The question, however, is}

whether data protection law can be applied to data used as counter-performance, because of its remuneration character. This may cause a separation between types of data, the one gathered through use and the one of remunerating character. Having one type of data subject to the GDPR and one that is being treated equal as to monetary remuneration would deem to be complex and uncertain. Under data protection law all data is inherent to people’s human rights, hence treating actively provided data as a commodity, having monetary value would be conflicting human rights107_{. Treating such data as a separate element of the digital}

environment would legitimize a practice that disregards the special nature of data and undermine the balance struck by the GDPR and the purpose of the DSDC.108 _Therefore,

restitution in the case of withdrawal from a data contract is not possible, but also undesirable, which prevents the data protection law of supplementing the interpretation of the DSDC by

103 DSDC, art 13(2)(b), (d). 104 DSDC, recitals 39 & 40. 105 Helberger (n 53). 106 GDPR, art 7(3). 107 Helberger (n 53).

108 EDPS Opinion 4/2017 on the Proposal for a Direcrive on certain aspects concering contracts for the supply of digital content <https://bit.ly/2pBrdLR> accessed 24 May 2018.

providing the consumer with the necessary tool box109 _{to challenge the disclosure and}

processing of excessive amounts of data, detrimental to him and contrary to good faith, hence, ensuring high level of consumer protection within the digital environment at an EU level.110

Section III. Termination of data contract and restitution

The DSDC contains extensive and detailed rules regarding termination for non-conformity. Its primary focus is on harmonising rules on obligations and remedies in contractual relationships for the supply of digital content.111 _{Article 13}112 _{explains in detail the}

consequences following termination for lack of conformity; the consumer should refrain from using the digital content and the supplier has to return any counter-performance received or refrain from further using the data, if the counter-performance has been actively provided data.113 _{Article 16 contains the consequences of terminating long-term contracts; the}

consumer has to give a notice 14 days prior before terminating the contract; if the contract is for an indefinite period or period exceeding 12 months, the consumer can terminate the contract any time after the expiration of the first 12 months.114 _{Termination rules are broad}

and encompass all contracts for the supply of digital content, they do not consider the different character and features of data contracts, which themselves are different categories e.g. social networks, websites, online stores, smart phone apps, video games, streaming services. It is difficult to define, whether the termination rules under the DSDC are easily applicable to all these types, especially when it comes to restitution claims.

The consumer is entitled to terminate the contract immediately according to Article 11 (failure to supply)115 _{and Article 13 and under Article 12(3)}116 _{be able to terminate the}

contract for lack conformity.117 _{The provisions regarding remedies for lack of conformity do}

109 Philipp Hacker, ‘Personal Data, Exploitative Contracts, and Algorithmic Fairness: Autonomous Vehicles Meet the Internet of Things’ (2017) 7 IDPL 266.

110 Helberger (n 53).

111 ‘Digitaleurope’s comments on the proposed Directive on contract rules for the supply of digital content’ (2016) <https://bit.ly/2sfw7Qq> accessed 14 February 2018.

112 DSDC, art 13. 113 Memorandum (n 23).

114 DSDC, art 16(1) & (2) & Memorandum (n 23). 115 DSDC, art 11.

116 DSDC, art 12(3). 117 Metzger (n 101).

not specify what happens in the case of a data contract. It is simply stated that the supplier must refrain from further use of the data provided as counter-performance.118 _Nonetheless,

under recitals 36 and 37 the consumer should be able to terminate only after bringing the contract to conformity is impossible, which given the diversity of digital content is expressed in issuing updates or sending new copy that equals efforts of bringing the contract in conformity.119 _{However, the lack of clarity regarding the scope of the rules may turn out to be}

disproportionate for consumers, because they do not reflect properly their expectations regarding the digital content, nor the industry.120 _{Data contracts would usually be concluded}

for a particular digital content that is subject to long and constant use by the consumer i.e. considering the economic and digital reality data contracts would be concluded for content that is to be used for an indefinite period by the consumer. For example, when the user downloads an application or signs up for a website it is not a one-time transaction, because the applications and the websites are subject to continued use and require internet connection not only to collect the data provided or to refresh and improve the experience, but also to fulfil their purpose, namely the user to be able to generate content. Online games are a good example. The user constantly generates data through his actions, and internet connection is required to access, use, delete or improve the generated data. Such digital content is based on the profile model, where users create a profile and overtime amend it the way they like. These are not one-off contracts and supposedly will not be treated as such. If they were it might increase the risk for fraud and potential abuse by consumers, providing false data or misusing someone else’s data to gain one-time access to the content, without the need of personalisation.121

While the long-term contracts’ refreshing, uploading, creating and generating of data decreases that risk, there needs to be clarification regarding where to draw the line between the one-time and long-term contracts. Thus, data contracts would fit better under the definition of long-term contracts and the rules on termination that apply to them under Article 16. These are not one-off contracts and supposedly will not be treated as such. They can be terminated only after the first 12 months have passed, which may contradict with consumers’ expectations: they would believe that deactivating their profile or deleting the application would be sufficient to terminate the contract. The supplier has to inform consumers about these terms, otherwise the conditions of the contract would strongly favour the supplier, giving him the possibility to use as much data as he wants during the initial 12 months,

118 DSDC, art 13.

119 DSDC, recitals 36 & 37. 120 Digitaleurope’s (n 111). 121 FEDIL (n 34).

without the consumer being aware. This amplifies the need for withdrawal rights, consumers to be able to withdraw during the initial 14 days of concluding the contract and for clearer rules. However, under the DSDC, if a user terminates a long-term contract, how can he be ensured that all generated and provided data is not misused by the supplier?

The directive does not expressly provide restitution rules for data contracts, nor does it provide the possibility for a claim for restitution on the generated profits and contents based on the consumer’s data before the termination of the contract. It seems unlikely that courts would go outside the scope of the directive for such claims, due to the specific nature of the contracts and personal data.122 _{The rule of restitution following termination is found under}

Article 13(2)(c) & (d) of the DSDC and its enforcement is reciprocal, namely, a consumer would give back or deletes what is delivered by the supplier as he returns the payment to the consumer.123 _{However, after 12 months of using the digital content, more data has been}

generated and also a lot is deleted, but the supplier the supplier has the obligation to return all data that has been generated through the consumer’s use.124 _{This data could be defined as any}

content that could be traced back to the consumer and as being the returnable subject matter.125 _{In other words, consumers generate similar data, but the data that contains}

information regarding a particular consumer should be returned back to him, despite the initially provided data being modified or deleted. The subject matter is the data identifying the consumer and the things attached to the subject matter are the generated digital content. Hence, that content ought to be returned. However, the data generated is inherent to the digital content and outside the context of the digital content it would be useless or even non-identifiable vis-à-vis the user. If all ‘things’ connected to the user are deleted and returned, then reviews in online shops and websites have to be deleted,126 _{which are for the benefit of}

potential and future consumers. Evidently, the restitution of such data would not be adequate, but also detrimental to both consumers and suppliers, because suppliers rely heavily on reviews to attract new consumers. It can be suggested that the supplier can return the value of the data that has become integral of his digital content, but as discussed in the previous section II, that may lead to complexity in the regulation of the digital environment and bears the potential risks of putting a price tag on personal data.

122 Metzger (n 101).

123 DSDC, art 13(2)(c) & (d). 124 ibid.

125 DCFR, 912-917.

126 Anja Hoffman & Bert Van Roosebeke, ‘Contract law for the supply of digital content’ (Policy Brief, 2016) 22.

Section IV. Conclusion

To conclude, the application of general contract rules to data contracts is not very clear, as well as the new rules regarding termination of contract and the enforcement of withdrawal rights would create difficulties, particularly with the enforcement restitutionary effects of extinction. It is still uncertain how the rules will play out in practice, since their application may create friction with data protection law, but also turn out to be detrimental to suppliers. However, without withdrawal rights consumers are put in a disadvantageous position, especially in long-term contracts, which would be most of the data contracts. Withdrawal period would balance the bargaining powers in a data contract, where termination is possible after the initial 12 months. Hence, consumers will be allowed to test and check the credibility and functionality of the digital content before making the choice of actively providing their data to be processed by the supplier for an indefinite period in combination with any other data generated throughout the use of the digital content.

Chapter 3. Unjustified enrichment

This chapter is divided in 3 sections, which follow the model of a comparative functional method, in order to establish whether the enforcement of restitutionary effects of extinction is feasible considering the risk of unjustified enrichment. The chapter explores whether a consumer being party to a data contract may have a claim for unjust enrichment following the enforcement of restitutionary effects of extinction after the data contract has been terminated. This aims to show that there are still gaps under the DSDC regarding data contracts and that legal certainty is necessary to provide for the attainment of high level consumer protection under the EU consumer acquis. It may prove that the unfeasibility of a proper enforcement of restitutionary effects against a supplier creates a gap in the consumer acquis and ultimately decreases the level of consumer protection across the EU.

Section I. Unjustified enrichment under the DCFR and English law

I.2. DCFR

Generally, unjust enrichment is part of the law of restitution and it is defined as; a person obtaining unjustified enrichment, attributable to another’s disadvantage, is obliged to that the other to reverse the enrichment.127 _{Unjustified enrichment may occur also in a contractual}

situation where one party has exploited a right of the other party or used in such a way to gain enrichment that was not negotiated and the disadvantaged party has not consented to it.128

Enrichment within the meaning of the DCFR is described as a person gaining an increase in assets and a decrease in liabilities or using another’s assets, while disadvantage - when a person suffers decrease in assets or increase in liabilities or another person makes use of

127 DCFR, VII.1:101.

his/her assets.129 _{The enrichment is attributable to a person’s disadvantage particularly where}

the enriched person uses the other’s assets and/or infringed the other person’s rights or legally protected interests and the assets of the enriched person improved thereof130 _{e.g. f a seller}

uses assets belonging to the consumer, in order to generate profit and the consumer has not consented to that use, then unjustified enrichment has occurred. Moreover, if a personal right is infringed for generating profit, the enrichment would not be justified either, meaning a right such as intangible property rights, but also could be extended to personal data. Under the GDPR, processing and use of personal data has to be in line with Article 8 of the European Charter131_{. It has to be processed fairly and for each action of processing one’s}

personal data has to be granted consent by the owner of that data. Hence, even without the protection granted to consumers in data contracts, unjustified enrichment may occur on a basis of infringing the personal right under Article 8, because a consumer’s personal data is something integral of being a member of society and somebody exploiting that data would be disadvantageous to him, but it will enrich the exploiter of that data by increasing his assets. Personal data is created not only by the user, but also by the data controller. Having a right over the data would create friction and over-simplify the situation, as well as create a risk of data being treated as a property.132 _{Recently, Facebook allowed Cambridge Analytica to}

harvest and use users’ data for pre-election campaigns without the consent of the consumers. The enrichment was the payment made to Cambridge Analytica by the candidates to further their political agendas by reaching and targeting users through their personal data. The enrichment was attributable to the company because the use of the data infringed the users’ rights and legally protected interests without their consent, which constitutes an enrichment under the DCFR133_.

As discussed, users have a legitimate interest that the controller would not exploit their data, which would generate fruits of the enrichment within the meaning of VII.-5:104134 _{i.e. the}

enrichment generated from the legal relationship between the parties is not necessarily monetary. In data contracts this refers to more data being generated, thus, aiding the commercial practice of suppliers. The use of which without consent is unjust and the profit is

129 DCFR, VII.-3:101(1(a) & 1(c)); VII.-3:102(1(a) & 1(c)). 130 DCFR, VII.-4:101 (c) & (d)).

131 European Union, Charter of Fundamental Rights of the European Union [2012] 2012/C 326/02, art 8. 132 Bart Shermer, ‘Do you really own your personal data?’ (Leiden Law Blog, 2015) <https://bit.ly/1s7y93n> accessed 11 May 2018.

133 DCFR (n 130). 134 DCFR, VII.5:104.