Fairness and Control In Data-Driven Marketing - UiO - DUO
-
Upload
khangminh22 -
Category
Documents
-
view
1 -
download
0
Transcript of Fairness and Control In Data-Driven Marketing - UiO - DUO
Fairness and Control
In Data-Driven Marketing
On the notion of control in data protection and the implications when digital
standardised contractual terms, containing provisions on personal data processing
for marketing purposes, are seen as unfair under interplaying legal instruments
Candidate number: 7009
Submission deadline: 16.05.2019
Number of words: 15,102
1
Table of Contents
1 Introduction ........................................................................................................................ 1
2 The Interplay of Rules Applicable to M3DM Processing Activities .............................. 4
2.1 The General Restriction of M3DM Processing Activities ................................................... 4
2.1.1 Preliminary Remarks ................................................................................................. 4
2.1.2 Scope of Data Protection: Relevant Observations on the Notion of ‘Personal Data’
............................................................................................................................ 5
2.1.3 Legal Requirements of M3DM Processing Activity................................................... 7
2.2 The Notion of Control in the EU Framework ...................................................................... 8
2.2.1 The European Rhetorical Entanglement of the Meaning of Control....................... 10
2.2.2 The Placement of Structural Measures: Reasons and Consiquenses ...................... 14
2.2.3 Final Remarks.......................................................................................................... 16
2.3 Concluding Remarks .......................................................................................................... 17
3 Consent and Contracts: Similarly Shared Elements of Agreement ............................ 18
3.1 Establishment of Similarity Structure Demonstrating Simplicity of Issues....................... 18
3.1.1 Information Requirements ....................................................................................... 20
3.2 Application of the Legal Interactivity to ‘The Ride of My Life’ ....................................... 21
3.2.1 Valid Consent and Contract: Capacities of Offer and Acceptance ......................... 21
3.2.2 Consent Must be Given with Affirmative Action...................................................... 22
3.2.3 Provisions Stipulating Processing Activity must Form Part of the Valid Contract 23
3.3 Information Requirments: The Outlook of the Layered Notice Praxis .............................. 25
3.3.1 Consent and Contract: Different types of Notices and Requirements ..................... 25
4 What M3DM Processing Activities Can Be Justified Based on Valid Consent.......... 26
4.1 Can Adhoc Privacy Notices be Freely Given?................................................................... 26
4.2 Encapsulating Consent as an Imperative Barrier of Potential Misuses.............................. 27
4.3 Finding Balance between Exploitation and Protection of Personal Data........................... 28
4.3.1 Why Buy ‘Google Assistant’ in a ‘Data Driven Market’?....................................... 28
5 The ‘Transparent’ Potential of Data Subjects Empowerment .................................... 29
5.1 Preliminary Remarks.......................................................................................................... 29
5.2 Forms of Productive and Transparent Practices................................................................. 29
5.3 Use of Data as Unfair Commercial Practice ...................................................................... 30
2
6 Conclusion......................................................................................................................... 32
7 Table of reference............................................................................................................. 33
7.1 A. Books and journal articles ............................................................................................. 33
7.2 B. Report and other documents .......................................................................................... 36
7.2.1 Independent EU Data Protection and Privacy Advisory Bodies............................. 36
7.2.2 European Commission............................................................................................. 38
8 Table of abbreviations ..................................................................................................... 43
9 Table of legal instruments ............................................................................................... 45
10 Table of cases .................................................................................................................... 46
1
1 Introduction Digital technologies are rapidly reshaping the world, bringing great benefits as well as many
challenges. Despite rigours efforts on behalf of the EU to establish a growing digital single
market (DSM), the inability of the law to evolve at a similar phase has left users of digital
services and content, in a situation that allows for harmful exploitation and undermines the
general will of the society.1
Society, stakeholders, and users (hereafter subjects or data subjects) all greatly benefit
from the continuous development of the digital environment.2 The rise of the ‘Internet of
Things’ (IoT) and the pursuing dramatic increase in data collection and sharing (‘Big Data’)
has offered companies like Google, Amazon, and Facebook the ability to bring about new
products and services as well as to configure old ones in a way that is better suited to the
needs their consumers'. Ultimately, individuals’ everyday lives are greatly improved through
better and less expensive, or, more often, even free, products and services, in all sectors of
society.3
In particular, this is made possible by cookies and everyday smart devices, embedded with
sensors, and designed to continuously collect, process, and transfer data.4 Tracking subjects
behaviour and interests, online or offline, essentially creating a 'profile'5 that links to subjects
account or IP address, enabled above-mentioned companies,6 to offer their services for free,
i.e. by operating ad-networks, where ads are defined and displayed according to subjects pro-
files, using predictive or behavioural analytics concluded by these ad-network or affiliate ad-
server. Additionally, this allows them to better predict how subjects could be influenced.7
The increasing capabilities of digital technologies to process data, e.g. by methods of ad-
vanced analytics, machine and, deep learning, have allowed both private and public entities to
make use of personal data on an unprecedented scale in order to pursue their activities.8 In
1 Jacquemin, Digital content and sales or service contracts, 27. 2 Ibid. 2-3. Commission, IoT: Action Plan, 3. Ezrachi and Stucke, Written evidence (OPL0043), [2.1.]. 3 Bentzen, et al., 2018:11. 4 WP29, Opinion on IoT Development, 6-7. Using http://www.youronlinechoices.com/nor/dine-valg you can see the magnitude of OSP’s presently tracking you and providing you with interest-based advertising. 5 Qv. GDPR, rec. 30. 6 “Google operates the ‘Google Display Network’ (comprising partner websites and some Google [properties, e.g.] YouTube), DoubleClick online ad serving [products, ...] ‘DoubleClick’, ‘Ad Exchange’ and ‘Invite Media’. These provide advertisers with the tools needed to analyse the market and deliver specialised ads with greater ease and efficiency”. Qv. http://www.google.co.uk/intl/en/policies/privacy. 7 Ezrachi and Stucke, Written evidence (OPL0043), [2.1.-2.5.]. Re. Commission, DSM Strategy for EU, 63-64. Qv. “[The] core themes of the strategic implications of Big Data.”, cf. Ibid. [2.3.-2.9.]. 8 Ibid. [2.2.].
2
return personal data has become a central asset to companies' and the digital society.9 Such
activities often include collection and use of personal data for concerning purposes, such as to
gain undue advantage over competitors, not only by predicting trends and behaviours but
sometimes by manipulating their services or products to erase any trace of competition, q.v.
Googles search result violation in 2017.10
‘Data’, as information, has always played a central role in any market economy. As the
essential input for its performance, the flow of information has stimulated innovation and the
economy as well as enabled consumer’s choice.11 However, more recent cases have had
greater impacts on data subject’s ability to act based on relevant and accurate information.
Moreover, they often question the general fairness of these new practices in an environment
where companies gain access to massive amount of personal data often without the know-
ledge of subjects, and consequently sell it to marketers or use it in pursuit of influencing pub-
lic opinion through a verity of media,12 q.v. Facebook - Cambridge Analytica scandal in
2018.13 Unsurprisingly, these recent developments have increased privacy concerns and
brought new challenges for data protection,14 as subjects are not fully informed about its col-
lection, processing, and subsequent use and lack the capacity to control the access others have
to their data.15 Resulting in the deterioration of the data subject’s trust.16
Providing data subject’s with a sufficient level of control is a paramount concern because
putting subject’s in control of their data, achieving empowerment and effective protection of
there privacy, improves their level of trust which plays an important role in the uptake of new
9 Reding, “The EU data protection reform 2012”, 2. Commission, Completing a trusted DSM, 2. EESC, Opinion 345/2017 on the ePR, [3.3]. 10 Case AT.39740 Google Search (Shopping). 11 Ezrachi and Stucke, Written evidence (OPL0043), [2.1.-2.2.]. 12 Commission, Completing a trusted DSM, 3. 13 One’s users consented to personality quiz-app apps ToU, an app freely available on Facebooks platform, it collected psychographic data about users for academic purposes, as indicated in the ToU. However, Facebooks design enabled the app to additionally collect data from all Facebook friend of a user, without their consent. Consequently, although under 300,000 agreed, data was collected from approx. 72 million users. The data was then sold to Cambridge Analytica to use for political and commercial purposes. It was, i.a. allegedly used to influence Brexit voters as well as to advance US presidential candidates such as Donald Trump, cf. Farivar, “lawsuits filed by angry Facebook users”, https://arstechnica.com/tech-policy/2018/03.html and subsequent cases Case no. 01725, N.D. Cal. 3:18, Case no 01732, N.D. Case Cal. D. Del. 5:18, CA. Facebook - Cambridge Analytica scandal had similar facts as Specht v. Netscape. 14 It is why EU data protection agencies are turning their focus to social media platform giants such as Facebook, stating that saying “sorry is not enough” when a multibillion-dollar platform uses personal data unlawfully, cf. Andrea Jelinek, former chairman of the WP29. 15 Hansen et al., Privacy and identity management, 316-317. Privacy definition provided by Culnan is used, Culnan, M.J.: How did they get my name? an exploratory investigation of consumer attitudes toward secondary information use. MIS Q. 17(September), 341–364 (1993). 16 GDPR, rec. 7-8.
3
technology.17 Rebuilding data subject’s lack of trust is therefore essential to maintain digital
development and the growth of the digital economy. Nevertheless, overregulation can often
cause significant harm. Thus, neglecting to maintain the balance of interests between society,
controllers and data subjects would be counterproductive to abovementioned aims.18
Recent reform sets out to achieve this balance, allowing greater control while striking a
balance between the free flow of data and the data subjects rights to the protection of their
personal data.19 Importantly the new General Data Protection Regulation 2016/679/EU
(GDPR) strengthens and extends the scope EU’s data protection requirements. It includes the
principle of consent, as one of the lawful basis for collecting and processing personal data
which collector obtain e.g. through subj ects use of digital products and service (digital ser-
vices hereafter refers to digital products).20 The lack of transparency that has surrounded
those circumstances has recently been made painfully clear with the influx of cookie consent
requests of all types following the implementation of the GDPR. Notably, social media giants
such as Facebook and Google have now taken steps to increase transparency, respect the rules
of democratic debate, and overall, to portray themselves as placing privacy and data protec-
tion, in the forefront, taking up data protection measures and requesting consent.21
It remains to be seen whether marketers actually apply the requirements of consent and
transparency in accordance with the current reform and in a way that offers data subjects en-
ough control over their personal data, to reinstate their trust in digital services, while still
maintaining balance, thus sustaining the development of the digital single market (DSM).22
More importantly it most first be asked to what extend data driven marketing falls under the
GDPR. Thereafter what is actually meant by the ‘notion of control’ and how principles of
fairness not just within the GDPR but in interplaying rules help achieve subject control.
17 Studies [31] have shown that [31]. See the European research project SWAMI: www.isi.fraunhofer.de/t/projekte/e-fri-swami.htm. 18 Qv. “given [the rapid development of digital technologies and] the importance of creating the trust that will allow the digital economy to develop [the GDPR calls for data subjects to] have control of their own personal data”, cf. GDPR, rec. 6-7. Or as the commission puts it “Creating the right framework conditions and the right environment is essential to retain, grow and foster the emergence of new online platforms [...]”, cf. Commission, Online platforms: Opportunities and Challenges, 3. Q.v. EU Committee. OP & DSM (HL Paper 129), 67 [255], regarding concerns on implementing GDPR, re. Yahoo (OPL0042) and ITIF (OPL0076) by ensuring individuals right to privacy are put in action while still sustaining development of the online environment and economy. 19 GDPR, art. 1-3, rec. 1-13. 20 EU Committee, OP & DSM (HL Paper 129), 57-59 [217-221, 223]. 21 Adapting to new digital reality {Citation}es, 4-5. Study on consent notification measures. 22 Another key aspect of building trust is the capability to adjust the functioning and properties of technological systems to individual preferences (within safe boundaries). <ref: Commission, IoT: Action plan, 6*-7.>
4
2 The Interplay of Rules Applicable to M3DM Processing Activities 2.1 The General Restriction of M3DM Processing Activities
2.1.1 Preliminary Remarks
The rise of the ‘Internet of Things’ (IoT) and the pursuing dramatic increase in constant data
generation and flow,23 combined with 'big data' analytics (BDA), has massively (continually
to greater extent) equipped entities (like Google, Amazon, and Facebook) with capabilities to
‘obtain’ personal data, e.g. by use of cookies and everyday smart devices, embedded with
sensors, and designed to continuously collect, process, and transfer data.24 Tracking subjects
behaviour and interests, online or offline, essentially creating a 'profile'25 that links to subjects
account or IP address, in a way that enables exploitation (i.e. ‘utilisation’), i.e. predict and
infer subject’s interests and behaviour for, and consequently ‘benefiting’ from, more effective
marketing.26 Data driven marketing27 allows offering digital services for free, to bring about
new digital products and services (hereafter jointly referenced as digital services), to config-
ure old ones in a way that is better suited to the needs their consumers (hereafter respectively,
development- and optimisation through personalisation (DtP and OtP)) as well as to find new
potential customers and to reach them, (hereafter ...) as ads are defined and displayed accord-
ing to subjects profiles, using predictive or behavioural analytics concluded by ad-network or
affiliate ad-server.28
Rules of data protection are relevant as data processing forms the basis of data driven
marketing practices.29 Generally, such processing is prohibited if the data processed is con-
sidered ‘personal’, i.e. the original raw data, metadata collected by cookies,30 extracted, ag-
23 24 It goeas without saying that these are not the sole factorce, for example the commission noted reasently that the use of mobile data has grown 12 fold as result of roaming charges since June 2017, cf. Commission, “EU in May 2019: Top 20 Achivements”, 5. 25 WP29, Opinion on IoT Development, 6-7. Using http://www.youronlinechoices.com/nor/dine-valg you can see the magnitude of OSP’s presently tracking you and providing you with interest-based advertising. 26 Ezrachi and Stucke, Written evidence (OPL0043), Ibid. [2.2.]. WP29, Opinion on IoT Development, 10-11. Such as the application of censor fusion, fingerprinting, or cross matching. Qv. GDPR, rec. 30. 27 “Google operates the ‘Google Display Network’ (comprising partner websites and some Google [properties, e.g.] YouTube), DoubleClick online ad serving [products, ...] ‘DoubleClick’, ‘Ad Exchange’ and ‘Invite Media’. These provide advertisers with the tools needed to analyse the market and deliver specialised ads with greater ease and efficiency”. Qv. http://www.google.co.uk/intl/en/policies/privacy. 28 Ezrachi and Stucke, Written evidence (OPL0043), [2.1.-2.5.]. Re. Commission, DSM Strategy for EU, 63-64. Qv. “[The] core themes of the strategic implications of Big Data.”, cf. Ibid. [2.3.-2.9.]. 29 The definitions of ‘data subject’, i.e. any natural persons who can be directly or indirectly identified by the controller or a third party using reasonably likely means, and ‘personal data’, i.e. any information data relating to a data subject that can be linked to said individual, are key for determining the scope of the GDPR, cf. art. 4(1). 30 as the commission has concluded in September 2010 where the commission has decided to refer the UK to
5
gregated or inferred information so far as it relates to an identified or is reasonably likely,
without disproportionate effort, to be matched to an (i.e. identifiable) individual,31 unless both
lawful and fair.32
2.1.2 Scope of Data Protection: Relevant Observations on the Notion of ‘Personal Data’
In accordance to the above, under the GDPR it remains a prerequisite for the data to be ‘per-
sonal’ in order for subjects to enjoy their rights of protection, i.e. control is only provided in
situations where the data is personal.
The majority of data used to build profiles on and market to data subjects (e.g. raw data) is
however, not ‘personal’ data strictly speaking (i.e. they are just codes and digits by them
selves). Nevertheless, flexibility is presumably embedded into the concept of 'personal data' to
provide an appropriate response to the circumstances at stake.33 A high degree of flexibility is
generally given in regards to the above mentioned raw data when collected in relation to IoT
devices, Big Data and cloud computing, do to there pervasive nature and vast amount of data
processed which might be combined with other ‘unique identifiers’ and other information
received by the servers to create profiles of natural persons.34 They thus generally fall under
the GDPR. However, as they data driven marketing generally neither produces legal effects
nor a comparable risk potential (e.g. decision on whether to give subjects car insurance based
on there score) the profiling does generally constitute processing falling under the prohibition
under Article 22(1) of the GDPR.35
Furthermore, data used for data driven marketing that might be considered personal data
at one stage (falling under GDPR) can be rendered anonymous, i.e. incapable of being identi-
fiable, at different stages of the processing activity or thereafter processing activity of others,
EU's Court of Justice (ECJ) for not implementing rules on confidentiality of e-communications such as e-mail or internet browsing, cf. Article 5(1) of the ePrivacy Directive 2002/58/EC (ePD) and Article 2(h) of the Data Protection Directive 95/46/EC (DPD). Said rules requires Member States to ensure confidentiality of the communications and related traffic data by prohibiting unlawful interception and surveillance unless the users concerned have consented is obtained. Member States are also required to establish appropriate sanctions in case of infringements and such supervision be carried out by an independent authority must be charged with supervising cf. (IP/09/1626) (IP/09/570) (IP/12/60). DPD, art. 24, 28. Qv. Definition of personal data see GDPR, rec. 26 and +++ art. 4(1). art. 4(12) of the GDPR. 31 Cf. Breyer which held that dynamic IP addresses may be PD under art. 2(a) of the DPD so far as they are reasonably likely to be matched to an individual. The corresponding definition is taken up in art. 4(1) of the GDPR, cf. rec. 26 (sentence 1 and 3), (re. “GDPR”, 2) and recent case Nowak where CJEU has ruled that a candidate’s exam script is ‘personal data’, as it constitutes information that ‘relates’ to him. Qv. WP 29 Opinion 4/2007 on the concept of personal data, WP 136, 21. [Recital 26.]. 32 GDPR, art. 5(1)(a). 33 WP29, Opinion on Personal Data, 4. 34 Lazaro, Christophe and Le Métayer, Control over Personal Data, 18-20. GDPR 235 35 GDPR 1832-183.
6
thereby falling again outside the scope of data protection law.36 Nevertheless, statements of
data driven marketing entities like Pornhub.com that inaccurately assume that personal data
does not include anonymized or pseudonymized data,37 are domed to be not wholly correct.
The half truth exists as pseudonymization does not render data incapable of being used to
identify subjects, i.e. personal data, but rather that the personal data which is object of
pseudonymization, is aggregated in manner where it solely cant be attributed to specific sub-
jects without use of additional information belonging to the personal data which was the ob-
ject of the pseudonymization. This will be explained below with reference to ECJ
Wirtschaftsakademie.
ECJ Wirtschaftsakademie, dealt with the issue of whether a Facebook fan page administrator (FB-FP adm.), such as Wirtschaftsakademie (WA), was, in accordance with the DPD, a con-troller jointly responsible with FB, a social media networks, for the processing of personal data collected by FB via cookies placed on visitors devices, for statistical purposes (providing WA with ‘Facebook insight’ function), without first being informed. The court found that such was the case because WA as adm. took part in the determination of the purposes and means of the processing, by opening the FB-FP and agreeing to predetermined terms of processing, WA made it possible for FB to collect data of the visitors, and was involved with defining param-eters depending, in particular, on its target audience and the objectives of managing and pro-moting its activities, which ‘influenced’ the purposes and means of the processing.
The statistical information provided to FB-FP adm., i.e. demographical percentage of likes
and visits, is the aggregated form of personal data collected and processed by FB, i.e. infor-
mation which subject accessed and liked what on the FB-FP. It is presumed anonymous as the
statistics are presented in a manner whereby the adm. cannot know which particular subjects,
nor in what way they, belong to given statistics. If and when, the adm. collects received in-
formation and further processes it would fall outside the scope of data protection instruments
as long as the original information collected was endurably anymous.38 Where as it would fall
inside the scope when the data object of collection and subsequent processing has undergone
pseudonymisation, although the risk to identification would be reduced significantly in said
case.
Comparatively, it can be argued that the aggregated data an adm. is supplied with in the
36 “Key Aspects Expleined: GDPR Proposal”, 2. 37 According to Article 4(5) of the GDPR, ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person; 38 “Key Aspects Expleined: GDPR Proposal”, 2.
7
Facebook insight function is neither the object of anomysastion or pseudonymised. Concern-
ing the latter, the data (i.e. the key), which the statistics are based on, are (at least facebook
likes but not who accessed the FB - FP) accessible to the FB-FN adm.
However, the notion of anonymous data should be interpreted narrowly, and with con-
sideration to the fact that the ability of receivers to link data together and re-identifying sub-
ject is, now more then ever easily possible, e.g. due to the rise of sophisticated re-
identification tactics.39 This is especially true concerning location data do to the extensive re-
identification capabilities of data driven marketing entities. For example, the criteria of per-
sonal data is meet where, e.g. the FB-FP adm. has copied down the ‘Facebook insights’ stat-
istics, e.g. the number of likes of mid day posts, for further processing of some self deter-
mined purpose, e.g. knowing frequency of midday activity across services, and thereafter
examines the midday posts themselves on his FB FP, to identify who the individuals are that
are liking midday posts.
This is especially the case when collecting metadata as it is generally not encrypted, and
the vast majority is likely to remain so. This is data that needs to stay unencrypted in order for
the systems to operate: location data from cell phones and other devices, telephone calling
records, header information in e-mail, and so on. This information provides an enormous
amount of surveillance data that was unavailable before these systems became widespread.40
This situation specifically, where this raw data is collected by and, or, through digital de-
vices or services, also triggers particular rules of the ePD, i.e. art. 5(3) and 13 …REC 30
GDPR EDPB opinion on interplay 11-12.
2.1.3 Legal Requirements of M3DM Processing Activity
In accordance with the above, for the data driven marketing processing activity to be lawful it
must both not be prohibited by law in combination with having legitimate purposes for, and
which limits the, collection and processing and legitimate basis, i.e. either [1] subjects valid
consents (this is likely the only legitimate basis where ePD applies, notably prior to the
placement of cookies necessary for behavioural advertising, STH SPECIAL CHATO-
GORYcf. next chapter)41 are obtained by controllers,42 i.e. the entities involved in the M3DM,
that, alone or jointly with others, determine why and how data will be processed, i.e. who
39 “Key Aspects Expleined: GDPR Proposal”, 2. 40 (going dark, 5) 41 EDPB, guidelines on GDPR art. 6(1)(b), 13 [52]. AD REFERENCED MATERIAL THEREIN. 42 Reding, “The EU Data Protection Reform 2012”, 2
8
have the ‘factual influence’,43 or [2] they have other legal permissions, e.g. prevailing legiti-
mate interests (see chapter thereafter) or contractual necessity (this is generally not a suitable
legal ground for behavioural advertising and associated tracking profiling,44 but might be rel-
evant, in some cases, for personalisation of content,45 cf. chapter next).46
Building on the above and will serve as the structure of analysis, unless consent is specifi-
cally required, if there does not exist a contract that is considered valid (as determined by, e.g.
e-commerce, contract law, etc. where applicable), and that the processing activity is either
necessary either for the performance of a contract or in order to take pre-contractual steps at
the request of a subject (7 [22]), they need to seek justification, in accordance with the princi-
ples of purpose limitation, in another appropriate legal basis,47 e.g. consent or prevailing le-
gitimate interest.
Whether a processing is seen as ‘unfair’ can be used when considering the need for-, and
ability of control in that particular situation, will central to deciding whether legitimate inter-
est can be deemed more appropriate, whether they can prevail over the rights of data subjects.
Yet what is considered fair is by itself difficult to define in abstract and will be discussed. It
first needs to be established what is meant by control.
2.2 The Notion of Control in the EU Framework
What do major companies like Microsoft actually mean when they express a will to “[...] pre-
43 WP29, Opinion: “controller" and "processor", 10. The GDPR, 14, 17. GDPR, art. 4(7). 44 EDPB, guidelines on GDPR art. 6(1)(b), 13. 45 EDPB, guidelines on GDPR art. 6(1)(b), 13, 14. 46 The GDPR similar to its predesseor the DPD, provided six grounds for processing being lawful. Cf. GDPR, art. 6 (1)(a-f). NB. (d-e) only concern public authorities, therefore, as NRAs are likely not in the buisness of marketing, at least not on the scale of private entaties, they are exempt from this paper. (b) concerns processing for contractual neccessesity, this ground is irrelavant as this scope is limited to cases and data used to conclude a contract, e.g. such as shoping chart cookies, and not e.g. collection of data about buying behaviour because of a obligation stemming from a contract. Lastly, (c) deals with processing necessary for compliance with legal obligations, this ground is deemed irrelevant as it would appear exceptional if processing for marketing purposes would be necessary to comply with legal obligations, cf. Moerel and Prins, “homo digitalis - proposal: BD and IoT”,3. In principle, after the user has uninstalled the app, the app developer does not have a legal ground to continue processing of the personal data relating to that user, and therefore has to delete all data. An app developer that wishes to keep certain data, for example in order to facilitate reinstallation of the app, has to separately ask for consent in the uninstall process, asking the user to agree to a defined extra retention period. The only exception to this rule is the possible existence of legal obligations to retain some data for specific purposes, for example fiscal obligations relating to financial transactions.The Working Party reminds all information society services, such as apps, in opinion on apps on smart devices, 24)that the European data retention obligation (Directive 2006/24/EC) does not apply to them and therefore cannot be invoked as a legal ground to continue to process data about app users after they have deleted the app. The Working Party takes this opportunity to highlight the especially risky nature of traffic data, which deserve special precautions and safeguards per se – as highlighted in the WP29’s Report on the enforcement of the Data Retention Directive (WP172) – where all the relevant stakeholders were called upon to implement the appropriate security measures. 47 EDPB, guidelines on GDPR art. 6(1)(b), 14 [19]. WHERE THEY TAKE DIFFERENT APPROACH.
9
serve the ability for [subjects] to control [their] data”48? Soon after recent forms, ‘giving sub-
jects control’ became as trendy as ‘we value your privacy’. Never the essence of the former
statement is not within the grasps of subjects because of the plurality of different meanings
frequently ascribed to the ‘notion of control’ and the vagueness of its supposed core mecha-
nisms of empowering them.49 This prompts the need for a greater comprehension of the no-
tion before conducting an examination of whether the EU data protection framework allows
data subjects more control in a way that allows trust in the DSM.
The ambiguity surrounding the meaning of ‘control’ likely stems from ‘misleading confla-
tion’, firstly, between scholarly literature and materials produced by the EU regulator, DPAs
and advisory bodies. Secondly, between the latter materials themselves, as well as their
vagueness. It is important to realize that although the recent EU reform pushed for providing
subject’s with greater control over their personal data, the notion of control is not new. In fact,
privacy advocates, scholars, regulators, and the tech industry have for a long time advocated,
for giving subjects more control as the key regulatory response to the problems raised by re-
cent developments of digital technologies.50 In the course of scholarly literature the notion of
control has often been conceptualised in certain ways, notably as one of the foundations of
privacy,51 which creates a misleading confliction with the deployment of the notion of control
by EU institutions as a tool for data subjects to manage their privacy.52 In short, this means
that if subjects control is guaranteed under EU law, their privacy (or aspects of it) is not sim-
ultaneously guaranteed automatically but their ‘ability to manage’ it would be.
Secondly, by the scale of diverse EU material expressing the need for control,53 often in
an incoherent manner and leaving the meaning of control and its core elements vague and
pervasive.54 The GDPR best illustrates this lack of decisiveness as it briefly references in its
recitals, the need for subjects to have control given the challenges brought by the technologi-
cal development and the importance of creating the trust that allows for the development of
48 Nadella, Your data, powering your experiences, controlled by you, at https://privacy.microsoft.com/en-US 49 Lazaro, Christophe and Le Métayer, Control over Personal Data, 29. (ATH) 50 Ibid. Lazaro, Christophe and Le Métayer, Control over Personal Data, 4, 7, 15-16. Woodrow, The Case Against Idealising Control, 424. 51 Debates concerning the validity of such will be left out of this paper. For in depth analysis of the meaning of control as developed in privacy and data protection scholarship, see Lazaro, Christophe and Le Métayer, Control over Personal Data, 6-15. Leenes, DP and Privacy, 117-120. 52 Lazaro, Christophe and Le Métayer, Control over Personal Data, 15. Morel et al., IoT: Enhancing Transparency and Consent, 1. 53 e.g. preparatory legislation works, legislative text, experts’ opinions, and material addressed to citizens 54 Lazaro, Christophe and Le Métayer, Control over Personal Data, 15-19, 21.
10
the DSM.55 No explanation is however given to the meaning of control (including its prag-
matic modalities), how providing data subjects with greater control is among the crucial ele-
ments that will create the trust that will allow the digital economy to develop across the inter-
nal market?56
2.2.1 The European Rhetorical Entanglement of the Meaning of Control
The EU rhetoric might provide an explanation to the promises of the commission that the EU
legal framework, particularly with the addition of the GDPR, empowers data subjects to exer-
cise effective control over their personal data.57 Through an examination of the material pro-
duced by the EU regulator, the dominant rhetoric can be said to take a uniquely entangled
approach to the notion of control where as it encompasses both subjective and structural
agents.58
Respectively, this empowerment to ‘manage’ their personal data could obliquely manifest
through a combination of several categories of rules (i.e. a set of ‘micro rights’) that are fre-
quently linked with or mentioned along side ‘the notion of control’.59 These micro rights
mainly surround the right to object and the requirements of consent60 (and to withdraw it),61
as well as of transparency and information (including the rights of access).62 These provide
55 GDPR, rec. 6-7. Or as the commission puts it “Creating the right framework conditions and the right environment is essential to retain, grow and foster the emergence of new online platforms [...]”, cf. Commission, Online platforms: Opportunities and Challenges, 3. Q.v. Commission (EC), comprehensive approach on personal data protection, 3-4 [H-N], EU Committee, OP & DSM (HL Paper 129), 67 [255], regarding concerns on implementing GDPR, re. Yahoo (OPL0042) and ITIF (OPL0076) by ensuring individuals right to privacy are put in action while still sustaining development of the online environment and economy. 56 Ibid. Morel et al., IoT: Enhancing Transparency and Consent, 1-2. 57 Voigt, and Bussche. The EU GDPR, 141-147. Commission, Completing a trusted DSM, 3, 5. Commission, stronger protection, new oppertunities, 3. Important rules arising for secondary legislation concerns the burden of proof, obligations, safeguards, and rights deriving from data processing. Tackling the DSM unrelated to whether data is considered personal are the ECD, the Services Directive 2006/123/EC, the Directive on the re-use of public sector information (Directive 2003/98/EC, known as the ‘PSI Directive’, currently under review), the GDPR, which is complemented by the e-Privacy Directive 2002/58/EC (ePD) as modified by Directive 2009/136/EC (currently under review). The general provisions of the TFEU (Articles 49 and 56) could be applicable to the totality of data storage and other processing services. However, addressing existing barriers through infringement procedures against the Member States concerned has been identified as cumbersome and complicated, yet leaves a situation of legal uncertainty. 58 Lazaro, Christophe and Le Métayer, Control over Personal Data, 15-16. 59 Q.v. Reding, “EU DP Full Speed”, 3. 60 Ibid. Consent as defined in the Article 4(11) in the GDPR (see also rec. 43), is one of the legal grounds for processing personal data cf. GDPR, art 6(1)(a), q.v. rec. 32 and must be obtained prusuant to the requirements as stipulated in the GDPR, see art. 7-11 and rec. 42, 33. Q.v. GDPR, art. 7(3) on consent. 61 The right to object (GDPR, art. 21, rec. 69-70.) or to restrict data processing (GDPR, art. 18-19, rec. 67.), rights related to automated decision-making and profiling (GDPR, art. 22, rec. 71-73.). 62 Lazaro, Christophe and Le Métayer, Control over Personal Data, 21-22. See also Bygrave, DP Law, 158-163. Q.v. concerning the requirement of transparency, as well as fairness, the controller must, before any processing operation of personal data begins, inform the data subject of its existence, what their legal basis and purposes
11
data subjects with the ability to make decisions through autonomous choice (and by a delib-
erate and informed action) about the processing and, or, subsequent use of their personal data
by others.63
In comparison when the notion of control is conceptualised as privacy, the subjects would
be considered to lose control over personal data as soon as they provide and entrust control-
lers with it,64 whereas the EU rhetoric, in the same situation, would not consider control lost
as long as the subject still has some measure of influence over the processing and subsequent
use,65 i.e. where subjects have the ability to be aware66 of what, where and when personal data
is processed and why, how, and by whom, and the ability to act in some manner to shape the
use, e.g. to withdraw consent, to rectify67 or erasure,68 of the personal data that concerns
them.69
It would be impossible for subjects to exercise control over the use of personal data, that
concerns them, by third parties, if the latter or otherwise responsible party, does not make the
subject sufficiently aware of its collection,70 nor the purpose and scope of the processing prac-
tice, i.e. by ‘effectively communicating’, directly or indirectly, ‘intelligible information,71 that
is necessary’, in a ‘concise and transparent manner’, to the subject (q.v. chapter 3.),72 since it
affects subjects ability to take action,73 encompassing the exercise of their ‘micro rights’, cf.
are, to name a few. The communication itself must be governed by the principle of transparency, cf. GDPR, art. 5(1)(a), whereby controllers are obligated to create suitable information measures, cf. GDPR, art. 12. Qv. art. 2(1). whereas effective control by the data subject and by national data protection authorities requires transparent behaviour on the part of data controllers, 63 Lazaro, Christophe and Le Métayer, Control over Personal Data, 21-22. Bygrave, DP Law, 158, 160-162. Compare similariteis with the principle of ‘data subjects influence’ descussed in Bygrave, DP Law, 158-163. 64 Lazaro, Christophe and Le Métayer, Control over Personal Data, 29. Leenes, DP and Privacy, 122-123. 65 Compare, EESC, “Opinion on ePRp”, (6.3). 66 ATH re. awareness in Bygrave, DP Law, 158-163. 67 GDPR, art. 15-16, rec. 63-65. 68 GDPR, art. 17, rec. 66. Also called the right to be forgotten. 69 See analysis on ‘data subjects influence’ in Bygrave.. (ADD). Reding, DP reform.. 2 70 Q.v. EESC, “opinion on ePRp”, (5.4), where EESC warns against the effets profetability resulting from the possibility to obtain greater acess to personal information by futher processing of metadat, re. (5.2) and the presumed lack of knowlidge thereof, by data subjects when expressing consent to the storega of metadata, which will bresumably have such effect, and therefore advvocates the need to inform and better educate subjects. 71 In the ‘event of uncertenty’ about the 'level of intelligibility’ and ‘transparancy of information' and 'effectivnes of user interface/ notices/ polices etc.', the 'controller' can: determine what the avarge member of which the privacy information is inteded for (the subjects, that the collected personal data cconcerns) based on collectors assumed knowledge about that group of subjects) or test them (i.e. mentioned uncertities relating to both the information and communication) through, firstly, a number of 'mechanisms' (e.g. user panels readability testing, consolidation with stakholders (indrusty and advocacy) and regulatory bodies) and , secondly, through other means, as appropriate to determine the suitability of the information and communication to allow understanding by aan avarge member of the intended audicance. WP29, GDPR Guidelines: Transparency, 6. Re. Morel et al., IoT: Enhancing Transparency and Consent, 4. 72 WP29, GDPR Guidelines: Transparency, 5. 73 Q.v. WP29, “opinion: apps on smart devicess”, 24.
12
ECJ, Bara and Others, where the court held that the requirement of fair processing precludes
transfers between, and further processing by, NRAs without first informing the data subject,
for the purpose of the processing by, and in its capacity as, the recipient of the data.74
Control is similarly rendered unachievable when, although subjects are made sufficiently
aware, subjects have no means of taken actions, both, ‘expressing the privacy preferences’
‘they have decided’, which is communicated, directly or indirectly, to, and ‘received’, and
‘upheld’ by ‘parties responsible for implementation of requirements to shape the processing
accordingly’ as well as possibly to ‘allow the subject to monitor actual compliance’ with the
privacy choices they gave.75
The EU regulator appears to have recognized, or at least feels compelled to recognise,
Q.v. I v. Finnland,76 that duo to the digital design, notably its complexity,77 for subjects to be
able to ‘effectively exercise control’ (i.e. through use of these ‘micro rights’) providing the
micro rights themselves is insufficient, rather a set of ‘structural measures’ must be placed
within the digital environment that ensures its reliability and effectiveness,78 as technical solu-
tions facilitate more effective and sufficient means of making data subjects aware and em-
powered to exercise control.79 I v. Finnland (2008), which concerned confidentiality of pa-
tient data in a public hospital system. Specifically, the patient did not entrust the employees to
refrain from accessing the data without authorisation as was required by law. However as the
law did not require, and thereby by ensure that the law was implemented obligations under
Article 8(1) under the convention were not fulfilled. As the hospital did not place measures
within the health record system, that comprehensively logged access to the records, as well as
stored such log in away making monitoring of compliance possible, i.e. whether the data had
been accessed without proper authorisation.80 The lack of logging undermined the applicant’s
ability to litigate before the Finnish courts because it deprived her of concrete evidence that
her health records had been accessed unlawfully. Had the hospital provided a greater control
over access to health records by restricting access or by maintaining a log of all persons who
74 ECJ, Bara and Others, para 32, 33, 35. 75 Lazaro, Christophe and Le Métayer, Control over Personal Data, 30. Morel et al., IoT: Enhancing Transparency and Consent, 1. 76 Positive obligations extend to more then just putting legal rules in place. See Bygrave, privacy by design 109-110. 77 There is ample disbelieve that enabling ‘subjective controls’, e.g. like requiring informed consent, can, by themselfs, provides subjects with sufficient control duo to the digital design, notably its complexity, cf. Morel et al., IoT: Enhancing Transparency and Consent, 2. 78 Lazaro, Christophe and Le Métayer, Control over Personal Data, 18-20. Q.v. Bygrave, Privacy by design, 107. Where Bygrave points out that Article 25 shows that the EU regulator embraces PbD idieals to such… 79 Reding, “The EU Data Protection Reform 2012”, 2. GDPR, rec. 59. 80 Bygrave, Privacy by design, 109-110.
13
had accessed the applicant’s medical file, the applicant would have been placed in a less dis-
advantaged position before the domestic courts’: ibid, para. 44.
As seen above whether and to what extent structural measures need to be in place depends
on the risk at case. Although the main elements of the ‘structural measures’ are not widely
determined, EU material allows categorization of three pillars.81 There will be limited discus-
sion in this paper devoted to the first two pillars. 82 Respectively, they are ensuring effective
enforcement83 of effective and heterogeneous rules, which encompasses the need for
comprehensive set of rules to cope with risks of the online environment.84 These rules need to
apply to the processing of personal data of EU citizens independently of the area of the world
in which their data is being processed.85 Finally, the rules need to be effective in a way that
they are actually enforced, e.g. by independent national data protection authorities (NDPAs).
Secondly, the responsibility and accountability of data controllers86 which entails, e.g., the
designation of a data protection officer, the performance of impact assessments and possibly
the observation of ‘the principle of privacy by design’ (DPbDsgn) (see chapter 3.3.).87 The
final pillar involves ‘measures’ i.e. that reinforce security or enhance privacy, such as
implementation of an privacy certification scheme, using privacy enhancing technologies
(PETs) and privacy friendly default settings (DPbDflt),88 which deals with minimising the
processing of personal data (see chapter 3.3.).89
81 (ADD what material). 82 These can be said to entail mainly organisational measures q.v. Lazaro, Christophe and Le Métayer, Control over Personal Data, 18. 83 GDPR, rec. 7, 11, 13. 84 Ibid. 2-4, 18-20. Reding, “Your data, your rights”, 2-3. Q.v. such rules can now be found in the GDPR, e.g. ‘right to withdraw’, ‘burden of proof’ and ‘proof of need to collect and retain personal data’. 85 Lazaro, Christophe and Le Métayer, Control over Personal Data, 18-20. The GDPR applies “regardless of whether the processing takes place in the Union or not”, cf. GDPR, art. 3(1). Qv. in speech held 2014 Viviane Reding, then Vice-President of the European Commission, stated that “Europe must act decisively to establish a robust data protection framework that can be the gold standard for the world. Otherwise others will move first and impose their standards on us.” 86 Ibid. GDPR, rec. 103. 87 Lazaro, Christophe and Le Métayer, Control over Personal Data, 18-20. The GDPR increases NDPA’s powers, cf. GDPR, art. 51–59. 88 GDPR, art. 25(2). 89 Lazaro, Christophe and Le Métayer, Control over Personal Data, 18-20.
14
2.2.2 The Placement of Structural Measures: Reasons and Consiquenses
The ‘structural measures’ placed in the EU framework aim at enhancing data subjects ability
to take deliberate action and trust is placed on stakeholders, like Microsoft or Google,90 to set
up the measures in a way that will allow there customers, the data subjects, to take effective
control.91
Thus, the placement of these ‘structural measures’ is not done in the pursuit of achieving
‘hard privacy’ or ‘privacy by architect’, where the system is designed in a way that ensures
non disclosure of personal data and, more or less, thereby gives away with the need for data
subject to take action. Without the ability to take some action based on subjects own deci-
sions that in someway shapes the processing, e.g. whether or not to provide personal data in
the first place, control would be delegated to the system (e.g. as the programming would dic-
tated whether or not personal data would be provided from subjects) and trust would need to
placed on non human actors (i.e. the programming) or at least the manufactures.92
With reference to the GDPR, notably requirements of implementation of structural and
organisational measures (TOM) such as relevant to ensuring, e.g. PDbDsgn & bDflt (PDbD:
here after used collectively reference both), as such provisions, counter to their rational, being
limited in scope and loosely formulated, combined with there being little incentive to abide to
them, strongly indicates that the EU regulator has not decided to employ mentioned ‘hard
privacy’ approach, at least not to its full extent.93 The rationale behind DPbD is that,94 having
implemented measures, designed to ensure compliance with DP requirements and principals,
90 Q.v. Google’s Privacy Policy, where, in the first pharagraph in big letters, Google acknowledges that trust is placed on them when subjects are using their services and that they work hard to put subjects in control, cf. X. 91 Lazaro, Christophe and Le Métayer, Control over Personal Data, 26-30. 92 This notion of “privacy by architecture” differs from the usual vision of “privacy by control” as the user does not have to take any action: the design of the system ensures that his or her personal data will not be disclosed. in that case that control is entirely delegated to non-human actors. Privacy can be distinguished as hard privacy and soft privacy based on different trust assumptions. The data protection goal of hard privacy refers to data minimization, based on the assumption that personal data is not divulged to third parties (utilising privacy en-hancing technologies (PETs)). The system model of hard privacy is that a data subject provides as little data as possible and tries to reduce the need to place ‘trust’ on other entities. The threat model includes service provider, data holder, and adversarial environment, where strategic adversaries with certain resources are motivated to breach privacy, similar to security systems. Soft privacy, on the contrary, is based on the assumption that data subject lost control of personal data and has to trust the honesty and competence of data controllers. The data protection goal of soft privacy is to provide data security and process data with specific purpose and consent, by means of policies, access control, and audit. The system model is that the data subject provides personal data and the data controller is responsible for the data protection. Consequently, a weaker threat model applies, including different parties with inequality of power, such as external parties, honest insiders who make errors, and corrupt insiders within honest data holders. Deng et al., “A privacy threat analysis framework”, 4-5. re. Lazaro, Christophe and Le Métayer, Control over Personal Data, 26-27. 93 See assessment, cf. Bygrave, “DP by design and default”, 114-119. 94 GDPR, art. 25(1). The duty extends to ensuring default application of particular data protection principles and default limits on data accessibility.
15
from the design stage right throughout the lifecycle, (i.e. effectuating systems architectures
with built in DP compliance) would achieve greater results than through traditional regulatory
methods, code of conduct or contractual obligations, in relation to, e.g. improving traction of
DP principles, ensuring compliance and accountability as well as, likely, eliminate any phas-
ing challenges.95
In reality, contrary to DPbDflt, the GDPR might have reduced DPbDsgn effects in certain
parts of the life circle, to act as no more than merely guidance. 96 Currently, only ‘control-
lers’ are subject to requirements relating to the principal of DPbDsgn under GDPR (similarly
to the principal of DPbDflt). Furthermore, controllers use of processors is restricted to such
use sufficiently guaranties DPbDsgn.97 Where the definition of controller does not expend (as
is likely where entities are involved with e.g. IoT or Search engines) to include ‘producers’ of
digital devices, services and products, that collect, processing and, or, facilitates online behav-
ioural advertisings, the latter are only ‘encourage’ under the GDPR to design there DS in ac-
cordance to DPbDsgn.98 Moreover, in such case the producer might be subject to the same
obligation under different legal instruments, as manufacturer of terminal equipment are re-
quired to implement measures ensuring DPbD in their construction according to ePD, cf. art.
14(3), irrespective of whether the manufacturers would be designated as controller in accord-
ance to GDPR, 99 Similarly, provisions on stakeholders responsibilities of ensure sufficient
capabilities of subjects to ecsice their rights, e.g. provide information, request consent or en-
able objection, are implemented across legal instruments.
Admittedly, not all entities involved in developing any of the relevant DSPs (i.e. that fa-
cilitate 3DMPs) are covered. For example, in relation to the mass amount of data collected on
subjects behaviour across the Internet, e.g. through use of cookies, the entities involved in
developing the basic internet standards, which significantly effects such processing and could
in practice make the Internet DPbDsgn would not be considered controllers, nor, generally,
would the manufacturer of the digital device such as subjects PC where the cookies are stored
95 Bygrave, “DP by design and default”, 106. ICO, “Data protection by design and default”. Qv. GDPR, rec. 78. pseudonymising personal data as soon as possible; ensuring transparency in respect of the functions and processing of personal data; enabling individuals to monitor the processing; and creating (and improving) security features . 96 The requirements relating to PbDsgn essentially prompts the implementation of measures where they are needed to ensure that the particular processing activity sufficiently meets requirments of GDPR and otherwise ensure information security and protection of subjects rights. Which measures are appropriate in the context of the processing activity can be concluded by an impact assessment 97 Bygrave, “DP by design and default”, 116. 98 Bygrave, “DP by design and default”, 116, 118. Compare The GDPR 64. 99 Bygrave, “DP by design and default”, 108.
16
(although, such is more likely in relation to IoT devices see chapter X) nor the publisher or
the ad network (although, such is more likely in relation to SMN websites). Comparatively,
the advertiser and manufacturer of web browsers, such as Google Chrome, that allows access
to the Internet, would be considered controllers.100 Moreover, it remains a issue who should
be required to inform.
The complexity of the various entities involved in various ways and at various 3stages of
3DMPs makes it extremely difficult to delineate clear lines of responsibility and accounta-
bility, notwithstanding designating a controller and processor. Information needed for suc-
cessful provision of data driven marketing is the product of mixing the various data obtained
by various entities across various services and platforms.101 Notably, Google as the device
manufacturer of IoT devices (e.g. the Google Pixel phone) or as a DSP, collects themselves or
obtains from Android, as the OS provider, affiliated or partnered services and third party apps
(given that it was unveiled through the Google Appstore and uses one or more Google ser-
vices, e.g. Google Maps, play, analytics etc.), information relating to subjects activity online
(e.g. subjects telephony data and use of functions or third party apps) and offline (through
device sensors), collected by services or devices, irrespective of platform or whether during
subjects use or not.102
2.2.3 Final Remarks
As mentioned in order to effectively combat the ‘contemporary challenges’103 undermining
subject’s trust,104 relevant stakeholders, (as required by relevant legal instrument, q.v. discus-
sion above) should intervene by implementation of structural measures.105 However, NDPAs
must ensure their accountability, as it is known that DSPs are prone to neglect their informa-
tion duties, provide coercive and misleading consent request notification or all together avoid
data subject’s involvement.106
This placement of trust, achieved through the specific configuration of requirements (i.e.
implimentation of measures entailing the structural agent of control) in the EU framework, is
likely the result of attempting to achieve balance between stakeholders and data subjects ra-
100 Bygrave, “DP by design and default”, 118. 101 Google admits it may conduct such practices see Google Privacy Policy: Protect our Users, and the Public. 102 Google Privacy Policy: Your Activity. 103 GDPR, rec 58 AND. 104 WP29, Opinion: online behavioural advertising”, 6. 105 WP29, “opinion: IoT”, 3. 106 Lazaro, Christophe and Le Métayer, Control over Personal Data, 23-25.
17
ther than being the decided regulatory approach because of it being the most suited for data
subjects.107
In reality determining whether these tools and measures provided, are in practice, realisti-
cally effective in enabling control, and what the normative consequences from operating such
control, hinges on ‘the scope of the instruments’ that give rise to data subjects control’.108
Since, if the legal provision that enable control, as determined above, are not ‘available to
data subjects’ to deal with situations where they don’t fully trust that there rights will be re-
spected, such provisions would seemingly be ill equipped to foster trust.
Simply put data subjects cannot trust what they do not know or control. Thus mistrust
starts appearing as subjects become aware of the connection between there digital behaviour
and the presented targeted content without having oversight of what sort of data was being
collected, or how, which companies received and utilised it to provide targeted advertising.109
2.3 Concluding Remarks
Consent for collecting and processing personal data is an imperative barrier of potential mis-
uses by private and public entities in today’s data driven society where marketers have access
to vast amount of data and analytical technics to build user profiles containing information
about subjects, who they are and how they behave, and can use such personal profiles in ways
that might negatively affect subjects or the society as a whole. Therefore, It is essential to
place importance on data subject's informed consent as one of the legal grounds allowing the
processing of personal data and that its limits constrain possibilities to process the data, thus
serving as a mechanism for the subjects to stay in control of the purposes for which her per-
sonal data are used.110
Although consent can be a fundamental tool for individual users to guard their sovereignty
over their individuality, lifting some of the regulatory burdens of controllers is not necessarily
bad, that is if it is done to maintain a balance of interests, similar to providing data subjects
with greater protection. Importantly, data-driven business models can be pro-competitive,
yielding innovations that benefit both consumers and the company. Collecting and analysing
107 Compare, Commission, “Guidelines: Social Media”, 32. 108 Ibid. Reding, “The EU Data Protection Reform 2012”, 2-3. [make more ref.] 109 https://www.datatilsynet.no/globalassets/global/english/privacy-trends-2016.pdf 110 With digitalization came big data whereby utilizing the cloud infrastructure private corporations have gained the capacity to search, aggregate, and cross-reference large datasets for analysis in order to identify previously undetectable patterns, as well as the power to monitor and profile individuals, calculate risks and even predict behaviour, cf. Chen and Cheung, The Transparent Self Under Big Data Profiling, 356.
18
data can provide the company with insights on how to use resources more efficiently and to
outmanoeuvre dominant incumbents. The European Commission noted in 2015 that “the use
of big data by the top 100 EU manufacturers could lead to savings worth €425 billion,” and
that, “by 2020, big data analytics could boost EU economic growth by an additional 1.9%,
equalling a GDP increase of €206 billion.” n.”[7]
In reality marketers are given some leeway when it comes to transparency of said use, be-
cause regulators have deemed it necessary to maintain balance between the formers and soci-
eties economic interests and data subject’s privacy related interests. Therefore, the current,
and evermore urgent issue lays in finding a balance between the exploitation of personal in-
formation and the protection of individual privacy.
3 Consent and Contracts: Similarly Shared Elements of Agreement 3.1 Establishment of Similarity Structure Demonstrating Simplicity of Issues
The various ways subjects can interact with PornHub.com, i.e. a self acclaimed “best adult
porn website on the net!”,111 to enter into a valid contract, will be used to illustrate not just a
practical application of rules governing the formation and validity of online contracts but
more importantly how and to what extent they interplay.
As stated in Pornhubs T&C subjects agree via access or use of the website, whether they
click accept or not, to be bound and to abide by Pornhubs ToS and Privacy policy, which in-
clud, e.g. the processing activities by Pornhub as the collector, concerning uses (i.e. tracking,
profiling, analysing, predicting) of personal data (i.e. raw-, survay and usage data, as well as
sensitive data) for the purposes of, and to the extent necessary to, provide their service, or for
other purposes, e.g. development and optimisation based on personalisation, behavioural ad-
vertising, e.g. for their or third parties legitimate interest, or based on subjects consent.112
In relation to data driven marketing, applicable and overlapping rules can mainly be found
in two distinct fields both in regard to determining the existence of a valid contract pursuant
to contractual necessity, i.e. in data protection and e-commerce (and e-consumer) law, and in
regard to valid consent for a particular purposes, i.e. e-privacy and data protection. The va-
lidity of these agreements depends on which rules apply as well as what particular purposes
can be justified based on those legitimate grounds. Logically it will therefore form the second
legal issue assessed in this chapter.
111 www.pornhub.com 112 Ibid.
19
The formation of such agreement along with other online contracts is governed by the
ECD,113 as it applies to providers of 'information society services’ (ISS providers), i.e. ser-
vices normally provided for remuneration,114 at a distance, by electronic means and at the
individual request of a recipient of services.115 Accordingly, an offer or acceptance is deemed
to be effective when it is communicated, unrelated, whether by electronic means.116 Where the
latter follows the former,117 their mutual assent will gain equal validity to other contracts con-
cluded by more ‘traditional’ means,118 as long as accessible, e.g. on providers webpage,119 in
a way that allows recipient of offer to store and reproduce them,120 or in relation to consumer
contracts under the CRD, cf. art. 8(7), when subjects have been provided with conformation
of reception.121
Moreover, specific rules mandate greater requirements for a contract to be valid if it trig-
gers ‘consumer protection law’, i.e. aggressive commercial practices, misleading or unfair
conduct, e.g. where relevant use of pre ticked boxes, misleading omission of needed informa-
tion or use of unfair terms is restricted and certain information requirements must be fulfilled.
These rules will here after only referenced in so much as relevant, e.g. where they provide
113 Importantly, ECD, art. 9(1) allows electronic contracts to be concluded and forbids member states from creating interferences based solely on the account of being an online contract. A similar definition can be found in article 5 and 5bis of the UNCITRAL Model Law on Electronic Commerce. 54 COM (1998) 586 final, p. 26. 114 Qv. Mc Fadden v Sony Music C-484/14, "The remuneration of a service supplied by a service provider within the course of its economic activity does not require the service to be paid for by those for whom it is performed" (para 41) That is the case, inter alia, where the performance of a service free of charge is provided by a service provider for the purposes of advertising the goods sold and services provided by that service provider, since the cost of that activity is incorporated into the price of those goods or services" (para 42) 115 Cf. ECD, art 2(a), rec. 18, and Directive 98/34/ EC (as amended), art. 1(2)(b), rec. 18. 116 The fact that the contract or the communication was made through electronic means does not affect its validity or enforceability solely, cf. UN Convention on the use of Electronic Communications, Art. 8(1), art. 9. ECD, art 9(1). 117 Different theories exist on non-instantanies communication, q.v. time of contracts conclution in regards to data messages under Uncitral Model Law, cf. art. 15(1), stipulating at dispatch and ,cf. art. 15(2), stipulating both when the communicated is acces 118 COM (2003) 702 final, p. 11. Digital contracts for Europe – Unleashing the potential of e-commerce, 9.12.2015, COM(2015) 633 final, see also ECJ Haute-Garonne, which cocluded that Article 8 precluded national legislation banning advertising by dentists as it prohibited any recourse to online advertising methods that promotes specific dentists or their company [cf. paras 17-19, 22.]. Qv. Member States have the freedom not to apply Article 9(1) to certain types of contracts, cf. Article 9(2) such as rental contracts. 119In El Majdoub, the CJEU ruled that the 'click-wrapping' technique fulfils the requirements in Article 23 of the Brussels I Regulation, as the purpose was to treat electronic communications in the same way as written communications provided that they offered the same sort of guarantees in terms of evidence of the contract. Thus, it was sufficient that it was 'possible' to save and print the ToU information (i.e. to provide to a durable record of the agreement) before conclusion of the contract. 120 ECD, art. 10(3). 121In El Majdoub, the CJEU ruled that the 'click-wrapping' technique fulfils the requirements in Article 23 of the Brussels I Regulation, as the purpose was to treat electronic communications in the same way as written communications provided that they offered the same sort of guarantees in terms of evidence of the contract. Thus, it was sufficient that it was 'possible' to save and print the ToU information (i.e. to provide to a durable record of the agreement) before conclusion of the contract.
20
greater protection then the GDPR and e-Privacy or where information obligations comple-
ment each other. Finally it is necessary to emphasise that DP rules apply in all these cases,
where personal data is processed, they form legal floor of protection and cannot be contracted
away. Nevertheless, the validity of a online contract in terms of contractual necessity and
valid consent as well as the notion of effective acceptance in regards to the latter legitimate
basis, are dividing points between e-commerce and data protection as the legal assment of
Pornhub.com below will illustrate.
3.1.1 Information Requirements
Trust is hard to give to something you do not control or know, thus, in accordance with the
GDPR, the collection and use of personal data must be fair and transparent to allow data sub-
jects to exercise their rights.122 Controllers must inform the subject of the existence of collec-
tion and processing, what collectors legal basis and purposes are for said processing, who are
if any, the third party recipients of the collected and or processed data,123 or can access it and
the usability of the obtained by said third parties as well as subjects rights and any further
information necessary to ensure fair and transparent processing, taking into account the con-
text and the specific circumstances of the processing.124 Data subjects maintain the right to be
informed at the time of collection, where personal data has been obtained directly from the
subjects,125 or, when obtained from third parties, within a reasonable amount of time or upon
being used to directly contact (directly market to) the data subjects.126
Foremost, the communication itself must be governed by the principle of transparency,127
i.e. be accessible, easy to understand and, use clear and plain language.128 Additionally, by the
principle of data protection by design, whereby controllers are obligated to create suitable
information measures.129 Thus, and in line with the GDPR,130 controllers must create suitable
information measures,131 such as ‘layered’ information notices (see chapter 3.1.2.),132 that are
122 GDPR, art. 12, rec. 39, 58. 123 GDPR, art. 13(1)(e). 124 GDPR, rec. 60, qv. rec. 62. 125 GDPR, art. 13. 126 GDPR, art. 14, rec. 61. Qv. exceptions apply, cf. GDPR, rec. 73, 62. See opinion on IoT, 16 “The fairness principle specifically requires that personal data should never be collected and processed without the individual being actually aware of it.” Could uswe otherwise take out. 127 GDPR, art. 5(1)(a), rec. 59. 128 GDPR, rec. 39. Qv. WP29, Guidelines on Transparency under GDPR. 129 Voigt and Bussche, The EU GDPR, 141-147. Cf. GDPR, art. 12. 130 GDPR, art. 12 131 Voigt, and Bussche, The EU GDPR, 141-147. 132 As WP29 has advocated for:
21
governed by the principle of transparency,133 thereby, there should be greater clarity in the
communication given, e.g. when signing up to social networks or entering sites. It should con-
tain [a set of] information (such as described above) in a clear and comprehensible manner,
such as the functionality, interoperability and main characteristics of digital content.134
3.2 Application of the Legal Interactivity to ‘The Ride of My Life’
3.2.1 Valid Consent and Contract: Capacities of Offer and Acceptance
As subject enter the “wonderful world of Pornhub”135 they are not greeted with an ability to
take affirmative action, e.g. whereby subjects click of a button, ensuing a communication of
there agreement, i.e. ‘valid’ click wrap agreement under EU law, cf. CJEU El Majdoub.
Nevertheless, a valid contract might still have taken place, i.e. brows-wrap agreement,
whereby an actual or constructed notice of SCC could be deemed as demonstrating subjects
assent,136 such would ultimately depend on a case by case assessment, notably what rules are
apply is a determining factor, cf. Barnes & Nobel (B&N), where the court decided B&N’s
placement of a hyperlink at the bottom of every page, gave insufficient notice of ToU to hold
the costumers to an arbitration (i.e. browse wrap-) agreement. Because B&N did not other-
wise provide other notices to users nor prompted them to take any affirmative action to dem-
onstrate assent, moreover, in the latter case, even if the links would have been placed close to
the relevant buttons that users must click on, without more, would be insufficient to give rise
to constructive notice.
Similar to B&N, Pornhub displays some information at the bottom of every page within
pornhub.com. Although such information would adequately give notice, e.g. both solely there
in, or in combination with adequate reference to further information, could be enough to con-
clude the existence of a contract without any affirmative action such in would still remain
133 GDPR, art. 5(1)(a). 134 CRD, art. 6(2) re. 6(1)(a), (r) and (s). 135 www.pornhub.com 136 Cf. Barnes & Nobel (B&N). where the court decided B&N’s placement of a hyperlink at the bottom of every page, gave insufficient notice of ToU to hold the costumers to an arbitration agreement (a browse wrap agreement). Because B&N did not otherwise provide other notices to users nor prompted them to take any affirmative action to demonstrate assent, in which even if the links would have been placed close to the relevant buttons that users must click on. without more. is insufficient to give rise to constructive notice. Specht v. Netscape, where users argued that a freely downloaded ‘plugin’ transmitted user’s personal data, after having downloaded and, while facilitating the use of a ‘browser’. The producer, Netscape, argued that the respected privacy dispute was subject to a binding arbitration clause, contained in the ‘browsers ToU’, which users had assented to via clickwrap agreement. It was concluded that even when defined broadly, the arbitration clause did not include ‘use of the plug in’ as it did not expressly mention it nor had users assented to separate arbitration clause, contained in the ‘plug ins’ ToU (i.e. a browse wrap agreement) as they could not have learned of the existence before downloading the plugin.
22
insufficient where consent is needed in the field of data protection and e-privacy, as stricter
requirements exist to protect data subjects that entail that a consent would only be considered
given with an affirmative action.137
3.2.2 Consent Must be Given with Affirmative Action
Although there must be an affirmative action, the GDPR does not specifically clarify whether
subject’s conduct entails ‘actions’ that demonstrates actual or constructive notice can be con-
sidered as indication of acceptance. 138
Not including websites who collect personal data without a notice,139 cookie consent
forms can, for the sake of simplicity, be presented as overlays that blocks usage until accept-
ance has presumably been provided, i.e. a cookie wall (as mentioned in chapter 2.2.1.2.),140 or
by a notice, e.g. standard banner, not preventing use while notice is displayed. The WP29 the
EDPS and the EDRI have been vocal of their opinion on cookie walls and all underline the
limits of current implementation of the cookie consent mechanism (based on "cookie walls")
under the ePD,141 that it should only be allowed in certain exceptional circumstances (q.v.
chapter 4.3.2.).142 A ‘non-cookie wall notice’ can be placed on a 3 point spectrum i.e. without
and with the option to accept, on a take it or leave it basis or with the ability to accept or de-
cline some or all processing activities.
Considering notices without an option to accept, as is the present particular case concern-
ing Pornhub, as part of the requirement of clear affirmative action, cf. GDPR, art. 4(11), inac-
tivity should not constitute consent, cf. GDPR, rec. 32, when there is no option for a user to
affirmative provide indication of assent, the website either auto-accepts, i.e. automatically
assumes consent is given and disappears when scrolling or when users reacts by closing the
banner. However, this is not inactivity as prescribed in the GDPR, nor are other cases, where
the website will only inform subjects the first time, they use a website, or whenever entering a
website, and stops displaying after assuming implied consent is given by continued use.
137 Cf. GDPR, art. 4(11). 138 GDPR, rec. 32. 139 Interestingly, these are not solely hyperlink-streaming- and other illegal websites there are many other legal sites, some even owned and operated by well-known companies. Nevertheless 140 On the internet, many companies offer people take-it-or-leave-it-choices regarding privacy. For instance, some websites install tracking walls (or ‘cookie walls’), barriers that visitors can only pass if they agree to being tracked. If people encounter such take-it-or-leave-it choices, they are likely to consent, even if they do not want to disclose data in exchange for using a website. An assessment of the ePR, 9. 141 See chapter 2.2.1.2. on page 10. 142 WP29, Opinion on evaluation and review of ePD, 16. Opinion on ePR proposal, p. 16, EDPS, cited above, p. 14; EDRI, e-Privacy Directive Revision, https://edri.org/files/epd-revision/EDRi_ePrivacyDir-final.pdf. See also SMART 2013/0071; Acquisti-Taylor-Wagman, cited above, p. 41; DLA Piper, cited above, p. 29.
23
In the latter case the consent would among other likely not be valid as users would not be
able to withdraw their consent as easily, i.e. by browsing,143 same likely applies to scrolling
but not necessarily when a user closes the notice by clicking an icon. However, noticing the
banner and choosing not to click accept but rather closing the banner would rather signal a
decline rather than acceptance.144
On the other hand, in these situation where this type of notification blocks usage of the
website until user has disabled ad-blockers, there would be both affirmative action as well as
an indication of acceptance, when a user would disable ad-blockers and allow the site to place
cookies. Furthermore, by turning the adblocker back on the user has withdrawn his accept-
ance.145 Nevertheless this would likely be considered a form of a ‘cookie wall’, thereby ren-
dering a supposed consent invalid, as it would not be freely given, (q.v. chapter 4.3.2.).
Furthermore, in these situations, websites (or digital services) often only inform users to
disable adblocks to continue or to receive services without providing more information such
as the purpose of disabling (the purpose of collection) it would not be a valid consent without
sufficient information. Ergo, not stating the purpose will generally eliminate the possibility of
being a valid consent, (q.v. chapter 4.3.2.). However, this could be deemed valid if the col-
lected data is stored in and related to end-user’s (data subjects) terminal equipment
(/according to the new ePR).146
3.2.3 Provisions Stipulating Processing Activity must Form Part of the Valid Contract
In comparison with the requirements of consent, as argued above, the presumption is not
without merit, that by browsing Pornhub.com subjects enter into a valid contract although
they take no affirmative action as there conduct147 would likely demonstrate subjects actual or
constructive notice of the offer (which is, in this case, e.g. stipulated in Pornhubs privacy pol-
icy, ToC, etc.), and there continued use would thus likely indicate there acceptance. Neverthe-
less, terms stipulating the processing activity in question, must have formed apart of this no-
tice in order to exist within the ‘valid contract’, cf. Specht v. Netscape, this is not guaranteed.
Knowledge of SCC is of relevance to determine whether certain SCC, or certain provi-
sions therein, form apart of a valid contract. This is a two part assessment, i.e. how certain
143 cf. art. 7(3) 144 Use cookie consent form reaserchstudy. 145 WP29, Guidelines on consent under GDPR 259/2018, 17. 146 cf. PECR, art. 8(1)(b), re. art. 9(2). 147 GDPR, rec. 32.
24
SCC, or provisions therin, are assumed to have formed apart of a contract. Provisions can be
among the text which has specifically been agreed to, or refered to therein or other places, or
neither refered or apart of agreed text. Secondly what requirements are given in that particular
situation to subjects having knowledge. Such requirements can be derived from the content of
SCC (i.e. being unfair or unexpected) the feild of use, standing of contractual parties and their
prior contractual relations.148
Specht v. Netscape: where users argued that a freely downloaded ‘plugin’ transmitted
user’s personal data, after having downloaded and, while facilitating the use of a ‘browser’.
The producer, Netscape, argued that the respected privacy dispute was subject to a binding
arbitration clause, contained in the ‘browsers ToU’, which users had assented to via click-
wrap agreement. It was concluded that even when defined broadly, the arbitration clause did
not include ‘use of the plug in’ as it did not expressly mention it, nor had users assented to
separate arbitration clause, contained in the ‘plug ins ToU’ (i.e. a browse wrap agreement) as
they could not have learned of the existence before downloading the plug-in.
The content of the footer wrapper is divided into three separate sections. The last being
irrelevant and only containing logos. Although, the first section contains text which would
otherwise contain relevant contractual information, it is clear from the information provided
in this case that it relates mostly to the features of the site and does not expressly mention that
they collect data, nor the type, means, use or purpose of there processing activities, nor do
they state that by use of pornhub subjects accept to abide by there ToC, ToS and privacy pol-
icy nor do they reference these policies. The only reference to SCC is made in the second sec-
tion via listing of menu links in column titled information. It is thus referred SCC or a Brows-
wrap.
The SCC are generally apart of the contract if subjects are aware of their existence. If a
subject knows that certain SCC apply but did check them, although accessible, subjects would
demonstrate Thus subjects would enter into a contract whether or not they had actual know-
ledge of there content.
Unlikely that there unlikely that there is a binding contract about the data processing, for
example, in e-commerce If the offer corresponds to a consumer contract as defined in X, it
will not become binding unless certain information is provided in a clear and comprehensive
manner, cf. art. 6(1)(a)-(t) of CRD contains a list of 20 pre-contractual requirements, which
are complemented by requirements under Article 5 of the ECD. 3
148
25
3.3 Information Requirments: The Outlook of the Layered Notice Praxis
3.3.1 Consent and Contract: Different types of Notices and Requirements
As stated, the design of no-cookie wall notices can be place on a 3-pointed spectrum. In all
cases, i.e. unrelated where a notice is placed on the spectrum, information requirements must
be meet for consent to be valid. Examining the different typically-used notices along the latter
two points of the spectrum, pursuant to the 'layered' information notices praxis advocated by
WP29, can provide extensive illustration of how controllers would successfully provide rel-
evant information to the subject in an intelligible and easily accessible form.149
Notably subjects are not aware of their data being collection most of the time. This stems
from digital services often neglecting to ask permission or even to inform subjects when col-
lecting their data. Such lack of information constitutes a significant barrier to demonstrating
valid consent under EU law, as the subject must be informed ‘prior’ to obtaining consent or
otherwise commencing collection of their personal data.150 Unless the information is given
and, in such way that the average data subject is able to understand what they are essentially
allowing without much effort.151 Without this knowledge, the individual has no control and
consent becomes invalid as a legal basis in accordance with the GDPR.152 Where no informa-
tion is given consent cannot be relied upon as a legal basis for the corresponding data process-
ing under EU law. Furthermore, other legal bases would not be possible when no notification
has been given.
As concluded above the validity of a consent obtained through a notice where there is no
option to affirmatively act upon, hinges on both being allowed ‘cookie wall circumstances’ as
well as containing suitable information as required by e.g. the GDPR and ePR (see chapter x),
unless otherwise being exempted (see chapter x). This type of notice is only under consider-
ation in following assessment in relation to information requirements.
It is essential to examine information requirements of the notices that provide data subject
the ability to affirmatively indicate their assent by action, depending on the particular context
of a processing activity. Notably, subjects reasonable expectations and the extent of parties
common understanding, can be useful in determining what kind of information needs to be
149 GOOGLE THESIS 2, PAGE 75. 150 151 WP29 Guidelines on Consent under Regulation 2016/679, 14. Cf. GDPR, rec.42. 152 GDPR, art. 6(1)(a).
26
provided, to what extent and in what manner, i.e. whether it can be on a take it or leave it
bases or if the notice needs to give subjects options to explicitly agree or decline some or all
processing activities, to be a valid informed consent.
4 What M3DM Processing Activities Can Be Justified Based on Valid
Consent 4.1 Can Adhoc Privacy Notices be Freely Given?
For an effective consent to be valid, it must be freely given, specific, informed, and unam-
biguous.153 Meeting these three elements does not give way for unfair and unlawful process-
ing. “If the purpose of the data processing is excessive and/or disproportionate, even if the
user has consented, the app developer will not have a valid legal ground and would likely be
in violation of the (GDPR)”.154
Silence or inactivity cannot be taken as a valid consent.155 There must be an affirmative
action to demonstrate data subjects assent thus an actual or constructed notice of SCC would
not suffice.156 Importantly, merely (affirmatively) clicking on a download button does not
show assent to SCC if they are not conspicuous157 and if it is not explicit to the subject that
clicking clearly indicates that he or she is consenting (agreeing) to a specific processing for a
specific purpose.158
Actual practices of 'requesting' and 'obtaining' consent within the DSM pose challenges to
the concept of consent as ‘freely given’, specific and informed indication of the wishes of the
individual, by which, the data subject displays his agreement to personal data relating to him
being processed.159
If data subject is presented with a request for collection and processing of personal data on
a take it or leave it bases, then there is no real contracting freedom. To be considered freely
given the data subject must have real choice and control.
153 GDPR, art. 7, 4(11), rec. 32, 42. Qv. The GDPR added ‘unambiguous’. The former EU DPD specified that consent must be ‘freely, specific and informed’. 154 WP29, Opinion on apps on smart devices, 16. 155 Commission, Completing a trusted DSM, 3. 156 GDPR, art. 4(11). Cf. Barnes & Nobel (B&N). where the court decided B&N’s placement of a hyperlink at the bottom of every page, gave insufficient notice of ToU to hold the costumers to an arbitration agreement (a browse wrap agreement). Because B&N did not otherwise provide other notices to users nor prompted them to take any affirmative action to demonstrate assent, in which even if the links would have been placed close to the relevant buttons that users must click on. without more. is insufficient to give rise to constructive notice. 157 Which requests consent should be clear, concise GDPR, rec. 34. 158 GDPR, rec. 32. Qv. Barnes and Nobel. [see bygrave] 159 Google thesis 2, 71, 76.
27
The consent of the data subject for the processing of his personal data, as the main means
of empowerment of the data subject, is the genuine expression of the right to informational
self-determination and should be considered under the light of the individual's autonomy and
free will. it is interesting to examine whether the processing of the personal data should really
rely on the consent of the data subject, in the first place.
4.2 Encapsulating Consent as an Imperative Barrier of Potential Misuses
It is essential that data subject's informed consent is one of the legal grounds that allows the
processing of personal data and that the limits of the consent given constrain the possibilities
to process the data, thus serving as a mechanism for the data subject to stay in control of the
purposes for which her personal data are used.160
As seen above the problem is not the collection of data but that when companies have ac-
cess to vast amount of data, including personal data, they gain the ability to mix various data
together and analyse them in numerous ways to make predictions about data subjects. The
value of individual’s personal data lies in its usability, i.e. in this case the ability to make pre-
dictions that allow for better, more accurate and effective marketing practices, and which also
have the ability to negatively affect individuals. 161
This is potentially why companies like Google and Facebook allow data subjects to see
their data, e.g. what pages they visited or what they have liked, but not the predictions about
data subjects which they have concluded by comparing all available data related to a particu-
lar individual, with the great amount of data that they have on everyone else.162 As will be
argued in the next subchapter, it is questionable whether an opt out approach would fulfil
transparency requirements.
Although an opt out approach would suffice transparency requirements as well as be justi-
fied compared to the aims of the GDPR, it is certain that consent as a legal basis for process-
ing personal data is an imperative barrier for any potential misuses. Since data, including per-
sonal data, forms the basis of these predictions, if an entity is not able to collect or process
individual’s personal data without his or her consent, the companies would be unable to con-
duct those analyses about data subject and target him or her accordingly, or provide other
marketers with said ability.163
160 N. Forgó et al, The Principle of Purpose Limitation and Big Data, 27-28. 161 See for example https://www.facebook.com/ads/preferences, and https://myactivity.google.com. 162 See for example https://www.facebook.com/ads/preferences, and https://myactivity.google.com. 163 N. Forgó et al, The Principle of Purpose Limitation and Big Data, 27-28.
28
4.3 Finding Balance between Exploitation and Protection of Personal Data
4.3.1 Why Buy ‘Google Assistant’ in a ‘Data Driven Market’?
The DSM is a cooperative environment where its participants (e.g. data subjects, controllers
and society) receive the highest pay off where they cooperate; take into consideration the be-
haviour, decisions and interests of each other to obtain equilibrium.
The ‘potential use’ of the collected data is the problematic factor; Data subjects, control-
lers and society perceive the ‘potential use’ idiosyncratically as positive or harmful depending
on the situation. Normally data subjects’ interests are not the same as societies and conse-
quently occasionally conflict. In such case, subject’s rights might need to be ignored in urgent
cases, for example to maintain the growth of the digital economy.164
It is important to keep in mind that the big data revelation is, in itself, not bad for the
individual or the society. On the contrary it a great value to society to have the ability to
examine big data to uncover hidden patterns, unknown correlations, customer preferences,
market, social and health trends, and other useful information that can provide deeper insight
into our society and help organizations make more informed decisions.
Deb Roy’s 2013 study of his child’s language development provides good insight into the
potential’s revelations and positive outcome from personal data processing. Deb used over-
head cameras to record and map all sounds from his family’s domestic environment during
the first years of their child’s development. The purpose was to understand how we learn a
language, in context, through the words we hear. The study allowed for the precise tracking
and identification of every utterance spoken in both space and time. The study revealed the
spatial clustering of certain words, such as the word "water" in the architectural context of the
kitchen. Learning of a word is not achieved by reputation but rather the context within which
the words are used when they are heard by the child, e.g. how and where. Words heard in
more various contexts will be learned first. In this way predicting first words was possible.165
Imagine in today's society when individuals are using Google Home, ….
The negative effect that users and the society can receive from the issue of contractual
clauses giving online service providers the right to process user's data for marketing purposes
has recently become apparent in the Facebook-Cambridge Analytica scandal where a re-
searcher under his private company (GSR), developed and availed a personality quiz app,
164 Marketers later use of personal data can, similarly, be viewed from opposing poles. For example, when the personal data is used to personalize digital services, {vs. filter bubble}. 165 A Plus. “What One Dad Learned When He Recorded 230,000 Hours of His Son Learning to Talk.”
29
through Facebook’s platform as an online research survey. As indicated in the ‘fine print’,166
upon installing the app on their Facebook account, the app would collect psychographic in-
formation about participant for academic purposes.
Although less than 300,000nd agreed, Facebook's design allowed the app to collect infor-
mation from all users in every participant's Facebook social network, without their consent,
consequently, enabling GSR to acquire data from approx. 72 million Facebook users. The
psychographic data,167 with or without consent for academic purposes, was then sold to Cam-
bridge Analytica to use for political and commercial purposes. The data was used to advance
US presidential candidates and is claimed to have been used thereafter in e.g. Trump’s cam-
paign, Brexit referendum.168
5 The ‘Transparent’ Potential of Data Subjects Empowerment 5.1 Preliminary Remarks
Transparency, when applied in practice by marketers, empowers data subjects to hold market-
ers accountable and to exercise control over their personal data, e.g. by providing or with-
drawing informed consent as well as to carry out any of data subjects’ rights mentioned in
chapter two.169 Regretably however, the digital environment is not characterized by fairness
or transparency, it has traditionally been ignorant of data subject privacy related interested
and rights.170
5.2 Forms of Productive and Transparent Practices
In particular, children should be fully aware of the possible consequences when they first sign
up to social networks. All information on the protection of personal data must be given in a
clear and intelligible way – easy to understand and easy to find.
These rights are enhanced when transparency is not use-dependant. Transparency irre-
spective of use allows for access to, and control over data subjects personal data no matter in
166 certain preferences and users Facebook social network, 167 Where conventional political advertising uses crude demographic factors like age and ZIP code to target advertising, Cambridge supposedly used a technique called psychographics, which involves building a detailed psychological profile of a user that will allow a campaign to predict exactly what kind of appeal will be most likely to convince any particular voter. https://arstechnica.com/tech-policy/2018/03/facebooks-cambridge-analytica-scandal-explained/ 168 Case no. 01725, N.D. Cal. 3:18, Case no 01732, N.D. Case Cal. D. Del. 5:18, CA 169 WP29, Guidelines on Transparency under GDPR, 5. See, for example, the Opinion of Advocate General Cruz Villalon (9 July 2015) in the Bara case (Case C-201/14) at paragraph 74. (mögulega reifa eða kvóta) 170 Online platforms and the digital single market p. 63.
30
which way a digital product or service is used. Google enhances data subjects’ rights when it
allows data subjects access to all their personal data which has been collected by Googles
Gmail services during data subjects use of the service irrespective whether it was through the
Gmail website or the Gmail mobile app. Similarly, data subjects should have access as well as
control over their personal data collected by Google irrespective of the data being collected
during use of any other particular goggle service.171
It is easier for companies to personalise privacy notices when data subjects are allowed to
manually adjust their privacy settings. When Facebook allows data subjects to choose, via
privacy dashboard, not to see ads outside of Facebooks platform that are based on data sub-
jects activities on Facebooks Company Products, Facebook can exclude information that re-
flects that use in their privacy notice their by personalising notices by reflecting only the types
of processing occurring for that particular data subject.172
5.3 Use of Data as Unfair Commercial Practice
The UCPD prohibits any unfair commercial practices,173 either under all circumstances174 or
belonging to one of three categories of practices that lead to a consumer making a “transac-
tional decision”175 and are subject to a “fairness” test, these are aggressive practices,176 prac-
tices that mislead consumers by action,177 or by omission.178 Lastly, any commercial practices
deemed unfair if contrary to professional diligence and likely to result in a consumer decision
that would not otherwise have taken.179 Those practices are unfair if they restrict user freedom
of choice through coercion, harassment, or undue influence, and are likely to result in a con-
sumer making a transactional decision he would not have otherwise taken.180 Therefore, the
commercial practices discussed, i.e. advertising, performed within an digital platform and
171 WP29, Guidelines on Transparency under GDPR, 22. 172 Ibid. 173 ‘Commercial practices’ is defined as “any act, omission, course of conduct or representation, commercial communication including advertising and marketing, by a trader, directly connected with the promotion, sale or supply of a product to consumers,” cf. UCPD, art. 2(d). 174, Thirty-one commercial practices (contained in the Annex) are deemed unfair and prohibited under all circumstances, cf. UCPD, art. 5(5), Annex I. 175 A transactional decision is, amongst others, a decision to purchase or make payment, cf. UCPD, art. 2(k) 176 UCPD, art. 5(4)(b). 177 UCPD, art. 6 (false or inaccurate information) 178 UCPD, art. 7 (non-provision of information that the consumer needs to make a decision). 179 UCPD, art. 5(2). . Issues of fairness linked with (i) the use of product or service as an advertising medium for third-party advertising, (ii) or as media for their own products or service as the subject matter of advertising, (iii) which type of targeting advertising technic or personalisation of search results, the device used and the data subject. 180 UCPD, art. 8.
31
aimed at convincing consumers to purchase an in-platform product can lead to a transactional
decision, thereby falling within the UCPD. Same applies to where the commercial practice
aims at ‘pushing’ consumers to use a free product or service, which does not initially involve
any purchase or payment.181
Google could be said to employ these commercial practices. Firstly, by serving ‘interest-
based ads’ on apps and software belonging to the Google Display Network, aimed at buying
in-network products, such include remarketed ads see graph.182 These ‘interest-based ads’ are
selected on the basis of information such as what user browsed, the way of interacting with
sites and software, location, demographics and more.
Secondly, by personalising search results on their Search Network as well as search en-
gine optimization and prominent placements, of paid or interest-based material or favouring
their own products and services. Although Googles search result algorithm is a highly kept
secret an recent study by x concluded that an average, 11.7% of Google Web Search results
and the highest personalization was queries related to political issues, news, and local busi-
nesses.183 in performing these practises and essentially by creating a filter bubble, Google
could be exploiting its position of power in a way which significantly limits the consumer's
ability to make an informed decision.184 In fact, Google has been penalised for breach of EU
antitrust rules by abusing its market dominance as a search engine by giving an illegal advan-
tage to another Google products thereby denying other companies the chance to compete on
the merits and to innovate. Furthermore, it denied consumers a genuine choice of services and
the full benefits of innovation.185
Another situation which can give rise to unfair commercial practices includes where a col-
lector exploits personal data revealing specific misfortune or circumstance of such gravity as
to impair the consumer’s judgement, to influence the consumer’s decision with regard to ser-
vice or product.186
181 The European Commission and the UK Office of Fair Trading favour a broad interpretation and therefore “[a] commercial practice may be considered unfair not only if it is likely to cause the average consumer to purchase or not to purchase a product but also if it is likely to cause the consumer to enter a shop” also OFFICE OF FAIR TRADING, ONLINE TARGETING OF ADVERTISING AND PRICES, 6. 182 https://services.google.com/fh/files/misc/analytics_360_product_overview.pdf 183 Hannák etc. “Measuring Personalization of Web Search,“ 2. 184 Cf. UCPD, art. 2(j). 185 http://europa.eu/rapid/press-release_IP-17-1784_en.htm. 186 Cf. UCPD, art. 9(c). App-solutely Protected? The Protection of Consumers Using Mobile Apps in the European Union Christiana Markou* and Christine Riefa
32
6 Conclusion The deployment of the notion of control by EU institutions as a tool for data subjects to man-
age their privacy differs from common scholarly literature where the notion of control has
often been conceptualised in certain ways, notably as one of the foundations of privacy.
Through an examination of the material produced by the EU regulator, the dominant rhetoric
can be said to take a uniquely entangled approach to the notion of control where as it encom-
passes both subjective and structural agents.
The EU regulator appears to have recognised, or at least feels compelled to recognise, that
duo to the digital design, notably its complexity, for subjects to be able to ‘effectively exer-
cise control’ (i.e. through use of these ‘micro rights’) providing the micro rights themselves is
insufficient, rather a set of ‘structural measures’ must be placed within the digital environ-
ment that ensures its reliability and effectiveness, as technical solutions facilitate more effec-
tive and sufficient means of making data subjects aware and empowered to exercise control.
Control can be assisted by the principal of fairness both in the GDPR as well as through
different interplaying legal instruments
33
7 Table of reference 7.1 A. Books and journal articles
A Plus. “What One Dad Learned When He Recorded 230,000 Hours Of His Son Learning
To Talk.” Last modified 12 April 2018. https://aplus.com/a/deb-roy-recorded-son-learning-
talk?no_monetization=true.
Bygrave, Lee A. Data Privacy Law: An International Perspective. First edition, Vol. 63.
Oxford: Oxford University Press, 2014. ISBN 978-0-19-967555-5.
Bygrave, Lee A. "Data Protection by Design and by Default: Deciphering the EU’s Legis-
lative Requirements" (DP by design and default). Oslo Law Review 4, no. 02 (2017): 105-
120. SISN online: 2387-3299.
Deng, Mina, Kim Wuyts, Riccardo Scandariato, Bart Preneel, and Wouter Joosen. "A pri-
vacy threat analysis framework: supporting the elicitation and fulfillment of privacy require-
ments." Requirements Engineering 16, no. 1 (2011): 3-32.
Deng et al., “A privacy threat analysis framework”,
Chen, Yongxi and Cheung, Anne S. Y., The Transparent Self Under Big Data Profiling:
Privacy and Chinese Legislation on the Social Credit System (June 26, 2017). Vol. 12, No. 2,
The Journal of Comparative Law (2017) 356-378; University of Hong Kong Faculty of Law
Research Paper No. 2017/011. Available at SSRN: https://ssrn.com/abstract=2992537 or
http://dx.doi.org/10.2139/ssrn.2992537.
Corrales M., Fenwick M., Forgó N. (2017) Disruptive Technologies Shaping the Law of
the Future. In: Corrales M., Fenwick M., Forgó N. (eds) New Technology, Big Data and the
Law. Perspectives in Law, Business and Innovation. Springer, Singapore
https://doi.org/10.1007/978-981-10-5038-1_1.
CXL. “How Data-Driven Marketers Are Using Psychographics.” Last modified 11 Au-
gust, 2017. https://conversionxl.com/blog/psychographics/.
34
D’Agostino, Elena. Contracts of Adhesion between Law and Economics: Rethinking the
Unconscionability Doctrine. SpringerBriefs in Law. Springer International Publishing, 2015.
DOI 10.1007/978-3-319-13114-6. (Contracts of adhesion).
Degeling, Martin, Christine Utz, Christopher Lentzsch, Henry Hosseini, Florian Schaub,
and Thorsten Holz. “We Value Your Privacy ... Now Take Some Cookies: Measuring the
GDPR’s Impact on Web Privacy” (Cookies: Measuring GDPRs Impact). Proceedings 2019
Network and Distributed System Security Symposium, 2019.
https://doi.org/10.14722/ndss.2019.23378.
Malbon, Justin, Online Cross-Border Consumer Transactions: A Proposal for Developing
Fair Standard Form Contract Terms (November 22, 2013).
http://dx.doi.org/10.2139/ssrn.2413289.
Forbs. “How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did.” Last
modified 16 February 2012. https://www.forbes.com/sites/kashmirhill/2012/02/16/how-
target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/#60bb8ac26668.
Hannák, Anikó, Piotr Sapieżyński, Arash Molavi Khaki, David Lazer, Alan Mislove, and
Christo Wilson. „Measuring Personalization of Web Search". ArXiv e-prints 1706 (1. June
2017): arXiv:1706.05011.
Hansen, Marit, Eleni Kosta, Igor Nai Fovino, and Simone Fischer-Hübner, eds. Privacy
and Identity Management. The Smart Revolution - 12th IFIP WG 9.2, 9.5, 9.6/11.7, 11.6/SIG
9.2.2 International Summer School, Ispra, Italy, September 4-8, 2017, Revised Selected Pa-
pers. Vol. 526. IFIP Advances in Information and Communication Technology. Springer,
2018. doi:10.1007/978-3-319-92925-5.
Hervé Jacquemin, Digital Content and Sales or Service contracts under EU Law and Bel-
gian/French Law, 8 (2017) JIPITEC 27 para 1. page 27.
Leenes, Ronald, Rosamunde van Brakel, Serge Gutwirth, and Paul De Hert, eds. Data
Protection and Privacy: (In)Visibilities and Infrastructures. Vol. 36. Law, Governance and
Technology Series. Cham: Springer International Publishing, 2017.
35
https://doi.org/10.1007/978-3-319-50796-5.
Kosta, Eleni. Consent in European Data Protection Law (Consent: EU DP). Vol. 3. 3
vols. Nijhoff Studies in EU Law. Brill, 2013. https://doi.org/10.1163/9789004232365.
N. Forgó et al. (2017) The Principle of Purpose Limitation and Big Data. In: Corrales M.,
Fenwick M., Forgó N. (eds) New Technology, Big Data and the Law. Perspectives in Law,
Business and Innovation. Springer, Singapore https://doi.org/10.1007/978-981-10-5038-1_1.
Lazaro, Christophe and Le Métayer, Daniel, Control over Personal Data: True Remedy or
Fairy Tale? (June 1, 2015). SCRIPT-ed, Vol. 12, No. 1, June 2015. Available at SSRN:
https://ssrn.com/abstract=2689223
Forgó, Nikolaus, Stefanie Hänold and Benjamin Schütze. “The Principle of Purpose Limi-
tation and Big Data,” in New Technology, Big Data and the Law. M. edited by Marcelo Cor-
rales, Mark Fenwick, Nikolaus Forgó. 17-42. Perspectives in Law, Business and Innovation.
Singapore: Springer, 2017. DOI 10.1007/978-981-10-5038-1_2
Voigt, P., and A. von dem Bussche. The EU General Data Protection Regulation (GDPR):
A Practical Guide. Springer International Publishing, 2017.
https://books.google.no/books?id=cWAwDwAAQBAJ.
Victor Morel, Daniel Le Métayer, Mathieu Cunche, Claude Castelluccia. Enhancing
Transparency and Consent in the IoT. IWPE 2018 - International Workshop on Privacy Engi-
neering, Apr 2018, London, United Kingdom. IEEE, pp.116-119, Proceedings of the Interna-
tional Workshop on Privacy Engineering (IWPE 2018). <10.1109/EuroSPW.2018.00023>.
<hal-01709255v2> (Morel et al., IoT: Enhancing Transparency and Consent).
Bygrave, Lee A. "Data Protection by Design and by Default: Deciphering the EU’s Legis-
lative Requirements." Oslo Law Review 4, no. 02 (2017): 105-120. SISN online: 2387-3299
Wolters, P. T. J. “The Control by and Rights of the Data Subject Under the GDPR.” Jour-
nal of Internet Law, 22, no. 1 (2018): 7-18, ISSN: 1094-2904
https://repository.ubn.ru.nl/handle/2066/194516.
36
Information Commissioner’s Office (ICO) Data protection by design and default.
(2018https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-
gdpr/accountability-and-governance/data-protection-by-design-and-default/2018). Accessed:
2018-08-30.
‘The REAL Difference Between Marketing & Advertising’. MarketingProfs. Accessed 30
November 2018. http://www.marketingprofs.com/2/mccall5.asp.
Moerel, Lokke and Prins, Corien, Privacy for the Homo Digitalis: Proposal for a New
Regulatory Framework for Data Protection in the Light of Big Data and the Internet of Things
(May 25, 2016). Available at SSRN: https://ssrn.com/abstract=2784123 or
http://dx.doi.org/10.2139/ssrn.2784123
Hartzog, Woodrow. The Case Against Idealising Control. European Data Protection Law
Review. Volume 4, Issue 4 (2018), pp. 423 – 432. DOI:
https://doi.org/10.21552/edpl/2018/4/5
Datatilsyet, Personal data in exchange for free services: an unhappy partnership? (PII in-
exchange for VAS), (28 January 2016)
https://www.datatilsynet.no/globalassets/global/english/privacy-trends-2016.pdf
Export Citation
7.2 B. Report and other documents
7.2.1 Independent EU Data Protection and Privacy Advisory Bodies
Article 29 Data Protection Working Party, Guidelines on Consent under Regulation
2016/679, (2017) WP 259.
Article 29 Data Protection Working Party (2015), Cookie Sweep Combined Analysis –
Report, WP 229.
Article 29 Data Protection Working Party, Opinion 1/2010 on the concepts of "controller"
37
and "processor", (16 February 2010) WP 169, 00264/10/EN. (WP29, Opinion: “controller"
and "processor").
Article 29 Data Protection Working Party, Opinion 8/2014 on the on Recent Developments on
the Internet of Things, (16 September 2014) WP 223. (WP29, Opinion on IoT Development).
Article 29 Data Protection Working Party (2004) Opinion 4/2004 on the processing of
personal data by means of video surveillance, 11750/02/EN, WP 89, Brussels, 11 Feb 2004
Article 29 Data Protection Working, Opinion 4/2017 on the Proposal for a Directive on
certain aspects concerning contracts for the supply of digital content,
Article 29 Data Protection Working Party, Opinion 01/2017 on the proposal for a regulation
of the ePrivacy Regulation (WP247, 4.4.2017). (WP29, Opinion on ePR proposal).
Article 29 Data Protection Working Party, Opinion 4/2007 on the concept of personal data,
20 June 2007 (WP136) 01248//07/EN. (WP29, Opinion on Personal Data).
Article 29 Data Protection Working Party, Opinion 03/2016 on the evaluation and review of
the ePrivacy Directive (2002/58/EC), (19 July 2016) WP 240. (WP29, Opinion on evaluation
and review of ePD).
Article 29 Data Protection Working Party, Opinion 5/2005 on the use of location data with a
view to providing value-added services (2130/05/EN), Peter Schaar, (25 November 2005) WP
115. (WP29, Opinion on location data: value-added services).
Article 29 Data Protection Working Party, Guidelines on Transparency under Regulation
2016/679, 11 April 2018 (WP260 rev.01, 29 November 2017) 17/EN. (WP29, GDPR Guide-
lines: Transparency).
European Data Protection Supervisor, Opinion 5/2016 Preliminary EDPS Opinion on the
review of the ePrivacy Directive (2002/58/EC) (Opinion on review of ePD), (22 July 2016)
Digital Agenda: Commission refers UK to Court over privacy and personal data protec-
tion, (IP/10/1215).
38
Deloitte, Evaluation and Review of Directive 2002/58 on Privacy and the Electronic
Communication Sector (Evaluation of ePD), SMART 2016/0080 (European Commission
2017).
7.2.2 European Commission
European Commission - PRESS RELEASES - Press Release - Digital Agenda: Commis-
sion Closes Infringement Case after UK Correctly Implements EU Rules on Privacy in Elec-
tronic Communications’.
COMM/PRESS/01, ‘Digital Agenda: Commission Closes Infringement Case after UK
Correctly Implements EU Rules on Privacy in Electronic Communications’ (europa, 26 Janu-
ary 2012) <http://europa.eu/rapid/press-release_IP-12-60_en.htm> accessed 14 November
2018
‘European Commission - PRESS RELEASES - Press Release - Digital Agenda: Commis-
sion Closes Infringement Case after UK Correctly Implements EU Rules on Privacy in Elec-
tronic Communications’ <http://europa.eu/rapid/press-release_IP-12-60_en.htm> accessed 14
November 2018.
European Commission (2016) European Commission launches EU-U.S. Privacy Shield:
stronger protection for transatlantic data flows. 12 July 2016, IP/16/2461.
http://europa.eu/rapid/press-release_IP-16-2461_en.htm. Accessed 10 September 2018.
Summary of Commission decision of 27 June 2017 relating to a proceeding under Article
102 of the Treaty on the Functioning of the European Union and Article 54 of the EEA
Agreement (Case AT.39740 — Google Search (Shopping)) (notified under document number
C(2017) 4444)
COMMISSION DECISION of 27.6.2017 relating to proceedings under Article 102 of the
Treaty on the Functioning of the European Union and Article 54 of the Agreement on the
European Economic Area (AT.39740 - Google Search (Shopping))
39
Commission (EC), Guidance on Unfair Commercial Practices
https://webgate.ec.europa.eu/ucp/public/index.cfm?event=public.guidance.browse&article
=article-14&elemID=74#article-14; see also OFFICE OF FAIR TRADING, ONLINE TAR-
GETING OF ADVERTISING AND PRICES 6, 1.11 (2010), available at
http://webarchive.nationalarchives.gov.uk/20140402142426/http:/www.oft.gov.uk/shared_oft
/business_leaflets/659703/OFT1231.pdf.
Commission Case AT.39740 Google Search (Shopping), decision of 27 June 2017 avail-
able at http://ec.europa.eu/competition/antitrust/cases/dec_docs/39740/39740_14996_3.pdf.
For further information see IP/17/1784 of 27 June 2017 available at
http://europa.eu/rapid/press-release_IP-17-1784_en.htm and MEMO/17/1785 of 27 June 2017
available at http://europa.eu/rapid/press-release_MEMO-17-1785_en.htm.
Commission Decision relating to proceedings under Article 102 of the Treaty on the
Functioning of the European Union and Article 54 of the Agreement on the European Eco-
nomic Area (AT.39740 - Google Search (Shopping)), OJ C 9, January 12 2018.
Commission (EC), Stronger protection, new opportunities - Commission guidance on the
direct application of the General Data Protection Regulation as of 25 May 2018, COM (2018)
43 final.
Communication from the Commission to the European Parliament, the Council, the Eco-
nomic and Social Committee and the Committees of the Regions, A comprehensive approach
on personal data protection in the European Union, COM(2010) 609 final, Brussels, 4 Nov
2010, available at http://ec.europa.eu/justice/news/consulting public/0006/com 2010 609
en.pdf. (Commission (EC), comprehensive approach on personal data protection)
Communication from the Commission to the European Parliament, the Council, the Eco-
nomic and Social Committee and the Committees of the Regions, Safeguarding Privacy in a
Connected World: A European Data Protection Framework for the 21th Century, COM
(2012) 9 final, Brussels, 25 Jan 2012, available at http://eur-lex.europa.eu/legalcontent/.
(Commission (EC), Safeguarding Privacy in a Connected World)
40
Commission, Online Platforms and the Digital Single Market: Opportunities and Chal-
lenges for Europe (Online platforms: Opportunities and Challenges), (Communication) COM
(2016) 288 final. 25.5.2016
Commission, Online platforms: Opportunities and Challenges, []
Commission, Internet of Things: An action plan for Europe (IoT: Action plan), (Com-
munication) COM (2009) 278 final.
Commission, A Digital Single Market Strategy for Europe - Analysis and Evidence: Ac-
companying the document Communication from the Commission to the European Parliament,
the Council, the European Economic and Social Committee and the Committee of the Regions
on a Digital Single Market Strategy for Europe (DSM Strategy for EU), (internal procedure)
SWD (2015) 100 final.
Commission, DSM Strategy for EU.
Commission, Completing a trusted Digital Single Market for all: The European Commis-
sion's contribution to the Informal EU Leaders' meeting on data protection and the Digital
Single Market in Sofia on 16 May 2018 (Completing a trusted DSM), (Communication)
COM (2018) 320 final. 25.5.2016
Commission, Completing a trusted DSM
Commission, “The Top 20 EU achievements 2014-2019 (ANNEX III) Europe in May 2019:
Preparing for a more united, stronger and more democratic Union in an increasingly uncertain
world” (EU in May 2019: Top 20 Achivements) a part
The concept of privacy consists of the three main features secrecy, anonymity, and soli-
tude. In particular the value attached to information varies with respect to the individual to
which the information relates who generally has a higher interest in its secrecy than a poten-
tial by stander. However, privacy is valuable not only to the individual but also to functioning
democratic political system and all individuals there in as it provides as exclusion in which
democracy can grow
Weber, R.H.,“How does Privacy change in the Age of the Internet?”, in: Fuchs, C.,
Boersma, K., Albrechtslund, A. and Sandoval, M., eds., Internet and Surveillance, Routledge,
41
2011, 274. 9 Regan, P.M., Legislating privacy: Technology, Social Values and Public Policy,
University of North Carolina Press, Chapel Hilland London, 2009, 225
Digital Agenda: Commission closes infringement case after UK correctly implements EU
rules on privacy in electronic communications, EUROPEAN COMMISSION (Jan. 26, 2012),
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/12/60&type =HTML. Com-
mission refers UK to Court over privacy and personal data protection
(IP/10/1215)
“European Commission - PRESS RELEASES - Press Release - Digital Agenda: Commis-
sion Refers UK to Court over Privacy and Personal Data Protection.” Case breifing. Accessed
November 14, 2018. http://europa.eu/rapid/press-release_IP-10-1215_en.htm.
“European Commission - PRESS RELEASES - Press Release - Digital Agenda: Commis-
sion Refers UK to Court over Privacy and Personal Data Protection.”
European Commission, Vice-President of the European Commission, EU Justice Com-
missioner, Viviane Reding, PRESS RELEASE: The EU Data Protection Reform 2012: Mak-
ing Europe the Standard Setter for Modern Data Protection Rules in the Digital Age, 22
January 2012, SPEECH/12/26, available online at
<europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/12/26>(accessed 12 November
2014).
As Viviane Reding commented,‘[p]ersonal data is the currency of today’s digital market.’
Reding, “The EU Data Protection Reform 2012”
Reding, Viviane. Data Protection Day 2014: "Full Speed on EU Data Protection Reform"
(EU DP Full Speed), European Commission Brussels, (27 January 2014) MEMO/14/60
Reding, Viviene. “The EU Data Protection Reform 2012: Making Europe the Standard
Setter for Modern Data Protection Rules in the Digital Age.” Innovation Conference: Digital,
Life, Design, (22 January 2012) SPEECH/12/26 available at
42
http://ec.europa.eu/commission_2010-2014/reding/pdf/speeches/s1226_en.pdf.
Reding Viviane., “Your data, your rights: Safeguarding your privacy in a connected
world”, SPEECH/11/183, Europa (16 March 2011), available at available online at
europa.eu/rapid/press-release_SPEECH-11-183_en.htm>(accessed10September2014
Privacy Platform "The Review of the EU Data Protection Framework"
Executive Summary of the preliminary Opinion of the European Data Protection Supervi-
sor on the review of the ePrivacy Directive (2002/58/EC).
Opinion of the European Economic and Social Committee on the ‘Proposal for a Regula-
tion of the European Parliament and of the Council concerning the respect for private life and
the protection of personal data in electronic communications and repealing Directive
2002/58/EC (Regulation on Privacy and Electronic Communications)’ (COM(2017) 10 final
— 2017/0003 (COD)) OJ C 345, 13.10.2017, p. 138–144
Mańko, Rafal, “Contracts for the supply of digital content and digital services”, EU legis-
lation in progress (Briefing), 3 ed. EPRS, 19 February 2018, PE 614.707, available at:
http://www.europarl.europa.eu.
Office of Fair Trading, Online targeting of advertising and prices: A market study. (May,
2010). OFT 1231, available at
https://webarchive.nationalarchives.gov.uk/20140402175024/http://www.oft.gov.uk/OFTwor
k/markets-work/online-targeting
Ariel Ezrachi and Maurice Stucke, Online Platforms and the EU Digital Single Market.
(Written Evidence), (data.parliament.uk, 16 October 2015) OPL0043, available at
http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/eu-
internal-market-subcommittee/online-platforms-and-the-eu-digital-single-
market/written/23223.html
43
Farivar, Cyrus, “Cambridge Analytica breach results in lawsuits filed by angry Facebook
users: ‘Facebook lies within the penumbra of blame’, Maryland woman claims” (lawsuits
filed by angry Facebook users), published 23 March 2018, https://arstechnica.com/tech-
policy/2018/03.com
Ezrachi and Stucke, ‘Written Evidence (OPL0043) Online Platforms and the EU Digital
Single Market’. (Governmental database: Parliament of the United Kingdom),
Mańko, Rafal, “Contracts for the supply of digital content and digital services”, EU legis-
lation in progress (Briefing), 3 ed. EPRS, 19 February 2018, PE 614.707, available at:
http://www.europarl.europa.eu.
House of Lords Select Committee on European Union, Online Platforms and the Digital
Single Market (10th report, session 2015-2016, HL paper 129) Volume II: Oral and written
evidence <https://publications.parliament.uk/pa/ld201516/ldselect/ldeucom/129/129.pdf>
House of Lords Select Committee on European Union. “Online Platforms and the Digital
Single Market.” Volume II: Oral and written evidence. Volume II: Oral and Written Evi-
dence. house of lords, April 20, 2016.
https://publications.parliament.uk/pa/ld201516/ldselect/ldeucom/129/129.pdf.
8 Table of abbreviations Article 29 Working Party .................................................................................................. WP29
European Union...................................................................................................................... EU
Digital Single Market .......................................................................................................... DSM
European Commission ........................................................................................................... EC
the Charter of Fundamental Rights .......................................................................................CFR
the European Convention on Human Rights..................................................................... ECHR
the Treaty on the Functioning of the European Union.................................................................
TFEU
Proposal for a regulation concerning e-communications and data protection ........................... 5
Proposal for a Regulation on Electronic Communication............................................................
44
5
European General Data Protection Regulation (EU) 2016/679 ....................................... GDPR
the e-Privacy Directive 2002/58/EC ...................................................................................e-PD
Proposal for a Directive of concerning contracts for the supply of digital content ....... pSDCD
the e-commerce Directive 2000/31/EC ................................................................................ ECD
the European Court of Human Rights ............................................................................... ECHR
The European Court of Justice ........................................................................................... CJEU
Over the Top Services .......................................................................................................... OTT
Internet of Things ................................................................................................................... IoT
Terms of Use ToU
Information Society Service .................................................................................................. ISS
public e-communication service provider .................................................................................. 5
Information and Communication Technology ...................................................................... ICT
Terms and Conditions (standard contract terms) .............................................................. T&Cs
Unfair Commercial Practices Directive 2005/29/EC ....................................................... UCPD
Standard Contractual Clause .................................................................................................SCC
Data Protection Supervisor....................................................................................................DPS
Privacy-Enhancing Technologies........................................................................................ PETs
Staff working document ..................................................................................................... SWD
45
9 Table of legal instruments
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of natural persons with regard to the processing of personal data and
on the free movement of such data, and repealing Directive 95/46/EC (General Data Protec-
tion Regulation), Pub. L. No. L 119/1, OJ L 119, 4.5.2016, pp. 1–88 88 (2018).
Treaty of the Functioning of the European Union, opened for signature 7 February 1992,
[2009] OJ C 115/199 (entered into force 1 November 1993) (‘TFEU’).
Consumer Rights Directive
Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011
on consumer rights, amending Council Directive 93/13/EEC and Directive 1999/44/EC of the
European Parliament and of the Council and repealing Council Directive 85/577/EEC and
Directive 97/7/EC of the European Parliament and of the Council, OJ L304/64
Data Protection Directive
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on
the protection of individuals with regard to the processing of personal data and on the free
movement of such data, OJ L281/31
European Electronic Communications Code
Final text of the proposal for a Directive establishing the European Electronic Communi-
cations Code, as adopted by the European Parliament on 14 November 2018.
ePrivacy Directive
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002
concerning the processing of personal data and the protection of privacy in the electronic
communications sector, OJ L201/37
ePrivacy Regulation
Proposal for a Regulation of the European Parliament and of the Council concerning the
respect for private life and the protection of personal data in electronic communications and
46
repealing Directive 2002/58/EC, COM/2017/010
Framework Directive
Directive 2001/21/EC of the European Parliament and of the Council of 7 March 2002 on
a common regulatory framework for electronic communications networks and services as
amended by Regulation (EC) No 717/2007 of the European Parliament and of the Council of
27 June 2007 on roaming on public mobile telephone networks within the Community and
Regulation (EC) No 544/2009 of the European Parliament and of the Council of 18 June 2009
amending Regulation (EC) No 717/2007 and Directive 2002/21/EC and Directive
2009/140/EC of the European Parliament and of the Council of 25 November 2009 amending
Directives 2002/21/EC, 2002/19/EC and 2002/20/EC
GDPR
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of natural persons with regard to the processing of personal data and
on the free movement of such data and repealing Directive 95/46/EC (General Data Protec-
tion Regulation), OJ L119/1
Regulation
Regulation (EU) 2015/2120 of the European Parliament and
10 Table of cases
Barnes & Nobel
CJEU British Gas Trading case
CJEU, El Majdoub
Register v. Verio
The Netscape case
ECJ, judgment of 13 May 2014, Google Spain and Google (C-131/12, EU:C:2014:317).
ECJ, judgment of 1 October 2015, Bara and Others (C‑201/14, ECLI:EU:C:2015:638)
Order of the Court (Eighth Chamber) of 23 October 2018 — Council départemental de
l’ordre des chirurgiens-dentistes de la Haute-Garonne
(Case C-296/18)
47
Glossary of Terminology abbreviations, and acronyms , Data Subjects Participation and Control i, 5
form of marketing that has a high risk of negatively affecting individuals and society. For
example, Google search result is tailored using the personal data they have collected on an
individual such as recent searches, location country and langued. Solely, collecting basic
information like location and using it as a factor in individuals search results can have ma-
jor consequences 8, 9
Indirect and Direct marketing 8
Internet of Things 1
Over the Top Services 10
Providers of Information Society Services 2, 22
publicly available Electronic Communication Services providers 12
Terms of Use 3, 5, 19, 20, 22
European Courts
4, 19, 22
Internationally known Abbreviations and Acronyms central mews network 9
Guest ID number 10
Opinions and Executive Summaries of relavant European Authorities or
Similar DPA's
Executive Summary of the preliminary Opinion of the European Data Protection Supervisor
on the review of the ePrivacy Directive (2002/58/EC) 13
Opinion 4/2017 on the Proposal for a Directive on certain aspects concerning contracts for the
supply of digital content, 20
the proposal for a regulation (WP247, 4.4.2017, opinion 01/2017) , the Article 29 Working
Party 13