Is Personal Data the New Currency?

INTERNATIONAL FOCUS

Personal Data as a Tradeable Commodity in the Digitial Era: A European Perspective

Eirini Vyzirgiannaki Member of ELSA Athens

As we transition into the digital era, the traditional economic model shifts towards a data-driven one. Not only is there an enormous volume of digital data available, but also an array of advanced methods to process it and extract monetary value from it. The personal data of European citizens has the potential to be worth nearly €1 trillion annually by some estimates.1 In this light, could one argue that data is the currency of today's digital economy? Is it possible to conceptualise personal data as a tradeable commodity? Given that data protection amounts to a fundamental right in Europe, can personal data be treated as a mere economic asset? Three data-centred business strategies are prevalent in contemporary digital markets.2 In the ‘zero-price’ or ‘data as payment’ model, consumers provide their personal data in exchange for digital services or products that are otherwise advertised as free of charge. In the ‘personal data economy’ users may supply their data to businesses and obtain value from this exchange. Finally, the ‘pay for privacy’ model 1 European Commission, ‘Questions and Answers - Data protection reform package’ (24 May 2017) <https://ec.europa.eu/commission/ presscorner/detail/en/MEMO_17_1441> accessed 1 October 2021. 2 Stacy-Ann Elvy, ‘Paying for Privacy and the Personal Data Economy’ (2017) 117 Columbia Law Review 1369. requires consumers to pay a higher price if they do not consent to the collection and processing of their data, while offering discounts to those who do. Data subjects are, thus, perceived as owners of wealth that can be shared on their own terms. Consumers may supply their personal data as a means of payment, a non-pecuniary counter-performance, in agreements for digital services and content. In turn, businesses can harness the collected data to generate revenue either directly or indirectly.3 Namely, they can extract monetary value by selling or licensing it. They can also increase profit by using consumers’ data for product improvement, personalised services or offers, and targeted advertising. However, treating personal data as a non-pecuniary currency cannot accurately reflect the value exchange that occurs in a transaction. As personal data is inherently dynamic and fluid and cannot obtain a standardised value, it is challenging to quantify its commercial worth.4 Furthermore, as a non-depletable asset, it can be exploited indefinitely

3 Beate Roessler, ‘Should Personal Data Be a Tradable Good? On the Moral Limits of Markets in Privacy’ in Beate Roessler and Dorota Mokrosinska (eds), Social Dimensions of Privacy (CUP 2015). 4 Rebecca Kelly and Gerald Swaby, ‘Consumer Protection Rights and “Free” Digital Content’ (2017) 23(7) Computer and Telecommunications Law Review 165.

to generate more profit. Therefore, such data-driven transactions are often asymmetrical and consumers are likely to provide personal data whose ultimate value exceeds that of the product or service they receive in return.5 The uneven bargaining power compromises the level of protection afforded to personal data and may have a discriminatory effect.6 Privacy may become a luxury available to few, while those unable to afford it would relinquish access to their data for a discount. Similarly, individuals may be denied goods and services unless they disclose their data. In the same vein, the high level of protection granted to personal data within the European legal order limits the leeway for its commercialisation –lucrative as it may be.7 Being perceived as a projection individuality, intrinsically tied to personhood, personal data cannot be reduced to a mere commodity. The right to data protection constitutes an autonomous fundamental right; the pertinent legal framework in Europe includes Articles 7 and 8 EUCFR, Article 16 TFEU, the GDPR, Article 8 ECHR and the modernised Convention 108+ of the Council of Europe. Nevertheless, as per Recital 4 GDPR, data protection is not an absolute right but must be considered in relation to its function in society and be balanced against other fundamental rights. In this regard, the tradability of personal data is supported by the freedom to conduct business and form contracts. Notably, it is underpinned by the right to informational self-determination, which encompasses relinquishing control over one’s data. Eliminating such data-centred transactional practices would also undermine the free flow of data and the proper function markets. As the legal system allows the commercial exploitation of other incorporeal personality attributes with an economic value, such as one’s name, image and reputation,8 the commodification of personal data appears conceivable within in the European legal order. The dual nature of personal data as the subject of a protected fundamental right and as an economic good has increasingly gained normative recognition.

5 Gianclaudio Malgieri and Bart Custers, ‘Pricing Privacy – the Right to Know the Value of Your Personal Data’ (2018) 34 Computer Law and Security Review 289. 6 Giuseppe Versaci, ‘Personal Data and Contract Law: Challenges and Concerns about the Economic Exploitation of the Right to Data Protection’ (2018) 14 European Review of Contract Law 374. 7 European Data Protection Supervisor, ‘Opinion 8/2018 on the legislative package “A New Deal for Consumers”’ (5 October 2018). 8 Giorgio Resta, ‘The New Frontiers of Personality Rights and the Problem of Commodification: European and Comparative Perspectives’ (2011) 26 Tulane European and Civil Law Forum 33. With Directives 2019/770 and 2019/2161, the EU legislature expanded consumer protection to online contracts for digital services and content ‘paid’ with personal data rather than with money and, thus, acknowledged that personal data functions as a de facto price or contractual counter-performance. Yet, it stipulated that personal data cannot be reduced to a mere economic asset and shall fall in a special protective regime even when treated as a tradable commodity.9 Contract law shall apply on these transactions only in tandem with the data protection legislation. The principles shaping the European perspective on data protection, namely privacy, transparency, autonomy and non-discrimination, offer legitimate ground to restrict freedom of contract. On that premise, contractual arrangements concerning personal data shall be valid insofar as individuals retain their rights as data subjects, currently enshrined in the GDPR. Hence, even while bound by a contractual link, counterparties shall have their data processed only if a lawful basis exists and shall be able to exercise their rights to access data, withdraw consent or even ‘be forgotten’. All in all, delving into the dual nature of personal data and reframing it as a tradable commodity showcases the opportunities and challenges that accompany our transition into the digital era. Although some conceptual barriers in legal thinking may need to be broken down as we navigate this novel landscape in Europe, the way forward passes through the core principles, values and norms that underpin our legal order.

9 Václav Janeček and Gianclaudio Malgieri, ‘Data Extra Commercium’ in Sebastian Lohsse, Reiner Schulze and Dirk Staudenmayer (eds), Data as counter-performance - contract law 2.0? (Nomos 2020).