Research Article: 2024 Vol: 27 Issue: 3S
Rong Han, Beijing Normal University
Na Jiang, Beijing Normal University
Citation Information: Han R., Jiang N., (2024). The integration of personal data protection into consumer law in EU digital markets. Journal of Legal, Ethical and Regulatory Issues, 27(S3), 1-6.
The data-driven economy has greatly changed the way of business and consumption in the digital markets. Many companies make full use of data to profile their customers, expand their business, improve their services and turnovers; consumers are paying the goods, services, and digital contents, not just with money, but also their personal data.1 The widely collection and process of personal data in business to customer (B2C) transactions could potential harm the interests of consumers (Helberger, 2016), including but not limited to the infringement of their consumer rights, personal data rights and other fundamental rights. For example, Wallmark Marie. et al (2018) found that processing massive amount of personal data for the sake of providing personalised price was regard as unfair and manipulative by consumers.2 These issues are pressing and require an appropriate legal response to ensure the sustainable and consumer-friendly growth of the digital economy (Wallmark, 2018).
Given the mixed attributes of these issues, the personal data protection law and consumer law could possibly offer a solution for them. Although the competition law might be helpful as well by regulating the digital markets, it is more of an indirect solution for consumers. Aiming to empower consumers to better enforce consumer rights and personal data rights in digital markets, this essay will analysis these issues mainly from the perspective of consumer law and personal data protection law.
My claim is that to achieve a high level of consumer protection, the consumer law should make a further step to integrate personal data protection into consumer rights given the importance of the personal data in B2C transactions and their inextricable link to consumer welfare. The first part will examine the convergence of personal data protection and consumer law; then potential approaches to incorporating personal data protection into consumer law will be explored, which encompass the integration of fairness principles, obligations and remedies; last, this essay will conclude with a brief summary.
With the integration of more and more data into consumer products and services, almost every single B2C transaction involves the process of personal data which might be classified, analysed (Costa-Cabral, 2003), traded or used for other commercial exploitation.3 As a result, the personal data play a crucial rule in commercial practices, and many consumer issues become the personal data protection issues (Lynskey, 2023). Theoretically, both the personal data protection law and consumer law shall be supposed to solve these intersection issues. However, the reality is that there are still some gray areas where neither the personal data protection law nor the consumer law offers effective regulation.
The Importance of Personal Data in Commercial Practices
The personal data in commercial practices generally are directly provided by consumers for the fulfillment of consumer contract, observed by data controllers from cookies and other methods, and derived from the two former types of data and other data. They play a crucial role in the provision of goods/services, business strategies, and innovation of digital markets.
First, the B2C transactions in digital markets are inevitably to process a massive personal data of their customer for the purpose of transaction itself. The Amazon retailer is a typical example, which collects data related customers’ order, bank account, address and so on to fulfill the purchase contract. In addition to that, the personal data have economic value as well. The business model of many companies are based on harnessing the economic value of personal data (Hoofnagle, 2013). In order to gain access to large amount of personal data, the company might forego monetary payment for their digital services.4 For example, the Facebook provides free social media service for customer/users in exchange of their personal data created on the social media platform. With the large amount of personal data of users, many companies are providing personalized price and service for consumers by analyzing the data related to consumer’s behaviour, desires, interests, habits, financial situation and so on. All of the above commercial activities involved with processing personal data shall subject to the personal data protection law and consumer law.
The Gap of Personal Data Protection in Commercial Practices
In digital markets, it is the personal data protection law that deal with the fairness of consumers’ personal data processing, while the consumer law deals with the fairness of transaction. Although both of which have the goal of protecting the fundamental rights of consumers, they work independently. However, it appears that relying solely on personal data protection laws may not fully safeguard consumers’ personal data rights. There is a need for consumer law intervention to bridge this gap and better serve the interests of consumers.
The EU personal data protection law provides a framework for the protection of personal data of consumers. Particularly (O.J., 2016), the General Data Protection Regulation (GDPR)5 clarified a series of personal data rights of data subjects and obligations of data controllers/processors, as well as the enforcement mechanism. The current regulation system basically have set the line of lawful and unlawful processing of personal data in digital world. However, as Bert-Jaap Koops(2014) pointed out (Koops, 2014), the data protection law can barely stop the unnecessary personal data process in reality since the data controllers/processors are easily be able to circumvent the process restriction because of the open and fuzzy norms.6 On the top of that, the controller-based personal data protection rules in GDPR do not compatible with reality of the polycentric data controllers in digital markets, which results in the ineffective enforcement of this regulation. As Orla Lynskey(2023) pointed out, everyone is responsible means no one is responsible.7 Consequently, the personal data protection law might be unable to provide effective solutions to the excessive process of personal data of consumers. Therefore, I think it is unrealistic to solely rely on the personal data law when it comes to the protection of personal data of consumers in digital markets.
Meanwhile, the European Union has modified traditional consumer law tools to enhance consumer protection in terms of the digital services. One example is the Consumer Rights Act 2015 added ‘digital content’ element (Andrew, 2008), which requires the provision of digital goods and services shall satisfy minimum quality and other requirements.8 The Digital Content Directive9 also introduced the new legal recognition of providing personal data as a consumer’s “counter-performance” in a contractual relationship (Directive, 2019). This means the start of using consumer law to assess the fairness of contracts regarding services that are presented to the consumer as “free” (European Parliament, 2015). Except these adjustment, the consumer law did not do much about the protection of personal data of consumers. As Helberger et al (2017) argued, personal data have played only a small role in the process of amending the consumer law framework.10 Consequently, some questions still remain unanswered like how to remain the value of personal data in B2C transactions, to what extent the personal data could be commercial exploited, and what are the proper remedies for this type of contract.
Based on the above analysis, it can be concluded that: first, the personal data protection law alone is incapable of preventing or stopping that massive process of personal data in digital markets; second, the consumer law doesn’t do much to solve this problem as well. Consequently, there are still some gray areas or legal uncertainties when it comes to how to strike a balance between the excessive commercial exploitation of personal data and the protection of consumer’s fundamental rights (Svantesson, 2010). Therefore, in my opinion, the consumer law has to make a further step to fill this gap given the fact that the protection of personal data is inextricably link to interest and welfare of consumers.
Having fully acknowledged the necessity to add parameter of personal data protection into consumer law, this section will explore three possible ways to achieve this goal. The first one is the integration of fairness principle, in which the consumer law could assist the fairness of terms and conditions, commercial practice in the contractual relationship between traders and consumers; then it is suggested to include the obligation of personal personal data protection into the consumer contract for the sake of clarifying obligations beared by traders and providing better remedy options for consumers; lastly, the integration of remedy of personal data rights into consumer law could avoid remedy conflicts in two disciplines of law and help consumers to save litigation cost in claiming their personal data rights and consumer rights at the same procedure.
The Integration of Fairness Principle
The notion of fairness underpins both the regimes of personal data protection and consumer law. Given the fairness principle in personal data protection law stops at the input stage of personal data and it could be easily manipulated by data controllers, thus the consumer law could help to extend this principle to the output stage and give it more strength in application.
First, the Unfair Terms Directive can be used to assess the fairness of the contract terms related to the processing of disproportionate amounts of consumer’s personal data. Although the Recital 42 GDPR specifies that pre-formulated declarations of data subject consent should not contain unfair terms, it doesn’t give further explanation to what constitute “unfair terms”. The article 3(1) of the Unfair Contract Terms Directive thus has a role to play in this scenario, it could invalid the unfair terms which cause a significant imbalance in the parties’ rights and obligations arising under the contract, to the detriment of the consumer. For example, in 2016, the German competition authority suspects that Facebook’s terms of service are in violation of data protection law by representing an abusive imposition of unfair conditions on users.11
In addition, the Unfair Commercial Practices Directive could also help to assess the fairness of personal data gathered on the basis of consumer’s consent and other legal grounds. For example, suppose a consumer purchase a bottle of vitamin D online, he paid 20 pounds and also gave his personal data such as Email address, phone number, home address to the seller for the fulfillment of the purchase contract. If the seller obtained consent from the consumer to share his personal data with third parties and gave the consumer 20% discount to motivate this sharing behaviour, it doesn’t constitute a violation of data protection law, but might be an unfair commercial practice because the consumer might lack the full acknowledgment of all the personal data process behaviour conducted by the seller. In this case, I think it is necessary for the consumer law to intervene to assess the fairness of the 20% discount and the excessive process of personal data, reviewing whether this transaction is fair to consumer given his weaker position and incapability to protect his rights and (economic) interests.
The Integration of Obligations
The traders in digital markets usually have direct obligations of protecting personal data and consumer rights to consumers. But whether the personal data protection obligation is included in the consumer contract is unclear. For example, the current consumer protection legislation in EU does not include specific requirements mandating adequate data security. As a result, the consumer could only resort to data protection law to get remedy if the trader violated the obligation of data security in B2C transactions (Svantesson, 2018). Nevertheless, it is far from easy for consumers to get remedy based on data protection law which also offer liability exemptions for data processor and consumer.
Therefore, if the obligation of personal data protection was integrated into consumer law, consumers could claim the breach of purchase contract based on the infringement of personal data rights. In this case, the consumer could chose to get the remedy based on the consumer law, with more remedy options such as terminating the contract or asking the refund. More importantly, it is easier for consumers to claim the damage since the trader has minimum obligation to guarantee the quality of their services or products.
The Integration of Remedies
With the integration of fairness principle and obligation, the last way to extend the scope of consumer law to data-related issues is through remedy. Although the data protection law empower data subjects a series of rights and remedy measures to against unfair data processing, they are not designed for the optimal interests of consumers. For example, if data subjects objected the unlawful process behaviour of the data controller, he or she has no choice but to leave the service or products provided by the trader, which is definitely not to the optimal remedy for consumers. In such scenario, the remedy of consumer law could fill that gap.
Specifically, a deviation from what has been promised under the contract (for example that personal data are not shared with third parties) could be seen as a breach of contract. And consumers could sue the company under the consumer law if companies infringed his or her personal data rights. By doing so, the consumer law could not only add extra flexibility to the prescribed rights in data protection law, but also provide consumers with additional remedies in the infringement of personal data rights (Helberger, 2017), such as refund or termination of consumer contract.12 More importantly, it could be easier and faster for consumers to claim their personal data rights and consumer rights at the same procedure.
The personal data have become one of the most valuable assets and resources for business in digital markets. The personal data protection law such as GDPR does not give effective and efficient solutions to the ubiquitous excessive commercial exploitation of personal data. Given the inextricable link between personal data processing and B2C transactions, integrating personal data protection into consumer law is necessary to achieve a high level of consumer protection.
The consumer law, first and foremost could broaden the fairness principle by assessing whole commercial relationship between consumers and data controllers through the lens of unfair terms and conditions, unfair commercial practices. Furthermore, by integrating personal data protection obligations into consumer contract, consumer law could provide consumers with concrete contract law remedies in case of breach of personal data protection obligation.
Nevertheless, we should also bear in mind that this is not a panacea to deal with all of the issues posed by the widely process of personal data in digital markets given the shortcomings of the consumer law itself in protecting consumer rights. As Eidenmueller et al (2013) argued, the mandatory consumer rights in EU would be not fully enforced in the private or semi-private efficient consumer dispute resolution system.13 Therefore, the consumer law still need to make further advancement in regulation, enforcement acclimatize itself in the digital markets.
1Natali Helberger and Frederik Zuiderveen Borgesius and Agustin Reyna, “The Perfect Match? A Closer Look at the Relationship between EU Consumer Law and Data Protection Law” (2017) 54(5) Common Market Law Review 1, 2.
2Marie Wallmark and Eyal Greenberg and Dan Engels, “Consumer Welfare and Price Discrimination: A Fine Line” (2018) 1(1) SMU Data Science Review 1, 1.
3Francisco Costa-Cabral and Orla Lynskey, “Family ties: the intersection between data protection and competition in EU Law” (2017) 54 (1) Common Market Law Review 11, 11.
4Hoofnagle and Whittington, “Free Accounting for the Costs of the Internet’s Most Popular Price” (2014) 61 UCLA Law Review 606, 606.
5O.J. 2016, L 119/1. Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46.
6Bert-Jaap Koops, “The Trouble with European Data Protection Law” ( 2014) 4(4) International Data Privacy Law 250, 254-255.
7Orla Lynskey, “Complete and Effective Data Protection” (2023) 76(1) Current Legal Problems 297, 343.
8Andrew Murray, Information Technology Law (5th edn, OUP 2023), 488-489.
9Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services
10Natali Helberger et al(n 1), 23.
11Press Release Bundeskartellamt <http://www.bundeskartellamt. de/SharedDocs/Meldung/EN/Pressemitteilungen/2016/02_03_2016_ Facebook.html?nn¼3591568>
12Natali Helberger et al(n 1), 12.
13Eidenmueller, Horst G. M. and Fries, Martin, Against False Settlement:Designing Efficient Consumer Rights Enforcement Systems in Europe (July7,2013).
Andrew Murray, Information Technology Law (5th edn, OUP 2023).
Costa-Cabral, F., & Lynskey, O. (2017). Family ties: the intersection between data protection and competition in EU Law. Common Market L. Rev., 54, 11.
Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services.
European Parliament, Consumer Protection in the EU, PE 565.904, Sept. 2015.
Helberger, N. (2016). Profiling and targeting consumers in the Internet of Things–A new challenge for consumer law. Available at SSRN 2728717.
Indexed at, Google Scholar, Cross Ref
Helberger, N., Borgesius, F. Z., & Reyna, A. (2017). The perfect match? A closer look at the relationship between EU consumer law and data protection law. Common Market Law Review, 54(5).
Hoofnagle, C. J., & Whittington, J. (2013). Free: accounting for the costs of the internet's most popular price. UCLA L. Rev., 61, 606.
Koops, B. J. (2014). The trouble with European data protection law. International data privacy law, 4(4), 250-261.
Lynskey, O. (2023). Complete and Effective Data Protection. Current Legal Problems, 76(1), 297-344.
O.J. 2016, L 119/1. Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46.
Svantesson, D. J. B. (2018). Enter the quagmire–the complicated relationship between data protection law and consumer protection law. Computer law & security review, 34(1), 25-36.
Indexed at, Google Scholar, Cross Ref
Svantesson, D., & Clarke, R. (2010). A best practice model for e-consumer protection. computer law & security review, 26(1), 31-37.
Wallmark, M., Greenberg, E., & Engels, D. (2018). Consumer welfare and price discrimination: a fine line. SMU Data Science Review, 1(1), 14.
Received: 02-Feb-2024, Manuscript No. JLERI-24-14572; Editor assigned: 03-Feb-2024, Pre QC No. JLERI-24-14572(PQ); Reviewed: 17-Feb-2024, QC No. JLERI-24-14572; Revised: 22-Feb-2024, Manuscript No. JLERI-24-14572(R); Published: 29-Feb-2024