
F. Consent for the Processing of Personal Data and its Relationship to Contract (Schmidt-Kessel) in:

Alberto Franceschi, Reiner Schulze, Michele Graziadei, Oreste Pollicino, Federica Riente, Salvatore Sica, Pietro Sirena (Ed.)

Digital Revolution - New Challenges for Law, page 75 - 83

Data Protection, Artificial Intelligence, Smart Products, Blockchain Technology and Virtual Currencies

1. Edition 2020, ISBN print: 978-3-406-74387-0, ISBN online: 978-3-406-75904-8, https://doi.org/10.17104/9783406759048-75

Series: Beck International

PART 3
THE PROCESSING OF PERSONAL DATA

F. Consent for the Processing of Personal Data and its Relationship to Contract[1]

1 The protection of personal data is not an absolute one. Several provisions – in particular in articles 6 and 9 GDPR – provide controllers ex lege with a legal basis to process them. What is more important for the data economy is the fact that the protection of personal data is to a large extent left to the – in best case autonomous – decisions of the data subject. With its consent the data subject may legalise controllers’ processing.[2]

2 When dealing with the relation between contracts and the consent for processing of personal data some preliminary remarks have to be made before going into the substance of the topic: Most important starting point is the fact that aim and object of the data protection law in general and the GDPR in particular is the protection of a particular personality right (which is not sufficiently covered by the notion of privacy). In contrast, the Regulation is not meant to prevent commercialisation as such, nor meant to organise the attribution of property rights, nor meant to deal with fairness of bargains. Therefore, the idea to strengthen mainly (or even only) the rules of consent to protect assets of the data subject to ensure fair market conditions is erroneous in principle, because fairness or even equivalence of performances is not at all a task for the GDPR.

3 On the other hand, data protection law in Europe is to a certain extent a totalitarian regulatory system in the sense that it applies to all possible settings of life of private persons and their data. This totalitarianism of GDPR as positive law has severe effects – mainly side effects – on commercialisation, attribution of property rights and fairness of bargains, which cannot be ignored.
The rules on consent form a most important interface between data protection and large parts of the legal order and are, therefore, a good starting point when analysing the relationship between consent and contract.

I. Consent in the GDPR

4 Consent is a tool of utmost importance under the GDPR. Within European Data Protection Law it remains the core mechanism for data subjects and controllers which serves for several functions: Consent authorises the controller’s processing, article 6(1)(a) GDPR. Consent is a mechanism to dispose of legal positions of the data subject. And consent enables commercialisation of personal data within the Internal Market and beyond.

[1] This paper was first presented at Villa Braida, 19 April 2018. I kept the style of an oral presentation and reduced references to a minimum.
[2] In particular, Christiane Wendehorst has rightly emphasized the fact, that consent will not be the only way to commercialization of personal data and that other ways (like article 6(1)(b) and (f) and (4) GDPR) should not be underestimated: cf Wendehorst, Die Digitalisierung und das BGB, in Neue Juristische Wochenschrift 2016, 2609 (2612); Graf von Westphalen/Wendehorst, Hergabe personenbezogener Daten für digitale Inhalte – Gegenleistung, bereitzustellendes Material oder Zwangsbeitrag zum Datenbinnenmarkt?, in Betriebsberater 2016, 2179; Wendehorst/Graf von Westphalen, Das Verhältnis zwischen Datenschutz-Grundverordnung und AGB-Recht, in Neue Juristische Wochenschrift 2016, 3745 (3747): “Aushöhlung von … Schutzmechanismen”.

1. General prerequisites

5 Consent under the GDPR presupposes in the first line that it is freely given, specific, informed and unambiguous (articles 4(11), 7(4) GDPR).
It has to refer to one or more specific purposes (articles 6(1)(a), 9(2)(a) GDPR) where specific means that a completely generalised consent for “all purposes” is not permitted in the GDPR. The consent has to be clearly distinguishable from the other matters between the parties (article 7(2) GDPR). And it is subject to withdrawal by the data subject (article 7(3) GDPR).

2. Restrictions to consent

6 The GDPR itself names additional (possible) restrictions to consent by the data subject. Valid consent by a natural person presupposes, first, that the data subject is at least 16 years old. This holds true for the information society services directly supplied to a child whereas for other cases the GDPR does not regulate a minimum age by its own rules. Member states may provide for a lower age not below 13 years.

7 Obviously, this is not the whole story of the protection of minors in data law. And not only because the regulatory gap for other cases than information society services offered to the minor but also because of the reference to contract law in article 6(1)(b) GDPR, where the regulation expressly refers to national law including the particular national law rules on minors’ protection for lack of capacity in concluding contracts.

8 Moreover, member states may provide for particular categories of data that consent would not authorise the processing (article 9(2)(a) GDPR). Depending on national rules there might be data which are not open to consent and which, from a commercialisation perspective, may be analysed as extra commercium.

3. The so-called bundling prohibition

9 The most enigmatic provision of the restrictions to consent is to be found in article 7(4) GDPR in the formulation of a kind of bundling prohibition.
The rule orders that when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. Article 7(4) GDPR raises the question whether a synallagmatic relationship in the sense of paying a performance by a counter-performance in data or rights to use data respectively is forbidden all together.[3]

10 Looking into the details and the history of bundling prohibitions concerning the consent of the data subject, one has to remember that the original idea was to prohibit consent, where the object of the consent has nothing to do with the contract but is only of accessory nature.[4] This historical idea of bundling prohibitions is still mirrored in article 7(4) GDPR with the formulation “That is not necessary for the performance of that contract”. Therefore, the interpretation of article 7(4) GDPR should be a restrictive one: It does not prohibit the synallagma situation, because in this case the processing of the data is necessary for the functioning of the contract.[5]

[3] Recital 43 GDPR in its second sentence reads much more precisely when declaring consent to be presumed not to be freely given in such a situation. However, this is not the text of the regulatory part of the regulation and therefore not as such binding.
[4] An additional historical origin may be found in completion law and regulatory approaches data law, cf Specht/Kerber, Datenrechte, ABIDA-Gutachten 2017, 45.

11 In any event such a core nature of a consent for the performance of the contract as counter-performance presupposes that the receiver of the consent makes itself very clear about the fact that data or the use as data functions as a counter-performance in this particular contract. This leads to the result that in case of synallagmatic relationships article 7(4) GDPR provides for a transparency necessity rather than for a prohibition of such promises.[6]

II. Consent and Contract

12 Among the core issues of data economy there is the question on how contract and consent work together, are interlinked or even interwoven in the sense that both items cannot be separated or analysed separately. The issue of the relationship of consent and contract turns out to be the more difficult the more national legal orders are involved. The reason for that lies in the different modes of thinking on contracts and their fulfilment on a proprietary or quasi-proprietary level.[7] However, in the relationship between contract and consent one has to take into account the fact that consent is regulated on the EU-level, which – at least in case of conflict – prevails over national law and national dogmatic structures.

1. Separation of contract and consent (Trennungsprinzip)

13 Looking into the details of GDPR, the Regulation turns out to think of consent and contract as being different and at least somewhat separated institutions.[8] The validity of consent is, therefore, from the point of view of the Regulation no prerequisite of a valid contract to provide for (a right to use) personal data.[9] Several provisions of the GDPR could be named to support this conclusion:

14 First, consent under the GDPR has to be clearly distinguishable from other matters (article 7(2) GDPR), which includes other terms of a contractual or similar relationship. This does not necessarily mean that consent and contract may not be integrated in one single factual act, but demonstrates that the GDPR thinks both acts separately.

15 A second argument in favour of the separation of consent and contract and the separate treatment of both may be drawn from article 6(1)(b) GDPR, which makes processing of personal data lawful if processing is necessary for the performance of a contract to which the data subject is party.[10] This shows that consent is not needed where processing is necessary for the performance of those contracts but on the other hand, this authorisation does not cover other cases of data processing in context of a contract, for which, therefore, consent is needed as a separate act. This again demonstrates that consent and contract are seen separately.

[5] De Franceschi, La circolazione dei dati personali tra privacy e contratto, ESI 2017, 62. To the same result for the (old) directive 95/46/EC Langhanke/Schmidt-Kessel, Consumer Data as Consideration, in Journal of European Consumer and Market Law 2015, 218 (221–22) and Corte di cassazione, 2.7.2018, no. 17278 (see the case note by Pertot, Zeitschrift für das Privatrecht der Europäischen Union (GPR) 2019 (forthcoming)). To the contrary for the Austrian courts Oberster Gerichtshof, 31.8.2018, 6 OB 140/18 H.
[6] Schwartmann/Klein, in Schwartmann/Jaspers/Thüsing (eds.), DS-GVO/BDSG, Art. 7 no. 48; Buchner, Grundsätze und Rechtmäßigkeit der Datenverarbeitung unter der DS-GVO, in DuD 2016, 155 (158/59); Schmidt-Kessel/Grimm, Unentgeltlich oder entgeltlich? – Der vertragliche Austausch von digitalen Inhalten gegen personenbezogene Daten, in Zeitschrift für die gesamte Privatrechtswissenschaft 2017, 84 (91/92).
[7] See in particular the different results for Austria, Switzerland and Germany presented by Langhanke, Daten als Leistung, Mohr Siebeck 2018, 147–182.
[8] Cf Metzger, Dienst gegen Daten: Ein synallagmatischer Vertrag, in Archiv für die civilistische Praxis 216 (2016) 817 (831–833), who does not provide for reasons under data protection law but is only arguing on the basis of German contract law. Along the same lines Specht, Daten als Gegenleistung – Verlangt die Digitalisierung nach einem neuen Vertragstypus?, Juristenzeitung 2017, 763 (765/66).
[9] But see Linardatos, Daten als Gegenleistung, in Specht/Werry/Werry (eds.), Handbuch Datenrecht in der Digitalisierung (forthcoming).

16 Also the rule containing the enigmatic bundling prohibition in article 7(4) GDPR shows that the regulation thinks of contract and consent in different terms. Here the Regulation expressly refers to the fact that a performance of a contract may be made (or may not be made) conditional on consent to the processing of personal data, which demonstrates again, that the two acts are separated and treated separately.
17 A last argument might be drawn from article 9 GDPR: For the particular sensitive personal data regulated there, the general legal basis of article 6(1)(b) GDPR does not apply.[11] For data covered by article 9 GDPR the necessity to process personal data to fulfil the contract is, therefore, not sufficient. A separate consent under article 9(2)(a) GDPR is always necessary.

2. Consequence: consent capable of being object of an obligation

18 The advocated separation of consent from contract then paves the way for accepting consent – and thereby the right to use personal data – as being an object of obligations.[12] One might doubt that the general and indispensable possibility to withdraw from consent would exclude such a kind of obligations from being established. However, the concept of obligation with its classical variants including e.g. natural obligations is flexible enough to cover the limited binding nature of such an obligation.[13] This is even true in the light of the fact that the – indispensable[14] – right to withdraw from consent excludes enforcement in kind of such an obligation[15] and – at least in principle – also excludes claims for damages for breach of such kind of contractual obligation.[16]

19 As seen before, the so-called bundling prohibition in article 7(4) GDPR does not prevent a counter-obligation to – by consent – provide for a right to use personal data as consideration. The purpose of the bundling prohibition is avoiding unnecessary accessory consent, which does not form part of the bargain of the parties. The right to use data as counter-performance has, therefore, to be explicitly agreed as purpose in the sense of article 6(1)(a) GDPR to integrate the consent into the bargain and to exclude the application of the so-called bundling prohibition in article 7(4) GDPR.
[10] Moreover the rule also legitimises processing in case where the processing is necessary in order to take steps at the request of the data subject prior to entering into the contract, which isn’t so important for the argument here at stake.
[11] See Pormeister, Informed consent to sensitive personal data processing for the performance of digital consumer contracts on the example of “23andMe”, in Journal of European Consumer and Market Law 2017, 17 (19).
[12] Cf. Bundesgerichtshof, 14.3.2017, VI ZR 721/15, Neue Juristische Wochenschrift 2017, 2119, no. 22.
[13] See Langhanke, Daten als Leistung, Mohr Siebeck 2018, 125–129; Langhanke/Schmidt-Kessel, Consumer Data as Consideration, in Journal of European Consumer and Market Law 2015, 218 (221).
[14] See Langhanke, Daten als Leistung, Mohr Siebeck 2018, 116–119; Mössner, in beck-online.Großkommentar (version 2018), § 90 BGB, no. 86. More open for restrictions of the right to withdraw from consent Buchner, Informationelle Selbstbestimmung im Privatrecht, Mohr Siebeck 2006, 272.
[15] Cf Metzger, Dienst gegen Daten: Ein synallagmatischer Vertrag, in Archiv für die civilistische Praxis 216 (2016) 817 (855): no impossibility in the sense of § 275 BGB (what would then restrict the enforcement?).
[16] Again Langhanke, Daten als Leistung, Mohr Siebeck 2018, 137–142 and Langhanke/Schmidt-Kessel, Consumer Data as Consideration, in Journal of European Consumer and Market Law 2015, 218 (222).

20 Moreover, the separation of contract and consent also excludes solutions, which would apply article 6(1)(b) GDPR to situations of payment with personal data.[17] Using personal data of the contractual partner as part of the earning model of the controller will not be part of the contract performance addressed in article 6(1)(b) GDPR.

III. Consent and (quasi) proprietary Positions

21 In European and extra-European legal orders, the question of whether there are institutions like property in data or a data property law is much discussed.[18] I will not address these two questions generally in this paper but only have a view on the function of consent in relation to positions with an erga omnes effect.

1. Close to an absolute right

22 Data protection law provides the data subject with rights and remedies which take effect against third parties. The positions built by these rights and remedies come (at least) very close to an absolute right not only in the sense of a particular personality right (which obviously the rights and remedies represent and enforce) but also of a right of real property or intellectual property or something in between.

23 Data protection law provides in that sense the data subject with rights to control the processing of the data (articles 13–15 GDPR) and with rights which enable the data subject to control the data and its content themselves (articles 16, 17 GDPR). Moreover, article 18 GDPR paves the way for the data subject to restrict processing of its personal data and articles 79, 82 GDPR establish rights to effective judicial remedies against controllers and processors, and rights to compensation and damages.

24 However, even having these rights and remedies in mind, in respect of the position of the data subject it is not even clear to what object the established quasi-proprietary position refers. The reason for that is that data protection law does not really differentiate between content, code and physical carrier because of the very broad notions of “data” and “processing”. The objective of the established quasi-proprietary positions, therefore, remains rather unclear and diffuse.

2. Consent fulfils (some) functions of a disposition (Verfügung)

25 It is therefore not very surprising that the exact role of consent at this quasi-proprietary level is not entirely clear.
At least it does fulfil several classical functions of proprietary dispositions (the German Verfügungen etc.).[19] On the other hand, it does not reach the level of a complete transfer of the legal position of the transferor.

26 In particular, consent by the data subject does not lead to transferability of the particular position of the data subject in its entirety. In this respect, the situation is similar to the classical droit d’auteur approach in (continental) intellectual property law. This limited effect of consent builds an important restriction to commercialisation of personal data and protects the data subject from a consent “for all purposes”.

[17] See De Franceschi, La circolazione dei dati personali tra privacy e contratto, ESI 2017, 72 and Langhanke/Schmidt-Kessel, Consumer Data as Consideration, in Journal of European Consumer and Market Law 2015, 218 (220). Contra Bräutigam, Das Nutzungsverhältnis bei sozialen Netzwerken, in Multimedia und Recht 2012, 635 (640).
[18] See in particular Zech, Data as a Tradeable Commodity, in De Franceschi (ed.), European Contract Law and the Digital Single Market, Intersentia 2016, 51–80; Zech, Daten als Wirtschaftsgut – Überlegungen zu einem “Recht des Datenerzeugers”, in Computer und Recht 2015, 137–146; Specht, Ausschließlichkeitsrechte an Daten – Notwendigkeit, Schutzumfang, Alternativen, in CR 2016, 288–296; Grützmacher, Dateneigentum – ein Flickenteppich, CR 2016, 485–495; Amstutz, Dateneigentum, in Archiv für die civilistische Praxis 218 (2018) 438–551.
[19] Cf Specht, Daten als Gegenleistung – Verlangt die Digitalisierung nach einem neuen Vertragstypus?, Juristenzeitung 2017, 763 (766).
27 Consent, in contrast, enables the data subject to establish and to dispose of rights to use personal data by such consent. However, the GDPR does not regulate this phenomenon in terms of exploitation rights – like copyright law and other intellectual property institutions would do –, because the perspective is rather one of reducing protection by consent and not exploiting a property right.

28 Such a right to use established by the data subject’s consent may as such not be passed on without prior consent by the data subject. As a rule, such rights are therefore not transferable.[20] This lack of re-transferability significantly reduces the marketability of rights to use in personal data.[21]

29 The (first) acquirer of such a right to use established by consent might be protected by tort law[22] and similar means like unjustified enrichment[23] against an interference of third parties. However, the right to withdraw from consent – at least usually – will often exclude a responsibility of the data subject interfering. On the other hand, neither the right to withdraw nor the remedies established by the GDPR include a particular legitimation of self-help by the data subject. Whether it would be possible to establish self-help-rights like they are well-known in several legal orders for the defence of property or possession is an open dogmatical and policy question.

IV. Consent and Transfer by Contract?

30 The result of this paper so far is that there are on the basis of European data protection law under the GDPR two levels approached by the law, i.e. a contractual and a proprietary level. The relationship of these two levels is an open question for the development of European Private Law for the data economy.

1. General approaches to contract and transfer of property rights

31 The reason for that openness is that the concepts how contract and transfer of property rights are interlinked or interwoven is analysed by the national legal orders under several completely different approaches. Whereas the classical German view – also mirrored by the different rules in private international law – draws a clear line between obligatory and proprietary effects and therefore separates the establishment of an obligation and of a contract from bringing about proprietary effects, the large majority of national legal orders seems to think of transfer of property rights as a possible effect of a contract as such or at least presupposes a valid contract as a basis for a transfer, which takes place under additional prerequisites.

[20] Specht, Konsequenzen der Ökonomisierung informationeller Selbstbestimmung. Die zivilrechtliche Erfassung des Datenhandels, Heymanns 2012, no. 33; Wandtke, Ökonomischer Wert von persönlichen Daten – Diskussion des “Warencharakters” von Daten aus persönlichkeits- und urheberrechtlicher Sicht, in Multimedia und Recht 2017, 6 (11); Rank, Daten als Leistungsgegenstand, in Specht/Werry/Werry (eds.), Handbuch Datenrecht in der Digitalisierung (forthcoming).
[21] However, the lack of transferability does not (necessarily) lead to an illegality of a contract between two controllers (contra Specht/Kerber, Datenrechte, ABIDA-Gutachten 2017, 46) but contains the promise to bring about the necessary consent of the data subject(s). The decision by Landgericht Düsseldorf, 20.12.2013, 33 O 95/13 U, in Zeitschrift für Datenschutz 2014, 200 deals with a case of advertisements systematically without the necessary consent (under competition law inter alia transposing article 13 e-Privacy-Directive).
[22] Cf Grützmacher, Dateneigentum – ein Flickenteppich, CR 2016, 485 (489–492); Specht/Kerber, Datenrechte, ABIDA-Gutachten 2017, 34–37.
[23] In particular, the German Eingriffskondiktion (see Schmidt-Kessel and Grimm, Unentgeltlich oder entgeltlich? – Der vertragliche Austausch von digitalen Inhalten gegen personenbezogene Daten, in Zeitschrift für die gesamte Privatrechtswissenschaft 2017, 84 (105) and Specht/Kerber, Datenrechte, ABIDA-Gutachten 2017, 51–54) and other derivatives of the famous actio de in rem verso, cf Büchler, Die Kommerzialisierung von Persönlichkeitsgütern – Zur Dialektik von Ich und Mein, Archiv für die civilistische Praxis 206 (2006) 300 (332–335) and Schlechtriem, Restitution und Bereicherungsausgleich in Europa, Volume II, Mohr Siebeck 2001, 250–262.

32 Moreover, even where contract and transfer of a proprietary position are thought separately in sense of a Trennungsprinzip the question is not answered whether a deficit in the validity or the binding nature of the contract would affect also the transfer of the proprietary position. As opposed to the – mainly special German – approach of Abstraktionsprinzip separating the obligatory and the proprietary level of a contractual relationship also in terms of validity, the majority of national legal orders in Europe tends to make the validity of transfer dependent on the validity of the underlying contract.

2. Contract and consent – abstraction principle?
33 Transferred to the relationship of contract and consent one has therefore to ask, whether both acts are dependent or independent in terms of validity. As seen before, contract and consent are thought separately within at least the GDPR, which in this respect supersedes national laws and national dogmatic structures. German authors usually advocate the abstract validity of consent even in case of an invalid contractual obligation.[24]

34 The next question to be answered under the GDPR is, therefore, whether the Regulation would accept a causal link between contract and proprietary disposition as a separate (and non-written) prerequisite for the validity of consent under the GDPR or the valid establishment of a right to use. More precisely one has to ask, in particular, whether national rules on transfer (or establishing) of rights by mere contractual agreement could indirectly restrict the validity (or legal effect or effectivity) of consent. This question may be asked for example for the Italian article 1376 Codice Civile (on effetto traslativo) and the French article 1196 Code civil (on effet translatif).[25] The same question is discussed for the respective Austrian and Swiss principles.[26] These rules, in particular, confer “proprietary effects” on contracts for cases where the binding nature of the contract (transferring the proprietary position) is affected by law or by a contractual remedy.[27]

35 Such additional requirements for the validity of consent would be compatible with the scope of harmonisation established by the GDPR. This is the case because the GDPR (first) separates contract and consent without clarifying the relationship itself. The GDPR (secondly) does not deal with the obligatory or proprietary restitutionary effects, where a contract comes to an end, and therefore does not deal with the main consequences of following a German style Abstraktionsprinzip or a causal link of the transfer by consent with the contract and its validity. Finally, the GDPR does not itself (aim to) organise fair bargains in the field of commercialisation of personal data but only deals with a protection of person integrity.[28]

[24] Langhanke, Daten als Leistung, Mohr Siebeck 2018, 163–166; Metzger, Dienst gegen Daten: Ein synallagmatischer Vertrag, in Archiv für die civilistische Praxis 216 (2016) 817 (831 et seq.); Specht, Daten als Gegenleistung – Verlangt die Digitalisierung nach einem neuen Vertragstypus?, Juristenzeitung 2017, 763 (766).
[25] Both articles would not directly apply to the establishment of a right to use of goods (or personal data) which rather comes close to a lease contract.
[26] See the proposals by Langhanke, Daten als Leistung, Mohr Siebeck 2018, 168–174 (for Austria: einheitlicher Gestattungsvertrag making the consent dependent on the validity of the contract) and 174–180 (for Switzerland: consent also dependent on the validity of the contract).
[27] However, the question of a Trennungsprinzip or even an Abstraktionsprinzip, which would apply also to the establishment of a right to use (of which nature?) under a simple lease contract, has not been finally decided even under German law, cf Specht, Daten als Gegenleistung – Verlangt die Digitalisierung nach einem neuen Vertragstypus?, Juristenzeitung 2017, 763 (765/66). To the contrary, for the usufruct established to fulfill a contractual obligation, German law sticks to the traditional approach of an Abstraktionsprinzip, see Frank, in Staudingers Kommentar zum Bürgerlichen Gesetzbuch, Sellier 2008, preliminary remarks to § 1030 BGB, no. 18; Pohlmann, in Münchner Kommentar zum BGB, Beck 2007, § 1030 no. 15; cf Bayerisches Oberstes Landesgericht, BayObLGZ 1979, 273 (277).

36 One also could draw an additional argument from article 8 of the EU Charter of Fundamental Rights because such an approach would enhance data protection by way of (additionally to the GDPR) applying fair bargaining rules which affect the validity of the consent.[29] However, the argument is not that article 8 of the Charter of Fundamental Rights necessarily leads to an interpretation of GDPR of a causal link between contract and consent affecting the validity of the latter but only to an interpretation of the Regulation, which leaves the possibility to the member states to establish such kind of additional prerequisites for the validity of consent.

3. Change by the Directive 770/2019 on the supply of digital content?

37 The aforementioned arguments might be overruled now by two attempts to regulate contractual issues in personal data by the Directive on contracts for the supply of digital content and by several elements of the new deal for consumers.[30] These EU legal acts – the first as amended by the European Parliament and the Council – explicitly refer to the GDPR and its remedies in favour of the data subjects for purposes of restitution after termination, in particular article 16(2) Digital Content Directive.

38 Such a reference could perhaps change the very nature and aim of GDPR and could broaden its (fully) harmonising effects also to the fairness of bargains and contract law. This would overburden the regulation, which in all its details wasn’t meant nor shaped to solve contract law issues.

39 From a policy perspective these new rules include, therefore, the risk of leading to bad policy results not mirroring the differentiated classical regimes for restitution after a contract being brought to an end.
Moreover, it mixes up the obligatory and the proprietary level of the relationships concerned without any good reason. One should therefore refuse such an argument and analyse the references as a stopgap as long as no more sophisticated restitutionary remedies and mechanisms for personal data have been developed.

[28] This restriction of the approach of GDPR is sometimes overlooked, see e.g. Pormeister, Informed consent to sensitive personal data processing for the performance of digital consumer contracts on the example of “23andMe”, in Journal of European Consumer and Market Law 2017, 17 (19).
[29] As to the value of such an argument see i.a. Resta, Autonomia privata e diritti della personalità, Jovene 2005, 250 et seq. and De Franceschi, La circolazione dei dati personali tra privacy e contratto, ESI 2018, 11/12.
[30] See in particular the proposed article 2(7)(b) Proposal for the Enforcement Directive (COM[2018] 185) amending article 13 Consumer Rights Directive 2011/83/EU by an additional paragraph (4) referring for the consequences of termination as to personal data to the “obligations applicable under Regulation (EU) 2016/679”.

V. Conclusions

1. The GDPR thinks of consent and contract as being different (and at least somewhat separated) institutions. European data law, therefore, follows a Trennungsprinzip (separation principle) approach.
2. The separation of consent from contract paves the way to accept consent – and thereby the right to use personal data – as being an object of obligations.
3. The so-called bundling prohibition does not prevent an obligation to – by consent – provide for a right to use personal data as consideration.
4. Data protection law provides the data subject with rights and remedies erga omnes, which come close to an absolute right similar to real property or intellectual property.
5. Data protection law thereby raises a fundamental problem because it does not really differentiate between Content, Code and Physical Carrier because of the broad notions of “data” and “processing”.
6. Consent by the data subject does not lead to transferability of the particular position of the data subject in its entirety.
7. Consent enables the data subject to establish and to dispose of – non transferable – rights to use personal data by such consent. However, the GDPR does not regulate this phenomenon in terms of exploitation rights.
8. National rules on transfer (or establishing) of rights by mere contractual agreement could indirectly restrict the validity of consent.
9. Such additional requirements for the validity of consent are compatible with the scope of harmonisation established by the GDPR. European data law in that sense does not prescribe an Abstraktionsprinzip (abstraction principle) approach.
10. Referring to the GDPR for purposes of restitution after termination could give birth to the argument for a change in the very nature and aim of GDPR and could broaden its (fully) harmonising effects also to the fairness of bargains and contract law.

Summary

Digital Revolution – New Challenges for Law addresses the impact of digital technology on European Laws, taking inspiration from the work of the European Law Institute’s Digital Law Special Interest Group.

Contributions address such diverse issues as the notion of data, data protection, supply of digital content, digital inheritance, online platforms, artificial intelligence, algorithmic regulation, Internet of Things, 3D-Printing, blockchain technology, smart contracts and virtual currencies.

The analysis of these issues is not confined to one area such as contract law, but cuts across both legal subjects and other disciplines to highlight the breadth and depth of the challenges posed by digitalisation. In particular, this volume highlights the consequence of digitalisation by analysing new overlaps and relationships between different fields of law (e.g. the relationship between contract law and data protection, or private and criminal responsibility in the Internet of Things). Written by leading scholars, practitioners and policymakers, this volume provides answers to the challenges posed by the digital revolution and acts as a basis for further developments of EU law and beyond.

Dr Alberto De Franceschi is associate professor of Private Law at the University of Ferrara (Italy). Dr Reiner Schulze is a professor and Director of the Centre of European Private Law at the Westfälische Wilhelms-Universität Münster (Germany).