83 Baker St, London, W1U 6AG, England
Ponzano 51, 1st
28003 Madrid, Spain
The Digital Content Directive allows consumers, for the first time, to pay for digital content and services “with their personal data”. Although the Directive makes it clear that the GDPR takes precedence over it and should at all times be respected, it now seems obvious that there will be friction between them (as well anticipated by the EDPS back in 2017).
Having entered into force on January 1st, Spain’s implementation of the Directive (into its Consumer Protection Law) is putting this friction to the test by allowing businesses to limit an individual’s right to withdraw her consent, including the interruption of the services provided when consent is withdrawn (in direct contradiction of the EDPB’s Guidelines on consent as a legal basis for the processing of personal data).
So, various questions:
We are eager to explore all of these points with other professionals and colleagues over the course of the coming months, but there seems to be a particular use case that raises fewer conflicts while also avoiding the ethical challenges of turning a fundamental right into a commodity:
Sharing an email address as a means of “payment” for content, services, or other benefits, insofar as it is only used as a vehicle for the individual’s “postponed attention” (in a first-party or zero-party data context) and not employed as a cross-domain identity of sorts, does sound like a sensible exchange that possibly had a more difficult fit within the sole context of the contractual legal basis (Article 6 GDPR).