How the Digital Content Directive will break the GDPR

The Digital Content Directive allows consumers, for the first time, to pay for digital content and services “with their personal data”. Although the Directive makes it clear that the GDPR takes precedence over it and should at all times be respected, it now seems obvious that there will be friction between them (as well anticipated by the EDPS back in 2017).

Having entered into force on January 1st, Spain’s implementation of the Directive (into its Consumer Protection Law) is putting this friction to the test by allowing businesses to limit an individual’s right to withdraw her consent, including the interruption of the services provided when consent is withdrawn (in direct contradiction of the EDPB’s Guidelines on consent as a legal basis for the processing of personal data).

So, various questions: 

• By bringing personal data into the sphere of private law (and Consumer Protection), we are assuming that such data may be treated as “personal property”. Not only should it not affect the rights of others (as Carissa Véliz has often explained), but it should also be rivalrous and excludable.
• As a consequence of the same framing, some EU consumer protection Directives apply, but seem hard to fit: Under the Unfair Contract Terms Directive (1993) a contractual term will be deemed unfair if it causes a significant imbalance to the detriment of the consumer, which could be found in the price being requested, as it is impossible to measure the real value of a particular data point. Under the Consumer Rights Directive 2011, consumers may withdraw from any off-premises contract within 14 days.
• By declaring that “consent” is a valid legal basis for the resulting personal data processing, we assume that such consent can really be free and informed, and yet all guidelines on “consent walls” point in the opposite direction.
• By stating that anonymized data that cannot really be used outside the service provided will subsequently “belong” to the data controller, we are obviating the fact that it is precisely this data that has the most value.
• By putting personal data into the stream of commerce and, at the same time, expecting it to be subject to the safeguards provided by the GDPR, we are assuming that individuals will be able to exercise their privacy rights through the chain of custody that arises from its effective monetization, when in reality this is a one-way street.

We are eager to explore all of these points with other professionals and colleagues over the course of the coming months, but there seems to be a particular use case that raises fewer conflicts while also avoiding the ethical challenges of turning a fundamental right into a commodity: 

Sharing an email address as a means of “payment” for content, services, or other benefits, insofar as it is only used as a vehicle for the individual’s “postponed attention” (in a first-party or zero-party data context) and not employed as a cross-domain identity of sorts, does sound like a sensible exchange that possibly had a more difficult fit within the sole context of the contractual legal basis (Article 6 GDPR).

(Photo by Nareeta Martin on Unsplash)