Data as currency – how the EU Sale of Goods Directive and the EU Digital Content and Services Directive should reconcile data protection and data use and what opportunities this opens up for Switzerland.
Economically, “pay-with-your-own-data” is an everyday occurrence: for example, when we more or less consciously accept the transmission of our IP address, or grudgingly accept a comprehensive cookie declaration without reservation. It also happens unconsciously, when we provide an app with our location or health data.
1. Subject matter of the WKRL and DIDRL
The European Sale of Goods Directive (Directive (EU) 2019/771 (“WKRL”)) and the Directive on Contractual Aspects of the Provision of Digital Content & Digital Services (Directive (EU) 2019/770 (“DIDRL”)) aim to address the reality described above. The aim of the Directives is to harmonise EU sales law, but more importantly to strengthen consumer protection for products that involve digital content or services & thus lead to some exchange or provision of user data.
Furthermore, health-related applications are also covered, unless they are provided exclusively by a health professional, i.e. are subject to prescription.
For example, a fitness tracker that collects all physical data such as heartbeat, sleep patterns, stress levels, calories burned & the like as a wristband would thus fall under the WKRL, while an app that collects the same data & is downloaded onto a smartphone would fall under the DIDRL.
The provision of data by the user is thus to be seen not as monetary consideration, but nevertheless as consideration of full value. While the DIDRL does not classify data as goods, there is still the “business model” in which the consumer does not pay money for the use of services, but provides the entrepreneur with his personal data. It is precisely this modern development that poses a challenge for data protection: the rules of the GDPR are supposed to take precedence over the rules of the directives. However, the GDPR provides for rights of withdrawal & a prohibition of tying, which, when applied, have an impact on the contractual services, but above all on the possibilities of data use.
During the transposition of the directives into national law through amendments to the German Civil Code (BGB), a discussion on data protection law has arisen about a less restrictive, more up-to-date interpretation of the provisions of data protection law.
It seems as if two opposing trends are emerging here: consumer protection is to be strengthened via a new “digital” type of contract, while data protection, on the other hand, is to be put at the service of economic reality & applied as a vehicle for usability, ultimately the implementation of these contracts.
Switzerland is already following this trend with its legislative innovations: the new DPA brings no increased requirements for data processing and no compulsion to justify processing, but rather transparency.
2. The relationship with data protection
In the contractual constellation “access to personal data in exchange for access to digital content”, data unquestionably represent a “suitable subject matter of performance”.
While this may seem unproblematic under civil law, this contractual constellation is a challenge under data protection law, as it is hardly compatible with the current interpretation of the GDPR.
This is not covered by the permissive element of Art. 6 I b GDPR as data processing for the fulfilment of a contract. Only consent under data protection law is sufficient for the creditor to be able to commercialise the data. However, this consent can be freely revoked at any time according to Art. 7 III GDPR.
It is therefore questionable what the remaining contractual consideration is. Here, the “defensive conception” of the GDPR collides with the synallagmatic reciprocity relationship of civil law contracts & thus the economic reality.
3. Possible solutions to the “conflict” with the GDPR
As a solution to the conflict between existing contracts & data protection, it is proposed to understand the revocability of consent as dispositive, i.e. restrictable & to align data protection in the sense of a “data debt law” to this new type of contract.
The mere linking of performance and consideration does not violate the prohibition of tying. A linkage of performance and data provision is permissible above all if the data are the decisive basis for the legal transaction. Thus, the prohibition of tying takes on a transparency function: “anyone who wants to be paid with data must also disclose this.”
In the case of a fitness tracker, it would therefore first have to be established whether the user has paid a one-off purchase fee or whether he is paying by means of consent-based further processing of his health data.
The purpose of the device is to record data on the number of steps taken, weight, pulse, sleep phases, activity and location. This data can then be transferred to the provider’s server, as well as shared within the framework of “partnerships with third parties”. The data can also be used to improve & personalise services and develop new services.
Although the processing of health-related data is subject to a consent requirement under both Article 5 of the new Swiss Data Protection Act and Article 9 of the GDPR, its use is not covered by such a requirement. The use of this data is described as being for the “provision and maintenance of the services” and is therefore covered by the “fulfilment of the purpose of the contract”. The fact that it is precisely this use of data that is the subject of the contract & that a fitness tracker cannot otherwise fulfil its purpose does not make consent dispensable.
At the very least, the transfer to third parties & use of the data for purposes such as service optimisation or determining discounts requires consent. However, the example of the fitness tracker shows that even if data processing (of health data) that actually requires consent can be depicted via the purpose of the contract or a consent given in this regard upon conclusion of the contract, the commercial interest will regularly concern the data going beyond this. And these are not the decisive basis for the legal transaction with fitness trackers. So the conflict remains here between the GDPR requirements for data processing and the use of data provided for by the type of contract with “digital content”.
4. Legal situation in Switzerland
Even in its new version, Swiss data protection law does not provide for a concept of “justification” as a basis for processing. Instead, the transparency requirement is decisive (with the exception of sensitive data, which also includes health data collected by a fitness tracker). Thus, in contrast to the GDPR, the necessity of a legal ground for processing is the exception & not the rule.
According to Article 6 III nDSG, personal data may only be obtained for a specific purpose that is identifiable to the data subject; it may only be processed in a way that is compatible with that purpose. Furthermore, there is a duty to inform about the identity and contact details of the person responsible, the purpose of the data processing and, if necessary, the recipients of the data.
In accordance with Art. 6 VI nDSG, explicit & voluntary consent is only required for the processing of particularly sensitive personal data or for “high-risk profiling”. Where consent is required, it can be obtained via GTCs, whereby it should be noted that the more risks data processing involves for the data subject, the higher the requirements for the validity of the consent. Fields that have already been ticked are, however, possible.
If the fitness tracker were to be used in Switzerland, the health data processed for the performance of the contract would have to be mapped transparently & for this purpose, simplified consent could be obtained via a pre-ticked field. The same applies to the commercialisation of the collected data. Each solution must be assessed on a case-by-case basis in light of the data involved, the data transfer, the respective recipients and, last but not least, on the basis of the individual “risk appetite”.