Content

Martin Schmidt-Kessel, Right to Withdraw Consent to Data Processing – The Effect on the Contract in:

Sebastian Lohsse, Reiner Schulze, Dirk Staudenmayer (Ed.)

Data as Counter-Performance - Contract Law 2.0?, page 127 - 146

Münster Colloquia on EU Law and the Digital Economy V

1. Edition 2020, ISBN print: 978-3-8487-7606-1, ISBN online: 978-3-7489-0853-1, https://doi.org/10.5771/9783748908531-127

Bibliographic information
Performance of Contract and Withdrawal from the Contract with respect to Data Protection – Contract Law at a Crossroads? Right to Withdraw Consent to Data Processing – The Effect on the Contract Martin Schmidt-Kessel* Introduction A general discussion on data markets and especially on a digital internal market cannot neglect contracting over privacy. From an international perspective, the discourse on this particular issue can be divided into at least two – usually separate – approaches, namely the US-American1 and the European. For the most part, the latter was triggered by the European Commission’s initial proposal for a Directive on certain aspects concerning contracts for the supply of digital content.2 Moreover, it is now influenced by the several rules referring to contracting over privacy contained in the recent EU Digital Content Directive 2019/770 (‘DCD’) and by the questions added to the topic by the General Data Protection Regulation 2016/679 (GDPR), in force in the European Union since 25 May 2018. In referring to EU data protection law and the GDPR in particular, it becomes clear that contract law in relation to privacy is heavily influenced – if not determined – by the effects of data protection law. The freedom of the data subject to consent to data processing is a core element of data protection within the European Union as it empowers the controller to process legally the personal data of that subject. However, such consent by the data subject is limited only to a certain extent and in particular underlies the data subject’s right to withdraw consent at any I. * Professor of German and European Consumer Law, Private Law and Comparative Law, University of Bayreuth. 1 This, in particular, includes the contributions to the Chicago conference on ‘Contracting over Privacy’ organised by Omri Ben-Shahar and Lior Strahilevitz in October 2015, see i.a. Omri Ben-Shahar and Lior Strahilevitz, ‘Contracting over Privacy: Introduction’ (2016) 45 Journal of Legal Studies 1; Omri Ben-Shahar and Adam Chilton, ‘Simplification of Privacy Disclosures: An Experimental Test’ (2016) 45 Journal of Legal Studies 41; Oren Bar-Gill and Ben-Shahar, ‘Optimal Defaults in Consumer Markets’ (2016) 45 Journal of Legal Studies 137. 2 COM(2015) 634 final. For an earlier approach, see Carman Langhanke and Martin Schmidt-Kessel, ‘Consumer Data as Consideration’ (2015) 6 EuCML 218. 129 time, Art 7(3) GDPR. This precarious nature of consent (and the legal position obtained by the controller by means of such consent) leads to the more general question on how contracting over privacy could produce binding contracts. In other words, how far do rules on data protection affect the binding effect of a contract? This question, central to this paper, consists of two main parts: (i) how far data protection law produces situations of illegality (due to serving as ordre public interne)? (ii) how far do (legal) impediments brought about by data protection to the performance of a valid contract limit the binding effect of the contract? In dealing with these questions one has to first reflect in general on the relationship between a contract and the standards of lawful processing under data protection law (II.). Although the result is that contract and consent to data processing have to be understood as being different and separated notions, such clear distinction does not exclude overlaps between the two regimes and disciplines. Here, rules on illegality of contracts when deviating from data protection law are the first junction (III.). Even if conflicting data protection law and its effects do not affect the validity of the contract, contract law rules on impossibility of performance may continue to apply, thereby giving rise to the second junction between the two disciplines (IV.). Where the data subject’s right to withdraw consent to data processing is concerned, the question arises as to the extent to which the parties to a contract may – directly or indirectly – deviate from the rules on consent and how far these rules establish mandatory law also for the contract itself (V.). This relationship between contract and data protection can then serve as a basis to examine the consequences and effects on the contract of the withdrawal of consent by the data subject (VI.). Contract and standards of lawful processing The topic of this contribution lies at the heart of the relationship between contracts and the processing of personal data. Accordingly, it is important to emphasize at the outset the differences in legal framework: whereas the GDPR has a general perception of this relationship, EU contract law and the laws of the Member States have only just started to develop such perception or, more generally, a kind of Datenschuldrecht, a legal discipline on data related obligations. II. Martin Schmidt-Kessel 130 Separation of contract from standards of processing As a starting point, the GDPR considers the legality of processing on the one hand and contract and the contractual relationship on the other as being different and separate institutions.3 Arguments for this separation may be derived not only from the several references to contract (Arts 6(1)(b) and 9(2)(h) GDPR in particular) but also from several rules on consent. For example, Art 7(2) GDPR clarifies that consent shall be clearly distinguishable from the other matters, thereby establishing a particular standard of transparency for the consent in the context of the conclusion of a contract.4 Moreover, the rule in Art 7(4) GDPR on bundling of consent with other contractual obligations demonstrates that the GDPR understands consent as being something ‘under’ the contract, which might even become the object of a promise so becoming the object of a contractual obligation.5 The fact that contract law for minors largely remains unaffected in spite of rules on consent given by minors (Art 8(3) GDPR) hints further at a separation between contract and lawfulness of processing. (Re-)connecting contract and lawfulness of processing Having separated contract and consent – and thereby data processing and contract – from each other on a conceptual level, the GDPR deliberately reconnects contract and the lawfulness of processing by referring to the 1. 2. 3 Dirk Heckmann and Paschke, ‘Art 7’ in Eugen Ehmann and Martin Selmayr (eds), Datenschutzgrundverordnung (C.H. Beck 2018) para 30; Carman Langhanke, Daten als Leistung (Mohr Siebeck 2018) 148–151; Axel Metzger, ‘Dienst gegen Daten: Ein synallagmatischer Vertrag’ (2016) 216 AcP 216 817, 831; Martin Schmidt-Kessel, ‘Consent for the Processing of Personal Data and its Relationship to Contract’ in Alberto De Franceschi and Reiner Schulze (eds), Digital Revolution – New Challenges for Law (C.H. Beck 2019) no. 13-17; Louisa Specht, ‘Daten als Gegenleistung – Verlangt die Digitalisierung nach einem neuen Vertragstypus?’ (2017) 15-16 JZ 763, 765. 4 Schmidt-Kessel (n 3) para 14; cf Specht (n 3) 766. 5 Schmidt-Kessel (n 3) para 16; Thomas Riehm, ‘Freie Widerrufbarkeit der Einwilligung und Struktur der Obligation’ in Tereza Pertot (ed.), Rechte an Daten (Mohr Siebeck 2020) 176, 186 et seq. Right to Withdraw Consent to Data Processing – The Effect on the Contract 131 contract as a potential basis for lawful processing. Such references appear in Arts 6(1)(b) and 9(2)(h) GDPR and for profiling in Art 22(2)(a) GDPR.6 Art 6(1)(b) GDPR reflects the first junction between contract and the lawfulness of processing; it may be called the general contract privilege of data protection law: data processing shall be lawful if it is necessary for the performance of a contract to which the data subject is party. The provision focuses on controllers’ duties and obligations under such a contract in particular, whereas it is not yet entirely clear whether the contractual duties of the data subject would also authorize the controller to process the respective personal data.7 This general contract privilege does not apply to the special categories of personal data falling under Art 9 GDPR. Instead, Art 9(2)(h) GDPR provides a much more restricted legal basis in relation to the performance of contracts for medical treatment and preventive medicine in particular. Moreover, Art 22(2)(a) GDPR establishes an additional particular contract privilege in instances where automated individual decision-making (including profiling) is necessary in order to enter into or perform of a contract between the data subject and the controller. In all these cases the contract privilege aims to enable performance of the contract and to set aside possible impediments from data protection law to the performance. The scope of Art 6(1)(b) GDPR At present, the scope of Art 6(1)(b) GDPR is not sufficiently settled; in particular the provision does not provide for a conclusive concept for data-related duties and obligations of the data subject.8 Moreover, it can be seriously doubted whether the provision applies to duties and obligations to provide for (rights to use) personal data for data-based business and earning models. While it is understood that the general contract privilege applies to the duties and obligations of the controller (cf Recital 40 GDPR) it is not entirely clear whether the general contract privilege also applies to duties and obligations of the data subject. The qualification ‘necessary for the perfor- 3. 6 Whether Member States are allowed under the GDPR to also (re-)connect contract and consent by making the valid contract a prerequisite to the validity of consent, is still an open question, cf Schmidt-Kessel (n 3) paras 30–39. 7 See below, subsection 3. 8 cf for a rather German perspective Sebastian Schulz, ‘Art 6’ in Peter Gola (ed.), Datenschutz-Grundverordnung (2nd edn, C.H. Beck 2018) paras 28–40. Martin Schmidt-Kessel 132 mance of a contract’ mainly formulates the purpose of the rule, namely to enable contract performance and avoid impediments to the performance of the contract by data protection law. This purpose – as the wording of the provision – is not restricted to duties and obligations of the controller or other parties, but would also cover duties and obligations of the data subject. On the other hand, the regulatory system within the GDPR (in particular, the rules on consent and legitimate interest) raises an argument in the opposite direction and asks for reluctance: including duties and obligations of the data subject to provide a legal basis for data processing under Art 6(1)(b) GDPR would undermine the pressure for other legal bases in particular for consent (and for legitimate interests, Art 6(1)(f) GDPR).9 Moreover, Recital 40GDPR may be read in the sense of Art 6(1)(b) GDPR only covering duties and obligations of the controller. A final argument might be drawn from the second part of Art 6(1)(b) GDPR dealing with pre-contractual situations which obviously only covers activities by the controller ‘at the request of the data subject prior to entering into the contract’. Whereas the precise calibration of the general contract privilege remains an open question (ultimately to be decided by the ECJ), there appears to be a tendency – based on arguments of the structure, wording and the wider purpose of the provisions – towards a restrictive approach to Art 6(1)(b) GDPR. The general contract privilege, therefore, tends to cover only duties and obligations of the controller, which should not to be impeded by data protection law. A second approach to restrict the scope of application of Art 6(1)(b) GDPR argues that the provision is restricted to accessory processing only.10 9 Christiane Wendehorst and Friedrich Graf von Westphalen, ‘Das Verhältnis zwischen Datenschutz-Grundverordnung und AGB-Recht’ (2016) 52 NJW 3745, 3747. 10 Langhanke/Schmidt-Kessel (n 2) 220; Andreas Sattler, ‘Personenbezug als Hindernis des Datenhandels’ in Pertot (n 5) 49, 69–70; Schantz, ‘Art 6’ in Spiros Simitis, Gerrit Hornung and Indra Spiecker (eds), Datenschutzrecht (Nomos 2019) para 33; Martin Schmidt-Kessel and Anna Grimm, ‘Unentgeltlich oder entgeltlich? – Der vertragliche Austausch von digitalen Inhalten gegen personenbezogene Daten’ [2017] ZfPW 84, 90. Similarly Dimitrios Linardatos, ‘Daten als Gegenleistung im Vertrag mit Blick auf die Richtlinie über digitale Inhalte’ in Louisa Specht-Riemenschneider, Nikola Werry and Susanna Werry (eds), Datenrecht in der Digitalisierung (Erich Schmidt 2019) para 45, Friedrich Graf von Westphalen and Christiane Wendehorst, ‘Hergabe personenbezogener Daten für digitale Inhalte – Gegenleistung, bereitzustellendes Material oder Zwangsbeitrag zum Datenbinnenmarkt?’ [2016] BB 2179, 2184; Wendehorst/Graf von Westphalen (n 9) 3747. Right to Withdraw Consent to Data Processing – The Effect on the Contract 133 According to this view, the provision does not apply where data are the core object of the data subject’s performance. The main argument is again the purpose of the provision, which would not cover the commercialization of personal data but is restricted to enable other performance, for which (ancillary) data processing is necessary. Again, such a restriction of Art 6(1)(b) GDPR is not mirrored by the wording of the provision. Such a restricted scope would however be in line with the origins of the general contract privilege, which emerged before data-based business models became a significant issue. The advocates of this restriction have so far left open the application to the controller’s core obligations: does Art 6(1)(b) GDPR cover contractual promises by the controller to the data subject to process its personal data being at the core of the contractual relationship? A practical example would be the profile, established for the use of a dating service app, preparing automated propositions for possible matches. The amendment of the general contract privilege by the particular one for profiling in Art 22(2)(a) GDPR shows the general systematic direction: the controller’s core obligations provide for a justification for processing under Arts 6(1)(b), 22(2)(a) GDPR at least insofar as the much more restrictive requirements under Art 9 GDPR do not apply. Illegality of contracts deviating from the GDPR? Deviations from the GDPR may be sanctioned in several cases with high administrative fines or even criminal sanctions, though the latter are at the discretion of the Member States. Therefore, the various national and European rules on the illegality of contracts, contractual promises, contract terms, and on performance of contractual obligations provide for a second important category of junctions between contract law and the GDPR. From this perspective, it could be seen as surprising that the GDPR also adheres to the general principles of freedom of contract and party autonomy (1). In contrast, illegality of contract or contract clauses is the exception under the GDPR (2). On the other hand, illegality and voidness of contract terms are a well-known instrument under the GDPR (3), the scope of which is not fully clear at present. III. Martin Schmidt-Kessel 134 GDPR adheres to freedom of contract The autonomy of the data subject is a central principle underpinning European data protection law. First and foremost, the autonomy is mirrored by the importance of consent as a legal basis for data processing (i.a. Arts 6(1)(a), 7, 8 GDPR). Moreover, the right to object to data processing based on the legitimate interest of the controller (Art 6(1)(f) GDPR) established by Art 21 GDPR flanks this general approach. Information duties and information access rights aim to enable the data subject to autonomously control the data processing. Beyond these direct references to the autonomy of the data subject, several provisions of the GDPR refer to contracts among private parties including the data subject. These references not only concern the aforementioned contract privileges in Arts 6(1)(b), 9(2)(h), 22(2)(a) GDPR but also cover inter alia the (weak) bundling prohibition (Art 7(4) GDPR), the relationship to contract law rules on the protection of minors (Art 8(3) GDPR), the scope of information duties (Art 13(2)(e) GDPR), the right to data portability (Art 20(1) GDPR) and transfers of personal data to third countries (Arts 46(2)(c) and (d), (3)(a), 49(1)(b) and (c) GDPR). Through these cross-references European data protection law incorporates the national standards of contract law (including party autonomy and freedom of contract) into the system of data protection. Moreover, Recital 42 GDPR clarifies the applicability of the Unfair Contract Terms Directive 93/13/EEC not only to the respective contracts with consumers but also to the terms of the consent by the data subject.11 This Directive also takes freedom of contract as a starting point and on this basis prohibits particular contract terms. The cross-reference to the Directive in Recital 42 GDPR demonstrates the fundamental nature of the principle of freedom of contract for data protection law, which remain in a significant contrast to the general prohibitions principle of the GDPR. 1. 11 Jan Henrik Klement, ‘Art 7’ in Simitis/Hornung/Spiecker (n 10) paras 80–81. For more details see Vanessa Mak, ‘Contract and Consumer Law’ in Vanessa Mak, Eric Tjong Tjin and Anna Berlee (eds), Research Handbook in Data Science and Law (Edward Elgar 2018) 17, 30. Right to Withdraw Consent to Data Processing – The Effect on the Contract 135 Illegality and voidness as the exception As a consequence of the application of the general principle of freedom of contract to data protection law, illegality of contract and illegality of contract terms form the exception under the GDPR. Aside from Recital (42) GDPR and its reference to the Unfair Contract Terms Directive 93/13/ EEC, the weak bundling prohibition (Art 7(4) GDPR) is the only case which come closes to declaring the invalidity of a juridical act, yet probably does not always lead to invalidity of consent.12 Where the contract otherwise deviates from the prerequisites of the GDPR, the consequence is not illegality of the contract but rather other negative consequences, though the contract remains valid: This is particularly the case where a contract between controller and processor does meet the legal requirements under Art 28(3) GDPR with the consequence that the processor will be qualified as a (joint) controller, while the contract between the two remains valid. Beyond the Unfair Contract Terms Directive 93/13/EEC and – possibly – Art 7(4) GDPR illegality may serve as an important tool to prevent restrictions of the data subject’s autonomy and freedom of contract between data subject and controller. Such a consequence should be derived from national principles and provisions functionally equivalent to Arts II.–7:301 and II.–7:302 DCFR for prohibited deviations from core provisions of the GDPR.13 Important examples thereof are the voidness for illegality of those agreements and terms excluding or restricting withdrawal of consent (Art 7(3) GDPR) or the objection to processing (Art 21(1) GDPR).14 Moreover, Arts 7(3), 21(1) GDPR have to be understood to also prohibit obligations to refrain from withdrawing or objecting.15 Sometimes the consent of the data subject is even seen as a prerequisite for the contract giving rise to obligations,16 or freedom of consent is used as an argument against the 2. 12 cf Langhanke (n 3) 136f.; Linardatos (n 10) para 49. See also the Italian Cass. 2.7.2018 – no. 17278 (with case note by Tereza Pertot, ‘Die Auslegung des datenschutzrechtlichen Koppelungsverbots – Lockerung durch den Corte di Cassazione’ (2019) 2 GPR 54) and the Austrian OGH 31.8.2018 – 6 Ob 140/18 h (with case note by Sebastian Schwamberger, ‘Reichweite des datenschutzrechtlichen Koppelungsverbots nach alter und neuer Rechtslage’ (2019) 2 GPR 57). 13 Heckmann/Paschke (n 3) para 30; Alisa Rank-Haedler, ‘Daten als Leistungsgegenstand: Vertragsrechtliche Typisierung’ in Specht-Riemenschneider/Werry/Werry (n 10) para. 14. 14 See below, section VI. 15 See below, section VI. 16 See, in particular, Linardatos (n 10) para 41. Martin Schmidt-Kessel 136 possibility of a valid contractual obligation to consent to data processing17. Others hold the bargaining on the ways of data processing or the duties of the controller to be precluded by the GDPR overriding national contract law.18 Impediments to performance affecting binding effect Affecting the binding effect of contracts, which are in conflict with data protection law, is not necessarily restricted to illegality. A contract may also be affected by legal impediments to performance. In particular, the unlawfulness of data processing may lead to a legal impediment to performance.19 Such unlawfulness may bar both duties and obligations of the data subject and duties and obligations of the other party:20 In either case, it would at least bar the enforcement of performance in kind. Additionally, a relevant impediment would affect counter obligations under the contract. Under most contract laws of the EU Member States, such legal impediment would not lead to an ipso iure termination of the contract. However, there is a strong traditional trait to such a solution. In particular, such cases represent the historical raison d’être of the classical condictio causa data causa non secuta, which is also mirrored in some older provisions such as § 326(1) BGB and the Hague Convention on the sale of goods. Moreover, many classical force majeure clauses lead to an ipso iure termination, which would, however, usually not apply to the cases at hand on initial impediments to performance caused by conflicts with data protection law. Termination of the contract due to a legal impediment to performance is usually rather framed as a remedy triggered by declaration (or in older provisions by court order on the application of the aggrieved party). Such a solution is much more flexible for calibrating the consequences of termination to, inter alia, the values in exchange, the amounts earned (in particular by the controller) and the degrees of amortization. Keeping in mind that the value of data-related performances is presently very difficult to de- IV. 17 Giovanni De Cristofaro, ‘Die datenschutzrechtliche Einwilligung als Gegenstand des Leistungsversprechens’ in Pertot (n 5) 151, 165–166. 18 cf Guiseppe Versaci, ‘Personal Data and Contract Law: Challenges and Concerns about the Economic Exploitation of the Right to Data Protection’ (2018) 4 ERCL 374, 388. 19 Schmidt-Kessel/Grimm (n 10) 103. 20 cf Metzger (n 3) 855 (denied for withdrawal of consent). Right to Withdraw Consent to Data Processing – The Effect on the Contract 137 termine, such a more flexible right to terminate should be preferred over the erratic solutions of ipso iure avoidance. Right to withdraw from consent as a part of the ordre public interne The data subject may withdraw his consent at any time (Art 7(3) GDPR). The wording of the provision does not give clear guidance whether the right to withdraw is mandatory and thus belongs to the ordre public interne of the acquis. Art 8(2) of the EU Charter of Fundamental Rights (‘CFR’) indeed mentions consent but not the right to withdraw consent. Likewise, Art 21 GDPR does not expressly state whether the right to object is mandatory or not. Some authors have argued, therefore, that under a binding contract withdrawal may be restricted by good faith and fair dealing21 or by the binding effect of the contract22. However, the better reasons support the opinion that the right to withdraw and the right to object are impliedly established as mandatory rights of the data subject.23 Moreover, Art 8 CFR supports this mandatory nature on the level of primary law at least for the right to withdraw consent.24 Recital 39 DCD now seems to confirm this. The main reasons for this view may be drawn first from the principle of party autonomy, which governs the GDPR and the CFR. As opposed to freedom of contract, which by definition must be a bilateral (or multilateral) freedom, the freedom of the data subject to consent (or not to consent) to data processing by the controller is a unilateral concept aiming to protect only the interests of the data subject. Therefore, as opposed to the basic principles of contract law, the capacity to become legally bound by consent is not an element of the freedom to consent. The consent is, therefore, V. 21 See Benedikt Buchner, Informationelle Selbstbestimmung im Privatrecht (Mohr Siebeck 2006) 270 et seq. 22 Linardatos (n 10) paras 56–59. Cf Andreas Sattler, ‘Personenbezogene Daten als Leistungsgegenstand’ [2017] JZ 1036, 1042–1042. 23 Alberto De Franceschi, La circulazione die dati personali tra privacy e contratto (Edizioni Scientifiche Italiane 2017) 73, 120; Peter Schantz and Heinrich Wolff, Das neue Datenschutzrecht (C.H. Beck 201) para 532; Schmidt-Kessel/Grimm (n 10) 91; Versaci (n 18) 391; Graf von Westphalen/Wendehorst (n 10) 2183ff. More radically De Cristofaro (n 17) 166 argues against the validity of consent-related obligations, which would restrict freedom of consent. 24 De Franceschi (n 23) 74, 115, 120; Schmidt-Kessel/Grimm (n 10) 91; Graf von Westphalen/Wendehorst (n 10) 2183–2814. Martin Schmidt-Kessel 138 freely withdrawable and the right of the data subject to withdraw is protected under Art 8(2) CFR (and Art 7(3) GDPR). This basic solution is in line with the specific thresholds for consent, established in particular by Arts 4(11), 7, 8 GDPR. The general enforcement deficit neglecting the extraordinary decision that pure information asymmetry as such could render the consent void (see Art 4(11) GDPR) should not lead to an underestimation of these thresholds. The right to withdraw consent mirrors the thresholds by releasing the data subject from the need to explain and prove the information asymmetry, in general, and the lack of information given, in particular. Moreover, the right to withdraw is a consequence of the purpose limitation principle, Art 5(1)(b) GDPR. Other than Art 6(1)(b)–(d) GDPR, the legal basis of consent under Art 6(1)(a) GDPR is not restricted to a certain purpose or a certain set of purposes, but rather the purposes covered by the consent are within the decision of the data subject. This raises the risk of a delimitation of the protective function of Art 6(1) GDPR by consent to processing for a broad range of purposes. This risk is balanced by the limitation of the effects of consent inherent to the right to withdraw it, which aims to execute the purpose limitation principle not only by the – rather weak – specification requirement but also by limiting the binding nature of consent. This purpose limiting function of the right to withdraw would not be effective if the right to withdraw would not be mandatory. On the other hand, the controller’s trust in the consent given is protected not only by the significant factual rarity of withdrawal but also by the lack of retroactive effect (see Art 7(3) 2nd Sentence GDPR).25 Practical needs to organize the cessation of data processing will additionally be satisfied by an application of Art 6(1)(f) GDPR under a transition period. Data protection law, therefore, safeguards the general interest of the controller of being protected in his expectation interest in the possibility to use personal data for the purposes consented to by the data subject at least until withdrawal. Contract law consequences – such as rights to end the contract via withdrawal or other means of expiration of the obligations of the controller as a party to the contract – may amend this protection. As a consequence of these considerations, the right to withdraw consent constitutes a part of the ordre public interne.26 The data subject does not 25 Heckmann/Paschke (n 3) para 87. 26 Langhanke (n 3) 118; Langhanke/Schmidt-Kessel (n 2) 221; Metzger (n 3) 825; Specht (n 3) 767. Right to Withdraw Consent to Data Processing – The Effect on the Contract 139 have the capacity to waive the right to withdraw consent.27 The mandatory nature of that right goes even further by also prohibiting the establishment of contractual obligations not to withdraw from consent.28 Without this amendment, European law would allow the circumvention of the incapacity to waive the right to withdraw. Therefore, Art 8 CFR and Art 7(3) GDPR also prevent contractual obligations to that effect. Indirectly, this interpretation excludes fully enforceable obligations to establish a right to use personal data by way of consent.29 This result raises further questions: to what extent does the lack of an enforceable obligation limit the binding effect of a contract? In addition, to what degree does the free right to withdrawal determine the consequences of withdrawal? While the second question will be dealt with in the next section, the answer to the first focuses on the initial binding effect of such a contract and the obligations thereunder. With Art 3(1) subpara 2 DCD and the new Art 3(1a) Consumer Rights Directive 2011/83/EU30 (‘CRD’), EU law acknowledges the possibility of such a binding effect at least for the situations of data processing under Art 6(1)(a) and (f) GDPR:31 for contracts for the supply of digital content or a digital service, the consumer may – validly – undertake to provide personal data to the supplier and confer upon him the right to use the data,32 which enables the consumer to profit from the standards on conformity for digital content or digital service supplied (Arts 6ff DCD) and from remedies for nonconformity (Art 14 DCD) established by the Digital Content Directive 2019/770. The same holds true for the consumer protection instruments enacted in transposing the Consumer Rights Directive 2011/83/EU into national law. Therefore, EU law prohibits an obligation enforceable in kind, but does not (aim to) prohibit valid contracts including such data-related obligations. This is in line with the fact, that under European private law(s) enforceability in kind is – from a comparative point of view – not self-evident. On the contrary, national legal orders know of many concepts 27 Klement (n 11) para. 92. 28 Langhanke/Schmidt-Kessel (n 2) 220; Schmidt-Kessel/Grimm (n 10) 92; contra Klement (n 11) para. 92. 29 Langhanke/Schmidt-Kessel (n 2) 221; Riehm (n 5) 187–189. 30 As amended by the Directive (EU) 2019/2161 of the European Parliament and of the Council of 27 November 2019 amending Council Directive 93/13/EEC and Directives 98/6/EC, 2005/29/EC and 2011/83/EU of the European Parliament and of the Council as regards the better enforcement and modernisation of Union consumer protection rules [2019] OJ L238/7. 31 Metzger (n 3) 824. 32 Langhanke (n 3) 108 et seq.; Metzger (n 3) 833. Martin Schmidt-Kessel 140 to handle non-enforceable duties and obligations under a – valid – contract, such as natural obligations, Obliegenheiten, exception of contradictory behaviour (dolo agit), justified non-performance or excused non-performance.33 Most are dealt with in the discussion on Datenschuldrecht and data-related obligations from 2015 onwards.34 On the other hand, authors discussing the exact legal construction of data-related obligations agree in generally accepting the validity of the respective contracts. Consequences of withdrawal under an existing contract A necessary point of consideration concerns the consequences of withdrawal under Art 7(3) GDPR on an existing contract. While the provision deals with the main consequences of withdrawal for the lawfulness of data processing (1), so far no obligatory consequences are expressly regulated either in data protection law or in contract law. However, a set of implied consequences based on the effectiveness of data protection will certainly emerge to protect freedom of consent and the free withdrawal from consent (2). Moreover, the EU recently established two special rules on restitutionary effects of ending a contract entailing data-related obligations (3), which have to be evaluated as to whether they could serve as a model for restitution after withdrawal under Art 7(3) GDPR (4). Consequences under data protection law Art 7(3) 2nd Sentence GDPR establishes a rough structure of the consequences of withdrawal under data protection law: Withdrawal of consent has no retroactive effect. Therefore, the lawfulness of processing based on consent before withdrawal is not affected.35 What remains open to discussion, however, is whether another legal basis for the data processing could apply after withdrawal or to the conse- VI. 1. 33 Cf the discussion in Langhanke (n 3) 125–129; Langhanke/Schmidt-Kessel (n 2) 221. 34 Natural obligations are considered by Langhanke/Schmidt-Kessel (n 2) 221; Riehm (n 5) 192. Obliegenheiten are considered by Riehm (n 5) 192. A dolo agit-exception is argued by Langhanke (n 3) 127. The concept of justified non-performance may be found with De Franceschi (n 23) 121; Langhanke/Schmidt-Kessel (n 2) 218, 221; Metzger (n 3) 834ff., 855; Schmidt-Kessel/Grimm (n 10) 103ff. Excused non-performance is argued in favour of by Specht (n 3) 767. 35 See ex multis De Franceschi (n 23) 116. Right to Withdraw Consent to Data Processing – The Effect on the Contract 141 quences of withdrawal.36 In the general discourses on data protection law this mainly concerns the case of a parallel legal basis and, in particular, whether withdrawal would bar their applicability. However, the structure of Art 6(1) GDPR is very clear as to the parallel applicability of all legal bases mentioned in the provision,37 which excludes a general solution of withdrawal always barring the other legal bases. Art 17(1)(b) GDPR provides for the decisive systematic argument.38 On the other hand, at least in case of Art 6(1)(f) GDPR the controller in the individual case may be prevented from pleading a legitimate interest because of contractual obligations to the contrary, of waiver, or of estoppel by inconsistent behaviour (venire contra factum proprium). Such an exclusion may be based in the individual case on Art 5(1)(a) GDPR.39 For the questions at hand, it is of much more interest whether withdrawal could lead to an additional application of other legal bases just for dealing with the consequences of withdrawal. For example, the windingup of the contract – in case this becomes necessary because of the withdrawal of consent – should at least provide the controller with a legitimate interest (Art 6(1)(f) GDPR) for that purpose. Moreover, the general contract privilege of Art 6(1)(b) GDPR would apply for new contractual duties, e.g. restitution after termination or modification(s) of the contract.40 Consequences in contract law In contract law, a broad variety of questions of contracting over privacy and Datenschuldrecht emerge because of withdrawal of consent. If the right to use personal data forms the object of an obligation under the contract, the original aim of the performance of the contract will be disarranged by the withdrawal. This will lead in many cases to consequences for the other obligations under the contract. The Digital Content Directive 2019/700 deliberately abstains from establishing rules on the consequences of with- 2. 36 See Buchner (n 21) 272–274. 37 Schulz (n 8) para 10. 38 Schulz (n 8) para 11; Phillip Hacker, ‘Daten als Gegenleistung: Rechtsgeschäfte im Spannungsfeld von DS-GVO und allgemeinem Vertragsrecht’ [2019] ZfPW 148, 160; Klement (n 11) para. 34. 39 Schantz/Wolff (n 23) para 475. 40 Schulz (n 8) para 28; Riehm (n 5) 180. Contra Schantz (n 10) para 30; Schantz/Wolff (n 23) para 558. Martin Schmidt-Kessel 142 drawal in contract law leaving them to national law (for the time being).41 Of the variety of possible echoes of withdrawal in the contract, the following will only deal with the replacement by another obligation of the data subject, and with termination. However, those consequences are not always inevitable: where the controller has drawn his earnings (or the overwhelming part thereof) out of the right to use the personal data, before the data subject withdrew consent, there might be no need to change anything of the rest of the contract. For example, this might be the case where a consent without time limit42 is withdrawn years later or where the amortization for the controller takes place within the first days after consent was given. Replacement by an obligation to pay? Some discussions in the context of the bundling prohibition in Art 7(4) GDPR suggest that replacing the data-related obligation by an obligation with a different content could be a suitable contractual consequence of withdrawal of consent. This suggestion originates in the idea that a bundling prohibition may be overcome by offering alternatives to consent, e.g. an extra payment.43 However, would replacing the use of the personal data with another obligation of the data subject (e.g. additional payment, losing a discount, compensation for value) be in conformity with the free right to withdraw?44 Any detriment to the data subject could be interpreted as a restriction of the – mandatory – right to withdraw from consent. Therefore, the answer correlates to a large extent with the meaning of Art 7(4) GDPR: Initially using an obligatory alternative money consideration as a fallback position in case of withdrawal would be in line with GDPR. Therefore, the weaker Art 7(4) GDPR is, the more the compensatory solution would be on the table. a) 41 See Recital 40 DCD. 42 If not anyway such a consent would be qualified usury, cf Martin Schmidt-Kessel, Lehrbuch Verbraucherrecht (2018) para 127. 43 See Hacker (n 38) 178; Metzger (n 3) 823 and 824; Pertot (n 12) 55; Schwamberger (n 12) 58; Shaira Thobani, ‘Il mercato dei dati personali: tra tutela dell’interessato e tutela dell’utente’ (2019) 3 Rivista di diritto dei media 131, 140ff. Contra Lindratos (n 10) para 49. 44 Cf Specht (n 3) 769. Right to Withdraw Consent to Data Processing – The Effect on the Contract 143 Termination of the contract? As withdrawal leads to a termination of the right to use the personal data under data protection law, the connotation with a right to terminate the contract is rather obvious.45 However, neither the GDPR nor the Digital Content Directive 2019/770 give a hint into that direction. Recital 40 DCD is sometimes understood as a mandate for Member States to establish a right of the controller to end the contract for withdrawal of consent by the other party. However, it was a wise decision by the EU legislator not to go into the regulatory details here and Member States should follow by applying general contract law instead of establishing new rules. This is not only true because of the divergence of Member States’ legal orders as to termination the contract disturbed by breach or other events. For the situations at hand, there may have been no uniform policy decision to take. Whether the controller should be allowed to bring the contract to an end if the data subject withdraws from consent, depends on many factors. Dogmatically, the exact interpretation of Art 7(4) GDPR would be substantially influenced by such a decision. From a policy point of view, the (subjective) equilibrium of values of the reciprocal performances is not necessarily touched upon by the end of the right to use the personal data. Finally, the right to terminate the contract must also be calibrated with the counter-performance by the controller, which might be a single act of supply or a continuous supply. Relevant restitutionary rules within the acquis EU law is rather reluctant to deal with the detailed consequences of termination for breach. References to national law prevail. Arts 16 and 17 DCD therefore represent the exception. For the first time ever in EU law, Art 16(2) DCD now deals with the restitution of data provided by one party in fulfilling the contract: ‘In respect of personal data of the consumer, the trader shall comply with the obligations applicable under Regulation (EU) 2016/679.’ Art 13(4) CRD establishes the same rule (with identical b) 3. 45 This consequence is argued by several authors: De Cristofaro (n 17) 171; Metzger (n 3) 864; Specht (n 3) 768. Cf Langhanke/Schmidt-Kessel (n 2) 222 and Gerald Spindler, ‘Digitale Wirtschaft – analoges Recht: Braucht das BGB ein Update?’ (2016) 17 JZ 805, 807. Martin Schmidt-Kessel 144 wording) for the restitution after a withdrawal by a consumer from a consumer contract under the Directive. Probably, the cross-reference to the GDPR not only covers the rights and remedies of the data subject established by Arts 12–23 GDPR (information, access, erasure, restriction of processing, notification, data portability, etc.) but also those dealt with by Arts 77–84 GDPR (including effective judicial remedy against controller, monetary compensation). However, at present it is not entirely clear whether these obligations are conclusive in the sense that neither additional rights of the consumer may be deduced from the Directive(s) nor may the Member States add rules, e.g. for the restitution of profits gained by using the personal data. The question is not without importance bearing in mind that not all rules in Arts 12–33, 77–84 GDPR are meant to apply in circumstances of restitution. Moreover, ending the contract under the Digital Content Directive 2019/770 and the Consumer Rights Directive 2011/83/EU does not necessarily trigger the rights and remedies to which the articles refer. No generalization of the rules so far established! The aforementioned articles with rules for two different means of ending the contract raise the question whether they represent more general principles of data protection law, of Datenschuldrecht in general or of the principles governing restitution in case of data-related contractual obligations in particular. From a general data protection perspective one could even ask whether Art 16(2) DCD and Art 13(4) CRD cause a paradigm shift for the whole GDPR: do these provisions generally lead to a commercialization of the GDPR in the sense that the Regulation according to the European legislator also protects the commercial interests of the data subject in the use of his personal data? At least both articles here provide a valuable argument.46 On a more technical level, one could discuss whether the GDPR-remedies generally serve as a model solution on restitution after failure of contract. Expressed more dogmatically: does the GDPR serve as a functional re vindicatio for personal data?47 The answer to this last question is – tentatively – ‘no’: Art 16(2) DCD and Art 13(4) CRD serve rather as a stopgap-solu- 4. 46 See Schmidt-Kessel (n 3) paras 37–39. 47 Some authors seem to argue that way, see De Franceschi (n 23) 124; Metzger (n 3) 864; Specht (n 3) 768. Right to Withdraw Consent to Data Processing – The Effect on the Contract 145 tion48 in the sense of a Datenschuldrecht avant la lettre. Such an analysis is completely in line with the classical experiences with restitution after termination in other uniform law texts (e.g. the CISG). Usually such rules consist of some last minute formulas, in which only German lawyers seem to be significantly interested. The German particularities include a denser control of first instance judges by the German Federal Court of Justice (Bundesgerichtshof) in the realm of restitution, the fault principle, which largely prevents judges from solving restitutionary issues within the calculation of damages and the sharp dichotomy between the separate kinds of termination, the termination ex tunc (Rücktritt) and termination ex nunc (Kündigung). The solutions enacted in Art 16(2) DCD and Art 13(4) CRD should therefore not be taken too seriously. In particular, the provisions do not represent a binding interpretation of GDPR. First and foremost, however, Art 16(2) DCD and Art 13(4) CRD should not be used as a model for further legislation. Seven short conclusions 1) The GDPR is (inter alia) based on freedom of contract, but contains some restrictions in terms of illegality and legal impediments of performance. 2) The GDPR prevents data-related duties and obligations of the data subject from being enforceable in kind. 3) The GDPR does not prevent a contract including such duty or obligation from being binding as such on both parties. 4) Withdrawal of consent by the data subject is followed by consequences in data protection law mainly organized by the GDPR. 5) Consequences in contract are determined by GDPR only to a limited extent. 6) Art 16(2) DCD and Art 13(4) Directive CRD do not represent a binding interpretation of GDPR. 7) Art 16(2) DCD and Art 13(4) Directive CRD should not be used as a model for further legislation. VI. 48 Schmidt-Kessel (n 3) para 39. Martin Schmidt-Kessel 146

Chapter Preview

References

Abstract

This 5th volume in the “Münster Colloquia on EU Law and the Digital Economy” focuses on one of the most important challenges faced by private law in this era of digitalization: the effects of “data as counter-performance” on contract law; a phenomenon acknowledged by the EU legislator in the new “Digital Content Directive” 2019/770. In this volume, legal experts from across Europe examine various issues, in particular contract performance and restitution, and the relationship between contract law and data protection, central to the question: Contract law 2.0?

Zusammenfassung

Wissenschaftler und Praktiker aus mehreren europäischen Ländern befassen sich in dem Band mit den vertragsrechtlichen Konsequenzen, die sich daraus ergeben, dass „Daten als Gegenleistung“ zur Verfügung gestellt werden. Dieses praktische Phänomen, das in der sog. „Digitale-Inhalte-Richtlinie“ auch durch den europäischen Gesetzgeber Anerkennung gefunden hat, wirft etwa Fragen des Rechts der Erfüllung, aber auch der Rückabwicklung von Verträgen auf; beleuchtet wird ferner der Zusammenhang von Vertragsrecht und Datenschutzrecht. Die Reihe der „Münster Colloquia on EU Law and the Digital Economy“ wendet sich damit in ihrem nunmehr fünften Band wiederum einer der wichtigen Herausforderungen zu, die sich als Folge der Digitalisierung für Rechtswissenschaft und Praxis im Privatrecht stellen.