Axel Metzger, A Market Model for Personal Data: State of Play under the New Directive on Digital Content and Digital Services in:

Sebastian Lohsse, Reiner Schulze, Dirk Staudenmayer (Ed.)

Data as Counter-Performance - Contract Law 2.0?, page 23 - 46

Münster Colloquia on EU Law and the Digital Economy V

1. Edition 2020, ISBN print: 978-3-8487-7606-1, ISBN online: 978-3-7489-0853-1,

Bibliographic information
Legal Nature and Economic Value of Data in the Contractual Relationship A Market Model for Personal Data: State of Play under the New Directive on Digital Content and Digital Services Axel Metzger* Data as counter-performance in consumer contracts Article 3(1) subpara. 2 of the new Directive (EU) 2019/770 ‘on certain aspects concerning contracts for the supply of digital content and digital services’ (DCSD) signifies a paradigm shift in the law of personal data. According to the old paradigm, ‘free services’ were offered to consumers who gave their consent to the processing of their data. Both transactions were seen as being independent of each other. The leading search engines, social media platforms and many ‘content’ providers did not – and still do not – demand for a money consideration from the users. Those services therefore appeared as if they would be gratuitous for the consumer, whereas the service providers earned their revenues on the other side of the market by selling advertisements to business customers. The processing of the data, either based on consent or on the other legal grounds of Article 6(1) General Data Protection Regulation (GDPR), was interpreted as an ancillary unilateral legal act besides the service contract. This model was already queried in legal literature before the Proposal of the Directive was published in 2015.1 However, those early voices did not lead to any changes in the business practices of the services which designed – and still do so – the two transactions as being split up. The ‘terms of use’ and the ‘privacy statements’ were often drafted as separate documents, the services being described as offered for free. I. * Prof. Dr. Axel Metzger, LL.M. (Harvard), Humboldt University of Berlin. 1 See eg Peter Bräutigam, ‘Das Nutzungsverhältnis bei sozialen Netzwerken – Zivilrechtlicher Austausch von IT-Leistung gegen personenbezogene Daten’ (2012) 15(10) MMR 635; Benedikt Buchner, ‘Die Einwilligung im Datenschutzrecht – vom Rechtfertigungsgrund zum Kommerzialisierungsinstrument’ (2012) 34(1) DuD 39, 41; Patricia Maria Rogosch, Die Einwilligung Im Datenschutzrecht (Nomos 2013) 41 –46. 25 It therefore appeared as an innovative approach, when the Proposal of the new Directive, published in December 2015,2 suggested in Article 3(1) subpara. 2 to apply the new rules on the supply and conformity of digital content and digital services both on paid services and on services where the consumer provides ‘a counter-performance other than money in the form of personal data or any other data’. The idea to treat money consideration and personal data equally was already expressed in a recital of the later dropped Common European Sales Law of 2011 (CESL).3 However, the broader public that is interested in data protection issues only took notice when the concept reappeared in the regulatory part of the DCSD. Since that time, a lively debate has arisen both in the industry4 and among data protection officers5 and academics.6 It is no exaggeration to say that we are 2 European Commission, ‘Proposal for a Directive of the European Parliament and of the Council on certain aspects concerning contracts for the supply of digital content’, COM(2015) 634 final, 2015/0287 (COD), 09.12.2015. 3 European Commission, ‘Proposal for a Regulation on a Common European Sales Law’ COM(2011) 635 final, Recital 18. 4 See eg, Eurochambres, ‘Reaction to the European Commission’s proposal on the distance sales of digital content (COM(2015) 634 final)’ (18 April 2016), accessed 27 September 2019. 5 See European Data Protection Supervisor, Opinion 4/2017. 6 For academic publications during the legislative procdure see: Marietta Auer, ‘Digitale Leistungen’ (2019) 5(2) ZfPW 130; Hugh Beale, ‘Conclusion and Performance of Contracts: An Overview’ in Reiner Schulze, Dirk Staudenmayer and Sebastian Lohsse (eds), Contracts for the Supply of Digital Content: Regulatory Challenges and Gaps (Nomos 2017) 33; European Law Institute (ELI), ‘Statement on the European Commission’s proposed directive on the supply of digital content to consumers’ (ELI, 2016) accessed 27 September 2019; Beate Gsell, ‘Der europäische Richtlinienvorschlag zu bestimmten vertragsrechtlichen Aspekten der Bereitstellung digitaler Inhalte’ (2018) 62(2) ZUM 75; Philipp Hacker, ‘Daten als Gegenleistung: Rechtsgeschäfte im Spannungsfeld von DS-GVO und allgemeinem Vertragsrecht’ (2019) 5(2) ZfPW 148; Niko Härting, ‘Digital Goods und Datenschutz – Daten sparen oder monetarisieren? Die Reichweite des vom DinhRL-E erfassten Geschäftsmodells’ (2016) (11) CR 735; Ruth Janal and Jonathan Jung, ‘Spezialregelungen für Verträge über digitale Inhalte in Theorie und Praxis’ (2017) 32(9) VuR 332; Axel Metzger, ‘Data as Counter- Performance – What Rights and Duties do Parties Have?’ (2017) 8(1) JIPITEC 2; Axel Metzger et al, ‘Data-Related Aspects of the Digital Content Directive’ (2018) 9(1) JIPITEC 90; Andreas Sattler, ‘Personenbezogene Daten als Leistungsgegenstand – Die Einwilligung als Wegbereiter des Datenschuldrechts’ (2017) 72(21) JZ 1036; Martin Schmidt-Kessel et al, ‘Die Richtlinienvorschläge der Kommission zu Axel Metzger 26 facing a shift of paradigm in the law of personal data with this new approach. The language of Article 3(1) subpara. 2 DCSD-Proposal was at the same time explicit and narrow. It was explicit that personal data or other data could be interpreted as counter-performance of the consumer7 which provoked the severe criticism of the European Data Protection Supervisor.8 However, the scope of application was rather narrow with regard to personal data that could qualify as counter-performance. Article 3(1) subpara. 2 only mentioned ‘actively provided’ data. Recital 14 excluded data automatically generated and collected by cookies and also data ‘necessary for the digital content to function in conformity with the contract, for example geographical location where necessary for a mobile application to function properly’, and data collected ‘for the sole purpose of meeting legal requirements’. These restrictions were criticised both by academics9 Digitalen Inhalten und Online-Handel – Teil 1’ [2016] GPR Fokus 2; Martin Schmidt-Kessel et al, ‘Die Richtlinienvorschläge der Kommission zu Digitalen Inhalten und Online-Handel – Teil 2’ [2016] GPR Fokus 54; Martin Schmidt-Kessel and Anna Grimm, ‘Unentgeltlich oder entgeltlich? – Der vertragliche Austausch von digitalen Inhalten gegen personenbezogene Daten’ (2017) 3(1) ZfPW 84; Louisa Specht, ‘Daten als Gegenleistung – Verlangt die Digitalisierung nach einem neuen Vertragstypus?’ (2017) 72(15-16) JZ 763; Gerald Spindler, ‘Verträge über digitale Inhalte – Anwendungsbereich und Ansätze – Vorschlag der EU-Kommission zu einer Richtlinie über Verträge zur Bereitstellung digitaler Inhalte’ (2016) 19(3) MMR 147; Gerald Spindler, ‘Verträge über digitale Inhalte – Haftung, Gewährleistung und Portabilität – Vorschlag der EU-Kommission zu einer Richtlinie über Verträge zur Bereitstellung digitaler Inhalte’ (2016) 19(4) MMR 219; Friedrich Graf von Westphalen, ‘Richtlinienentwurf der Kommission betreffend die Bereitstellung digitaler Inhalte und das Recht des Verbrauchers auf Schadensersatz’ (2016) BB 1411; Friedrich Graf von Westphalen and Christiane Wendehorst, ‘Hergabe personenbezogener Daten für digitale Inhalte – Gegenleistung, bereitzustellendes Material oder Zwangsbeitrag zum Datenbinnenmarkt?’ (2016) BB 2179. For publications after the enactment of the Directive see n 13. 7 ‘This Directive shall apply to any contract where the supplier supplies digital content to the consumer or undertakes to do so and, in exchange, a price is to be paid or the consumer actively provides counter-performance other than money in the form of personal data or any other data.’. 8 European Data Protection Supervisor (n 5) 7: ‘There might well be a market for personal data, just like there is, tragically, a market for live human organs, but that does not mean that we can or should give that market the blessing of legislation.’. 9 See European Law Institute (n 6) 15; Metzger et al, ‘Data-Related Aspects of the Digital Content Directive’ (n 6) paras 25–28; Gerald Spindler, ‘Verträge über digitale Inhalte – Anwendungsbereich und Ansätze Vorschlag der EU-Kommission zu einer Richtlinie über Verträge zur Bereitstellung digitaler Inhalte’ (2016) 19(3) MMR 147, 150. A Market Model for Personal Data 27 and consumer organisations,10 a criticism that was finally taken up by the European Parliament which requested a broader inclusion of personal data into the framework of the Directive.11 The final text of Article 3(1) subpara. 2 DCSD addresses both concerns. The revised text avoids the words ‘personal data as counter-performance’ to make clear that the European legislature does not encourage a further commercialisation of personal data.12 All the safeguards of the GDPR remain untouched, see Article 3(8) and Recital 38 DCSD. Consent must be freely given and may be withdrawn at any time, see Article 7(1), (2) GDPR. The crucial question, if and under which conditions such a consent may be given within the framework of a contract, will be discussed in the next section of this paper. And yet, besides all these precautions, the substance of Article 3(1) subpara. 2 DCSD has not been changed during the legislative procedure. The Directive remains applicable both for consumers who pay money and for consumers who provide personal data.13 Whether the personal data of the consumer should be interpreted as a synallagmatic 10 Verbraucherzentrale Bundesverband, ‘Digitale Inhalte: Für eine zielgenaue und kohärente Gesetzgebung – Stellungnahme zum Vorschlag der EU-Kommission für eine Richtlinie über bestimmte vertragsrechtliche Aspekte der Bereitstellung digitaler Inhalte – COM(2015) 634 endg.’ (1 September 2017) 16 accessed 27 September 2019. 11 European Parliament, ‘Report on the proposal for a directive of the European Parliament and of the Council on certain aspects concerning contracts for the supply of digital content (COM(2015) 634 – C8-0394/2015 – 2015/0287(COD))’ A8-0375/2017, Amendments 21 and 80. 12 See also Recital 24: While fully recognising that the protection of personal data is a fundamental right and that therefore personal data cannot be considered as a commodity, this Directive should ensure that consumers are, in the context of such business models, entitled to contractual remedies. 13 For publications after the enactment of the Directive see: Ivo Bach, ‘Neue Richtlinien zum Verbrauchsgüterkauf und zu Verbraucherverträgen über digitale Inhalte’ (2019) 72(24) NJW 1705, 1706; Cornelia Kern, ‘Anwendungsbereich der Warenkauf- und der Digitale Inhalte-RL’, in Wolfgang Stabentheiner, Christiane Wendehorst and Brigitta Zöchling-Jud (eds), Das neue europäische Gewährleistungsrecht (Manz 2019), 33; Axel Metzger, ‘Verträge über digitale Inhalte und digitale Dienstleistungen: Neuer BGB-Vertragstypus oder punktuelle Reform?’ (2019) 74(12) JZ 577; Lena Mischau, ‘Daten als „Gegenleistung“ im neuen Verbrauchervertragsrecht’ (2020) 28(2) ZEuP 335; Thomas Riehm, ‘Freie Widerruflichkeit der Einwilligung und Struktur der Obligation – Daten als Gegenleistung?’ in Tereza Pertot (ed), Rechte an Daten (unpublished manuscript 2019) 4; Gerald Spindler and Karin Sein, ‘Die endgültige Richtlinie über Verträge über digitale Inhalte und Dienstleistungen Anwendungsbereich und grundsätzliche Ansätze’ (2019) Axel Metzger 28 counter-performance or not, is mainly of importance for the relationship between the duties of the two contracting parties. But since the DCSD does not harmonise the duties of the consumer,14 it can also avoid to answer this question.15 The DSCD in its final version is applicable irrespective of whether the consumer provides the data actively; the wording ‘actively provided’ in Article 3(1) subpara. 2 has been deleted. However, the Directive does not provide a clear-cut solution for data collected from a passive consumer. According to Recital 24, it suffices that personal data is ‘created’ with the use of the digital content or service. Even a mere collection of ‘metadata, such as information concerning the consumer’s device or browsing history’ may suffice according to Recital 25.16 This should also cover situations in which the service provider uses cookies to collect personal data of the consumer.17 But this applies only if the relationship between trader and consumer ‘is considered to be a contract under national law’. It is therefore up to the national level to decide about the scope of application of the new rules.18 22(7) MMR 415, 418; Karin Sein and Gerald Spindler, ‘The new Directive on Contracts for the Supply of Digital Content and Digital Services – Scope of Application and Trader’s Obligation to Supply – Part 1’ (2019) 15(3) ERCL 257; Dirk Staudenmayer, ‘Auf dem Weg zum digitalen Privatrecht – Verträge über digitale Inhalte’ (2019) 72(35) NJW 2497. For earlier publications see n 6 and n 1. 14 With the exception of Article 17. 15 See with more details Axel Metzger, ‘Dienst gegen Daten: Ein synallagmatischer Vertrag’ (2016) 216(6) AcP 817, 833–835. 16 See also Recital 38 at the end. 17 But see Gerald Spindler and Karin Sein, ‘Die endgültige Richtlinie über Verträge über digitale Inhalte und Dienstleistungen Anwendungsbereich und grundsätzliche Ansätze’ (n 13) 418. 18 See also Gerald Spindler and Karin Sein, ‘The new Directive on Contracts for the Supply of Digital Content and Digital Services – Scope of Application and Trader’s Obligation to Supply – Part 1’ (n 13) 263ff.; See also Metzger, ‘Verträge über digitale Inhalte und digitale Dienstleistungen: Neuer BGB-Vertragstypus oder punktuelle Reform?’ (n 13) 579; Mischau, ‘Daten als ´Gegenleistung` im neuen Verbrauchervertragsrecht’ (n 13) at III.1 and V.3; Zohar Efroni, ‘'Gaps and Opportunities: The Rudimentary Protection for 'Data-Paying Consumers' under the New EU Consumer Protection Law' forthcoming in (2020) 57(3) CMLR. A Market Model for Personal Data 29 Personal data and the law of contract Consumers must conclude a contract in order to benefit from the consumer protection measures taken by the DCSD. According to Article 3(1) subpara. 1, the Directive ‘shall apply to any contract (...)’. Subpara. 2 extends the scope of application to situations where the consumer provides personal data. But this also requires a contract to be concluded, as clarified by Recital 24.19 However, the key question whether a situation in which the consumer uses a service, eg a search engine, and the service providers collects the consumer’s personal data is to be qualified as a contract or not has not been regulated in the Directive. Article 3(10) determines that the Directive shall not affect the freedom of Member States to regulate aspects of general contract law, such as rules on the formation, validity, nullity or effects of contracts. As a consequence, the law of the Member States will have to decide on the requirements of offer, acceptance and possibly further preconditions of a valid contract, eg the English consideration or the French ‘cause’ doctrines. The following outline is mainly based on German contract law. Offer to conclude a contract The initiative to conclude a contract (or not) will typically come from the content or service provider. In the easy case of a two-sided relationship between a content or service provider offering its service and a consumer interested in using this service,20 it will be a matter of interpretation of the communication and conduct of the service provider and, more particularly, its general terms and conditions whether the requirements of an offer to conclude a contract are met. According to German contract law, an objective standard of interpretation has to be to applied, § 157 BGB. The question therefore is how a rea- II. 1. 19 ‘This Directive should, therefore, apply to contracts where the trader supplies, or undertakes to supply, digital content or a digital service to the consumer, and the consumer provides, or undertakes to provide, personal data. ’. 20 The regulatory part of the DCSD ignores the fact that the supply of content or software is often not carried out by the owner of the copyright but by a trader, eg an app store, which may lead to a three-partite relationship with a supply contract and an End User License Agreement, see Recital 53. See also European Law Institute (n 6) 24–26; Metzger and others, ‘Data-Related Aspects of the Digital Content Directive’ (n 6) 101. Axel Metzger 30 sonable consumer must understand the communication and conduct of the service provider. The terms of popular services directed to German consumers, like Facebook,21 WhatsApp,22 Spotify23 or Google,24 give a number of indications for a contract offer. They are drafted in the form of complex and lengthy standard contracts. The word ‘contract’ is used more or less regularly. Many of the issues dealt with in the terms and conditions are typical for contractual relationships. For a reasonable consumer, this kind of communication must appear as an offer to conclude a contract on the use of the services.25 This interpretation is unaffected by the fact that consumers may not pay money in exchange for the use of the service. On the contrary, users understand ‘free services’ as an exchange ‘personal data for service’. A survey conducted by DIVSI in Germany in 2014 showed that 67% of the respondents knew personal data as one means of payment in contracts.26 It is therefore quite conceivable that a reasonable consumer will understand a ‘free service’ with long terms and conditions as an offer to conclude a contract, 21 See N° 4 Section 2 and 6 of the German Facebook ‘Nutzungsbedingungen’, Facebook inc., ‘Nutzungsbedingungen’ (31 July 2019) accessed 25 September 2019. 22 See Whatsapp inc, ‘WhatsApp Business Nutzungsbedingungen’ (15 May 2018) accessed 25 September 2019; ‘WhatsApp Inc. ist die vertragsschließende Rechtspersönlichkeit, die dir unsere Business Services bereitstellt.’ (WhatsApp is the contracting legal entity, that offers you our Business Services.). 23 See Spotify AB, ‘Spotify Nutzungsbedingungen’ (15 August 2018) accessed 25 September 2019; see N° 1: ‘Ihr Vertrag mit uns...’ (Your contract with us...). 24 See Google Ireland ltd, ‘Google- Nutzungsbedingungen’ (22 January 2019) accessed 25 September 2019; for the German terms at, ‘Willkommen bei Google’: ‘Die Nutzung der Dienste setzt voraus, dass Sie diesen Nutzungsbedingungen zustimmen. Bitte lesen Sie diese sorgfältig durch.’ (The use of the services requires that you accept these terms and conditions. Please read them carefully.). 25 See Gerald Spindler, ‘Vorb §§ 145ff BGB’ in Gerald Spindler and Fabian Schuster (eds), Recht der elektronischen Medien (C.H. Beck 2019) para 4; more reluctant Jan Busche, ‘§ 145 BGB’ in Münchener Kommentar zum Bürgerlichen Gesetzbuch (8th edn, C.H. Beck 2018) para 13. 26 See Deutsches Institut für Vertrauen und Sicherheit im Internet (DIVSI), ‘Daten – Ware Und Währung’ (2014) 16 accessed 25 September 2019. A Market Model for Personal Data 31 even if he/she does not pay money as consideration.27 A second possible interpretation would be to qualify the consumer’s willingness to be exposed to advertisements as the consumer’s consideration under the contract.28 But this would not alter the fact that the reasonable consumer understands the provision of the ‘free’ service as an offer to conclude a contract. Acceptance by the consumer Acceptance by the consumer may be explicit by clicking of boxes or similar features on the service’s website. It may also be implicit if the use of the service or reception of the content requires a request by the user, eg the sending of a search query or the demand for the display of a content or the streaming of an audio or a video file. But even if a mere passive use of a service or access to a content does not require an active communication by the user with the service provider, it may still be interpreted as an implicit acceptance of the contract offer. According to § 151 sentence 1 BGB, a contract comes into existence through the acceptance of the offer without the offeror needing to be notified of the acceptance, if such a declaration is not to be expected according to customary practice or if the offeror has waived it. One may well argue that the customary practice for digital services without any acceptance mechanism is to expect no kind of an explicit notification of the user of those services. Still, it should be noted that § 151 sentence 1 BGB only dispenses of the notification of the acceptance, not of the acceptance as such. The latter must be demonstrated by a clearly visible conduct or declaration of the offeree.29 Personal data as consideration? European contract law instruments like the CESL, the ‘Draft Common Frame of Reference’ or the ‘Principles of European Contract Law’ deliberately refrain from requiring substantive indicia of seriousness30 like the English ‘consideration’ or the French, Italian or Spanish ‘cause’ or ‘causa’ 2. 3. 27 See also Hacker (n 6) 185ff. (analysis in connection with German law of standard contracts (AGB)). 28 Riehm (n 13) 20. 29 Jan Busche, ‘§ 151 BGB’ in Münchener Kommentar zum Bürgerlichen Gesetzbuch (8th edn, C.H. Beck 2018) para 9. 30 Article 30 CESL; Article II.–4:101 DCFR; Article 2:201 PECL. Axel Metzger 32 doctrine.31 But national contract laws still maintain their traditions, however often with pragmatic solutions. It is eg possible under the UK Consumer Rights Act 2015 to seek damages if a digital content supplied to a consumer causes damage to a device or to other digital content, irrespective of whether the consumer has paid money as consideration or not.32 Still, the application of the other provisions of the Act, eg on the quality of the content, are only applicable if the consumer has paid a price.33 It is therefore an open question for further research if and under which conditions other EU member states qualify situations as contracts in which the consumer uses a digital content or service and the provider collects the consumer’s data. Contract with or without consent to data processing The concept of Article 3(1) subpara. 2 DCSD is based on the idea that the consumer agrees to the processing of his or her personal data. In the typical scenario, the processing of data will thus be justified by the consent of the consumer in accordance with Article 6(1)(a) GDPR. In this simple case, the scope of application of the DCSD and the requirements of the GDPR seem synchronised. But at closer scrutiny, the relationship between the DCSD and the justification of data processing under the GDPR is more complex. Most importantly, the application of the DCSD does not require the consent of the consumer (or data-subject) to be valid under Article 6(1)(a) GDPR. Otherwise, the controller would profit from its non-compliance with the conditions of the GDPR.34 He could disregard the requirements of the GDPR and deprive the consumer of the protection given by the DCSD. Such an interpretation of the DCSD would make no sense. Therefore, even an invalid consent may be sufficient to apply the DCSD if the other requirements are met. In this regard, it is of some importance to distinguish between the valid or invalid contractual obligations between trader and consumer on the one hand, and the valid or invalid consent by the 4. 31 See on the whole Hein Kötz, ‘Indicia of Seriousness’. in Jürgen Basedow, Klaus J. Hopt, Reinhard Zimmermann, and Andreas Stier (eds), Max Planck Encyclopedia of European Private Law (OUP 2012). 32 Section 46. 33 Section 33ff. 34 Hacker (n 6) 161; Mischau, ‘Daten als „Gegenleistung“ im neuen Verbrauchervertragsrecht’ (n 15) at III.1. A Market Model for Personal Data 33 data-subject on the other hand.35 A possible starting point to conceptualise this question could be the so called ‘abstraction principle’, one of the basic principle of German civil law.36 According to the abstraction principle, the agreement on the rights and obligations of the parties and the transactions in rem have to be separated. One may be valid, while the other may be void. Although it is obvious, that a consent in the processing of personal data is not a transaction in rem stricto sensu, it makes still sense to distinguish between the contractual promise to provide data and give consent and the performance of this promise. The distinction between the (in-)valid consent and the contract on the supply of digital contents or digital services under the DCSD is also of relevance for the prohibition of coupling of contract and consent in Article 7(4) GDPR. According to this provision, ‘when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract’. At first glance, this sounds like an explicit prohibition of any bundling of consent and contract performance since the GDPR has primacy over the DCSD, see Article 3(8) DCSD. But the wording ‘utmost account shall be taken’ gives some flexibility, as emphasised by commentators.37 Indeed, the mere framework of a contract should not be considered as an indication of coercion and defective decision-making. Other factors may be whether the consumer can use competing services or if the service is essential or dispensable for the consumer.38 But even if consent would be invalid in a given case under Article 7(4) GDPR, this would not automatically result in the non-applicability of the DCSD as shown above. 35 See also Riehm (n 13) 10ff.; Specht (n 6) 765. 36 See already Friedrich Carl von Savigny, System des heutigen Römischen Rechts Vol. 3 (Veit 1840) 312ff.; for the ‘abstraction principle’ under the German Civil Code see Jürgen Oechsler, ‘§ 929 BGB’ in Münchener Kommentar zum Bürgerlichen Gesetzbuch (7th edn, C.H. Beck 2018) para 8 with further references. 37 Peter Schantz, ‘Die Datenschutz-Grundverordnung – Beginn einer neuen Zeitrechnung im Datenschutzrecht’ (2016) 69(26) NJW 1841, 1845; Sebastian Schulz in Peter Gola (ed), Datenschutz-Grundverordnung (2nd edn, Beck 2018) Art 7 para 26; Dirk Heckmann and Anne Paschke in Eugen Ehmann and Martin Selmayr (eds), Datenschutz-Grundverordnung (2nd edn, C.H. Beck 2018) Art 7 para 98; Andreas Sattler, ‘Personenbezug als Hindernis des Datenhandels’, ’ in Tereza Pertot (ed), Rechte an Daten (unpublished manuscript 2019) 14ff. 38 Schulz in Gola (ed) (n 37) Art 7 para 27; Heckmann and Paschke in Ehmann and Selmayr (eds) (n 37) Art 7 para 98; Sattler (n 37) 15. Axel Metzger 34 The same principles apply to a later withdrawal of the data subject’s consent. According to Article 7(3) GDPR, the data subject may withdraw its consent at any time; contractual agreements may not restrict this right.39 The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. What remains unclear under Article 7(3) GDPR and the DCSD are the further consequences for the contract. Here again, the ‘abstraction principle’ provides a possible solution. The withdrawal of consent does not affect the validity of the contract. However, the applicable contract law provisions may allow the trader to terminate the contract.40 Thus, the destiny of contract and the consent may differ. But this does not mean that every use of data, legal or illegal, suffices for the application of the DCSD. According to Article 3(1) subpara. 2 DCSD the Directive is not applicable where personal data is ‘exclusively processed by the trader for the purpose of supplying the digital content or digital service’ or ‘for allowing the trader to comply with legal requirements to which the trader is subject, and the trader does not process those data for any other purpose’. This means that the application of the DSCD cannot be based on scenarios in which the processing of the data is based on Article 6(1)(b) and (c) GDPR, eg, in case where a navigation service processes location data with the sole purpose to recommend the route to the consumer. However, the processing of data must remain limited to the mentioned purposes; otherwise the DCSD is applicable.41 Regrettably, the DCSD does not provide a clear-cut rule for cases in which the processing of data is based on Article 6(1)(f) GDPR, ie is ‘necessary for the purposes of the legitimate interests pursued by the controller or by a third party’, or on other statutory grounds, Article 6(1)(e), (2) GDPR. The issue is of growing interest, especially if one shares the criticism of consent as the commonly used basis of data processing.42 Lengthy ‘data policies’ and ‘privacy statements’ do indeed, as put forward by the 39 See Recital 42 GDPR: ‘Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.’. 40 See Hacker (n 6) 178; Metzger, ‘Dienst gegen Daten: Ein synallagmatischer Vertrag’ (n 13) 863ff; Riehm (n 13) 22; Specht (n 6) 768. 41 Gerald Spindler and Karin Sein, ‘Die endgültige Richtlinie über Verträge über digitale Inhalte und Dienstleistungen Anwendungsbereich und grundsätzliche Ansätze’ (n 13) 418. 42 See on the following Zohar Efroni et al, ‘Privacy Icons: A Risk-Based Approach to Visualisation of Data Processing’ (2019) 5(3) EDPL 352, 357 with further references. A Market Model for Personal Data 35 critics, prevent the consumer from taking an informed decision instead of helping him. However, the politically charged follow-up question then is whether the conditions of an informed consent can be improved (liberal approach) or whether the legislature or other collective bodies or courts should define the rules (state-centered approach).43 Two main arguments advocate for an (improved) consent-based approach, at least for the time being: First, a society should not give up too hastily the basic idea of selfdetermination in data protection law. The ‘data subject’ should have the final word on the processing of its data as long as the conditions of consent can be improved, eg by innovative information models like privacy icons.44 Second, a consent-based approach is key to learn more about the economic value of data and the opportunities for data-subjects to participate in that value. We still do not know enough about data markets to implement an efficient regulation. But even if the law sticks to consent as the basic principle, there may still be cases where the processing of data is based on ‘legitimate interests’ or other statutory grounds. In these cases the application of the DCSD and its enhanced level of consumer protection are called into question. Admittedly, the DSCD does not exclude its – certainly consumer-friendly – application in these scenarios as long as the provision or processing of data can be construed in the sense of Article 3(1) subpara. 2 DCSD.45 But the text is not clear on this matter. Obligation to provide data as counter-performance The main purposes of the DCSD are to secure a high level of consumer protection on the different markets for digital contents and services and to increase legal certainty and reduce transaction costs, in particular for small and medium-sized enterprises.46 The Directive aims to achieve these goals by a one-sided harmonisation of the contractual rights and remedies of the consumer. It does not address the contractual rights of the trader at the other side of the contract (or the consumer duties as their mirror image), with the exception of some consumer duties in case of the termination of 5. 43 In this direction Heike Schweitzer, ‘Neue Machtlagen in der digitalen Welt? Das Beispiel unentgeltlicher Leistungen’ in Torsten Körber and Jürgen Kühling (eds), Regulierung – Wettbewerb – Innovation (Nomos 2017) 269, 281ff. 44 Efroni et al (n 42). 45 Mischau, ‘Daten als “Gegenleistung” im neuen Verbrauchervertragsrecht’ (n 13) at III.1.c); Schweitzer (n 43) 282. 46 See Recitals 3, 5. Axel Metzger 36 the contract in Article 17 DCSD. Besides Article 17, both the contractual rights of the trader and the obligations of the consumers are left to the national contract law of the member states as aspects of ‘general contract law’, see Article 3(10). The same holds true for the relationship between the trader’s obligations and the consumer’s obligations, especially to provide personal data. If and to what extent a consumer has an obligation to provide personal data under a contract and to give its consent in the processing of that data, or whether the processing of data is a mere side-effect of the contract, is first and foremost a question of contract interpretation.47 The data policies of popular Internet services indeed assume such a contractual obligation of the user. The career network ‘Xing’ states in its ‘terms and conditions’: ‘The user is obliged (a) to provide only true and non-misleading statements along with its real name, and to refrain from using pseudonyms or pen names... ’.48 The ‘Facebook’ ‘terms of service’ provide under the headline ‘Your commitments to Facebook and our community’: ‘You must: Use the same name that you use in everyday life. Provide accurate information about yourself. Create only one account (your own) and use your timeline for personal purposes.’49 Comparable language may be found in Amazon’s ‘Conditions of Use and Sale’: ‘You are responsible for ensuring that the details you provide us with are correct and complete, and for informing us of any changes to the information you have provided.’50 The cited terms and conditions clearly articulate obligations of users (‘is obliged’, ‘must’, ‘are responsible’) to provide accurate personal data on the basis of the used forms and dialogue boxes and, in the case of Amazon, even to proactively inform the service about any changes to the information. These obligations presuppose that the user is willing to give his or her consent to the processing of the data if it is not justified on the basis of other legal grounds. From the perspective of a reasonable consumer, these terms read 47 A separate question then is, whether such an obligation may be validly agreed upon regarding national contract law and the provisions of the GDPR, a question which will be dealt with in section 6. 48 See New Work SE (Xing), ‘AGB’ at 4.1 accessed 2 October 2019. 49 See Facebook Inc. (Facebook), ‘Nutzungsbedingungen’ at 3 accessed 2 October 2019. The validity of some the conditions has been challenged by consumer organisations, see Case 16 O 341/15 District Court Berlin, Germany (2018) = MMR 2018, 328 (appeal pending). 50 See Amazon EU Sarl (Amazon), ‘ Allgemeine Geschäftsbedingungen’ at 7 accessed 2 October 2019. A Market Model for Personal Data 37 as legally binding obligations under a contract, irrespective of the fact that service providers may have difficulties to enforce those duties, especially since the data subject’s consent must by freely given51 and can be withdrawn at any moment, Article 7(3) GDPR.52 But is this obligation to provide (correct) personal data to be qualified as the consumer’s counter-performance in the sense of its synallagmatic obligation under the contract? With other words, does the provider supply digital contents or services in order to collect and process the consumer’s personal data? Different from the initial Proposal of 2015, the DCSD does not take a position in this question. The word ‘counter-performance’ has deliberately been deleted.53 If the promises and the resulting obligations under the contract may be construed as a counter-performance or not is therefore a question of national contract law. The member states’ contract law is also decisive for the consequences of a possible non-performance of the consumer, eg whether the trader may refuse under § 320 BGB to supply the content or service until the consumer has provided correct data, whether he may rescind the contract under § 323 BGB if the consumer does not perform, etc. The discussion on the different types of contracts to be found in the different business models has just begun.54 The main parameters for an accurate qualification of the consumers obligation should be: First, is the provision or collection of data and the related consent the main benefit arising out of the contract for the trader or is it just of secondary or subordinate importance?55 The processing of data may be of secondary interest in the framework of paid services or if the trader uses the data for a one-time selection of personalised advertisements. In the latter case, the exposure to the advertisement may be qualified as the main benefit.56 But one should not set aside too easily the economic value of the personal data of users. At the surface, the personal data may appear as nothing more than the necessary means to offer better suited advertisements. However, it is common knowledge that providers of 51 Article 4(11), 7(4) and Recitals 32, 42, 43 GDPR. 52 Compare Riehm (n 13) 11ff. 53 See supra at I. 54 On the final text of the Directive see Metzger, ‘Verträge über digitale Inhalte und digitale Dienstleistungen: Neuer BGB-Vertragstypus oder punktuelle Reform?’ (n 13) 579; Staudenmayer (n 13) 2498.; on the last versions of the Draft Proposal during the legislative process Hacker (n 6) 158ff; Specht (n 6) 765ff; sceptical Riehm (n 13) 18ff. 55 See Stadler, ‘§ 320 BGB’ in Jauernig (ed), Bürgerliches Gesetzbuch (BGB) – Kommentar (17th edn, C.H. Beck 2018) para 6ff. 56 Riehm (n 13). Axel Metzger 38 digital services and their partner companies follow their users over different platforms with tailor-made advertisements, additional services and additional opportunities to collect and accumulate their personal data. Moreover, Internet services are very innovative in developing new business models based on the personal data of their users and creating added value besides the directly visible use of data for personalised advertisements. It would not capture the full value of the personal data provided by the consumer to qualify it as subordinate to the other interests of the service provider. Therefore, the direct payment by consumers or the exposure to advertisements may be the primary interest of the providers of some of the simpler services, but the use of personal data in a broader sense will still be the dominant motive for the more complex business models of the leading platforms. Second, even if the collection and processing of data is the main benefit for the service provider, this does not automatically lead to a synallagmatic linkage of the mutual obligations under German contract law. German law recognises different types of linkages between the obligations of the parties to a contract, the synallagmatic linkage in the sense of § 320 BGB being only one among others.57 In this regard, it is also of importance to ask whether the provisions on synallagmatic contracts match with the interests of the parties of contracts on personal data. It may, eg, be an appropriate answer to a consumer who does not provide the correct data under a contract to give the service provider a right to refuse its own part of the performance in accordance with § 320 BGB. Validity of contract The DCSD does not harmonise the formation and validity of contracts, see Article 3(10). The application of the consumer’s rights under the Directive is nevertheless based the conclusion of a contract as clarified in Recitals 24, 25. As a matter of principle, this will require a valid contract, irrespective of the question whether some of the provisions of the Directive may be applied mutatis mutandis to invalid contracts to provide consumers with an equivalent level of protection in case if invalidity. Contracts with the provision or collection of personal data on the consumer’s side of the contract face a number of challenges regarding their validity which can only be briefly touched here. Again, the following sketch is mainly referring to 6. 57 Hacker (n 6) 167ff; Metzger, ‘Dienst gegen Daten: Ein synallagmatischer Vertrag’ (n 15) 833; Riehm (n 13) 17. A Market Model for Personal Data 39 German law as one instance of a member state law. As explained earlier, according to the German ‘abstraction principle’, the possible invalidity of the data-subject’s consent under Article 6, 7 GDPR does not automatically entail the invalidity of the contract between trader and consumer. Still there are data-specific challenges for the validity of those contracts. A first difficult and highly practical challenge for contracts covered by the DCSD is posed by the involvement of minors. Many digital contents and digital services are used by minors without parental approval. According to German contract law, contracts with minors between seven and eighteen require the authorisation of their parents (or other legal representatives) if the minor does not receive only a legal benefit from the contract, § 107 BGB. It would be simplistic to qualify ‘free’ digital services which do not require any payment as legally beneficial in the sense of § 107 if the service collects the minor’s personal data. On the contrary, such a processing of data in the framework of a contractual relationship qualifies as legal detriment.58 The validity of the contract is therefore subject to the authorisation of the parents. Still it should be noted that Article 8 GDPR follows different principles with regard to the consent of minors. The GDPR allows minors at the age of sixteen years to give consent without parental authorisation, Article 8(1) subpara. 1. The threshold may even be lowered by member states to the age of thirteen, Article 8(1) subpara. 2. This may lead to situations where the contract is void according to national contract law, but the given consent is valid (but may be withdrawn at any time with effect ex nunc according to Article 7(3) GDPR).59 Further limits of party autonomy may arise with regard to standard terms in the sense of Directive 93/13/EEC on Unfair Terms in Consumer Contracts and the national implementations, eg §§ 305–310 BGB.60 The processing of data is often based on standardized ‘data policies’. Recital 42 GDPR clarifies that the requirements of the Unfair Terms Directive apply to those policies. This means in particular, that an unclear or an unspecified purpose of data processing may be invalid since it does not meet the requirements of transparency, see Article 5 Unfair Terms Directive, § 307(1) sentence 2 BGB. Moreover, data policies may comprise ‘unfair terms’, see Article 3(1) Unfair Terms Directive, or ‘unreasonable disadvan- 58 Bräutigam (n 1) 637; Florian Faust, Verhandlungen des 71 Deutschen Juristentages Essen 2016 Bd I: Gutachten Teil A: Digitale Wirtschaft – Analoges Recht: Braucht das BGB ein Update? (C.H. Beck 2016) 8ff. 59 On the consequences under German law see Metzger (n 13) 839ff; Specht (n 6) 768. 60 See with more details Hacker (n 6) 183ff. Axel Metzger 40 tages’, see § 307(1), (2) BGB. On the basis of these provisions German courts have, eg, invalidated several clauses in Facebook’s data policy.61 As a last resort, limits of party autonomy may arise out of general clauses like eg public policy according to § 138 BGB. Public policy may be applied if a contract on digital content or services leads to an extensive commercialisation of privacy, eg by generating and exploiting personality profiles.62 But public policy, though regularly cited in legal literature, is only rarely applied in court cases with regard to the commercialisation of personality rights, especially since most cases can either be solved by the specific legal instruments of the GDPR with regard to consent or by the control of data policies as standard terms. A market model for personal data Why taking the risks of a market model? The DCSD does not open pandora’s box of an unleashed marketplace of personal data. The strict limitations of any commercial use of personal data laid down in the GDPR remain untouched. Still, the DCSD tries to overcome an overly paternalistic protection of the consumers from themselves – in their own best interest.63 From a purely factual point of view, consumers are engaged on a daily basis in the commercialisation of their personal data. The DCSD reflects the legislature’s intention to accompany the consumer on the digital markets and provide him with a bundle of consumer protection instruments. A radical and dogmatic insistence on data protection principles as such does not help the consumer with regard to typical consumer contracts issues like eg conformity of the digital content or service, rights and duties in case of termination of the contract etc. In this limited perspective, the DCSD is based on a market model for personal data. This raises the question why a society should take the risk of such a market model – the alternative being to fully regulate the conditions and limits of any processing of data by the legislature. The answer lies in the very basic assumption of all models of market economies. A market model III. 1. 61 Case 5 U 42/12 Court of Appeal Berlin, Germany (2014) = CR 2014, 319 = BeckRS 2014, 03648. 62 eg Hans Peter Bull, ‘Zweifelsfragen um die informationelle Selbstbestimmung – Datenschutz als Datenaskese?’ (2006) 59(23) NJW 1617, 1621. 63 See also Metzger et al, ‘Data-Related Aspects of the Digital Content Directive’ (n 6), para 14. A Market Model for Personal Data 41 is better suited to maximise welfare than a state-centered regulation.64 And indeed, one can hardly ignore that consumers benefit in many ways from the valuable services they receive over the Internet and other digital service providers, starting from contents and technology of every kind that makes their life easier, to search engines and social media platforms, which help them to keep up their social contacts, etc. Consumers would have to pay a considerable share of their income if all of these services were only available on a paid basis. But welfare maximisation becomes even more obvious when the market capitalisation of the huge companies with data-driven business models is taken into account. Each of the famous GAFA companies – Google, Apple, Facebook, Amazon, and one should add also Microsoft – has a market value which exceeds the whole German car industry.65 It is therefore beyond any doubt, that personal data and business models which are based on personal data produce tremendous welfare – the open follow-up question being whether that welfare is distributed fairly.66 Indications for market failure If a market model for personal data shall function well, the basic preconditions for such a market model must be given. Lawmakers should be attentive with regard to the indications for market failure that can be observed on the different markets for personal data of consumers. Each of the aspects dealt with in the following outline would deserve an in-depth analysis in additional full papers. A first cause of market failure that can be observed on the markets for personal data is lack of competition. On a well-functioning market, consumers should have the choice between different services and offerings. They should have the possibility to choose between paid services and ser- 2. 64 This is very basic assumption of every welfare economics model since Adam Smith’s famous ‘invisible hand’ theorem, see Adam Smith, An inquiry into the nature and causes of the wealth of nations (The Modern Library 1937) 423. 65 Compare the current 2019 Forbes list of the World’s largest companies ranked by market value, see:, ‘GLOBAL 2000 The World’s Largest Public Companies’ (15 May 2018) accessed 25 September 2019. 66 On the relationship of social welfare and distribution of income see Steven Shavell, Foundations of Economic Analysis of Law (Harvard University Press 2004) 647–660. Axel Metzger 42 vices which are based on the processing of personal data. In an ideal world, consumers should also have the choice between more or less data-intensive services.67 However, reality proves to be different. Internet services function as platforms for their different kinds of users and have as such a natural inclination to dominance.68 Network effects push consumers to become the customers of highly centralised communication platforms. And if services have established a dominant position in one market, they are tempted to leverage this dominant position to strengthen their position on neighbouring markets. Competition law so far has difficulties to remedy those problems, especially when service providers grow into a dominant position. The Court of Appeal of Düsseldorf just recently suspended a decision by the Federal Cartel Office to order Facebook to restrict its data collection in Germany.69 In its decision, the Court calls into question whether the collection of personal data in an alleged violation of the GDPR may be qualified as anti-competitive in the sense of Art 102 TFEU and § 19 German Act against Restraints of Competition (Gesetz gegen Wettbewerbsbeschränkungen, GWB). This shows the difficulties of competition law to capture the specificities of data-driven business models.70 A second cause of market failure of data markets is asymmetric information.71 In a well-functioning market for personal data, consumers must know what they consent to. Unfortunately this is hardly ever the case, in spite of overly detailed and lengthy terms and conditions or privacy statements.72 It is well known that consumers hardly ever read terms but just tick boxes, if necessary, and continue with the use of the service.73 The blame for the length and complexity of privacy statements does not solely 67 Maximilian Becker, ‘Rechte an Daten – Industrie 40 und die IP-Rechte von morgen’ (2017) 72(19) JZ 170, 175ff. 68 On the following see Jacques Crémer, Yves-Alexandre de Montjoye and Heike Schweitzer, ‘Competition Policy for the Digital Era Final Report’ (European Commission 2019) 19ff. 69 Facebook I [2019] VI-Kart 1/19 (V) (Court of Appeal of Düsseldorf, Germany) = NZKart 2019, 495. 70 See also Torsten Körber, ‘Die Facebook-Entscheidung des Bundeskartellamtes – Machtmissbrauch durch Verletzung des Datenschutzrechts?’ (2019) 7(4) NZ-Kart 187; Peter Georg Picht, ‘Competition Law for the Digital Era – An Adventurous Journey’ (2019) 50(7) IIC 789ff.; Schweitzer (n 43) 304ff. 71 See generally on asymmetric information in contracts Schäfer/Ott, Lehrbuch der ökonomischen Analyse des Zivilrechts (5th edn, Springer Gabler 2012) 80. 72 Moreover, privacy statements (as terms and conditions) show the character of ‘lemon market’ products, see Becker (n 67) 174. 73 Efroni et al (n 42) 355ff. A Market Model for Personal Data 43 lie with the service providers but also with the European and national legislatures which have created a regulatory jungle for data subjects, service providers and public authorities. It is therefore high time to develop new information models that support the consumer in taking an informed decision instead of confusing him with overly complicated bundles of small prints. ‘Privacy Icons’ could be one way to improve the consumer’s self-determination on data-driven markets.74 Yet, one should have no illusions about the efficiency of information models. Even well-informed consumers may take decisions that go against their long-term preferences (so called ‘privacy paradox’).75 It is one thing to recognise, at least in principle, the importance of a cautious handling of one’s own personal data. But it is another thing to live in accordance with this principle if the consumer is tempted by offerings of contents and services that are based on the collection of its data. A third reason for market models to fail are transaction costs. The issue of transaction costs may seem remote for transactions over personal data at first glance, since personal data can be transferred without significant costs like all other data. But such a perspective would ignore that transaction costs may also occur after the conclusion of the contract and the performance of the parties’ obligations when it comes to the termination of the contract. Transaction costs may occur if the consumer cannot switch from one service to another because he cannot take along his personal data. Such lock-in effects have been described as ‘ex post transaction costs’.76 On a fully functioning market, consumers have the option to switch from one provider to another if they can terminate the contract. This presupposes not only that withdrawal of consent is at no cost but also that data and content portability rules of Article 20 GDPR and Article 16(3), (4) DCSD operate effectively.77 74 Efroni et al (n 42). 75 See Alessandro Acquisti and Jens Grossklags, ‘Losses, Gains, and Hyperbolic Discounting: An Experimental Approach to Information Security Attitudes and Behavior’ [2003] 2nd Annual Workshop on ‘Economics and Information Security’ 789ff; Patricia Norberg et al, ‘The Privacy Paradox: Personal Information Disclosure Intentions versus Behaviors’ (2007) 41(1) 2nd Annual Workshop on ‘Economics and Information Security’ 100ff. 76 Chris Jay Hoofnagle and Jan Whittington, ‘Free: Accounting for the Costs of the Internet’s Most Popular Price’ (2014) 61(3) UCLA Law Review 606, 612ff. 77 Sceptical on the portability rules of Article 16 Metzger et al, ‘Data-Related Aspects of the Digital Content Directive’ (n 6) 103ff.; Zohar Efroni (n 18) 1–32. Axel Metzger 44 Conclusions The DCSD’s approach to recognise data as counter-performance is innovative and pragmatic at the same time. It is innovative since lawmakers so far shied away to acknowledge that consumers may monetise the economic value of their personal data on the different markets for digital contents and services. The DCSD takes this step. But the approach is also pragmactic. The DCSD does not create a market for personal data. It merely recognises a prevalent social practice and tries to empower the consumers who are already active on these marktes. The safeguards of the GDPR thereby remain untouched. The legal means of the DCSD to achieve these goals are based on contract law. The DCSD increases the intensity of rights of the consumer and duties of the trader. Under the DCSD, the consumer who provides its personal data in exchange for the content or service will have the same rights as in case of a money consideration. Both active and passive consumers may be covered. However, for passive consumers, whose data is collected by the trader, the DCSD emphasises that it is up to the national contract law to decide whether a contract has been concluded. For the upcoming implementation into the member states’ law, the DCSD raises a number of challenges. First, the DCSD has a one-sided focus on the consumer’s rights. It does not regulate the rights of the trader and the duties of the consumer. It will be a hot topic for the coming years to decide if and in what circumstances the trader can claim for the promised counter-performance within the limits of data protection law. In this regard, the DCSD creates a great deal of difficult homework for the national legislature. Second, and even more fundamental, the market model recognised by the DCSD will urge the European and national lawmakers to improve the efficiency of the markets for personal data. These markets will not flourish and strengthen the common welfare without competition between different services and offerings, well-informed consumers and low transaction costs. IV. A Market Model for Personal Data 45

Chapter Preview



This 5th volume in the “Münster Colloquia on EU Law and the Digital Economy” focuses on one of the most important challenges faced by private law in this era of digitalization: the effects of “data as counter-performance” on contract law; a phenomenon acknowledged by the EU legislator in the new “Digital Content Directive” 2019/770. In this volume, legal experts from across Europe examine various issues, in particular contract performance and restitution, and the relationship between contract law and data protection, central to the question: Contract law 2.0?


Wissenschaftler und Praktiker aus mehreren europäischen Ländern befassen sich in dem Band mit den vertragsrechtlichen Konsequenzen, die sich daraus ergeben, dass „Daten als Gegenleistung“ zur Verfügung gestellt werden. Dieses praktische Phänomen, das in der sog. „Digitale-Inhalte-Richtlinie“ auch durch den europäischen Gesetzgeber Anerkennung gefunden hat, wirft etwa Fragen des Rechts der Erfüllung, aber auch der Rückabwicklung von Verträgen auf; beleuchtet wird ferner der Zusammenhang von Vertragsrecht und Datenschutzrecht. Die Reihe der „Münster Colloquia on EU Law and the Digital Economy“ wendet sich damit in ihrem nunmehr fünften Band wiederum einer der wichtigen Herausforderungen zu, die sich als Folge der Digitalisierung für Rechtswissenschaft und Praxis im Privatrecht stellen.