Ruth Janal, Fishing for an Agreement: Data Access and the Notion of Contract in:

Sebastian Lohsse, Reiner Schulze, Dirk Staudenmayer (Ed.)

Trading Data in the Digital Economy: Legal Concepts and Tools, page 271 - 292

Münster Colloquia on EU Law and the Digital Economy III

1. Edition 2017, ISBN print: 978-3-8487-4565-4, ISBN online: 978-3-8452-8818-5,

Bibliographic information
  271  Fishing for an Agreement: Data Access and the Notion of Contract Ruth Janal I. Introduction The digital age and the data-reliant digital economy are challenging our traditional notion of contract. No one put this better to paper than Christiane Wendehorst and Friedrich Graf von Westphalen in a recent article, in which they argued: The nature of contractual relationships has changed profoundly as a result of the exponential increase in technical possibilities. Whoever has a smart TV set in the living room, for example, has not only formed a sales contract with the seller, but is […] party to a variety of continuing contractual relations with the manufacturer of the good, the producers of embedded software and subsequently installed apps and cloud service providers and so forth […]. And only a small percentage of the consumers have made a conscious decision to conclude those contracts.1 Indeed, the seemingly gratuitous nature of many services via the Internet, accompanied by a bilateral or multilateral exchange of data, has made the formerly well-defined concept of contract look quite fuzzy. In this paper, I want to focus on two issues: in which instances does the authorized access to data correlate to the existence of a contract? And does contract law serve to address the legal issues that arise from authorized access to data? II. Access to Data The exchange of data is paramount to the digital economy and to the Internet of Things. Data may be exchanged in various directions: ____________________ 1 Wendehorst/Graf von Westphalen, ‘Das Verhältnis zwischen Datenschutz- Grundverordnung und AGB-Recht’ (2016) NJW 3745, 3746. Ruth Janal 272 (i) Data can be provided by a user. This may be either wittingly (when filling in forms, uploading content) or unwittingly (when data is collected through the use of a device). (ii) Digital content may be offered by a content provider (provision of an online service, offering files for download, pushing updates onto a device). (iii) Data may be distributed through a network, as is the case with Peer2Peer-filesharing. The existence of a contract does not necessarily impact this factual exchange of data. While it is true that some parties are only willing to part with digital content where a contractual agreement has been formed, other parties do not have similar qualms. When it comes to the collection of data from user devices, the existence of a contract regularly does not determine the data collected by other parties. A good example for this is the case of connected cars: recent studies have shown that connected cars transfer a multitude of data to the car manufacturer, including data that allows for the creation of driver profiles and preferences.2 The existence of a contractual agreement between the manufacturer and the owner of the car3 does not materially influence the amount of data collected and transmitted. Once the user registers an account, however, there is a decisive difference regarding the quality and extent of data potentially collected: if a user signs in with an account, it is both easier to identify the user (via the user name, e-mail address or phone number rather than via a device number, IP address or cookies) and to merge data that is being collected from various devices and services. ____________________ 2 See Dirscherl, ‘Datenkrake Auto dient als Beweismittel gegen den Fahrer’ (31 May 2016) ; Markey, ‘Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk’ (6 February 2016), . 3 The manufacturer will typically not be the seller of the car (notable exception: Tesla). In some instances, however, the owner might contract for additional assistance services provided by the car manufacturer, i.e. BMW connected drive, Mercedes Me etc. Fishing for an Agreement: Data Access and the Notion of Contract 273  III. The Notion of Contract 1. Agreement with an intention to create legal effect So when does access to data coincide with the existence of a contract? While the notion of contract differs in the legal orders of Member States, there is certainly some common ground. Both Art. II.–1:101 of the Draft Common Frame of Reference (DCFR) and Art. 30(1) of the proposed Common European Sales Law (CESL) identify three elements: an agreement between the parties with an identifiable content, made with the intention to create legal effect. All three elements are to be derived from an objective interpretation, i.e. from the understanding a reasonable recipient would have had from the statements and conduct of the parties.4 In common law countries, consideration is an additional element required for the enforcement of the contract. The requirement of an intention to create legal effect is used to distinguish a contract from a mere social agreement. An intention to create legal effect will usually exist when parties agree to exchange goods or services for money. Traditionally, the thin line between contract and social agreement thus only needed to be determined when parties interacted without any commercial intentions, i.e. when consumers formed car or betting pools or friends offered advice to each other.5 Commercial parties were generally presumed to possess an intention of creating legal effect if they entered into an agreement6 – whereas in some cases, such as advertising, the agreement with the user was missing in the first place. The digital world is challenging our views on whether the parties possess an intention to create legal effect. This is because in multi-sided markets in the digital world, the customer often does not provide financial remuneration to the business providing a service. Often, the parties neither discuss nor give much thought to whether their relationship should have ____________________ 4 For further details see Whittaker/Riesenhuber, ‘Conceptions of Contract’ in Dannemann/Vogenauer (eds), The Common European Sales Law in Context (OUP 2013) 144 et seq. 5 See BGH in (1974) NJW 1705, 1706; BGH in (2015) NJW 2880 et seq.; Simpkins v Pays [1955] 1 WLR 975; Burgess & Anor v Lejonvarn [2016] EWHC 40 (TCC). 6 Esso Petroleum Ltd v Commissioners of Customs and Excise [1976] UKHL 4; BGHZ 100, 117, 118–119; BGH in (1990) NJW 513, 514. Ruth Janal 274 binding effect. Thus, the intention to create legal effect in the view of a reasonable person must be determined by an objective standard.7 Before I address the difficulties in finding such an objective standard, a few words are warranted on the lack of financial remuneration. 2. The lack of financial remuneration Traditionally, businesses have rarely offered services without financial remuneration. Fast-forward to the digital world, and the offering of services without direct financial remuneration from the customer has become the norm rather than the exception. In those instances the (personal) data collected from the recipient of the service will often finance the service. This has led to a growing debate on whether the disclosure of (personal) data can be considered a counter-performance.8 In civil law countries, the discussion is somewhat futile, since the validity of a contract does not turn on the promise of a counter-performance (while such a promise will impact the classification of the contract and the rights and obligations arising under that contract). Admittedly, there are form requirements for donations (which are usually remedied when the donation has been carried out).9 But it is questionable whether such form requirements apply to the ‘donation’ of digital content. The form require- ____________________ 7 See for the offline-world Medicus/Petersen, Allgemeiner Teil des BGB (11th edn, C.F. Müller 2016) paras 191 et seq. 8 See, inter alia, Art. 3(1) of the ‘Proposal for a Directive of the European Parliament and of the Council on certain aspects concerning contracts for the supply of digital content’ COM(2015) 634 final; Langhanke/ Schmidt-Kessel, ‘Consumer Data as Consideration’ (2015) EuCML 218; Metzger, ‘Dienst gegen Daten: Ein synallagmatischer Vertrag’ (2016) 216 AcP 817; Metzger, ‘Data as Counter Performance: What Rights and Duties do Parties have?’ (2017) 8 JIPITEC 2; De Franceschi, ‘Digitale Inhalte gegen personenbezogene Daten: Unentgeltlichkeit oder Gegenleistung?’ in Schmidt-Kessel/Kramme (eds), Geschäftsmodelle in der digitalen Welt (Jenaer Wissenschaftliche Verlagsgesellschaft 2017) 120 et seq. A more sceptical view is held by the European Data Protection Supervisor, ‘Opinion 4/2017 on the Proposal for a Directive on certain aspects concerning contracts for the supply of digital content’ (14 March 2017), para 11 et seq. 9 See § 518 BGB, Art. 931 Code civil, Art. 782 Codice Civile. Following Art. IV.H.–2:102(b) DCFR, the form requirement does not apply if the donation is made by a business. Fishing for an Agreement: Data Access and the Notion of Contract 275  ment is supposed to alert the donor to the risk of transferring an asset without receiving any benefit in return. Due to the non-rivalrous nature of data, however, the ‘donor’ of digital content does not lose any assets and does not need specific warnings.10 In any case, once the digital content has been delivered, a possible lack of form will be remedied.11 In common law countries, while an agreement needs to be supported by consideration to be legally enforceable, the consideration given need not be adequate. Thus, it is sufficient for each side of the bargain to provide something of value. If empty chocolate wrappers count as consideration in the non-digital economy,12 then enabling the other party to collect data should certainly amount to sufficient consideration in the digital economy.13 The lack of financial remuneration therefore does not stand in the way of the validity or enforcement of a contract. 3. Examples The fact that gratuitous contracts may exist does not imply that every provision of digital content without financial remuneration constitutes the performance of a contract. Let us take a closer look at some examples. ____________________ 10 Maissen, ‘Service, Kauf oder Nutzungsberechtigung – Vertragstypen bei digitalen Inhalten’ in Schmidt-Kessel/Kramme (n 8) 105. 11 For details of the legal orders of several Member States see Zweigert/Kötz, Einführung in die Rechtsvergleichung (2nd edn, Mohr Siebeck 1996) 383. 12 Chappell & Co Ltd v Nestle Co Ltd [1959] UKHL 1. 13 Singh, ‘Protecting Personal Data as a Property Right’ (2016) ILI Law Review 138 ; Albrecht, ‘Qualität bei Verträgen über die Bereitstellung digitaler Inhalte – England, Deutschland und der Vorschlag der EU-Kommission für eine Digitale-Inhalte-Richtlinie’ in Schmidt- Kessel/Kramme (n 8) 264. But note that the rules for consumer contracts on digital content under the UK Consumer Rights Act 2015 will only apply if the consumer pays with money (or a specified equivalent), s 33(2) CRA 2015 (see also Explanatory Notes to the Consumer Rights Act 2015, para 174). Ruth Janal 276 a) Digital content offered without registration On the Internet, the provision of digital content is often financed by advertising and offered to the viewer/user without the need for user registration. Many search engines, online journals, music and video platforms etc. operate in this way. Some authors argue that the making available of digital content to the public is an offer to contract, and the consumption of that content is an acceptance.14 I beg to differ:15 on the one hand, the content provider will generally not intend to be bound to provide the content. On the other hand, the customer will not expect to acquire any rights against the content provider. No one assumes that watching TV or listening to the radio leads to the formation of a contract between the user and the TV or radio channel – why should this be any different when we are talking about Internet services? I will, however, readily admit that the lines are blurry: when a content provider explicitly offers the download of a file and the user decides to download the file (thereby increasing his assets), there is certainly an argument to be had that the parties implicitly agreed on a donation. The provision of a download bears similarities to the transfer of goods as a promotional gift – again note that the comparison falls short because the digital content is duplicated, not transferred. b) Registration of an account When a user registers an account with a provider of digital content, a contract will usually be formed.16 Oftentimes, the provider will require the user to accept the provider’s terms and conditions as part of the registration process, which is a clear indication of the legal nature of the agree- ____________________ 14 Metzger, ‘Dienst gegen Daten’ (n 8) 839; Wendehorst/Graf von Westphalen (n 1) 3746 (contract or at least quasi-contract). 15 See also BGH in (2008) GRUR 245, 247: making digital content available online without restrictions may constitute implied consent with specific uses; the BGH does not assume the existence of a licensing contract. 16 cf however Spreadex Ltd v. Cochrane [2012] EWHC 1290: Donaldson QC held that a user agreement between a trading platform and its customers did not constitute a contract as the the provision of an on-line platform did not amount to sufficient consideration . Fishing for an Agreement: Data Access and the Notion of Contract 277  ment. Even if an acceptance of standard terms is not required, the reasonable expectation of the parties is that the provider is bound to save the content of the account for future access by the user. As always, matters are not as simple as they might initially seem. In particular, registration may not correlate with an intention to create legal effect in instances where a service is rendered on the basis of a contract with another party. Consider a database owner who contracts with a university regarding the use of a database. This database owner might allow individual university members to register accounts in order to save specific documents and create individual search profiles. The members of the university would most likely consider the registration of the account as a feature of the service provided to the university and not as evidence of an intention to create legal effects. The same may be true where a customer acquires a device and particular features of the device can only be used after registration of an account. Think about a connected car that allows the drivers to save their individual driver preferences (seat and mirror position, language and multimedia settings etc.). These driver profiles might be transferred to another car via a USB stick or via an online account. The individual driver will probably consider the two options as interchangeable features of the car – and there is no convincing reason to deny an intention to create legal effect with respect to the first option but impute such intent with respect to the second option. Finally, many companies offer a combination of services, some of which do not require registration and others which do (think Google search engine/Google Gmail or Amazon customer book reviews/Amazon prime). Once a customer has registered a user account with the provider, does that mean that all of these services are made under contract? Or should only those services that require registration be considered as contractual services? c) Clickwraps Another point for contention are clickwrap situations, where an agreement (particularly an End User Licence Agreement) is supposedly formed by clicking on ‘I agree’ when putting a particular hard- or software into oper- Ruth Janal 278 ation for the first time.17 In that situation, customers have already purchased the device or software, and the refusal to click on ‘I agree’ will render the purchased device or digital content inoperable. It can hardly be said that the customer’s consent is freely given in those instances,18 as returning the goods and recovering the money spent may be too cumbersome. Even if one assumes that a contract can be formed in this way, difficult questions of representation may arise. Particularly in the case of hardware that requires a complex installation process, consumers will often ask family members, friends or the seller of the device to put the device into operation. That request for help will regularly not include power of authority to conclude contracts. Thus, if the helper clicks on ‘I agree’, the formation of a contract between the owner of the device and the service provider is questionable. d) Update of software not originally acquired from the software producer Modern hardware is often delivered with pre-installed software. A customer may also subsequently acquire software from a distributor who is not the software producer. In both cases, there is no contract between the owner of the device and the software producer.19 However, software manufacturers provide software updates and upgrades at regular intervals, which the user may decide to install. Whether this decision comes with an ____________________ 17 I.e., a smartphone with an Android operation system will give the following notice when being put into operation: ‘Du erklärst Dich außerdem damit einverstanden, dass Updates von Google an Dein Gerät gesendet und auf diesem installiert werden können. Bei Deiner Verwendung dieses Geräts beachten wir unsere Datenschutzerklärung und es gelten weitere Bestimmungen.’ = ‘You agree that Google updates may be sent to your device and be installed on it. We comply with our privacy statement; further conditions apply.’ 18 Ernst, ‘Softwareverträge’ in Ulmer/Brandner/ Hensen (eds), AGB-Recht (12th edn, C.H. Beck 2016) paras 7 et seq.; Wiesemann/Kast, ‘Vertrieb von Software und Hardware’ in Auer-Reinssdorff/Conrad (eds), Handbuch IT- und Datenschutzrecht, (2nd edn C.H. Beck 2016) para 136; Riehm, ‘Updates, Patches & Co – Schutz nachwirkender Qualitätserwartungen’ in Schmidt- Kessel/Kramme (n 8) 208 et seq. 19 Riehm ibid 207. Fishing for an Agreement: Data Access and the Notion of Contract 279  intention to create legal effects is doubtful.20 Again, most customers will probably consider the update to be a feature of the device that they have acquired. Depending on the default settings, the update will be automatic and will not be based upon an individual customer decision. Finally, there may not be much of a choice as to whether to install updates: many updates include security patches for vulnerabilities of the original software, and updates are inevitable to avoid ransomware and other attacks. Furthermore, if one does equate the update with a declaration of intent, this has the curious consequence that a contractual agreement between the software producer and the owner of the device does not exist – up until the point in time when the first update is installed. 4. Interim conclusion In the digital world, it is hard to discern the instances in which a contract is concluded between the parties. The registration of a user account seems to be the clearest indication of a formation of contract. However, as I have argued above,21 even such a registration may not always coincide with the parties’ legal intent. For purposes of legal clarity, one could envision particular transparency requirements such as a labelled button that needs to be activated for a contract to be formed. This model was introduced in Art. 8(2) Consumer Rights Directive22 to inform consumers about their obligation to pay a price to the supplier. At least in theory, a similar symbol could be used to alert the user that a contract is being concluded in the eyes of the provider of digital content.23 I do have my doubts though whether that would be particularly helpful. Another proposition is to do away with the requirement of legal intent entirely and resort to the idea of ‘factual contracts’ (faktische Vertragsverhältnisse). This concept was once ____________________ 20 In the affirmative Wendehorst/Graf v.Westphalen (n 1) 3746; Riehm (n 17) 220, albeit Riehm considers the contractual obligation of the software provider to be limited. 21 See above, III. 3. b). 22 Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights [2011] OJ L304/64. 23 De Franceschi (n 8) 128 et seq. argues that Art. 8(2) should be interpreted broadly so as to include remuneration in the form of data. I am sceptical of this interpretation, for the reasons pointed out by Metzger ‘Dienst gegen Daten’ (n 8) 846. Ruth Janal 280 conceived in German law for contracts that were supposedly concluded by mere conduct without an underlying intention to create legal obligations and was later abandoned for good reason.24 Before one sets out to explore these ideas any further, it is worthwhile to examine whether the existence of a contract actually matters – that is whether contract law adequately addresses the legal issues that arise from access to data. IV. Does Contract Law Address the Issues Arising from Access to Data? In the first part of this paper, I have argued that it is not always easy to determine whether the provider of digital content and the user of such content have formed a contract, even though one party grants the other access to data (or at least tolerates the existence of such an access to data). In the second part of the paper, I will examine whether we need contract law in order to solve the issues arising from access to data. There are four issues I want to address: Processing and attribution of data, the rights and obligations of the parties and finally, confidentiality. 1. Processing of personal data Under the EU’s General Data Protection Regulation25 (GDPR), which will apply from 25 May 2018, the processing of personal data is deemed lawful only under the prerequisites described in Art. 6(1) GDPR. Personal data is any data that relates to an identified or identifiable person.26 A person is identifiable if the particular controller possesses means which allow him to legally and reasonably identify the data subject, taking into account time, cost and man-power.27 If the data accessed qualifies as personal data, ____________________ 24 For an overview see Medicus/Petersen (n 7) paras 245 et seq. with further references. 25 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1. 26 Art. 4(1) GDPR. 27 Case C-582/14 Breyer EU:C:2016:779. Fishing for an Agreement: Data Access and the Notion of Contract 281  the existence or initiation of a contract may influence the lawfulness of processing: Processing of personal data is lawful if it is necessary for the performance of a contract to which the data subject is party – or in order to take steps at the request of the data subject prior to entering into a contract, Art. 6(1)(b) GDPR. However, the significance of this legal ground for processing should not be overstated. First of all, where there is an agreement between the parties that does not cross the threshold of a contract, the controller can simply request the data subject to consent to the processing of data, Art. 6(1)(a) GDPR. Secondly, even where there is no agreement between the parties, the processing of data may be lawful under the other grounds cited in Art. 6(1) GDPR. Let us turn back to the example of connected cars: a fair amount of the data generated by cars is being processed in order to comply with legal obligations, namely emission control rules28 and the automatic emergency call to public answering points under the eCall-Regulation29 (starting from April 2018). As a consequence, data processing is necessary for compliance with a legal obligation and covered by Art. 6(1)(c) GDPR. Furthermore, systems that monitor the driver’s behaviour and/or physiological functions prevent accidents by detecting driver drowsiness. The processing of such data is lawful under Art. 6(1)(d) GDPR because it protects the vital interests of the data subject and other humans. Most importantly, Art. 6(1)(f) GDPR declares the processing of data to be lawful if processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Recitals 47 and 48 GDPR name fraud prevention, direct marketing and internal administrative purposes within a group of undertakings as possible legiti- ____________________ 28 Art. 5(3) Regulation (EC) No. 715/2007 of 20 June 2007 on type approval of motor vehicles with respect to emissions from light passenger and commercial vehicles (Euro 5 and Euro 6) and on access to vehicle repair and maintenance information [2007] OJ L171/1 and Art. 4 Regulation (EC) 692/2008 of 18 July 2008 implementing and amending Regulation (EC) No. 715/2007 [2008] OJ L 199/1. 29 Regulation (EU) No. 2015/758 of 29 April 2015 concerning type-approval requirements for the deployment of the eCall in-vehicle system based on the 112 service and amending Directive 2007/46/EC [2015] OJ L123/77. Ruth Janal 282 mate interests pursued by the controller.30 In light of these examples, it is not a stretch to consider product compliance and product development as legitimate interests of the controller, thus providing a legal ground for the processing of performance data. Furthermore, a legitimate interest lies in the establishment, exercise or defence of legal claims.31 Thus, diagnostic trouble codes might be saved to allow the manufacturer to defend itself against incorrect claims of defectiveness.32 Whenever a legitimate interest of the data controller or a third party can be established, Art. 6(1)(f) GDPR requires a balancing of interests of the controller and the data subject, respectively. Note also that any further processing of the data shall not be incompatible with the purposes for which the data was originally collected.33 According to Recital 50 GDPR, any new processing purpose does not need to be based on a legal ground of its own – even though this interpretation is disputed by some of the persons involved in the negotiations of the Directive.34 In determining whether further processing is incompatible with the original purpose, regard is to be had to any links between the respective processing purposes, the purpose of collecting the data, the sensi- ____________________ 30 The breadth of these considerations is viewed critically by Wendehorst/Graf von Westphalen (n 1) 3746. 31 This may be inferred from Art. 9(2)(f) GDPR which allows for the processing of particular sensitive data if such processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity. 32 The German automobile club ADAC reported a case where the buyer of a BMW convertible required from the seller repair of a defective convertible top. On the basis of diagnostic trouble codes retrieved by the manufacturer, the seller refused repair, claiming that the owner had closed the convertible top at accelerated speed, thus causing the defect. See Dirscherl (n 2). 33 Art. 5(1)(b) GDPR. According to Art. 6(2) eCall-Regulation, the data processed by the eCall-systems shall not be used for any other purposes than the handling of emergency services, see also recital 25. However, this does not seem to apply to TPS (third party service supported) eCall systems that are installed in vehicles on a voluntary basis. 34 Schantz‚ ‘Die Datenschutz-Grundverordnung – Beginn einer neuen Zeitrechnung im Datenschutzrecht’ (2016) NJW 1841, 1844; Albrecht, ‘Das neue EU- Datenschutzrecht – Von der Richtlinie zur Verordnung’ (2016) CR 88, 92. Fishing for an Agreement: Data Access and the Notion of Contract 283  tivity of the data and the existence of ‘appropriate safeguards’, such as encryption or pseudonymization.35 This is not the place to elaborate on how the balancing exercises under Art. 6(1)(f) and (4) GDPR are to be conducted. My point is that the existence of a contract does not make a significant difference regarding the lawfulness of the processing of personal data, as there are sufficient other legal grounds which provide for the lawfulness of processing. 2. Attribution of the data It is a truism to say that data is the oil of the 21st century.36 While this parallel does have its limits,37 data unquestionably possesses economic value, and contract law might help with an adequate attribution of this data. In the absence of legal default rules however, the attribution and access to data is left to the parties’ negotiating process. This is problematic because the relationship between a) the provider of services or the manufacturer of devices and b) the users who generate the data will often be characterized by structural imbalances (repeat players relying on general terms and conditions, powerful market positions). A striking example is provided by the Tesla Model S user manual, which stipulates that Tesla may use the data generated by the customer’s Tesla for a variety of purposes, including ‘providing you with Tesla telematics services; troubleshooting; evaluation of your vehicle’s quality, functionality and performance; analysis and research by Tesla and its partners for the improvement and design of our vehicles and systems; and as otherwise may be required by law’.38 On the other hand, Tesla professes it will ‘not disclose the data recorded to an owner unless it pertains to a non-warranty repair service and in this case, will disclose only the data ____________________ 35 Art. 6(4) GDPR. This specifically excludes cases where the processing is based on consent. In such an instance, the controller will have to ask for a new declaration of consent that includes the new processing purpose. 36 The phrase can be traced back to a statement made by Clive Humby in 2006, see Palmer, ‘Data is the New Oil’ (3 November 2006) . 37 In particular, data is non-rivalrous, see Zech, Information als Schutzgegenstand (Mohr 2012) 117 et seq. 38 177. Ruth Janal 284 that is related to the repair’.39 While this may be a very blatant example, I highly doubt that we can look to the contractual negotiation process to bring about an adequate attribution of the data in each and every instance. 3. Rights and obligations of the parties a) Right to use protected content An additional reason why one might look to contract law is to safeguard the user’s right to use digital content which is protected under IP law, particularly copyright and related rights. Obviously, an explicit contractual agreement provides for legal certainty regarding the breadth of use allowed. However, in the absence of a contractual agreement, the user may still be allowed to use the digital content. In particular, the publishing of digital content online may constitute implied consent by the rights holder to the use of said content.40 Furthermore, the right to use the digital content may result from the exceptions and limitations of copyright. Most notably, under Art. 5(1) Computer Software Directive,41 the lawful acquirer is entitled to use the computer program in accordance with its intended purpose. As a consequence, the buyer of a device with embedded software is allowed to use the software without the need for a contract between the software developer and the user. Let me just briefly note this right of use is subject to ‘specific contractual provisions’42 insofar as the rights holders’ restrictive acts are concerned (reproduction or alteration of the software program and any form of distribution to the public). Thus, the producer has some leeway to restrict the use of the software, even though a core set of user rights cannot be waived, in particular the use of a lawfully acquired copy and the correction of errors.43 This does not necessarily keep software producers from trying: take, for example, the car manufacturer Tesla which attempts to restrict the commercial use of the Tesla ‘Full ____________________ 39 ibid. 40 BGH in (2008) GRUR 245, 247; BGH in (2010) GRUR 628, 632; Ohly, ‘Zwölf Thesen zur Einwilligung im Internet’ (2012) GRUR 983. 41 Directive 2009/24/EC of the European Parliament and of the Council of 23 April 2009 on the legal protection of computer programs [2009] OJ L111/16. 42 Art. 5(1) Computer Software Directive. 43 Recital 13 Computer Software Directive. Fishing for an Agreement: Data Access and the Notion of Contract 285  Self Driving Capability’ by car owners: ‘Please note also that using a selfdriving Tesla for car sharing and ride hailing for friends and family is fine, but doing so for revenue purposes will only be permissible on the Tesla Network.’44 b) Damages claims for ‘defective’ content Contract law does play a decisive factor in determining the rights and obligations of the parties. Generally, if a contract has been formed, the digital content would have to possess the qualities that the recipient of the content could reasonably expect.45 Defining those reasonable expectations is not an easy task, as functionalities differ depending on the marketing and description of the individual product or service.46 Certainly, there is a reasonable expectation that the digital content or service functions in the way that was promised (i.e. data stored on the provider’s servers can be retrieved), and security vulnerabilities should qualify as a defect of digital content.47 However, depending on the type of gratuitous contract (donation, loan, gratuitous storage, gratuitous service) and the applicable contract law, the liability standard will be lower if the customer does not pay a price.48 The European Commission’s Proposal for a Directive on Digital Content addresses this matter by treating data as remuneration in some instances.49 In practice, the only important contractual remedy will be the right to obtain damages in case of non-performance or faulty performance. This is because requiring the contractual partner to perform a promise made with- ____________________ 44 . 45 cf s 34(1) CRA 2015 for digital content acquired by paying a price; Art. 6(1) Proposal for a Directive on Digital Content; Art. IV.H.-3:102 (1) DCFR for donations. 46 For contracts with financial remuneration see Riehm (n 17), 209 et seq.; Albrecht (n 13) 244 et seq.; Metzger, ‘Dienst gegen Daten’ (n 8) 847. 47 Riehm (n 17), 211. For gratuitous updates ibid 217 et seq. 48 See Art. IV.H.-3:102 (1)(a) DCFR for donations: regard is to be had to the gratuitous nature of the contract. §§ 521, 599, 609 BGB set a lower standard of care in case of donations, loans and gratuitous storage. s 34 (1) CRA 2015 (satisfactory quality of digital content) does not apply if the consumer does not pay a price, see s 33(1) and (2) CRA 2015. 49 Art. 3(1) and (4) Digital Content Directive. Ruth Janal 286 out financial remuneration is too cumbersome.50 If the digital content or service does not live up to the user’s expectation, the user will simply switch to another provider. A reduction or remuneration of the price fails for obvious reasons. In contrast, the right to damages for defective digital content or faulty digital services may become relevant, for example if the customer’s data can no longer be retrieved from the cloud hosting provider; if the price determined in an auction was too low as a result of the unavailability of the service during the auction period; or if a software security breach leads harms the user’s digital environment. Obviously, suppliers try to eliminate this risk by inserting limitation of liability clauses in their standard terms and conditions. It then needs to be settled whether the respective term is unfair and void.51 If a contractual agreement between the parties does not exist, the supplier may be obliged to compensate the user under principles of tort law for damages suffered from a defect of the digital content. Due to the commercial intentions of the supplier and the potential risk created for the consumer’s interests, the fact that the digital content is offered without remuneration does not, in itself, negate a duty of care on the part of the supplier. Nonetheless, defining the scope of such a duty of care is not always easy.52 Under German law, for example, a duty of care may arise under the principles of Produzentenhaftung, if the digital content does not provide the safety that the user is entitled to expect. Depending on the circumstances, the software producer may fulfil its duty of care simply by issuing a warning to refrain from the use of said digital content (rather than provide an update).53 ____________________ 50 See for contracts with financial remuneration Riehm (n 17) 210 et seq. 51 See no. 1(b) of the Annex to Art. 3(3) of Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts [1993] OJ L 95/29. 52 See the European Parliament resolution of 4 July 2017 on a longer lifetime for products: benefits for consumers and companies (2016/2272(INI)) that calls to protect consumers against software obsolence in para. 37 et seq. 53 Riehm (n 17), 218 et seq. Interestingly, India is pressuring Microsoft to offer a sharply discounted upgrade to the latest Windows 10 operating system in the wake of recent cyberattacks on older versions of the Windows operating system – an endeavor to which Microsoft reportedly has agreed in principle, cf Rocha, ‘Exclusive: India presses Microsoft for Windows discount in wake of cyber attacks’ (30 June 2017), . Fishing for an Agreement: Data Access and the Notion of Contract 287  Also, it is a matter for contention amongst the legal orders of the Members States whether negligent acts or omissions should give rise to a claim for compensation of pure economic and/or immaterial loss under tort. While compensation under, i.e., Art. 1240 Code civil does not pose a problem as long as the damage is directe, certain and légitime, the same is not true for German and English tort law. Under German law, the loss of data stored on the user’s own computer may be considered a violation of property rights if the supplier was under a duty of care to monitor the digital content and warn the supplier of potential dangers.54 There is, however, no action under German tort law for pure economic loss caused by negligent acts or omissions. In English law, economic loss may be compensated under the tort of negligence only if a special relationship between the claimant and defendant exists due to an assumption of responsibility by the defendant, and if the claimant reasonably relies on the defendant's special skill.55 The rule mainly applies to cases of negligent misstatement and it is questionable whether it will be expanded to cases of digital content (although, arguably, a special relationship of proximity exists – say – between a software producer who pushes regular updates of its software and the owner of a device on which that software is installed). Finally, the European Union’s Product Liability Directive56 only addresses damages for death, personal injury and property infringements – and it is a matter of contention whether the Product Liability Directive applies to digital content in the first place.57 As a consequence, the existence of a contract may play a significant role in damages compensation. That said, the extent of obligations owed by the supplier very much depends upon the description of the digital con- ____________________ 54 For details see Riehm (n 17) 218 et seq. 55 Hedley Byrne & Co Ltd v Heller & Partners Ltd [1964] AC 465. 56 Council Directive 85/374/EEC of 25 July 1985 on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products [1985] OJ L210/29. 57 The Directive only applies to damage caused by ‘movables’, see Arts 1 and 2. For more details see Wagner, ‘Produkthaftungsgesetz’ in Säcker/Rixecker/Oetker/Limperg (eds), Münchener Kommentar zum BGB (7th edn, C.H. Beck 2016) § 2 ProdHaftG paras 15 et seq. The European Commission has recently launched a public consultation on this Directive, particularly regarding the adequacy of the Directive to face the challenges raised by new technological developments, . Ruth Janal 288 tent (i.e. functionalities, updates etc.). Also, the applicable law may provide for lighter liability if the customer does not provide financial remuneration. 4. Confidentiality Finally, confidentiality becomes an important issue if the supplier gains access to personal data or access to other data of economic value generated by the user. Obviously, if a contract is explicitly formed, confidentiality clauses can be inserted into the agreement. Even if the contract does not specifically include a confidentiality clause, the law may imply terms that provide for confidentiality.58 If the parties are not bound by a contract, one would need to resort to tort law. While tort law is generally the domain of the Member States, there are two Union rules that address the issue of confidentiality. As regards personal data, any data subject who suffers (both material and non-material) damage59 as a result of an infringement of the General Data Protection Regulation may request compensation from the data controller (or processor) under Art. 82 GDPR. The rule prescribes a fault-based liability with a presumption of fault. This means that the onus rests upon the data controller to prove that it is not in any way responsible for the event giving rise to the damage.60 With respect to non-personal data of economic value, the rules of the Trade Secrets Directive61 come into play (which is to be implemented by the Member States until 9 June 2018). Under Art. 4 of this Directive, Member States must take appropriate measures to protect trade secret ____________________ 58 Jacqueline Gold & Anne Summers v Allison Cox & Leanne Bingham [2012] EWHC 272 (Q.B.); Bachmann, ‘§ 241’ in Säcker/Rixecker/Oetker/Limperg (n 55) para 96. 59 Recital 146 elaborates that ‘The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of [the GDPR].’ 60 Art. 82(3) GDPR. 61 Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure [2016] OJ L157/1. Fishing for an Agreement: Data Access and the Notion of Contract 289  holders against the unlawful acquisition, use and disclosure of trade secrets. Information is deemed to be a trade secret if (i) it is not generally known or readily accessible to persons in the relevant sector, (ii) the information possesses commercial value because it is a secret, and (iii) has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret.62 In the context of relationships giving access to data, there are a number of issues that need to be addressed: first of all, can information deemed to be a trade secret if parties have access to the data who are not in a contractual relationship with the trade secret holder? I.e. if a car manufacturer has access to the GPS data of all the cars owned by a rental car or a haulage company, can this data (which allows inferences regarding customers and operating capacity) nonetheless be considered a trade secret? I would argue that it does, as long as the trade secret holder is not in a position to change the data access and takes reasonable measures to protect its secret in any other regard. If the information is a trade secret, it is protected against acquisition by means of unauthorized access and against use or disclosure in breach of a confidentiality agreement or any other duty not to disclose the trade secret.63 In my view, even if one deems the hard- or software manufacturer’s access to the date as legitimate (i.e. for product compliance purposes), and there is no contractual confidentiality agreement, then that party would at least be under a duty not to disclose the trade secret due to the relationship of proximity created as a consequence of the trade secret holder relinquishing access to data to another party. Apart from the said EU rules, confidential information may also be protected under the tort law of the Member States, such as § 823 BGB (Allgemeines Persönlichkeitsrecht, Eingriff in den eingerichteten und ausgeübten Gewerbebetrieb), Art. 1240 Code civil and the torts of misuse of private information and breach of confidence. These explanations should not imply that each and every secrecy interest of the user of a service or device is actually protected under tort law. ____________________ 62 Art. 2(1) Trade Secrets Directive. 63 Art. 4(2) and (3) Trade Secrets Directive. Ruth Janal 290 Certainly, contractual confidentiality terms, even if only implied, are preferable to the recourse to tort law. V. Conclusion In this paper I have argued that access to data does not necessarily correlate with the existence of a contract under traditional contract law doctrine. It is oftentimes difficult to define whether an agreement with the intent to create legal effect exists between the parties. Since parties oftentimes do not consider whether their relationship should have binding effect, it is necessary to resort to objective standards. However, as the discussion in section III has shown, it is far from easy to determine objective standards. In my view, an agreement with intention to create legal effect is lacking in quite a few of the instances identified in section III. Nonetheless, the user of the respective device / recipient of the service accepts or tolerates the provider’s or manufacturer’s access to the data generated. This has led to a trend in the scholarly discussion to expand the notion of contract by assuming implicit agreements and lowering the expectations as to what constitutes an intention to create legal effect. Defining an agreement as ‘contract’, though, only serves the development of the law where contract law actually addresses the issues arising from that relationship. In section IV, I have argued that contract law does address some of the issues arising from access to data, in particular regarding obligations to provide updates and duties of confidentiality. Nonetheless, there is no use denying that contractual legal default rules have to rely on imprecise standards of reasonability in many respects and are missing entirely in other instances (such as who will have access to data). In the light of these findings, I propose that searching for the demarcation line between contract and social agreement does not contribute to the development of the law in these instances. Rather than stretching the traditional notion of contract and/or trying to identify this elusive demarcation, we should look to a new concept: a de facto-relationship defined by a tolerated access to data. That access may be granted based on an autonomous decision by the user. In the alternative, the user of the device or service may have resigned to the existing access. In any case, the tolerated access leads to a level of proximity between the parties that warrants particular duties of care. When we look at creating new rules for the digital world, we should thus not limit ourselves to contract law. Instead, we should accept that a special relationship characterized by tolerated access may exist, Fishing for an Agreement: Data Access and the Notion of Contract 291  which does not necessarily qualify as a contract. The rules of the digital age need to address such de facto-relationships.

Chapter Preview



Digitization is one of the ground-breaking trends of this century. It is fundamentally transforming our entire economy and our society. In particular, the datafication of business processes leads to an incredibly fast and ever increasing mass of data. Such data is the blood in the veins of the digital economy. Many existing business models, but much more importantly those future business models that will drive innovation and create economic growth depend on being able to use these data.

The present volume assembles the contributions to 3rd Münster Colloquium on Trading Data in the Digital Economy: Legal Concepts and Tools. In accordance with the Colloquium’s general aim, they provide for a closer analysis of the different legal concepts and tools (exclusivity rights, compulsory licences, and contractual concepts) in order to promote the discussion of several options at European level to tackle the challenges in the trade of data.


„Die“ Digitalisierung gehört zu den wichtigsten Themen des neuen Jahrhunderts. Sie verändert unsere Gesellschaft ebenso grundlegend wie unsere Wirtschaft. Die geschäftsmäßige Datenerfassung führt zu einer enormen Datenmenge, die das Blut in den Adern der digitalen Wirtschaft bildet. Viele aktuelle, vor allem aber künftige Geschäftsmodelle, die Innovationen vorantreiben und wirtschaftliches Wachstum schaffen sollen, basieren auf der Nutzung dieser Daten.

Der Band analysiert rechtliche Konzepte und Instrumente rund um das Thema des Datenhandels. Er dokumentiert damit die Beträge und Ergebnisse des „Münster Colloquium on Trading Data in the Digital Economy“. Damit leistet der Band einen Beitrag zur Bewältigung der Herausforderungen des Datenhandels, insbesondere auf europäischer Ebene.