Fairness and Control In Data-Driven Marketing

(1)

Fairness and Control In Data-Driven Marketing

On the notion of control in data protection and the implications when digital standardised contractual terms, containing provisions on personal data processing for marketing purposes, are seen as unfair under interplaying legal instruments

Candidate number: 7009

Submission deadline: 16.05.2019 Number of words: 15,102

(2)

Table of Contents

1 Introduction ... 1

2 The Interplay of Rules Applicable to M3DM Processing Activities... 4

2.1 The General Restriction of M3DM Processing Activities ... 4

2.1.1 Preliminary Remarks ... 4

2.1.2 Scope of Data Protection: Relevant Observations on the Notion of ‘Personal Data’ ... 5

2.1.3 Legal Requirements of M3DM Processing Activity... 7

2.2 The Notion of Control in the EU Framework ... 8

2.2.1 The European Rhetorical Entanglement of the Meaning of Control... 10

2.2.2 The Placement of Structural Measures: Reasons and Consiquenses... 14

2.2.3 Final Remarks... 16

2.3 Concluding Remarks ... 17

3 Consent and Contracts: Similarly Shared Elements of Agreement ... 18

3.1 Establishment of Similarity Structure Demonstrating Simplicity of Issues... 18

3.1.1 Information Requirements ... 20

3.2 Application of the Legal Interactivity to ‘The Ride of My Life’ ... 21

3.2.1 Valid Consent and Contract: Capacities of Offer and Acceptance... 21

3.2.2 Consent Must be Given with Affirmative Action... 22

3.2.3 Provisions Stipulating Processing Activity must Form Part of the Valid Contract 23 3.3 Information Requirments: The Outlook of the Layered Notice Praxis ... 25

3.3.1 Consent and Contract: Different types of Notices and Requirements... 25

4 What M3DM Processing Activities Can Be Justified Based on Valid Consent... 26

4.1 Can Adhoc Privacy Notices be Freely Given?... 26

4.2 Encapsulating Consent as an Imperative Barrier of Potential Misuses... 27

4.3 Finding Balance between Exploitation and Protection of Personal Data... 28

4.3.1 Why Buy ‘Google Assistant’ in a ‘Data Driven Market’?... 28

5 The ‘Transparent’ Potential of Data Subjects Empowerment ... 29

5.1 Preliminary Remarks... 29

5.2 Forms of Productive and Transparent Practices... 29

5.3 Use of Data as Unfair Commercial Practice ... 30

(3)

6 Conclusion... 32

7 Table of reference... 33

7.1 A. Books and journal articles ... 33

7.2 B. Report and other documents ... 36

7.2.1 Independent EU Data Protection and Privacy Advisory Bodies... 36

7.2.2 European Commission... 38

8 Table of abbreviations ... 43

9 Table of legal instruments ... 45

10 Table of cases ... 46

(4)

1 Introduction

Digital technologies are rapidly reshaping the world, bringing great benefits as well as many challenges. Despite rigours efforts on behalf of the EU to establish a growing digital single market (DSM), the inability of the law to evolve at a similar phase has left users of digital services and content, in a situation that allows for harmful exploitation and undermines the general will of the society.¹

Society, stakeholders, and users (hereafter subjects or data subjects) all greatly benefit from the continuous development of the digital environment.² The rise of the ‘Internet of Things’ (IoT) and the pursuing dramatic increase in data collection and sharing (‘Big Data’) has offered companies like Google, Amazon, and Facebook the ability to bring about new products and services as well as to configure old ones in a way that is better suited to the needs their consumers'. Ultimately, individuals’ everyday lives are greatly improved through better and less expensive, or, more often, even free, products and services, in all sectors of society.³

In particular, this is made possible by cookies and everyday smart devices, embedded with sensors, and designed to continuously collect, process, and transfer data.⁴ Tracking subjects behaviour and interests, online or offline, essentially creating a 'profile'⁵ that links to subjects account or IP address, enabled above-mentioned companies,⁶ to offer their services for free, i.e. by operating ad-networks, where ads are defined and displayed according to subjects profiles, using predictive or behavioural analytics concluded by these ad-network or affiliate ad- server. Additionally, this allows them to better predict how subjects could be influenced.⁷

The increasing capabilities of digital technologies to process data, e.g. by methods of ad- vanced analytics, machine and, deep learning, have allowed both private and public entities to make use of personal data on an unprecedented scale in order to pursue their activities.⁸ In

1 Jacquemin, Digital content and sales or service contracts, 27.

2 Ibid. 2-3. Commission, IoT: Action Plan, 3. Ezrachi and Stucke, Written evidence (OPL0043), [2.1.].

3 Bentzen, et al., 2018:11.

4 WP29, Opinion on IoT Development, 6-7. Using http://www.youronlinechoices.com/nor/dine-valg you can see the magnitude of OSP’s presently tracking you and providing you with interest-based advertising.

5 Qv. GDPR, rec. 30.

6 “Google operates the ‘Google Display Network’ (comprising partner websites and some Google [properties, e.g.] YouTube), DoubleClick online ad serving [products, ...] ‘DoubleClick’, ‘Ad Exchange’ and ‘Invite Media’.

These provide advertisers with the tools needed to analyse the market and deliver specialised ads with greater ease and efficiency”. Qv. http://www.google.co.uk/intl/en/policies/privacy.

7 Ezrachi and Stucke, Written evidence (OPL0043), [2.1.-2.5.]. Re. Commission, DSM Strategy for EU, 63-64.

Qv. “[The] core themes of the strategic implications of Big Data.”, cf. Ibid. [2.3.-2.9.].

8 Ibid. [2.2.].

(5)

return personal data has become a central asset to companies' and the digital society.⁹ Such activities often include collection and use of personal data for concerning purposes, such as to gain undue advantage over competitors, not only by predicting trends and behaviours but sometimes by manipulating their services or products to erase any trace of competition, q.v.

Googles search result violation in 2017.¹⁰

‘Data’, as information, has always played a central role in any market economy. As the essential input for its performance, the flow of information has stimulated innovation and the economy as well as enabled consumer’s choice.¹¹ However, more recent cases have had greater impacts on data subject’s ability to act based on relevant and accurate information.

Moreover, they often question the general fairness of these new practices in an environment where companies gain access to massive amount of personal data often without the knowledge of subjects, and consequently sell it to marketers or use it in pursuit of influencing public opinion through a verity of media,¹² q.v. Facebook - Cambridge Analytica scandal in 2018.¹³ Unsurprisingly, these recent developments have increased privacy concerns and brought new challenges for data protection,¹⁴ as subjects are not fully informed about its collection, processing, and subsequent use and lack the capacity to control the access others have to their data.¹⁵ Resulting in the deterioration of the data subject’s trust.¹⁶

Providing data subject’s with a sufficient level of control is a paramount concern because putting subject’s in control of their data, achieving empowerment and effective protection of there privacy, improves their level of trust which plays an important role in the uptake of new

9 Reding, “The EU data protection reform 2012”, 2. Commission, Completing a trusted DSM, 2. EESC, Opinion 345/2017 on the ePR, [3.3].

10 Case AT.39740 Google Search (Shopping).

11 Ezrachi and Stucke, Written evidence (OPL0043), [2.1.-2.2.].

12 Commission, Completing a trusted DSM, 3.

13 One’s users consented to personality quiz-app apps ToU, an app freely available on Facebooks platform, it collected psychographic data about users for academic purposes, as indicated in the ToU. However, Facebooks design enabled the app to additionally collect data from all Facebook friend of a user, without their consent.

Consequently, although under 300,000 agreed, data was collected from approx. 72 million users. The data was then sold to Cambridge Analytica to use for political and commercial purposes. It was, i.a. allegedly used to influence Brexit voters as well as to advance US presidential candidates such as Donald Trump, cf. Farivar,

“lawsuits filed by angry Facebook users”, https://arstechnica.com/tech-policy/2018/03.html and subsequent cases Case no. 01725, N.D. Cal. 3:18, Case no 01732, N.D. Case Cal. D. Del. 5:18, CA. Facebook - Cambridge Analytica scandal had similar facts as Specht v. Netscape.

14 It is why EU data protection agencies are turning their focus to social media platform giants such as Facebook, stating that saying “sorry is not enough” when a multibillion-dollar platform uses personal data unlawfully, cf.

Andrea Jelinek, former chairman of the WP29.

15 Hansen et al., Privacy and identity management, 316-317. Privacy definition provided by Culnan is used, Culnan, M.J.: How did they get my name? an exploratory investigation of consumer attitudes toward secondary information use. MIS Q. 17(September), 341–364 (1993).

16 GDPR, rec. 7-8.

(6)

technology.¹⁷ Rebuilding data subject’s lack of trust is therefore essential to maintain digital development and the growth of the digital economy. Nevertheless, overregulation can often cause significant harm. Thus, neglecting to maintain the balance of interests between society, controllers and data subjects would be counterproductive to abovementioned aims.¹⁸

Recent reform sets out to achieve this balance, allowing greater control while striking a balance between the free flow of data and the data subjects rights to the protection of their personal data.¹⁹ Importantly the new General Data Protection Regulation 2016/679/EU (GDPR) strengthens and extends the scope EU’s data protection requirements. It includes the principle of consent, as one of the lawful basis for collecting and processing personal data which collector obtain e.g. through subj ects use of digital products and service (digital services hereafter refers to digital products).²⁰ The lack of transparency that has surrounded those circumstances has recently been made painfully clear with the influx of cookie consent requests of all types following the implementation of the GDPR. Notably, social media giants such as Facebook and Google have now taken steps to increase transparency, respect the rules of democratic debate, and overall, to portray themselves as placing privacy and data protection, in the forefront, taking up data protection measures and requesting consent.²¹

It remains to be seen whether marketers actually apply the requirements of consent and transparency in accordance with the current reform and in a way that offers data subjects enough control over their personal data, to reinstate their trust in digital services, while still maintaining balance, thus sustaining the development of the digital single market (DSM).²² More importantly it most first be asked to what extend data driven marketing falls under the GDPR. Thereafter what is actually meant by the ‘notion of control’ and how principles of fairness not just within the GDPR but in interplaying rules help achieve subject control.

17 Studies [31] have shown that [31]. See the European research project SWAMI:

www.isi.fraunhofer.de/t/projekte/e-fri-swami.htm.

18 Qv. “given [the rapid development of digital technologies and] the importance of creating the trust that will allow the digital economy to develop [the GDPR calls for data subjects to] have control of their own personal data”, cf. GDPR, rec. 6-7. Or as the commission puts it “Creating the right framework conditions and the right environment is essential to retain, grow and foster the emergence of new online platforms [...]”, cf. Commission, Online platforms: Opportunities and Challenges, 3. Q.v. EU Committee. OP & DSM (HL Paper 129), 67 [255], regarding concerns on implementing GDPR, re. Yahoo (OPL0042) and ITIF (OPL0076) by ensuring individuals right to privacy are put in action while still sustaining development of the online environment and economy.

19 GDPR, art. 1-3, rec. 1-13.

20 EU Committee, OP & DSM (HL Paper 129), 57-59 [217-221, 223].

21 Adapting to new digital reality {Citation}es, 4-5. Study on consent notification measures.

22 Another key aspect of building trust is the capability to adjust the functioning and properties of technological systems to individual preferences (within safe boundaries). <ref: Commission, IoT: Action plan, 6*-7.>

(7)

2 The Interplay of Rules Applicable to M3DM Processing Activities 2.1 The General Restriction of M3DM Processing Activities

2.1.1 Preliminary Remarks

The rise of the ‘Internet of Things’ (IoT) and the pursuing dramatic increase in constant data generation and flow,²³ combined with 'big data' analytics (BDA), has massively (continually to greater extent) equipped entities (like Google, Amazon, and Facebook) with capabilities to

‘obtain’ personal data, e.g. by use of cookies and everyday smart devices, embedded with sensors, and designed to continuously collect, process, and transfer data.²⁴ Tracking subjects behaviour and interests, online or offline, essentially creating a 'profile'²⁵ that links to subjects account or IP address, in a way that enables exploitation (i.e. ‘utilisation’), i.e. predict and infer subject’s interests and behaviour for, and consequently ‘benefiting’ from, more effective marketing.²⁶ Data driven marketing²⁷ allows offering digital services for free, to bring about new digital products and services (hereafter jointly referenced as digital services), to configure old ones in a way that is better suited to the needs their consumers (hereafter respectively, development- and optimisation through personalisation (DtP and OtP)) as well as to find new potential customers and to reach them, (hereafter ...) as ads are defined and displayed according to subjects profiles, using predictive or behavioural analytics concluded by ad-network or affiliate ad-server.²⁸

Rules of data protection are relevant as data processing forms the basis of data driven marketing practices.²⁹ Generally, such processing is prohibited if the data processed is considered ‘personal’, i.e. the original raw data, metadata collected by cookies,³⁰ extracted, ag-

23

24 It goeas without saying that these are not the sole factorce, for example the commission noted reasently that the use of mobile data has grown 12 fold as result of roaming charges since June 2017, cf. Commission, “EU in May 2019: Top 20 Achivements”, 5.

25 WP29, Opinion on IoT Development, 6-7. Using http://www.youronlinechoices.com/nor/dine-valg you can see the magnitude of OSP’s presently tracking you and providing you with interest-based advertising.

26 Ezrachi and Stucke, Written evidence (OPL0043), Ibid. [2.2.]. WP29, Opinion on IoT Development, 10-11.

Such as the application of censor fusion, fingerprinting, or cross matching. Qv. GDPR, rec. 30.

27 “Google operates the ‘Google Display Network’ (comprising partner websites and some Google [properties, e.g.] YouTube), DoubleClick online ad serving [products, ...] ‘DoubleClick’, ‘Ad Exchange’ and ‘Invite Media’.

These provide advertisers with the tools needed to analyse the market and deliver specialised ads with greater ease and efficiency”. Qv. http://www.google.co.uk/intl/en/policies/privacy.

28 Ezrachi and Stucke, Written evidence (OPL0043), [2.1.-2.5.]. Re. Commission, DSM Strategy for EU, 63-64.

Qv. “[The] core themes of the strategic implications of Big Data.”, cf. Ibid. [2.3.-2.9.].

29 The definitions of ‘data subject’, i.e. any natural persons who can be directly or indirectly identified by the controller or a third party using reasonably likely means, and ‘personal data’, i.e. any information data relating to a data subject that can be linked to said individual, are key for determining the scope of the GDPR, cf. art. 4(1).

30 as the commission has concluded in September 2010 where the commission has decided to refer the UK to

(8)

gregated or inferred information so far as it relates to an identified or is reasonably likely, without disproportionate effort, to be matched to an (i.e. identifiable) individual,³¹ unless both lawful and fair.³²

2.1.2 Scope of Data Protection: Relevant Observations on the Notion of ‘Personal Data’

In accordance to the above, under the GDPR it remains a prerequisite for the data to be ‘personal’ in order for subjects to enjoy their rights of protection, i.e. control is only provided in situations where the data is personal.

The majority of data used to build profiles on and market to data subjects (e.g. raw data) is however, not ‘personal’ data strictly speaking (i.e. they are just codes and digits by them selves). Nevertheless, flexibility is presumably embedded into the concept of 'personal data' to provide an appropriate response to the circumstances at stake.³³ A high degree of flexibility is generally given in regards to the above mentioned raw data when collected in relation to IoT devices, Big Data and cloud computing, do to there pervasive nature and vast amount of data processed which might be combined with other ‘unique identifiers’ and other information received by the servers to create profiles of natural persons.³⁴ They thus generally fall under the GDPR. However, as they data driven marketing generally neither produces legal effects nor a comparable risk potential (e.g. decision on whether to give subjects car insurance based on there score) the profiling does generally constitute processing falling under the prohibition under Article 22(1) of the GDPR.³⁵

Furthermore, data used for data driven marketing that might be considered personal data at one stage (falling under GDPR) can be rendered anonymous, i.e. incapable of being identifiable, at different stages of the processing activity or thereafter processing activity of others,

EU's Court of Justice (ECJ) for not implementing rules on confidentiality of e-communications such as e-mail or internet browsing, cf. Article 5(1) of the ePrivacy Directive 2002/58/EC (ePD) and Article 2(h) of the Data Protection Directive 95/46/EC (DPD). Said rules requires Member States to ensure confidentiality of the communications and related traffic data by prohibiting unlawful interception and surveillance unless the users concerned have consented is obtained. Member States are also required to establish appropriate sanctions in case of infringements and such supervision be carried out by an independent authority must be charged with supervising cf. (IP/09/1626) (IP/09/570) (IP/12/60). DPD, art. 24, 28. Qv. Definition of personal data see GDPR, rec. 26 and +++ art. 4(1). art. 4(12) of the GDPR.

31 Cf. Breyer which held that dynamic IP addresses may be PD under art. 2(a) of the DPD so far as they are reasonably likely to be matched to an individual. The corresponding definition is taken up in art. 4(1) of the GDPR, cf. rec. 26 (sentence 1 and 3), (re. “GDPR”, 2) and recent case Nowak where CJEU has ruled that a candidate’s exam script is ‘personal data’, as it constitutes information that ‘relates’ to him. Qv. WP 29 Opinion 4/2007 on the concept of personal data, WP 136, 21. [Recital 26.].

32 GDPR, art. 5(1)(a).

33 WP29, Opinion on Personal Data, 4.

34 Lazaro, Christophe and Le Métayer, Control over Personal Data, 18-20. GDPR 235

35 GDPR 1832-183.

(9)

thereby falling again outside the scope of data protection law.³⁶ Nevertheless, statements of data driven marketing entities like Pornhub.com that inaccurately assume that personal data does not include anonymized or pseudonymized data,³⁷ are domed to be not wholly correct.

The half truth exists as pseudonymization does not render data incapable of being used to identify subjects, i.e. personal data, but rather that the personal data which is object of pseudonymization, is aggregated in manner where it solely cant be attributed to specific subjects without use of additional information belonging to the personal data which was the object of the pseudonymization. This will be explained below with reference to ECJ Wirtschaftsakademie.

ECJ Wirtschaftsakademie, dealt with the issue of whether a Facebook fan page administrator (FB-FP adm.), such as Wirtschaftsakademie (WA), was, in accordance with the DPD, a controller jointly responsible with FB, a social media networks, for the processing of personal data collected by FB via cookies placed on visitors devices, for statistical purposes (providing WA with ‘Facebook insight’ function), without first being informed. The court found that such was the case because WA as adm. took part in the determination of the purposes and means of the processing,by opening the FB-FP and agreeing to predetermined terms of processing, WA made it possible for FB to collect data of the visitors, and was involved with defining param- eters depending, in particular, on its target audience and the objectives of managing and pro- moting its activities, which ‘influenced’ the purposes and means of the processing.

The statistical information provided to FB-FP adm., i.e. demographical percentage of likes and visits, is the aggregated form of personal data collected and processed by FB, i.e. information which subject accessed and liked what on the FB-FP. It is presumed anonymous as the statistics are presented in a manner whereby the adm. cannot know which particular subjects, nor in what way they, belong to given statistics. If and when, the adm. collects received information and further processes it would fall outside the scope of data protection instruments as long as the original information collected was endurably anymous.³⁸ Where as it would fall inside the scope when the data object of collection and subsequent processing has undergone pseudonymisation, although the risk to identification would be reduced significantly in said case.

Comparatively, it can be argued that the aggregated data an adm. is supplied with in the

36 “Key Aspects Expleined: GDPR Proposal”, 2.

37 According to Article 4(5) of the GDPR, ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

(10)

Facebook insight function is neither the object of anomysastion or pseudonymised. Concern- ing the latter, the data (i.e. the key), which the statistics are based on, are (at least facebook likes but not who accessed the FB - FP) accessible to the FB-FN adm.

However, the notion of anonymous data should be interpreted narrowly, and with con- sideration to the fact that the ability of receivers to link data together and re-identifying subject is, now more then ever easily possible, e.g. due to the rise of sophisticated re- identification tactics.³⁹ This is especially true concerning location data do to the extensive re- identification capabilities of data driven marketing entities. For example, the criteria of personal data is meet where, e.g. the FB-FP adm. has copied down the ‘Facebook insights’ statistics, e.g. the number of likes of mid day posts, for further processing of some self determined purpose, e.g. knowing frequency of midday activity across services, and thereafter examines the midday posts themselves on his FB FP, to identify who the individuals are that are liking midday posts.

This is especially the case when collecting metadata as it is generally not encrypted, and the vast majority is likely to remain so. This is data that needs to stay unencrypted in order for the systems to operate: location data from cell phones and other devices, telephone calling records, header information in e-mail, and so on. This information provides an enormous amount of surveillance data that was unavailable before these systems became widespread.⁴⁰

This situation specifically, where this raw data is collected by and, or, through digital devices or services, also triggers particular rules of the ePD, i.e. art. 5(3) and 13 …REC 30 GDPR EDPB opinion on interplay 11-12.

2.1.3 Legal Requirements of M3DM Processing Activity

In accordance with the above, for the data driven marketing processing activity to be lawful it must both not be prohibited by law in combination with having legitimate purposes for, and which limits the, collection and processing and legitimate basis, i.e. either [1] subjects valid consents (this is likely the only legitimate basis where ePD applies, notably prior to the placement of cookies necessary for behavioural advertising, STH SPECIAL CHATO- GORYcf. next chapter)⁴¹ are obtained by controllers,⁴² i.e. the entities involved in the M3DM, that, alone or jointly with others, determine why and how data will be processed, i.e. who

40 (going dark, 5)

41 EDPB, guidelines on GDPR art. 6(1)(b), 13 [52]. AD REFERENCED MATERIAL THEREIN.

42 Reding, “The EU Data Protection Reform 2012”, 2

(11)

have the ‘factual influence’,⁴³ or [2] they have other legal permissions, e.g. prevailing legitimate interests (see chapter thereafter) or contractual necessity (this is generally not a suitable legal ground for behavioural advertising and associated tracking profiling,⁴⁴ but might be relevant, in some cases, for personalisation of content,⁴⁵ cf. chapter next).⁴⁶

Building on the above and will serve as the structure of analysis, unless consent is specifically required, if there does not exist a contract that is considered valid (as determined by, e.g.

e-commerce, contract law, etc. where applicable), and that the processing activity is either necessary either for the performance of a contract or in order to take pre-contractual steps at the request of a subject (7 [22]), they need to seek justification, in accordance with the principles of purpose limitation, in another appropriate legal basis,⁴⁷ e.g. consent or prevailing legitimate interest.

Whether a processing is seen as ‘unfair’ can be used when considering the need for-, and ability of control in that particular situation, will central to deciding whether legitimate interest can be deemed more appropriate, whether they can prevail over the rights of data subjects.

Yet what is considered fair is by itself difficult to define in abstract and will be discussed. It first needs to be established what is meant by control.

2.2 The Notion of Control in the EU Framework

What do major companies like Microsoft actually mean when they express a will to “[...] pre-

43 WP29, Opinion: “controller" and "processor", 10. The GDPR, 14, 17. GDPR, art. 4(7).

44 EDPB, guidelines on GDPR art. 6(1)(b), 13.

45 EDPB, guidelines on GDPR art. 6(1)(b), 13, 14.

46 The GDPR similar to its predesseor the DPD, provided six grounds for processing being lawful. Cf. GDPR, art. 6 (1)(a-f). NB. (d-e) only concern public authorities, therefore, as NRAs are likely not in the buisness of marketing, at least not on the scale of private entaties, they are exempt from this paper. (b) concerns processing for contractual neccessesity, this ground is irrelavant as this scope is limited to cases and data used to conclude a contract, e.g. such as shoping chart cookies, and not e.g. collection of data about buying behaviour because of a obligation stemming from a contract. Lastly, (c) deals with processing necessary for compliance with legal obligations, this ground is deemed irrelevant as it would appear exceptional if processing for marketing purposes would be necessary to comply with legal obligations, cf. Moerel and Prins, “homo digitalis - proposal: BD and IoT”,3. In principle, after the user has uninstalled the app, the app developer does not have a legal ground to continue processing of the personal data relating to that user, and therefore has to delete all data. An app developer that wishes to keep certain data, for example in order to facilitate reinstallation of the app, has to separately ask for consent in the uninstall process, asking the user to agree to a defined extra retention period.

The only exception to this rule is the possible existence of legal obligations to retain some data for specific purposes, for example fiscal obligations relating to financial transactions.The Working Party reminds all information society services, such as apps, in opinion on apps on smart devices, 24)that the European data retention obligation (Directive 2006/24/EC) does not apply to them and therefore cannot be invoked as a legal ground to continue to process data about app users after they have deleted the app. The Working Party takes this opportunity to highlight the especially risky nature of traffic data, which deserve special precautions and safeguards per se – as highlighted in the WP29’s Report on the enforcement of the Data Retention Directive (WP172) – where all the relevant stakeholders were called upon to implement the appropriate security measures.

47 EDPB, guidelines on GDPR art. 6(1)(b), 14 [19]. WHERE THEY TAKE DIFFERENT APPROACH.

(12)

serve the ability for [subjects] to control [their] data”⁴⁸? Soon after recent forms, ‘giving subjects control’ became as trendy as ‘we value your privacy’. Never the essence of the former statement is not within the grasps of subjects because of the plurality of different meanings frequently ascribed to the ‘notion of control’ and the vagueness of its supposed core mechanisms of empowering them.⁴⁹ This prompts the need for a greater comprehension of the notion before conducting an examination of whether the EU data protection framework allows data subjects more control in a way that allows trust in the DSM.

The ambiguity surrounding the meaning of ‘control’ likely stems from ‘misleading confla- tion’, firstly, between scholarly literature and materials produced by the EU regulator, DPAs and advisory bodies. Secondly, between the latter materials themselves, as well as their vagueness. It is important to realize that although the recent EU reform pushed for providing subject’s with greater control over their personal data, the notion of control is not new. In fact, privacy advocates, scholars, regulators, and the tech industry have for a long time advocated, for giving subjects more control as the key regulatory response to the problems raised by recent developments of digital technologies.⁵⁰ In the course of scholarly literature the notion of control has often been conceptualised in certain ways, notably as one of the foundations of privacy,⁵¹ which creates a misleading confliction with the deployment of the notion of control by EU institutions as a tool for data subjects to manage their privacy.⁵² In short, this means that if subjects control is guaranteed under EU law, their privacy (or aspects of it) is not sim- ultaneously guaranteed automatically but their ‘ability to manage’ it would be.

Secondly, by the scale of diverse EU material expressing the need for control,⁵³ often in an incoherent manner and leaving the meaning of control and its core elements vague and pervasive.⁵⁴ The GDPR best illustrates this lack of decisiveness as it briefly references in its recitals, the need for subjects to have control given the challenges brought by the technological development and the importance of creating the trust that allows for the development of

48 Nadella, Your data, powering your experiences, controlled by you, at https://privacy.microsoft.com/en-US

49 Lazaro, Christophe and Le Métayer, Control over Personal Data, 29. (ATH)

50 Ibid. Lazaro, Christophe and Le Métayer, Control over Personal Data, 4, 7, 15-16. Woodrow, The Case Against Idealising Control, 424.

51 Debates concerning the validity of such will be left out of this paper. For in depth analysis of the meaning of control as developed in privacy and data protection scholarship, see Lazaro, Christophe and Le Métayer, Control over Personal Data, 6-15. Leenes, DP and Privacy, 117-120.

52 Lazaro, Christophe and Le Métayer, Control over Personal Data, 15. Morel et al., IoT: Enhancing Transparency and Consent, 1.

53 e.g. preparatory legislation works, legislative text, experts’ opinions, and material addressed to citizens

54 Lazaro, Christophe and Le Métayer, Control over Personal Data, 15-19, 21.

(13)

the DSM.⁵⁵ No explanation is however given to the meaning of control (including its prag- matic modalities), how providing data subjects with greater control is among the crucial ele- ments that will create the trust that will allow the digital economy to develop across the inter- nal market?⁵⁶

2.2.1 The European Rhetorical Entanglement of the Meaning of Control

The EU rhetoric might provide an explanation to the promises of the commission that the EU legal framework, particularly with the addition of the GDPR, empowers data subjects to exercise effective control over their personal data.⁵⁷ Through an examination of the material produced by the EU regulator, the dominant rhetoric can be said to take a uniquely entangled approach to the notion of control where as it encompasses both subjective and structural agents.⁵⁸

Respectively, this empowerment to ‘manage’ their personal data could obliquely manifest through a combination of several categories of rules (i.e. a set of ‘micro rights’) that are frequently linked with or mentioned along side ‘the notion of control’.⁵⁹ These micro rights mainly surround the right to object and the requirements of consent⁶⁰ (and to withdraw it),⁶¹ as well as of transparency and information (including the rights of access).⁶² These provide

55 GDPR, rec. 6-7. Or as the commission puts it “Creating the right framework conditions and the right environment is essential to retain, grow and foster the emergence of new online platforms [...]”, cf. Commission, Online platforms: Opportunities and Challenges, 3. Q.v. Commission (EC), comprehensive approach on personal data protection, 3-4 [H-N], EU Committee, OP & DSM (HL Paper 129), 67 [255], regarding concerns on implementing GDPR, re. Yahoo (OPL0042) and ITIF (OPL0076) by ensuring individuals right to privacy are put in action while still sustaining development of the online environment and economy.

56 Ibid. Morel et al., IoT: Enhancing Transparency and Consent, 1-2.

57 Voigt, and Bussche. The EU GDPR, 141-147. Commission, Completing a trusted DSM, 3, 5. Commission, stronger protection, new oppertunities, 3. Important rules arising for secondary legislation concerns the burden of proof, obligations, safeguards, and rights deriving from data processing. Tackling the DSM unrelated to whether data is considered personal are the ECD, the Services Directive 2006/123/EC, the Directive on the re- use of public sector information (Directive 2003/98/EC, known as the ‘PSI Directive’, currently under review), the GDPR, which is complemented by the e-Privacy Directive 2002/58/EC (ePD) as modified by Directive 2009/136/EC (currently under review). The general provisions of the TFEU (Articles 49 and 56) could be applicable to the totality of data storage and other processing services. However, addressing existing barriers through infringement procedures against the Member States concerned has been identified as cumbersome and complicated, yet leaves a situation of legal uncertainty.

58 Lazaro, Christophe and Le Métayer, Control over Personal Data, 15-16.

59 Q.v. Reding, “EU DP Full Speed”, 3.

60 Ibid. Consent as defined in the Article 4(11) in the GDPR (see also rec. 43), is one of the legal grounds for processing personal data cf. GDPR, art 6(1)(a), q.v. rec. 32 and must be obtained prusuant to the requirements as stipulated in the GDPR, see art. 7-11 and rec. 42, 33. Q.v. GDPR, art. 7(3) on consent.

61 The right to object (GDPR, art. 21, rec. 69-70.) or to restrict data processing (GDPR, art. 18-19, rec. 67.), rights related to automated decision-making and profiling (GDPR, art. 22, rec. 71-73.).

62 Lazaro, Christophe and Le Métayer, Control over Personal Data, 21-22. See also Bygrave, DP Law, 158-163.

Q.v. concerning the requirement of transparency, as well as fairness, the controller must, before any processing operation of personal data begins, inform the data subject of its existence, what their legal basis and purposes

(14)

data subjects with the ability to make decisions through autonomous choice (and by a delib- erate and informed action) about the processing and, or, subsequent use of their personal data by others.⁶³

In comparison when the notion of control is conceptualised as privacy, the subjects would be considered to lose control over personal data as soon as they provide and entrust controllers with it,⁶⁴ whereas the EU rhetoric, in the same situation, would not consider control lost as long as the subject still has some measure of influence over the processing and subsequent use,⁶⁵ i.e. where subjects have the ability to be aware⁶⁶ of what, where and when personal data is processed and why, how, and by whom, and the ability to act in some manner to shape the use, e.g. to withdraw consent, to rectify⁶⁷ or erasure,⁶⁸ of the personal data that concerns them.⁶⁹

It would be impossible for subjects to exercise control over the use of personal data, that concerns them, by third parties, if the latter or otherwise responsible party, does not make the subject sufficiently aware of its collection,⁷⁰ nor the purpose and scope of the processing practice, i.e. by ‘effectively communicating’, directly or indirectly, ‘intelligible information,⁷¹ that is necessary’, in a ‘concise and transparent manner’, to the subject (q.v. chapter 3.),⁷² since it affects subjects ability to take action,⁷³ encompassing the exercise of their ‘micro rights’, cf.

are, to name a few. The communication itself must be governed by the principle of transparency, cf. GDPR, art.

5(1)(a), whereby controllers are obligated to create suitable information measures, cf. GDPR, art. 12. Qv. art.

2(1). whereas effective control by the data subject and by national data protection authorities requires transparent behaviour on the part of data controllers,

63 Lazaro, Christophe and Le Métayer, Control over Personal Data, 21-22. Bygrave, DP Law, 158, 160-162.

Compare similariteis with the principle of ‘data subjects influence’ descussed in Bygrave, DP Law, 158-163.

64 Lazaro, Christophe and Le Métayer, Control over Personal Data, 29. Leenes, DP and Privacy, 122-123.

65 Compare, EESC, “Opinion on ePRp”, (6.3).

66 ATH re. awareness in Bygrave, DP Law, 158-163.

67 GDPR, art. 15-16, rec. 63-65.

68 GDPR, art. 17, rec. 66. Also called the right to be forgotten.

69 See analysis on ‘data subjects influence’ in Bygrave.. (ADD). Reding, DP reform.. 2

70 Q.v. EESC, “opinion on ePRp”, (5.4), where EESC warns against the effets profetability resulting from the possibility to obtain greater acess to personal information by futher processing of metadat, re. (5.2) and the presumed lack of knowlidge thereof, by data subjects when expressing consent to the storega of metadata, which will bresumably have such effect, and therefore advvocates the need to inform and better educate subjects.

71 In the ‘event of uncertenty’ about the 'level of intelligibility’ and ‘transparancy of information' and 'effectivnes of user interface/ notices/ polices etc.', the 'controller' can: determine what the avarge member of which the privacy information is inteded for (the subjects, that the collected personal data cconcerns) based on collectors assumed knowledge about that group of subjects) or test them (i.e. mentioned uncertities relating to both the information and communication) through, firstly, a number of 'mechanisms' (e.g. user panels readability testing, consolidation with stakholders (indrusty and advocacy) and regulatory bodies) and , secondly, through other means, as appropriate to determine the suitability of the information and communication to allow understanding by aan avarge member of the intended audicance. WP29, GDPR Guidelines: Transparency, 6. Re. Morel et al., IoT: Enhancing Transparency and Consent, 4.

72 WP29, GDPR Guidelines: Transparency, 5.

73 Q.v. WP29, “opinion: apps on smart devicess”, 24.

(15)

ECJ, Bara and Others, where the court held that the requirement of fair processing precludes transfers between, and further processing by, NRAs without first informing the data subject, for the purpose of the processing by, and in its capacity as, the recipient of the data.⁷⁴

Control is similarly rendered unachievable when, although subjects are made sufficiently aware, subjects have no means of taken actions, both, ‘expressing the privacy preferences’

‘they have decided’, which is communicated, directly or indirectly, to, and ‘received’, and

‘upheld’ by ‘parties responsible for implementation of requirements to shape the processing accordingly’ as well as possibly to ‘allow the subject to monitor actual compliance’ with the privacy choices they gave.⁷⁵

The EU regulator appears to have recognized, or at least feels compelled to recognise, Q.v. I v. Finnland,⁷⁶ that duo to the digital design, notably its complexity,⁷⁷ for subjects to be able to ‘effectively exercise control’ (i.e. through use of these ‘micro rights’) providing the micro rights themselves is insufficient, rather a set of ‘structural measures’ must be placed within the digital environment that ensures its reliability and effectiveness,⁷⁸ as technical solu- tions facilitate more effective and sufficient means of making data subjects aware and em- powered to exercise control.⁷⁹ I v. Finnland (2008), which concerned confidentiality of patient data in a public hospital system. Specifically, the patient did not entrust the employees to refrain from accessing the data without authorisation as was required by law. However as the law did not require, and thereby by ensure that the law was implemented obligations under Article 8(1) under the convention were not fulfilled. As the hospital did not place measures within the health record system, that comprehensively logged access to the records, as well as stored such log in away making monitoring of compliance possible, i.e. whether the data had been accessed without proper authorisation.⁸⁰ The lack of logging undermined the applicant’s ability to litigate before the Finnish courts because it deprived her of concrete evidence that her health records had been accessed unlawfully. Had the hospital provided a greater control over access to health records by restricting access or by maintaining a log of all persons who

74 ECJ, Bara and Others, para 32, 33, 35.

75 Lazaro, Christophe and Le Métayer, Control over Personal Data, 30. Morel et al., IoT: Enhancing Transparency and Consent, 1.

76 Positive obligations extend to more then just putting legal rules in place. See Bygrave, privacy by design 109- 110.

77 There is ample disbelieve that enabling ‘subjective controls’, e.g. like requiring informed consent, can, by themselfs, provides subjects with sufficient control duo to the digital design, notably its complexity, cf. Morel et al., IoT: Enhancing Transparency and Consent, 2.

78 Lazaro, Christophe and Le Métayer, Control over Personal Data, 18-20. Q.v. Bygrave, Privacy by design, 107. Where Bygrave points out that Article 25 shows that the EU regulator embraces PbD idieals to such…

79 Reding, “The EU Data Protection Reform 2012”, 2. GDPR, rec. 59.

80 Bygrave, Privacy by design, 109-110.

(16)

had accessed the applicant’s medical file, the applicant would have been placed in a less dis- advantaged position before the domestic courts’: ibid, para. 44.

As seen above whether and to what extent structural measures need to be in place depends on the risk at case. Although the main elements of the ‘structural measures’ are not widely determined, EU material allows categorization of three pillars.⁸¹ There will be limited discus- sion in this paper devoted to the first two pillars.⁸² Respectively, they are ensuring effective enforcement⁸³ of effective and heterogeneous rules, which encompasses the need for comprehensive set of rules to cope with risks of the online environment.⁸⁴ These rules need to apply to the processing of personal data of EU citizens independently of the area of the world in which their data is being processed.⁸⁵ Finally, the rules need to be effective in a way that they are actually enforced, e.g. by independent national data protection authorities (NDPAs).

Secondly, the responsibility and accountability of data controllers⁸⁶ which entails, e.g., the designation of a data protection officer, the performance of impact assessments and possibly the observation of ‘the principle of privacy by design’ (DPbDsgn) (see chapter 3.3.).⁸⁷ The final pillar involves ‘measures’ i.e. that reinforce security or enhance privacy, such as implementation of an privacy certification scheme, using privacy enhancing technologies (PETs) and privacy friendly default settings (DPbDflt),⁸⁸ which deals with minimising the processing of personal data (see chapter 3.3.).⁸⁹

81 (ADD what material).

82 These can be said to entail mainly organisational measures q.v. Lazaro, Christophe and Le Métayer, Control over Personal Data, 18.

83 GDPR, rec. 7, 11, 13.

84 Ibid. 2-4, 18-20. Reding, “Your data, your rights”, 2-3. Q.v. such rules can now be found in the GDPR, e.g.

‘right to withdraw’, ‘burden of proof’ and ‘proof of need to collect and retain personal data’.

85 Lazaro, Christophe and Le Métayer, Control over Personal Data, 18-20. The GDPR applies “regardless of whether the processing takes place in the Union or not”, cf. GDPR, art. 3(1). Qv. in speech held 2014 Viviane Reding, then Vice-President of the European Commission, stated that “Europe must act decisively to establish a robust data protection framework that can be the gold standard for the world. Otherwise others will move first and impose their standards on us.”

86 Ibid. GDPR, rec. 103.

87 Lazaro, Christophe and Le Métayer, Control over Personal Data, 18-20. The GDPR increases NDPA’s powers, cf. GDPR, art. 51–59.

88 GDPR, art. 25(2).

(17)

2.2.2 The Placement of Structural Measures: Reasons and Consiquenses

The ‘structural measures’ placed in the EU framework aim at enhancing data subjects ability to take deliberate action and trust is placed on stakeholders, like Microsoft or Google,⁹⁰ to set up the measures in a way that will allow there customers, the data subjects, to take effective control.⁹¹

Thus, the placement of these ‘structural measures’ is not done in the pursuit of achieving

‘hard privacy’ or ‘privacy by architect’, where the system is designed in a way that ensures non disclosure of personal data and, more or less, thereby gives away with the need for data subject to take action. Without the ability to take some action based on subjects own deci- sions that in someway shapes the processing, e.g. whether or not to provide personal data in the first place, control would be delegated to the system (e.g. as the programming would dic- tated whether or not personal data would be provided from subjects) and trust would need to placed on non human actors (i.e. the programming) or at least the manufactures.⁹²

With reference to the GDPR, notably requirements of implementation of structural and organisational measures (TOM) such as relevant to ensuring, e.g. PDbDsgn & bDflt (PDbD:

here after used collectively reference both), as such provisions, counter to their rational, being limited in scope and loosely formulated, combined with there being little incentive to abide to them, strongly indicates that the EU regulator has not decided to employ mentioned ‘hard privacy’ approach, at least not to its full extent.⁹³ The rationale behind DPbD is that,⁹⁴ having implemented measures, designed to ensure compliance with DP requirements and principals,

90 Q.v. Google’s Privacy Policy, where, in the first pharagraph in big letters, Google acknowledges that trust is placed on them when subjects are using their services and that they work hard to put subjects in control, cf. X.

92 This notion of “privacy by architecture” differs from the usual vision of “privacy by control” as the user does not have to take any action: the design of the system ensures that his or her personal data will not be disclosed. in that case that control is entirely delegated to non-human actors. Privacy can be distinguished as hard privacy and soft privacy based on different trust assumptions. The data protection goal of hard privacy refers to data minimization, based on the assumption that personal data is not divulged to third parties (utilising privacy enhancing technologies (PETs)). The system model of hard privacy is that a data subject provides as little data as possible and tries to reduce the need to place ‘trust’ on other entities. The threat model includes service provider, data holder, and adversarial environment, where strategic adversaries with certain resources are motivated to breach privacy, similar to security systems. Soft privacy, on the contrary, is based on the assumption that data subject lost control of personal data and has to trust the honesty and competence of data controllers. The data protection goal of soft privacy is to provide data security and process data with specific purpose and consent, by means of policies, access control, and audit. The system model is that the data subject provides personal data and the data controller is responsible for the data protection. Consequently, a weaker threat model applies, including different parties with inequality of power, such as external parties, honest insiders who make errors, and corrupt insiders within honest data holders. Deng et al., “A privacy threat analysis framework”, 4-5. re. Lazaro, Christophe and Le Métayer, Control over Personal Data, 26-27.

93 See assessment, cf. Bygrave, “DP by design and default”, 114-119.

94 GDPR, art. 25(1). The duty extends to ensuring default application of particular data protection principles and default limits on data accessibility.

(18)

from the design stage right throughout the lifecycle, (i.e. effectuating systems architectures with built in DP compliance) would achieve greater results than through traditional regulatory methods, code of conduct or contractual obligations, in relation to, e.g. improving traction of DP principles, ensuring compliance and accountability as well as, likely, eliminate any phas- ing challenges.⁹⁵

In reality, contrary to DPbDflt, the GDPR might have reduced DPbDsgn effects in certain parts of the life circle, to act as no more than merely guidance.⁹⁶ Currently, only ‘controllers’ are subject to requirements relating to the principal of DPbDsgn under GDPR (similarly to the principal of DPbDflt). Furthermore, controllers use of processors is restricted to such use sufficiently guaranties DPbDsgn.⁹⁷ Where the definition of controller does not expend (as is likely where entities are involved with e.g. IoT or Search engines) to include ‘producers’ of digital devices, services and products, that collect, processing and, or, facilitates online behavioural advertisings, the latter are only ‘encourage’ under the GDPR to design there DS in accordance to DPbDsgn.⁹⁸ Moreover, in such case the producer might be subject to the same obligation under different legal instruments, as manufacturer of terminal equipment are required to implement measures ensuring DPbD in their construction according to ePD, cf. art.

14(3), irrespective of whether the manufacturers would be designated as controller in accordance to GDPR,⁹⁹Similarly, provisions on stakeholders responsibilities of ensure sufficient capabilities of subjects to ecsice their rights, e.g. provide information, request consent or enable objection, are implemented across legal instruments.

Admittedly, not all entities involved in developing any of the relevant DSPs (i.e. that facilitate 3DMPs) are covered. For example, in relation to the mass amount of data collected on subjects behaviour across the Internet, e.g. through use of cookies, the entities involved in developing the basic internet standards, which significantly effects such processing and could in practice make the Internet DPbDsgn would not be considered controllers, nor, generally, would the manufacturer of the digital device such as subjects PC where the cookies are stored

95 Bygrave, “DP by design and default”, 106. ICO, “Data protection by design and default”. Qv. GDPR, rec. 78.

pseudonymising personal data as soon as possible; ensuring transparency in respect of the functions and processing of personal data; enabling individuals to monitor the processing; and creating (and improving) security features .

96 The requirements relating to PbDsgn essentially prompts the implementation of measures where they are needed to ensure that the particular processing activity sufficiently meets requirments of GDPR and otherwise ensure information security and protection of subjects rights. Which measures are appropriate in the context of the processing activity can be concluded by an impact assessment

97 Bygrave, “DP by design and default”, 116.

98 Bygrave, “DP by design and default”, 116, 118. Compare The GDPR 64.

(19)

(although, such is more likely in relation to IoT devices see chapter X) nor the publisher or the ad network (although, such is more likely in relation to SMN websites). Comparatively, the advertiser and manufacturer of web browsers, such as Google Chrome, that allows access to the Internet, would be considered controllers.¹⁰⁰ Moreover, it remains a issue who should be required to inform.

The complexity of the various entities involved in various ways and at various 3stages of 3DMPs makes it extremely difficult to delineate clear lines of responsibility and accountability, notwithstanding designating a controller and processor. Information needed for suc- cessful provision of data driven marketing is the product of mixing the various data obtained by various entities across various services and platforms.¹⁰¹ Notably, Google as the device manufacturer of IoT devices (e.g. the Google Pixel phone) or as a DSP, collects themselves or obtains from Android, as the OS provider, affiliated or partnered services and third party apps (given that it was unveiled through the Google Appstore and uses one or more Google services, e.g. Google Maps, play, analytics etc.), information relating to subjects activity online (e.g. subjects telephony data and use of functions or third party apps) and offline (through device sensors), collected by services or devices, irrespective of platform or whether during subjects use or not.¹⁰²

2.2.3 Final Remarks

As mentioned in order to effectively combat the ‘contemporary challenges’¹⁰³ undermining subject’s trust,¹⁰⁴ relevant stakeholders, (as required by relevant legal instrument, q.v. discus- sion above) should intervene by implementation of structural measures.¹⁰⁵ However, NDPAs must ensure their accountability, as it is known that DSPs are prone to neglect their information duties, provide coercive and misleading consent request notification or all together avoid data subject’s involvement.¹⁰⁶

This placement of trust, achieved through the specific configuration of requirements (i.e.

implimentation of measures entailing the structural agent of control) in the EU framework, is likely the result of attempting to achieve balance between stakeholders and data subjects ra-

101 Google admits it may conduct such practices see Google Privacy Policy: Protect our Users, and the Public.

102 Google Privacy Policy: Your Activity.

103 GDPR, rec 58 AND.

104 WP29, Opinion: online behavioural advertising”, 6.

105 WP29, “opinion: IoT”, 3.

(20)

ther than being the decided regulatory approach because of it being the most suited for data subjects.¹⁰⁷

In reality determining whether these tools and measures provided, are in practice, realisti- cally effective in enabling control, and what the normative consequences from operating such control, hinges on ‘the scope of the instruments’ that give rise to data subjects control’.¹⁰⁸ Since, if the legal provision that enable control, as determined above, are not ‘available to data subjects’ to deal with situations where they don’t fully trust that there rights will be re- spected, such provisions would seemingly be ill equipped to foster trust.

Simply put data subjects cannot trust what they do not know or control. Thus mistrust starts appearing as subjects become aware of the connection between there digital behaviour and the presented targeted content without having oversight of what sort of data was being collected, or how, which companies received and utilised it to provide targeted advertising.¹⁰⁹

2.3 Concluding Remarks

Consent for collecting and processing personal data is an imperative barrier of potential misuses by private and public entities in today’s data driven society where marketers have access to vast amount of data and analytical technics to build user profiles containing information about subjects, who they are and how they behave, and can use such personal profiles in ways that might negatively affect subjects or the society as a whole. Therefore, It is essential to place importance on data subject's informed consent as one of the legal grounds allowing the processing of personal data and that its limits constrain possibilities to process the data, thus serving as a mechanism for the subjects to stay in control of the purposes for which her personal data are used.¹¹⁰

Although consent can be a fundamental tool for individual users to guard their sovereignty over their individuality, lifting some of the regulatory burdens of controllers is not necessarily bad, that is if it is done to maintain a balance of interests, similar to providing data subjects with greater protection. Importantly, data-driven business models can be pro-competitive, yielding innovations that benefit both consumers and the company. Collecting and analysing

107 Compare, Commission, “Guidelines: Social Media”, 32.

108 Ibid. Reding, “The EU Data Protection Reform 2012”, 2-3. [make more ref.]

109 https://www.datatilsynet.no/globalassets/global/english/privacy-trends-2016.pdf

110 With digitalization came big data whereby utilizing the cloud infrastructure private corporations have gained the capacity to search, aggregate, and cross-reference large datasets for analysis in order to identify previously undetectable patterns, as well as the power to monitor and profile individuals, calculate risks and even predict behaviour, cf. Chen and Cheung, The Transparent Self Under Big Data Profiling, 356.

(21)

data can provide the company with insights on how to use resources more efficiently and to outmanoeuvre dominant incumbents. The European Commission noted in 2015 that “the use of big data by the top 100 EU manufacturers could lead to savings worth €425 billion,” and that, “by 2020, big data analytics could boost EU economic growth by an additional 1.9%, equalling a GDP increase of €206 billion.” n.”[7]

In reality marketers are given some leeway when it comes to transparency of said use, because regulators have deemed it necessary to maintain balance between the formers and soci- eties economic interests and data subject’s privacy related interests. Therefore, the current, and evermore urgent issue lays in finding a balance between the exploitation of personal information and the protection of individual privacy.

3 Consent and Contracts: Similarly Shared Elements of Agreement 3.1 Establishment of Similarity Structure Demonstrating Simplicity of Issues

The various ways subjects can interact with PornHub.com, i.e. a self acclaimed “best adult porn website on the net!”,¹¹¹ to enter into a valid contract, will be used to illustrate not just a practical application of rules governing the formation and validity of online contracts but more importantly how and to what extent they interplay.

As stated in Pornhubs T&C subjects agree via access or use of the website, whether they click accept or not, to be bound and to abide by Pornhubs ToS and Privacy policy, which in- clud, e.g. the processing activities by Pornhub as the collector, concerning uses (i.e. tracking, profiling, analysing, predicting) of personal data (i.e. raw-, survay and usage data, as well as sensitive data) for the purposes of, and to the extent necessary to, provide their service, or for other purposes, e.g. development and optimisation based on personalisation, behavioural advertising, e.g. for their or third parties legitimate interest, or based on subjects consent.¹¹²

In relation to data driven marketing, applicable and overlapping rules can mainly be found in two distinct fields both in regard to determining the existence of a valid contract pursuant to contractual necessity, i.e. in data protection and e-commerce (and e-consumer) law, and in regard to valid consent for a particular purposes, i.e. e-privacy and data protection. The va- lidity of these agreements depends on which rules apply as well as what particular purposes can be justified based on those legitimate grounds. Logically it will therefore form the second legal issue assessed in this chapter.

111 www.pornhub.com

112 Ibid.