If it is true that data – and “personal” data in particular – are the lifeblood of the digital economy, it is equally true that their availability is essential for the performance of any type of activity, whether of a commercial or non-profit nature. Entering into the availability of personal data, having the legitimate right to use them for one’s own purposes, represents an increasingly essential aspect of doing business.
The lawfulness of the use of personal data is linked to the organization’s answer to the question, “in what capacity am I using this personal data?”, which is the equivalent of what, in technical terminology, we use to refer to as “the legal basis of the data controller’s processing”.
For personal data that do not fall into the particular category of so-called “sensitive data” (art. 9 of the GDPR) or judicial data under art. 10, the legal basis are only those listed in article 6 of the regulation. Among these, the one that best responds to the circumstance of the collection of personal data for the purpose of use for further needs of the controller, is the consent of the data subject, given in accordance with the validity requirements of the regulation.
Data collection by incentive
Practice has shown that the tendency of data subjects to provide their personal data to the data controller so that they can be used for its own purposes, registers very low percentages, unsuitable to satisfy the need. Consequently, it is necessary to identify solutions that encourage data subjects in this direction.
There are platforms of list editor websites that invite participation in contests with rich prizes in exchange for filling in forms with one’s personal data and the release of consents for multiple purposes. There are also app providers that provide different versions of the same app: one free of charge but subject to the provision of data for marketing purposes, and one paid, free of advertising. The search for incentives, however, raises a further question of legitimacy: the verification that the nature of the solicitation chosen is not likely to “force” the interested party to agree, thereby conditioning, or even eliminating, the requirement of freedom of choice that underlies the legal validity of consent.
This point is the subject of many discussions in doctrine and jurisprudence and, in summary, it is believed that consent can be considered “free” if the interested party is offered a truly equivalent alternative, to which he can have recourse in case of refusal to consent, without being subject to significant penalties or to a barrier on access to the good or the service.
Personal Data marketability
Preliminary to the aforementioned question regarding the modalities for the collection of a “free” consent, there is the question regarding the effective marketability of personal data: that is, we wonder whether it is legally permissible for personal data to be the subject of a contract for consideration where, in exchange for a good or service offered by the supplier, the beneficiary “pays” by releasing his/her personal data and consenting to the use of the same, for the supplier’s own purposes. A sort of barter in the context of the modern digital economy.
Personal Data economic value
There seems to be no doubt that personal data can be given an economic value; this is evidenced by the market practice of remunerating services by acquiring personal data. This is acknowledged by EU Directive 2018/1972, containing the new European Electronic Communications Code, which states that “[i]n the digital economy, market participants increasingly consider information about users as having a monetary value. Electronic communications services are often supplied to the end-user not only for money, but increasingly and in particular for the provision of personal data or other data. The concept of remuneration should therefore encompass situations where the provider of a service requests and the end-user knowingly provides personal data within the meaning of Regulation (EU) 2016/679 or other data directly or indirectly to the provider” [Recital (16), Directive (EU) 2018/1972].
Evidence of this, among many, is also the case that saw Facebook losing before the Italian antitrust authority for misleading clauses, having made social users understand that the service was free, rather than paid, where the consideration was represented precisely by the collection and exploitation of users’ personal data for marketing purposes.
From a legal point of view, the right to the protection of personal data “is not an absolute prerogative, but must be considered in the light of its social function and must be balanced with other fundamental rights, in accordance with the principle of proportionality” [Recital (4), GDPR. Therefore, it could be justifiably argued that it should be balanced with the protection of the freedom to conduct business recognized by Article 16 of the Charter of Nice and Article 41 of the Italian Constitution: it would be part of the freedom to conduct commercial transactions involving the release of personal data as compensation for products or services, which would otherwise be expensive.