File #2292: "2018_Book_PersonalDataInCompetitionConsu.pdf"

2018_Book_PersonalDataInCompetitionConsu.pdf

Text

1|Contents|6
1|Introducing a Holistic Approach to Personal Data|8
1|Part I: Fundamentals of Personal Data: Between Personal Property Rights and Regulation|12
2|The Golden Age of Personal Data: How to Regulate an Enabling Fundamental Right?|13
3|1 Introduction|14
3|2 The Rationale of Fundamental Rights Protection for Privacy and Personal Data|15
4|2.1 Privacy and Data Protection as Stand-Alone Fundamental Rights|15
4|2.2 Privacy and Data Protection as Enabling Rights|16
4|2.3 The Enabling Function of Privacy and Data Protection in the EU|18
3|3 Big Data, Algorithmic Decision-Making, and Interference with Individual Rights and Freedoms|21
4|3.1 Big Data and Algorithmic Decision-Making|21
4|3.2 Interference with Individual Rights and Freedoms|22
4|3.3 EU Data Protection Law|25
3|4 Contribution of Data Protection Law to Protecting Individual Rights and Freedoms|27
3|5 Conclusion|29
3|References|31
4|Additional Sources|32
2|From Personality to Property?|33
3|1 Introduction|34
3|2 Individualism and Privacy: Protection Against the Press|35
4|2.1 The Right to Privacy|35
4|2.2 Personality Rights|36
3|3 Dictatorship, Census and Eavesdropping: Protection Against Government|37
4|3.1 Oppressive Government and Technological Advance|38
4|3.2 Curious Government and Technological Advance|39
4|3.3 Disproportionate Balancing of Freedom and Security|40
3|4 Scoring and Ubiquitous Computing: Protection Against Enterprises|40
4|4.1 Blurring the Line Between Public and Private Spheres|40
4|4.2 Efficient Markets and Redistributive Effects of Data Protection|43
3|5 From Consent to Property: Taboo or Solution?|45
4|5.1 Autonomous Consent in a World of Information Asymmetries|46
4|5.2 Towards a Property Right in Personal Data?|47
5|5.2.1 Economic Rights to Personal Data|48
5|5.2.2 Right to One’s Data as a Solution to Legal Inconsistencies|49
5|5.2.3 Towards a Dualistic Data Protection Law?|52
3|6 Conclusion|53
3|References|54
4|Additional Sources|59
2|The Failure of Control Rights in the Big Data Era: Does a Holistic Approach Offer a Solution?|61
3|1 Introduction|62
3|2 The Notion of Control in EU Data Protection Law|64
4|2.1 Control as the Normative Anchor of Privacy and Data Protection|64
4|2.2 The Instrumental Dimension of Control in the EU Data Protection Law|66
5|2.2.1 The Right to Information|68
5|2.2.2 The Right of Access|68
5|2.2.3 The Right to be Forgotten or the Right to Erasure|69
5|2.2.4 The Right to Data Portability|70
5|2.2.5 The Right Not to be Subject to a Decision Based Solely on Automated Processing|71
3|3 Controlling Personal Data in the Big Data Era|72
4|3.1 Too Theoretical and Unworkable?|74
4|3.2 Controlling Anonymous Data|77
3|4 Discussing Solutions|78
4|4.1 Strengthening the Right to Information Through the Features of Consumer Protection Law|79
4|4.2 From Portability to Prosumer Law|81
4|4.3 Control Rights in Personal Data as a Replication of the Author’s Moral Right|83
3|5 Implications for the Future Policy and for Those Who Will Interpret the New Law: Conclusions|84
3|References|85
2|The Ambivalence of Algorithms|90
3|1 Introduction|91
3|2 Digital Market Failures|93
3|3 The Promise of Personalized Law|97
3|4 The Legitimacy of Personalized Law|100
4|4.1 Challenges Posed by Positive Law|100
5|4.1.1 Data Collection and Data Protection|101
5|4.1.2 Data Use and Data Abuse|101
4|4.2 Equality and Justice|103
5|4.2.1 Two Dimensions of Equality Before the Law|103
6|4.2.1.1 Equality of Sanctions|104
6|4.2.1.2 Equality as Reasoned Difference|105
6|4.2.1.3 Personalization and Equality|106
6|4.2.1.4 Stigmatization|107
5|4.2.2 Distributive Justice|108
4|4.3 Challenges Posed by Legal and Democratic Theory|110
5|4.3.1 Loss of the Expressive Function|110
5|4.3.2 Democratic Discourse|112
3|5 The Scope of Personalized Law: A Normative Approach|113
3|6 Conclusion|115
3|References|117
4|Additional Sources|121
1|Part II: Personal Data and Competition Law|123
2|Blurring Boundaries of Consumer Welfare|124
3|1 Introduction|125
3|2 Interaction of Competition, Consumer and Data Protection Law|126
4|2.1 Competition Law|126
4|2.2 Consumer Protection Law|129
4|2.3 Data Protection Law|131
4|2.4 Findings|134
3|3 Enforcement of Data Portability|135
4|3.1 Competition Law Angle of Data Portability|135
4|3.2 Comparing Data Protection and Competition Law|137
4|3.3 Possible Role of Consumer Protection Law|138
3|4 Assessing Exploitative Abuse Under Article 102 TFEU|140
4|4.1 Excessive Pricing|140
4|4.2 Benchmarks from Data and Consumer Protection Law|141
3|5 Potential Role of Data Protection and Consumer Law Considerations in Merger Review|144
4|5.1 Current Reluctance of the Commission and the Court of Justice|144
4|5.2 Consumer and Data Protection as Legitimate Interests Under Merger Review|147
4|5.3 Illustrations of Data Protection-Related Merger Remedies|149
3|6 Conclusion|151
3|References|152
4|Additional Sources|153
2|The Rise of Big Data and the Loss of Privacy|155
3|1 Introduction|156
3|2 Why Big Data Matters|158
3|3 Privacy as a Fundamental Economic Right|161
3|4 Informed Consent|165
3|5 The Case for Competition Intervention Against Targeted Advertising|167
3|6 A Comparative Assessment of Case Studies of Privacy|174
4|6.1 A Classification of the ‘Big Data’ Collection|177
5|6.1.1 Direct Personal Data|178
5|6.1.2 Highly Sensitive Personal Data|178
5|6.1.3 Behavioural Data|178
5|6.1.4 Content and Usage Data|179
5|6.1.5 Technical versus Authentication Data|179
5|6.1.6 Location Versus Authentication Data|179
5|6.1.7 Objectively Justifiable Personalised Service Experience Versus Authentication Data|180
5|6.1.8 Targeted Versus General Advertising|181
5|6.1.9 Written Email and Voice Data|181
5|6.1.10 Aggregated Data|182
4|6.2 Data Sharing|182
5|6.2.1 Inside Sharing of Data|182
5|6.2.2 Outside Sharing of Data|182
4|6.3 Consent|183
5|6.3.1 Subject to Consent|183
5|6.3.2 Opt-In (Explicit) Consent|183
5|6.3.3 Presumed Consent|183
5|6.3.4 Explicit Consent or Special Permission|184
5|6.3.5 Opt-Out Choice|184
5|6.3.6 No Consent|184
4|6.4 Disclosure of Data|185
3|7 A Response from Practice: Vidal-Hall v Google Inc [2015] EWCA|185
3|8 Conclusions|187
3|References|187
4|Additional Sources|190
2|Big Data, Open Data, Privacy Regulations, Intellectual Property and Competition Law in an Internet-of-Things World: The Issue of Accessing Data|192
3|1 Introduction|193
3|2 The [Intellectual] Property-Law Regulation of Big Data and Its Ecosystem|195
3|3 The Definition of Data|199
3|4 Standards for the Internet of Things, Industrial Internet and IoT Patent Platforms or Pools|202
3|5 The Application of Competition Law|203
3|6 Sector-Specific Regulations and Data-Protection Rules|208
3|7 Conclusion|212
3|References|212
4|Additional Sources|214
2|A Competition-Law-Oriented Look at the Application of Data Protection and IP Law to the Internet of Things: Towards a Wider ‘Holistic Approach’|216
3|1 What Is the Internet of Things?|217
4|1.1 Uses and Application in Contexts|218
4|1.2 Industry Impact and Future Trends|220
3|2 The Role of Law in the IoT|220
4|2.1 Threat to Privacy: Passive Data Transmission|221
4|2.2 Property Interest in ‘Big Data’ and Market Power Based on Data Ownership: The Intersection of Big Data and Antitrust Law|224
3|3 Protecting and Enforcing IoT Technologies Through Intellectual Property Rights|227
4|3.1 Patents|228
4|3.2 Software|229
4|3.3 Trade Secrets|231
4|3.4 Database Protection|232
4|3.5 Technical Protection Measures|232
3|4 The Value of and the Obstacles to Interoperability|234
4|4.1 Legal Tools to Safeguard Interoperability|235
5|4.1.1 Software|236
5|4.1.2 Patents|236
5|4.1.3 Trade Secrets|237
4|4.2 Obstacles to Effective Interoperability|237
4|4.3 Interoperability in the IoT: Competition-Law Issues in the Standardisation Context|238
3|5 Personal Data, Competition and IP Law: Towards a ‘Holistic Approach’?|240
3|6 The Policy Framework for Regulating Standard-Setting in the EU|242
3|7 Conclusion|244
3|References|244
4|Additional Sources|248
1|Part III: Personal Data, Civil Law and Consumer Protection|251
2|Proprietary Rights in Digital Data? Normative Perspectives and Principles of Civil Law|252
3|1 Introduction|253
3|2 Information: Theoretical Foundations|253
4|2.1 Classification of Information and Data|253
4|2.2 Data as Economic Input Factor|255
4|2.3 Data as Legal Input Factor|255
3|3 Legal Treatment of (Personal) Data in Different Fields of Civil Law|256
4|3.1 Inter Vivos|257
5|3.1.1 Property Law|257
5|3.1.2 Intellectual Property Law|260
5|3.1.3 Law of Obligations|262
4|3.2 Post Mortem: Inheritance Law|263
3|4 Interim Conclusions and Outlook|265
3|References|270
2|Personal Data After the Death of the Data Subject—Exploring Possible Features of a Holistic Approach|272
3|1 Introduction: Exemplary Scenarios for the Legal Treatment of Personal Data After the Death of the Data Subject|273
4|1.1 The Inductive Character of a Holistic Approach|273
4|1.2 Cases in Point for Post Mortem Access to Accounts and to Personal Data|274
3|2 Property Law and the Treatment of Personal Data Post Mortem|276
3|3 Intellectual Property and the Treatment of Personal Data Post Mortem|276
3|4 Data Protection and the Treatment of Personal Data Post Mortem|277
3|5 The Right of Personality and the Treatment of Personal Data Post Mortem|279
3|6 Data Portability and the Treatment of Personal Data Post Mortem|280
3|7 Contract Law and the Treatment of Personal Data Post Mortem|280
4|7.1 Exemplary Contract Clauses with Regard to Personal Data Post Mortem|281
4|7.2 Possible Imbalance of Interests and of Bargaining Power in a Contractual Agreement Regarding Data|282
4|7.3 Standards for the Legal Assessment of General Contract Clauses Regarding Data|282
4|7.4 Contractually Imposed Requirements Regarding the Legitimation of Heirs|284
4|7.5 Conclusions on Contract Law and Personal Data After Death|285
3|8 Inheritance Law and the Treatment of Personal Data Post Mortem|285
4|8.1 The Principle of Universal Succession and Formal Requirements|286
4|8.2 Inheritability and the Intangible Character of Personal Data|286
4|8.3 Inheritability and the Private Nature of Personal Data|287
4|8.4 Inheritability of a Personalized Contract?|289
4|8.5 Conclusions on Inheritance Law and Personal Data After the Death|290
3|9 Secrecy of Telecommunications and the Treatment of Personal Data Post Mortem|290
4|9.1 The Original Rationale of Telecommunications Secrecy and Its Three-Step Extension with Regard to OTT Services|291
4|9.2 Possible Exceptions to Telecommunications Secrecy with Regard to the Heirs|292
3|10 Conclusions|293
4|10.1 The Exemplary Case and a Possible Holistic Approach|293
5|10.1.1 Conflict with the Principle of Universal Succession|294
5|10.1.2 The Ratio Legis as Inherent Limitation of Telecommunications Secrecy|295
5|10.1.3 Conflict with Emerging Objectives of the Data Economy|295
5|10.1.4 The Need for Balancing Diverging Constitutional Rights|296
5|10.1.5 The Need to Adapt the Existing Provisions to Formerly Unknown Business Models|297
4|10.2 Possible Features of a Holistic Approach|297
3|References|299
4|Additional Sources|301
2|The General Data Protection Regulation and Civil Liability|302
3|1 Introduction|303
4|1.1 Previous v. New Data-Protection Legal Framework|303
4|1.2 Examples of Data Breaches|306
3|2 Civil Claims According to the Repealed Data Protection Directive and Other Claims|308
4|2.1 Article 23 of Directive 95/46/EC and Its Transposing National Provisions|308
5|2.1.1 Persons Having a Right to Claim Damages|308
5|2.1.2 The Person Responsible for Damages|309
5|2.1.3 Breach, Causality and Fault|310
5|2.1.4 The Requirement for Material Damage (?)|312
4|2.2 Other Tort Claims|313
4|2.3 Contract Breach Claims|315
4|2.4 Some Further Comments on Compensatory Claims|315
4|2.5 Requests for a Court Ruling|316
3|3 Civil Liability Under the New GDPR|317
4|3.1 Introductory Remarks|317
4|3.2 Material or Non-Material Damage|318
4|3.3 Liability of the Controller: Liability of the Processor|319
4|3.4 Joint Liability and the Right to Recourse|319
4|3.5 Persons Having the Right to Claim Damages|320
4|3.6 Presumption of Fault|321
4|3.7 Burden of Proof Regarding Infringement of the GDPR|322
4|3.8 Statute of Limitations and Other Procedural Rules|323
4|3.9 Other Effects of the GDPR|324
5|3.9.1 Effects on the Requests for a Court Ruling|324
5|3.9.2 Effects on Other National Civil Claims|325
3|4 Conclusions|325
3|References|326
4|Additional Sources|327
2|Protecting Children Online: Combining the Rationale and Rules of Personal Data Protection Law and Consumer Protection Law|329
3|1 Introduction|330
3|2 Children as Data Subjects and Consumers Online: Defining Roles and Responsibilities|333
4|2.1 Consumers of ‘Free’ Services?|336
4|2.2 Legally (In)capable Consumers in (In)valid Consumer Contracts?|339
4|2.3 (In)competent Data Subjects?|340
3|3 Beyond the Obvious and Explicit: A Multitude of Raisons D’Être for a Specific Personal Data Protection Regime|341
4|3.1 GDPR and the Lack-of-Knowledge Yardstick|341
4|3.2 Different Online Behaviour, Needs and Privacy Perceptions|342
4|3.3 Particular Vulnerabilities and Immaturities|344
4|3.4 Learning from Consumer Law: Vulnerability as a Legislative Benchmark|345
4|3.5 Critical Understanding and Susceptibility|348
3|4 Combining the Safeguards of the Personal Data and Consumer Protection Regimes… Benefiting Children?|350
4|4.1 Child-Adapted Transparency|352
5|4.1.1 Personalised Information|353
5|4.1.2 Information in Symbols|354
5|4.1.3 Participatory Transparency|357
4|4.2 Fairness|358
5|4.2.1 Fairness in Data Protection|359
5|4.2.2 Consumer Protection and Fair Data Gathering and Use|360
4|4.3 Services Offered Directly to Children|362
4|4.4 Defining an Average Child|364
3|5 Conclusions|365
3|References|366
4|Additional Sources|371
2|Personal-Data and Consumer Protection: What Do They Have in Common?|374
3|1 Premises|375
3|2 A Weaker Subject to be Protected|375
3|3 Similar Regulatory Techniques for Data-Subject and Consumer Protection|376
3|4 Information Requirements for Contracts and Data Processing|378
3|5 Withdrawal from the Contract and Withdrawal of Consent: The Same Rationale?|382
3|6 Jurisdiction Rules: An International Scenario|383
3|7 Data Processing and B2C Contracting in the Global Market|385
3|8 Two Emerging Critical Issues to be Settled|387
3|References|388
4|Additional Sources|389
1|Part IV: Personal Data, IP, Unfair Competition and Regulation|391
2|The Right to Data Portability and Cloud Computing Consumer Laws|392
3|1 Cloud Computing Services|392
3|2 Cloud Services Contracts|394
3|3 The Standardisation Process of Cloud Service Contract Clauses|395
3|4 Lock-In and Right to Data Portability|398
3|5 The Well-Being of the Consumer Through a Holistic Legislative Approach|400
3|6 Conclusions|402
3|References|403
2|The Interface Between Data Protection and IP Law: The Case of Trade Secrets and the Database sui generis Right in Marketing Operations, and the Ownership of Raw Data in Big Data Analysis|406
3|1 Introduction|407
3|2 Personal Data Processing for Commercial Purposes|408
4|2.1 Direct Marketing|409
4|2.2 Profiling|409
4|2.3 Customers’ Data Assignment|410
3|3 Protection of Personal Data Processed for Commercial Purposes as Trade Secrets|411
4|3.1 The Legal Regime of Trade Secrets Within the EU|411
4|3.2 Datasets of Customers’ Information as Protected Trade Secrets|412
4|3.3 Trade Secret Requirements in the Trade Secrets Directive and Protection of Business Information Under Italian Case Law|413
4|3.4 Customers’ Personal Data as Trade Secrets|416
3|4 Protection of Personal Data Processed for Commercial Purposes Under the Database sui generis Right|417
4|4.1 Database Right in Sets of Customers’ Personal Data|420
3|5 The Interface Between Data Protection and Intellectual Property|422
3|6 Ownership of Raw Data in Big Data|423
3|7 The Case of Cloud and CaaS Solutions|424
4|7.1 Data Protection Aspects|424
5|7.1.1 The Concept of Personal Data|425
5|7.1.2 The Data Controller/Data Processor Relationship|427
5|7.1.3 The Secondary Purpose Exception|428
5|7.1.4 Legitimate Interest|429
4|7.2 Intellectual Property Aspects|430
4|7.3 Towards an Ownership Regime for Raw Data?|431
3|8 Conclusions|434
3|References|435
2|Data as Digital Assets. The Case of Targeted Advertising|439
3|1 Introduction|441
3|2 The European Regulation of Targeted Advertising|449
3|3 European and International Self-Regulation of Targeted Advertising|456
3|4 Profiling, Direct Marketing and Algorithmic Decision-Making in the General Data Protection Regulation|462
3|5 “It’s a Google Market”: Adsense, a Recent Change to the Google Privacy Policy and Related Details|468
3|6 The Use of Digital Assets to Hinder Competition. Facebook and WhatsApp: From the Concentration to the Transfer of the Latter’s User Data to the Former’s IP Portfolio|475
3|7 Conclusions. A More Balanced Approach to Data as Digital Assets and the “Cooperative Charter on Online Behavioural Advertising”|483
3|8 Afterword. Of Chocolate Chips and Lavender Buds|487
3|References|488
2|Binding Corporate Rules As a New Concept for Data Protection in Data Transfers|494
3|1 Introductory Ideas|495
3|2 Economic Aspects of Personal Data|496
4|2.1 Theoretical Background|496
4|2.2 An Example|497
4|2.3 Contractual Aspects|499
3|3 Legal Background of International Data Transfers|501
4|3.1 Current Rules of the Data Protection Directive|503
4|3.2 General Data Protection Regulation and International Data Transfer|505
3|4 Binding Corporate Rules|506
4|4.1 BCRs as Legal Institution|507
4|4.2 Content|507
5|4.2.1 Binding Nature|507
5|4.2.2 Content of Expressly Conferred Enforceable Rights and Other Elements|508
4|4.3 Authorizing Process|509
3|5 SWOT of BCRs|511
4|5.1 About the Method|511
4|5.2 SWOT Chart|512
4|5.3 Evaluation|513
5|5.3.1 Strengths|513
5|5.3.2 Weaknesses|514
5|5.3.3 Opportunities|514
5|5.3.4 Threats|515
3|6 In Conclusion: Bottom Lines|516
3|References|517
4|Additional Sources|518
2|The Power Paradigm in Private Law|519
3|1 Introduction|520
4|1.1 Relevance|520
4|1.2 The Lack and Need of a Holistic Approach|521
4|1.3 The Private Power Approach in Private Law|522
4|1.4 Structure of the Study|524
3|2 Framing Power in Private Law|524
4|2.1 Need to Frame Power|524
4|2.2 Power Concepts|525
5|2.2.1 Causal Forms of Power|525
5|2.2.2 Modal Forms of Power|526
4|2.3 Particular Legal Areas|527
3|3 Power and Personal Data in Areas of Private Law|527
4|3.1 Contract Law|527
5|3.1.1 Subject Matter and Regulation of Power|527
5|3.1.2 Personal Data|529
4|3.2 Consumer Protection Law|532
5|3.2.1 Subject Matter and Regulation of Power|532
5|3.2.2 Personal Data|533
4|3.3 Competition Law|536
5|3.3.1 Subject Matter and Regulation of Power|536
5|3.3.2 Personal Data|538
4|3.4 (Intellectual) Property Law|544
5|3.4.1 Subject Matter and Regulation of Power|544
5|3.4.2 Personal Data|545
4|3.5 Data Protection Law|547
5|3.5.1 Subject Matter|547
5|3.5.2 Data Protection from a Power Perspective|548
5|3.5.3 Implications|552
4|3.6 Anti-Discrimination Law|552
4|3.7 Going Beyond: Power of Opinion as a Subject of Media Regulation|555
3|4 Findings and Implications|556
4|4.1 Towards a Holistic Approach|556
4|4.2 Descriptive Findings and Implications|557
5|4.2.1 Micro-Level: Changes in Areas of Law|557
5|4.2.2 Meso-Level: Power and Regulation|558
6|4.2.2.1 Observations on the Concepts of Power|558
6|4.2.2.2 Implications for Regulation|559
5|4.2.3 Macro-Level: Power Theory|560
4|4.3 Normative Implications|561
5|4.3.1 Normative Yardstick for Regulatory Intervention|561
5|4.3.2 Implications for Regulating Personal Data|562
3|5 Summary|563
3|References|565