The digital era is redefining what we consider valuable: without (too much) exaggeration, we can assert that today personal data have surpassed gold and currency in their value. At the heart of this revolution is an expanding phenomenon: giving consent for the use of one’s data has become the entry ticket to the world of free online services. In this article, we address the mechanism of personal data exchange, a trend rapidly emerging as the norm in digital commerce.
It is increasingly common for consent to the processing of personal data to be required as a condition for accessing digital goods or services. This economic model is evident in services such as search engines (e.g., Google), social networks (e.g., Facebook, TikTok, Instagram), and instant messaging platforms (e.g., WhatsApp). Users must accept terms and conditions that include consent for the processing of their personal data, even for purposes not essential to the service, such as profiling for advertising purposes.
As a result, although the service appears to be free, in reality, the user pays with their data, which can in turn be sold by the service provider to third parties.
This type of agreement presents complex issues related to the legality and admissibility of „exchanges“ of personal data in exchange for goods and/or services. Criticisms have also been raised by the Italian Data Protection Authority, which examined the initiative of various online newspaper and website that have implemented initiatives aimed at conditioning access to content on the subscription to a subscription (so-called paywall) or, alternatively, on the user’s consent to the installation of cookies or other tools for tracking personal data (so-called cookie wall).
Right to privacy as a personality right
To understand the issues arising from the phenomenon of data commercialization, consider that the right to privacy – as well as the right to physical integrity, name, and image – falls within the cluster of personality rights, which are traditionally considered non-proprietary, inalienable (both for inter vivos acts and for death), and imprescriptible, with the consequence that besides having strictly non-proprietary character, they cannot be transferred by contract. In fact, by law, the contract can only have as its object relationships of a proprietary nature (cf. Article 1321 of the Civil Code), resulting in the non-marketable nature of rights that have non-proprietary character.
In the matter of non-proprietary rights, different autonomy instruments can, however, operate, such as – for example – the consent of the entitled party (cf. Article 50 of the Penal Code), which constitutes a unilateral act capable of making intrusions into the individual’s private sphere lawful that would otherwise be considered unlawful (e.g., consent to the publication of one’s own image (cf. Article 10 of the Civil Code and Article 96 of the Copyright Law, or even consent to medical treatment, consent to the processing of personal data).
Considering the inalienable nature of personality rights, consent to the processing of personal data assumes a purely authorizing role, rather than a negotiable one, since these rights cannot be the subject of commerce and cannot be transferred by contract. What is exposed, however, finds exceptions in our legal system such as, for example, the moral right of authorship to which a right to the economic exploitation of the image and also of personality attributes can be associated. It is therefore necessary to ask whether – by analogy – a similar mechanism with reference to personal data is possible, or whether alongside the indisputable right to privacy, it is possible (subject to the consent of the entitled party) to add a proprietary right to the exploitation of personal data, suitable for commercialization and exchange.
If this were possible, it would imply that personal data are now susceptible to being commercialized, thus allowing their economic exploitation without the necessary consent of the individual concerned.
However, it is necessary to consider both the GDPR, which guarantees the right to revoke consent to the processing of data, and consumer contract regulations, which certainly apply to the contracts in question, being for consideration.
Personal data as assets
Reflecting on the possible proprietary nature of personal data, one might wonder if they can qualify as assets, according to the definition of Article 810 of the Civil Code, which identifies as assets things that are capable of forming the object of rights. Based on the above, if therefore a proprietary right to the economic exploitation of personal data is conceivable, it follows that such data can certainly be considered as assets.
It could, therefore, be assimilated the commercialization of personal data to the commercialization of the proprietary right of authorship, or even, to the economic exploitation of the image: it must be noted, however, that in this context, the „consideration“ for access to digital services or goods is not monetary, but consists of consent to the processing of personal data, which becomes the consideration for the provision of digital services or goods.
Marketability of personal data and consent under GDPR
A first order of difficulty arises with reference to consent to the processing of personal data. On the one hand, the GDPR indeed subordinates the processing of personal data to the consent of the entitled party (cf. Article 6, paragraph 1, letter a, GDPR), subjecting it to certain conditions (cf. Article 7 GDPR), on the other hand, consent is also an essential element of the contract (cf. Article 1325 of the Civil Code). Therefore, two possible scenarios arise:
- considering that the GDPR and the contract operate on separate planes implies that, in any case, the fundamental assumption of the contract is the consent to the processing of personal data. This leads to the possibility of two distinct consents: one relating to the processing of data and one relating to the contractual exchange. Each of them will be subject to its own regulations regarding the prerequisites and validity. In such a case, however, the revocation of consent to the processing of personal data would be capable of overturning ex nunc the contract by virtue of the principle „simul stabunt, simul cadent“;
- considering that the GDPR and the related contract are based on a single act, based both on the discipline of the data protection regulation and on the discipline of the contract in general.
What is exposed above, however, entails the need to observe multiple aspects relating to the relationship between interested consumers and the marketability of their personal data, in particular:
- the need to coordinate the discipline of the contract (specifically, the special provisions regarding consumer rights) with consent to the processing of personal data under the GDPR, which – as known – conditions the possibility of processing personal data to the consent of the entitled party (cf. Article 6, paragraph 1, letter A), GDPR);
- the issue of legal capacity, since the civil code establishes that this is acquired upon reaching the age of eighteen (cf. Article 2, paragraph 1, c.c.), while under Article 8 of the GDPR, consent to the processing of data can be provided from the age of sixteen; unless national legislators set a lower age limit (in Italy, this limit has been lowered to 14 years), provided that it is not less than 13 years;
- although often considered to be free services, they are generally onerous contracts, characterized by a mutual exchange of performances: therefore, in addition to the GDPR regulations, the provisions regulating consumer contracts also apply; with the consequence that clauses creating a substantial imbalance between the rights and obligations to the detriment of the consumer may be declared null and void;
- the individual’s right to revoke consent to data processing at any time, which entails (a) the cessation of the service provided by the individual and (b) the potential dissolution of the contractual agreement.
It is essential for the Data Protection Authority to intervene with clear directives regarding the sale of personal data. The current landscape presents significant challenges such as ensuring privacy, ensuring consent is based on complete information, and improving transparency in data exchange processes. To balance economic progress with the protection of individuals‘ rights, a common commitment and the adoption of appropriate regulations are necessary.
