In an audit it conducted at the end of last year, the Irish Data Protection Commissioner said of a certain online service:
“…we examined [its] practices and policies related to the extent to which [it] uses personal data of users to target advertising to them. [It] provides a service that is free to the user. Its business model is based on charging advertisers to deliver advertisements which are targeted on the specific interests disclosed by users. This basic “deal” is acknowledged by the user when s/he signs up…”.
The service referred to is Facebook. As part of the “deal”, the user doesn’t pay “money” to use Facebook, instead the user “pays” by providing Facebook with his/her personal data. The user’s personal data has a “value” because Facebook can monetise it by charging advertisers to target ads based on that personal data.
The first thing to note is that, broadly speaking, for the purposes of European data protection law, there’s nothing unlawful, in principle, about a model based on this kind of “deal”. Likewise, the Irish Commissioner concluded it was legitimate to target ads based on interests disclosed by users in their “profile” information or inferred from users’ activity on the service (e.g. by “liking” things). This is assuming, according to the Irish Commissioner, that users are “made fully aware, through transparent notices, that their personal data would be used in this manner to target advertisements to them.”
The second thing to note is that this kind of deal is, of course, not just operated by Facebook. The web is swamped with online services based on this business model. Any consumer who has used the web will have entered into this kind of deal with an online service provider many times.
From a legal perspective, this kind of “deal” is regulated by, amongst other things, a combination of data protection laws such as the UK Data Protection Act 1998 (DPA) (because it involves the processing of personal data) and contract law (because the user signs up to online terms and conditions). However, it seems that, increasingly, these types of “deals” draw parallels with transactions involving the licensing of intellectual property regulated by statutes such as the UK Copyright Designs and Patents Act 1988 (CDPA).
Take copyright as an example. It’s a very basic principle that copyright works “belong” to their owners. It’s specifically contemplated by the CDPA that a copyright work is a monetisable asset. The CDPA explicitly states that a “licence” is needed from the copyright owner in order to do certain “restricted” acts. The logic for this seems clear: Money can be made from doing the restricted acts, so it would be unfair if the restricted acts could be done without the owner’s permission. There are, of course, various exceptions in the CDPA where a licence isn’t required (e.g. research and private study, or incidental inclusion etc). However, broadly speaking, these exceptions all cover circumstances where the intellectual property isn’t being monetised.
Data protection law, however, isn’t conceptualised on the basis that data subjects “own” their personal data (i.e. that personal data is “property”). Likewise, unlike for intellectual property, the rights we have in relation to our personal data aren’t constructed on the basis that we have the exclusive right to make money out of data which relate to us. The point of data protection law is that we have the right for our privacy not to be abused through the use of our personal data. That’s why it’s called data “protection” and not data “property”.
Nevertheless, it’s interesting that, whilst the “deal” falls under the remit of the DPA as opposed to the CDPA, in practice, we come out with a similar net effect: I “licence” you my personal data so that you can monetise it. Under this parallel, the personal data is like the copyright work, the data subject (i.e. the user) is like the owner/licensor, the data controller (i.e. the online service) is like the licensee, and the targeting of ads is like the permitted use under an IP licence.
The above parallel assumes that consent (i.e. a “licence”) is required to process personal data. This is where the parallel breaks down a bit because consent is only one of several possible conditions which can legitimise the processing of personal data under the DPA. For example, under Schedule 2 to the DPA, subject to various other conditions, processing can be done without consent if there’s a “legitimate interest” in processing or if the processing is necessary for the purposes of performing a contract.
There’s also the issue of damages. Copyright owners can claim damages or an account of profits where their copyright has been infringed. Under the DPA, individuals are entitled to compensation, however, there are generally very few claims by individuals and they tend to be limited to situations where the individual suffers distress as a result of the breach.
The idea behind the award of an “account of profits” under an IP infringement claim is so that a party infringing another party’s IP, won’t be unjustly enriched by doing so. The concept of an account of profits doesn’t exist under UK data protection law. However it’s interesting to note that this is something which has been considered in the context of privacy cases involving the misuse of private information (such as Douglas v Hello). Given the increasing monetisation of personal data and the proliferation of online services which use the “deal” as their model, I wonder whether we’ll ever see data protection law evolve so that business models such as the “deal” and the potential for monetisation of, and making a profit from, personal data are brought more clearly within its scope. How much are our names worth anyway?