Beyond consent: improving data protection through consumer protection law

As a result of datafication (the generation and acquisition of personal data from automated processes), consumers’ activities generate large data streams. Analysis of these streams reduces privacy and shifts power towards data controllers. Consumers often contractually agree to this analysis of their data, but their autonomy can be questioned: the agreements often contain non-negotiable terms unilaterally drafted by data controllers. Consumer protection law can alleviate this power shift towards data controllers, but only if EU member states increase their enforcement efforts.


INTRODUCTION
Big data is shifting power away from consumers and data subjects towards data controllers. In a legal sense, natural persons often act as both a consumer and a data subject at the same time.1Controllers have come to collect data and metadata on an increasing number of common consumer activities like personal communications, online behaviour, shopping, banking and public transport -a trend known as datafication (Mayer-Schönberger & Cukier, 2013, p. 29).
The Internet of Things (IoT) will soon generate even more data (ITU-T, p. 1). The collection and analysis of big data streams can amount to consumers' permanent surveillance. This gives controllers the power to influence consumer behaviour through dynamic or discriminatory pricing, filter bubbles or subtly influencing individual decisions (nudging).
Big data's power shift has a significant privacy and data protection dimension. According to "Zimmermann's law",2 this happens by virtue of technological progress alone (Malik, 2013).
Data is also evolving into new currency. Increasingly, data controllers offer services like games and social networking not for money, but in exchange for the right to collect and use personal data. Consumers often enter these "privacy contracts" (Verhelst, 2012, Chapter 3) if they want to enjoy a service seemingly for free, but even paying customers are not safe from this practice (Perlroth, 2015). Nevertheless, the recently accepted General Data Protection Regulation (GDPR [PDF]) mentions consumer protection only once (Council of the European Union, 2016, p. 24 and note 1). Similarly, the European Commission's 2012 proposal for a consumer agenda mentions data protection efforts only in passing (2012a, pp. 3-4). The European Data Protection Supervisor, however, has stated that consumer protection law has a part to play in data protection, especially on the subject of transparency (2014, p. 2).
EU data protection law has facilitated the aforementioned power shift since the introduction of the 1995 Data Protection Directive (DPD).3 It allows the collection and use of personal data based on consumers' consent, or if it is "necessary for the performance of a contract to which the data subject is a party". The GDPR contains a similar provision.4 Compliance with the directive is then rewarded with the right to freely move this data within the European Union and to some other jurisdictions.5 These provisions seemingly empower data subjects, but data subjects acting as consumers lack effective participation options in the market (Rhoen, 2015, p. 65). They can hardly avoid privacy contracts: almost all banks, software and hardware vendors, social networking sites, digital content services, retail loyalty programmes and telecommunications providers employ them.
The difficulties consumers face when invoking fundamental rights in court complicate matters further: privacy law does not clearly describe a minimum level of privacy that should always be maintained; instead, it provides criteria for the balancing of individual privacy against other interests. As a result, it does not offer simple rules for courts to decide cases. Claiming damages for privacy breaches is hampered by the fact that consumers "give it away in exchange for so little" (Schneier, 2015, Chapter 14).
If data controllers become too powerful, the validity of consumers' and data subjects' consent or their autonomy when entering into privacy contracts can be questioned. Therefore, controllers' increasing power should not remain unchecked. Analogous to the notion of due process in United States law, Gutwirth and De Hert have seen the application of three requirements that serve as checks on the unlimited exertion of power: participation, transparency and accountability (Citron, 2007(Citron, , pp. 1256(Citron, -1257Gutwirth & de Hert, 2001, nos. 12-13). In western societies, many safeguards of fundamental rights at every level of government, for example the protection of suspects in criminal proceedings, can be "decomposed" into these three requirements.6 Now that privacy contracts and datafication give private companies capabilities similar to those of police, prosecutors or national security agencies when it comes to data collection and use, these requirements and their effects on the underlying power dynamics have also become relevant in contractual relations.
Barnett and Duvall define power as "the production, in and through social relations, of effects that shape the capacities of actors to determine their circumstances and fate" (2005, pp. 39, 45-57). They refine the concept further by qualifying the expression of power (either through interaction or constitution) and the specificity of the social relations through which it works (either direct or diffuse).7 Using this conceptualisation of power, this contribution examines the following research question: Can consumer protection law assist in attenuating the shift in power from consumers to data controllers caused by big data?
The following sub-questions will help to answer the research question: -How does big data cause power to shift?
-Are data protection and privacy law effective in preventing this shift?
-What opportunities does EU consumer protection law offer for addressing the shift?
In answering the main question, this article considers only cases where a natural person is both a data subject and a consumer at the same time. The text references the final text of the GDPR unless otherwise specified.

HOW BIG DATA SHIFTS POWER TOWARDS DATA CONTROLLERS
Data controllers use their existing structural power over data subjects in the contracting phase to increase their institutional power after the contract is concluded. Structural power (expressed through constitution in direct social relations) follows directly from the roles actors play, i.e. the roles of suppliers and consumers in the market, and enables the powerful party to limit the capacity of the less powerful party to act in their own best interest. Institutional power (expressed through interaction in diffuse social relations) is the power differential resulting from "constraint(s) that human beings devise to share human interaction" (Barnett & Duvall, 2005, pp. 51-55;North, 1990, p. 4).
In the contracting phase, structural power expresses itself in the market as a lack of bargaining power on the consumer side, resulting in non-negotiable terms (Océano Grupo Editorial SA v Roció Murciano Quintero and others, 2000, para. 25). This reduces consumers' party autonomy and therefore touches on a key element of private law in Europe (Study Group on a European Civil Code & Research Group on EC Private Law (Acquis Group), 2009, p. 123). The root cause of this smaller bargaining power is asymmetric information. For consumers, the cost of information per contract is higher than it is for data controllers, mainly because the controllers unilaterally draft the privacy contracts and reuse them many times. This has led Gomez to state that the primary goal of consumer protection law is to overcome information asymmetries (2004, p. 193 ff; see also Slawson, 1970, p. 544). This higher cost of information, in turn, can be explained by analysing the dynamics of market participation (cf. Komesar, 2001, p. 30). The uneven distribution of the costs of information and organisation favours data controllers when consumers and controllers decide on contract terms. Individual consumers usually lack expertise and have little to gain by pooling their resources to negotiate a better deal on privacy in each separate contract.
Data controllers then use this structural power to increase their institutional power. As noted before, collection and use of personal data is lawful insofar as a data subject has consented to it, or if the processing is necessary for the performance of a contract. If the consumers' consent allows for their permanent observation, the data controller has obtained a method of exerting power over the consumer (Bentham, 1787, p. Letter I;Schneier, 2014). Analysis and actual use of the data further increase this power. If the consumer has agreed to contract terms allowing it, the controller can then grant this power to third parties by using his right of free movement of data. Some of the largest of these third parties, data brokers, are not dealing with consumers directly; this makes the scale of the collection and use of their data less transparent to consumers (Federal Trade Commission, 2014, p. 46).
The increase in institutional power can express itself in many ways. Exposing a data subject to targeted advertising is an example of a subtle form of control: a data subjects' deeply personal characteristics can be gleaned from seemingly innocuous data. Such advertising is designed to appeal to personal desires which, although deeply and individually felt, are common to most people and therefore easily discovered (Packard & Miller, 2007, Chapter 7). The time frame and context in which these desires come into play in a consumer's life can become apparent by analysing data collected under privacy contracts and comparing it to previously determined patterns in a larger population (using "machine learning"). For example, a controller may determine whether someone is pregnant by observing a change in their buying patterns (Duhigg, 2012).
At least one possible effect of this increased institutional power is the further increase of data controllers' (already larger) structural power, for example, if loans to data subjects living in certain neighbourhoods only become available at discriminatory rates. In this way, the power shift could worsen the existing marginalisation of groups of people (Crawford & Schultz, 2014, pp. 99-101;Dwork & Mulligan, 2013, pp. 36-37).8Finally, the resulting power shift may allow controllers to leave consumers in the dark about the effectiveness of security measures against unlawful processing.

DATA AND PRIVACY PROTECTION LAW DO NOT PREVENT THE POWER SHIFT
EDRi (European Digital Rights), an EU-based advocacy group, asserts that the EU has a "strong, comprehensive and enforceable privacy protection framework" (EDRi, 2013, p. 1 [PDF]). This framework consists of EU data protection law (currently the Data Protection Directive, soon to be replaced by the GDPR), the Charter of Fundamental Rights of the European Union, national human rights law and the European Convention on Human Rights. Article 5(1) of the GDPR establishes a number of firmly worded principles governing the processing of personal data such as: lawfulness, fairness and transparency, purpose limitation, data minimisation, storage limitation and accountability. Article 6(1) limits the number of grounds for lawful processing. If performance of a contract depends on consent, article 7(4) stresses the need to carefully consider whether consent was freely given. Data subjects have the right not to be subjected to profiling (art. 21 (1)). Controllers must use principles like "data protection by design and by default" (art. 25). And of course, the Strasbourg and Luxembourg courts guard over fundamental rights, including the right to privacy.
But the complex reality of both data protection and privacy law makes these legal protections less effective. Privacy as a human right is a complex issue because every case is different; the European Court of Human Rights in Strasbourg can only decide individual cases based on all relevant facts, in complex and long proceedings requiring expensive legal representation and thus being not very accessible to individuals. Data protection law seems more easily applicable on its face, because it regulates data controllers' behaviour directly to ensure privacy (de Hert & Gutwirth, 2009, p. 44). But these formal requirements contain very complex standards aimed at specialised operators, intended to be enforced by specialised government agencies (Data Protection Authorities or DPAs). This is not necessarily a shortcoming of the GDPR: regulating controllers' behaviour is one way of keeping the GDPR enforceable, effective and relevant as technology progresses.
Even so, this complexity, combined with the increasing number of privacy contracts, makes consumer participation more difficult as it can make the effects of the GDPR unpredictable for consumers (Komesar, 2001, p. 28 Storage limitation only applies when identifiable data is kept on hand for "longer than is q necessary" (art. 5(1)(e), GDPR). However, the drafter of a privacy contract can unilaterally define the purpose and the necessity. To discover what this principle means in a specific context, consumers need to carefully examine all contracts they enter, which they often do not (Bakos, Marotta-Wurgler, & Trossen, 2014, pp. 20-21, 31); Purpose limitation itself is limited: if a controller wants to reuse personal data previously q collected for a different purpose, he "shall" take into account a number of complex factors, including the terms of the privacy contract itself (art. 6(4)(b)); Opaque contextual parameters, such as "appropriate technical and organizational measures" q determine the accountability of controllers and the "protection by design and by default" requirement (art. 24(1) and 25 (1)); Data protection impact assessments and data breach notifications should be carried out if q there is a "high risk to the rights and freedoms of natural persons" (articles 34 (1), 35 (1)) but what constitutes a high risk is left undefined; Consumers enter into agreements and give consent in very simple or almost imperceivable q ways. Ticking one of the ubiquitous "I agree" boxes on a website, and even the state of "technical settings for information society services", such as arcane browser or device settings can constitute consent (recital 32). The right to object to profiling may not apply in these cases (art. 21 (1)).
Finally, the complexity of data protection law encourages consumers to rely on enforcement by q DPAs. But that DPAs fall short in enforcing existing data protection is apparently an "open secret" (Moerel, 2014, n. 110). If consumers are unaware that enforcement is lacking, this reduces transparency for consumers as well as accountability for controllers.
Another reason for privacy and data protection law's reduced effectiveness for privacy contracts is the fact that the ECHR was originally drafted to protect citizens against their governments in the aftermath of World War II. That the ECHR governs relations between citizens, including contractual relations, has been established in case law but states have a very wide margin of appreciation -wider than in cases against governments (Rhoen, 2015, p. 66). Whether the Charter of Fundamental Rights of the European Union applies to contractual relations seems doubtful at the moment (Frantziou, 2015, p. 671).
Finally, data protection and privacy are not the only fundamental rights recognised in Europe.
Freedom of contract, party autonomy and freedom to conduct a business are also covered by fundamental rights.10 A consumer's or controller's appeal on these rights may be used to make permanent observation through privacy contracts lawful. For example, if a consumer enters into a loyalty programme, he "performs" by allowing collection and analysis of personal data, whilst the controller performs by proposing "personalized offers" by him and "selected partners" according to art. 6(1)(b). Based on the term "personalized", a controller can arguably justify collecting data for as long as the contract exists, and on anything that can assist in further segmenting the market to further personalise his offerings. Common (and legal) business practices such as tying (offering two different contracts in one transaction, e.g. one for a "regular" service and another for the processing of personal data) further expand these possibilities.
In short, any practical effect of data and privacy protection law on the power shift associated with big data is reduced by the fact that both work through complex standards instead of simpler rules (Schlag, 1985, pp. 381-390). This complexity, together with the increasing number of privacy contracts, reduces transparency and the opportunities for participation for consumers as well as accountability for data controllers.

CONSUMER PROTECTION LAW CAN HELP SHIFT POWER FROM DATA COLLECTORS TO CONSUMERS
If a data subject is also a consumer, the European Union aims for a "high level of protection" of his economic activities.11 The object of protection of consumer protection law is similar to that of data and privacy protection law: they both aim to protect the autonomy of the natural person (in the market for consumer protection; in a moral sense for data and privacy protection) (Gomez, 2004, p. 193 ff;Nissenbaum, 2009, p. 81-84). But the concept of protection for consumers is clearer. Where privacy and data protection law involve complex balancing of interests in an endless variety of contexts, consumer protection specifically aims to address power differentials based on information asymmetries in the market. Because of this specific applicability, applying EU consumer protection law to privacy contracts could help shift power back to consumers by improving participation and accountability. This follows from two features of EU consumer protection law: the scope of the fairness criterion and opportunities for participation.
Firstly, the scope of the fairness criterion is wider in consumer protection law than in data protection law. Applying consumer protection law would therefore increase the accountability of data controllers. This follows from the legal texts themselves.
The GDPR, as previously noted, mainly considers the processing of personal data unfair if it happens in secret or if profiling methods are faulty.12 This is the basis for the GDPR's extensive disclosure requirements.13 And indeed, mandatory disclosure is also an important regulatory technique in EU consumer protection law. But the resulting transparency is not enough to address substantive unfairness (Weatherill, 2013, p. 92-93). Therefore, in consumer protection law, fairness instead applies to the terms of the contract and to the way the consumer is Consumer advocacy groups have been giving guidance on their application, and taking offenders to court, since they came into force (Bultmann, 2008, no. 14;Verbraucherzentrale Bundesverband, 2013).
Applying consumer law's fairness criterion to privacy contracts can expand the accountability of data controllers when compared to only applying the GDPR. Consider the hypothetical case of a provider of a smartphone app enabling the user to use his camera flash LED as a flashlight (see Vincent Fleming, 2013). The provider could present an agreement in which he grants the consumer a license to use the app in return for which the consumer allows the provider, acting as a data controller, to collect location and usage data to provide advertising for as long as the app is installed.
In terms of data protection law, this case could arguably be made GDPR-compliant by presenting all the relevant clauses and obtaining agreement to them in exchange for a software license. Applying article 7(4) of the GDPR, containing a criterion for determining whether consent is freely given, may not improve matters for the consumer. Because the data collected is not one of the special categories of data as defined by article 9(1), explicit consent may be unnecessary. "Necessary for the performance of the contract" probably suffices to make the processing of personal data lawful, because the criterion of necessity is interpreted in the light of the clauses in the contract. Party autonomy dictates that consumers are free to perform their part by offering their personal data, even if this data is not necessary to turn a phone's LED on or off.
However, such a case would almost certainly violate art. 3, UTD. Allowing surveillance in exchange for the ability to switch an LED on or off seems like such a bad deal, that the "requirement of good faith" has probably not been met. Depending on how the app was advertised, offering the app under these conditions could also be called misleading according to article 6(1)(a) of the Unfair Commercial Practices Directive, insofar as it presents an offer with data protection relevance as a standard software license agreement -especially since consumers hardly ever read software licenses.
Secondly, consumer law offers better participation options than the GDPR when seeking a remedy in court or before an administrative authority. This is often burdensome for consumers, especially against an opponent with large resources (Galanter, 1974). Limited individual stakes in the outcome of costly proceedings may discourage him from bringing a matter to court.
Article 11(1) of the Unfair Commercial Practices Directive and 7(2) of the Unfair Terms Directive state that EU member states "shall ensure" that consumer rights organisations can bring an action before the national courts. This allows consumers to pool resources, reducing the cost of information and participation; it also allows consumers to build on previous organisation efforts, reducing the cost of organisation. This improves the dynamics of participation for consumers (Komesar, 2001, p. 30). The GDPR does not require member states to allow complaints by advocacy groups, it merely allows them to do so (art. 80 (2)).17 A more indirect way in which consumer protection law offers better participation options stems from the treaties establishing the EU and the levels of harmonisation within the EU that follow from them. EU data protection law is based on conferral of competence by the member states, whereas consumer protection law is based on shared competence.18 As a result, member states cannot increase the level of protection that EU data protection law provides unless it is expressly allowed, whereas for consumer protection law this is possible unless it is expressly forbidden (Bodil Lindquist, 2003, paras 96-67;European Commission, 2012b, pp. 5-6).19 This can help consumers: for them, participation in legislation efforts is much harder at the EU level than at the national level (Rhoen, 2015, p. 65).
Thus, applying consumer protection law to privacy contracts can increase accountability for data controllers and offer better participation options for consumers. Both effects will decrease the institutional power of data controllers in favour of consumers.

CONCLUSION: IMPROVE ENFORCEMENT OF CONSUMER PROTECTION LAW
When compared to the GDPR, existing EU directives regarding unfair contract terms and unfair commercial practices can increase the accountability of data controllers and offer more effective participation options for consumers. This is important in addressing the increase in institutional power that data controllers stand to gain from big data.
However, this possibility can only materialise if consumer protection law is effectively enforced.
Determining the effectiveness of the current enforcement regime is not easy, but in 2012 the Commission claimed that "(r)edress and enforcement mechanisms need to be further improved" and launched the European Consumer Agenda, partly to achieve this. The commission also identified perceived low individual stakes as one of the reasons why consumers often do not seek redress (European Commission, 2012a, sec. 3.4). Apparently, lack of effective enforcement and low individual stakes similarly affect the effectiveness of both consumer protection and data protection law. Under these circumstances, expecting beneficial effects from applying consumer protection law without increasing enforcement efforts can only lead to disappointment.
Ensuring proper coordination between national and European authorities for data protection and consumer protection may also be needed. Having two or even more competent authorities in each member state on the subject of privacy contracts may not have any beneficial effect if this joint competence leads to indecision, turf wars or other intra-governmental inefficiencies.
At the same time, very strict enforcement has its own risks and limits. The power shifts associated with big data are too complicated to be addressed only by applying consumer protection law to privacy contracts. Yes, putting consumers under surveillance will become easier with time according to Zimmermann's law.20 But big data is also driving important innovations and, in an important way, datafication is the price we pay for automation. Billing, correction of errors and malfunctions, and detection of hacking and crime all rely on data generated by automated processes -"It's impossible to overstate the importance of logging" (Prevelakis & Spinellis, 2007). Any well-intentioned effort to suppress the creation, storage and analysis of event logs -in other words, to suppress datafication -could disempower both consumers and data controllers, as it takes away their opportunity to construct or counter evidence of mistakes or wrongdoing.21 Data streams are also becoming a way of personal expression, e.g. in the "quantified self" movement, which means that curtailing their creation and use can interfere with yet another fundamental right (Nafus & Sherman, 2014). Addressing big data's power shifts by narrowly focusing on privacy contracts can cause unforeseen power shifts all by itself.
Nonetheless, spirited enforcement of consumer protection law for privacy contracts seems like the way forward. Both the Unfair Terms Directive and the Unfair Commercial Practices Directive offer open norms with ample possibilities to develop a nuanced approach. Controllers who necessarily have access to data streams on many aspects of consumers' lives, like banks and telecommunications providers, should probably be prevented from seducing consumers to allow permanent observation all too easily. On the other hand, consumers should have a reasonable amount of freedom to enter into contracts with providers of specialised data-intensive services.
A nuanced approach has a lower risk of negatively affecting related fundamental rights and halting innovation, than blanket bans on the generation, storage and use of data. Of course, improving the enforcement of data protection law will also help.
Increasing enforcement efforts will certainly have a cost. Member states will have to provide additional funding; they also need to strengthen co-ordination between consumer-and data protection authorities, both at the national and the EU level. It may also be necessary to improve the dynamics of participation for consumers. For example, targeted subsidies for consumer and privacy advocacy groups at the national level, aimed at representation both in civil society and in court, could somewhat offset consumers' costs of information and organisation. This would complement similar subsidies at the EU level in member states that do not currently subsidise these efforts.22 But the benefits may very well outweigh the costs. The more consumers feel their privacy really is protected and enforceable, the faster industrialised societies can collectively benefit from datafication. Addressing the power shift associated with big data will therefore be an important part of Europe's economic future.