
Strategies of consumer protection of privacy in internet communication

In the document Economic Analysis of International Law (pages 120-124)

Evolving Law and Economics of Internet Privacy in the Evolving Technological Environment

C. Strategies of consumer protection of privacy in internet communication

I. The appropriate scope of paternalism in the law

From a rational choice perspective, it would be easy to dismiss every sort of paternalism concerning the disclosure of personal data. But the picture changes if we take into account bounded rationality, framing effects and context dependency, hyperbolic discounting and other behavioural biases27 which hinder rational decision making regarding privacy. To overcome such tendencies, regulatory measures against information asymmetry are necessary but not sufficient. This is even more the case considering external effects on freedom in social interaction in general (as mentioned above); such effects can be accelerated by peer pressure or even herd behavior in social networks like Facebook, etc. The problem further increases when dealing not with adults but with young people.

Because the protection of privacy is a necessary prerequisite of the free enhancement of one’s personality, it would be wrong to label every paternalistic approach outright as “anti-freedom”. Certainly, a strong form of paternalism would neglect that it is an essential part of liberty to individually and freely balance costs and benefits of disclosure of private information. But a weaker “libertarian paternalism”28, which only frames the balancing process to enhance rationality, is in accordance both with the insights of bounded rationality and the doctrine of the fundamental right to privacy.29

26 For a discussion of the means to ascertain the “value of privacy” to individuals, see Acquisti et al. (2009).

27 See in general, in the context of cost-benefit-analysis, Sunstein (2005), 65–69; Adler/E. Posner (2006), 124–153.

28 Sunstein/Thaler (2003); Thaler/Sunstein (2008), similar Camerer et al. (2003); more sceptical because of the difficulties to distinguish this approach from “stronger” paternalism Schäfer/Ott (2010), chapter 4.3.1.

29 Compare Acquisti (2009), describing the benefits of a soft paternalistic approach of “nudging” privacy; Tene/Polonetsky (2012), 347, citing Thaler/Sunstein (2008), 1–4.

II. Judging legislation on internet privacy from this perspective

Legislative measures must – first of all – reduce transaction costs for protecting private information taking into account the framing effect and other features of consumers’ bounded rationality. In accordance with libertarian paternalism there should be a strict regime of data protection in general with the opportunity to waive this protection by positive action. Therefore, the opportunity for opting-out might not be sufficient. Prior consent in data processing as a form of opting-in is necessary, if data processing is more than minimally intrusive and not clearly socially desirable.30 In addition, measures have to be taken to overcome the information asymmetry so that an informed consent is really possible. Too much information is not enough information. Therefore, the information about storage and usage of personal data should be accompanied by a short and easy-to-read summary, preferably using standardized symbols.31 The last proposal has been broadly discussed – but unfortunately not realized – for disclosing nutritional values of food;32 the arguments are nearly the same. In more general terms: If the way notice is given takes into account cognitive limitations then transparency can be both a means for achieving consent and an independent policy goal which serves personal autonomy and dignity.33

Second, specific legislative safeguards are necessary to limit the scope of data processing even after collecting data on the basis of an informed consent. Thus, there should always be a right to revoke consent for the future (not for the past). The legislator should even think about a general time limitation for such a consent,34 so that, unless the consumer has explicitly allowed otherwise (libertarian paternalism!), information in social networks must be deleted after a certain period35 – which of course might not hinder the fact that such information might be still accessible somewhere else on the internet. A change of purpose for using and processing of data must be forbidden without a special (second) consent for this.

30 See Tene/Polonetsky (2012), 341; compare furthermore ibid., 334, noting that the decision between opt-in or opt-out, which requires a value judgement, determines the level of privacy protection as well as the fate of entire business models.

31 For a detailed discussion of “non-linguistic notice”, “privacy nutrition labels” and “behavioural tracking icons” see Tene/Polonetsky (2012), 344–346 with further references.

32 For some aspects of the discussion see Behnsen (2009); Sosnitza (2010); in the U.S. compare Kelley et al. (2010); Hill (2011).

33 Tene/Polonetsky (2012), 343, citing Calo (2012).

34 The German Bundesrat proposed such a time limitation in its comment on the EU-proposal for a new General Data Protection Regulation, see BR-Drucks. 52/12 (2) of 30 March 2012, no. 23.

35 Similarly, Tene/Polonetsky (2012), 354, argue for a “regular deletion period”.

Third, in principle a company should not be allowed to refuse a business contract (or the participation in a social network) simply for the reason that the user does not agree with the usage of his or her data for purposes not directly linked to the contract. Instead, the company could charge an (adequate) small compensation fee if using and selling privacy-relevant information is part of its business calculation.

Fourth and last, legal remedies must be construed in a way to reduce transaction costs as well. There must be an adequate mixture of private enforcement and state control.

III. The legal framework on data protection

European and German law on data protection have implemented some but not all of these features.

In general – there are exemptions – a prior consent of the data subject is needed for collecting and processing his or her personal data (Art. 7 lit. a of the current EU-Data Protection Directive [DPD]36; §§ 4, 4a Federal Data Protection Act – Bundesdatenschutzgesetz [BDSG]). But the wording does not tell us exactly what is necessary for a legally valid consent (compare the definition in Art. 2 lit. h DPD “freely given, specific and informed”; § 4a Sec. 1 S. 1 BDSG: “freie Entscheidung” – free decision). In the proposal for a new European General Data Protection Regulation37 a bit more can be found – but still only general terms open for judicial interpretation. In particular, Art. 7 Sec. 4 of the draft regulation states that “consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller”. Taken literally, this would be regularly true in internet commerce and in social networks due to the information asymmetries between the private party and the multinational company. This can hardly be intended.38

36 Directive 95/46/EC of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, O.J. L 281 of 23 November 1995, 3111, amended by Regulation (EC) No. 1882/2003 of the European Parliament and the Council of 29 September 2003, O.J. L 284, 1; for an overview see Charlesworth (2003).

37 Proposal for a Regulation of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012) 11 final; for an analysis see Härting (2012).

38 In fact, recital 34 of the proposal itself states that a “clear imbalance” is namely given in circumstances “where the data subject is in a situation of dependence from the controller”, as can be the case “in the employment context”, or, “where the controller is a public authority, (…) where [it] can impose an obligation by virtue of its relevant public powers (…)”.

Even more problematic is the legal provision dealing with the information necessary for an informed consent. According to Art. 11 of the current Directive (similar § 4 Sec. 3 BDSG) a data subject must be provided with the purpose for which the data are intended and the recipients of the data. In addition, “any information” has to be given in so far as it is necessary, with regard to the specific circumstances. Art. 11 of the proposed regulation tells us much more but is in itself very difficult to read. The information given according to this article might not be easier to understand.

Up to now, there is no explicit right to revoke the consent – this may not be confused with the data subject’s right to object on compelling legitimate ground to a particular processing of data for which a consent is not needed (Art. 14 DPD). But at least the German doctrine recognizes such a right if executed in good faith.39 A time limitation (limited period of validity) for the consent does not exist at all. In this regard, the proposed European Regulation would – as already mentioned by Professor Ko – bring some progress with a “right to be forgotten and erasure” (Art. 15 of the draft); it is explicitly mentioned that the storage of data might be consented for a fixed period of time and that the data subject is entitled to withdraw consent on which the processing is based (both Sec. 1 lit. b). But there is still no time limitation in general.

According to German law (§ 28 Sec. 3b S. 1 BDSG), a company may not refuse a contract only for the reason that the consumer does not agree to the usage of his or her data, if there is no feasible alternative for the consumer, for example contracting with a competing company. But this obligation to contract has been construed narrowly.40 In particular, the consumer has no right to pay a modest fee instead of giving away private information.

Closely related to the necessity of an informed consent, there is a second cornerstone of data protection law. Personal data must only be used and processed for the specified purposes on which the data subject has given his or her consent and must not be further processed in a way incompatible with these purposes (Art. 6 Sec. 1 lit. a DPD; compare for the public sector § 14 BDSG – “Zweckbindungsgrundsatz”, for the private sector compare in particular § 28 and § 31 BDSG). But this is only a very weak protection against the abuse of personal data on the internet, because – as pointed out by Professor Ko – the person affected typically will not know about the exact processing of his or her data due to the technical complexity.

Of course, every person has the right to obtain “confirmation as to whether or not data relating to him are being processed” and to know “the purposes of the processing, the categories of data concerned and the recipients to whom the data are disclosed” (Art. 12 lit. a DPD). But few people will bear the transaction costs without probable cause or even strong suspicion. And very few will be able to estimate whether they have been informed correctly or not.

39 For details see Kühling/Seidel/Sivridis (2011), 126–127.

40 For a detailed discussion see Kühling/Seidel/Sivridis (2011), 117–121.

There are many provisions for building trust in the technical information infrastructure41 to make sure that manipulations do not take place on the technical level. This is the major subject of the Directive on Privacy and Electronic Communications, which in Art. 5 Sec. 3 also deals with cookies, calling in principle for opt-in consent but with several unclear exceptions.42 But again safeguards against technical manipulations do not help much against the abuse and unlawful transmission of data which a company got lawfully in the first place.
