There is a lack of legal framework on selling one’s personal data, despite the numerous efforts of the European Union to protect our privacy online. The latest communication of the Union, European Data Strategy, does not even mention data trade. It only briefly encourages the use of ‘personal data libraries’ and plans a new Data Act in 2021 to regulate the use of these intermediaries:
“Personal data libraries (personal data wallets/stores/spaces) operated by a trusted intermediary can avoid the proliferation of copies of personal data held by too many organisations and minimise related risks.”
So what happens when such intermediaries like Wibsom, Datum, DataWallet, or Digi.me also empower individuals to sell their personal data in exchange for money (or tokens)? Previously, in the Digital Single Market mid-term review in 2017, the Commission took the position that ‘privacy is not a commodity to be traded’ and the European Data Protection Supervisor (EDPS) also adviced strongly against the commercialisation of personal data:
“There might well be a market for personal data, just like there is, tragically, a market for live human organs, but that does not mean that we can or should give that market the blessing of legislation. One cannot monetise and subject a fundamental right to a simple commercial transaction, even if it is the individual concerned by the data who is a party to the transaction.”
The EDPS writes more in the footnote 27, of the Opinion 4/2017 on the Proposal for a Directive on certain aspects concerning contracts for the supply of digital content:
“Popular catchphrase like “digital currency” and “paying with data” may not only be misleading, but can also be dangerous, if it is taken literally and turned into a legal principle.”
Notwithstanding, the Directive on certain aspects concerning contracts for the supply of digital content came into force in 2019, with the consequence that the EU recognises that data can be a part of sales transactions. For example, when a user signs up to a social media platform such as Facebook. In such a case, individual exchanges data for service or content. Does the Directive then also include situations when an individual makes a transaction where she gives her data in exchange for money? It is unclear.
The General Data Protection Regulation provides no clarity to the situation either. It does not include situations where an individual proceeds to sell her personal data. The lack of reference can mean that it is not explicitly forbidden. Provided that an individual gives her consent freely following Article 7 of the Regulation. The same can be induced from the EU Charter of Fundamental Rights, as Janeček and Malgieri observe:
“While Article 3(2) affirms that body parts cannot be ‘a source of financial gain’ and thus sends a clear message as regards trade in human organs, Article 8 merely declares that everyone has the right to the protection of personal data concerning her. It does not prohibit financial gain from one’s own personal data, which suggests that the Charter does not take any position relation to (in)alienability of personal data.”
Janeček and Malgieri have examined in detail the legal framework governing privacy and data protection to establish whether personal data can be sold, mostly from the perspective of business-to-business sales. In their view:
“Commerce in some data is, and should be, limited by the law because some data embody values and interests (in particular, human dignity) that may be detrimentally affected by trade.”
However, this view overlooks the economic gains of data trade and the benefits it can give to an individual as Christopher Tonetti notes:
“Some worry that financial incentives would encourage consumers to sacrifice even more of their privacy than they do now. But that is a choice consumers should be allowed to make — which data is worth selling for the price they would receive, and which isn’t. Some firms allow consumers to sell their data to competitors already. We should make this a universal right.”
Either way, there should be an answer to the question ‘can you legally sell your data’ because technically you can already do it — and if you can already do it, you should also be able to know the consequence of selling your data.