- Published: September 9, 2022
- Updated: September 9, 2022
- University / College: The University of Queensland
- Language: English
- Downloads: 27
General Research Structure
This research is going to be written from a legal perspective. Therefore, the research will cover relevant legislation, case law, and literature. In terms of contract law, as there is no unified code that applies across the EU, this research is going to be divided into several chapters to cover certain national law. The question concerning fairness requires a normative choice as to how far contract law should go in protecting the rights of individuals with regard to personal data. The project, therefore, will include a normative analysis from an internal legal perspective, i. e. normative choices will be considered from within the framework for fairness in contract law of the chosen legal systems.
In addition to this, interviews will be conducted to ascertain how the practice of processing personal data is being conducted. In other words, what happens in the real world will also be included. Therefore, problems that are arising with data processing through a desk study of legal scholarship are going to be combined with explorative interviews with a selection of stakeholders. At this point, there is a distinction to be made. There is a type of research in which empirical study is the main method for the research with statistics, tables, and so forth. In this study, however, this will not be the case. The main aim of the interviews is to have a better idea about problems that companies and/or users have in practice related to fairness. Therefore, to this extent, our research is going to be an explorative study to gather information and follow issues occurring in the practice.
Choice of Specific Contracts
The distinction between contract law and privacy law plays an important role in this research. The perspective of contract law, in fact, is different than privacy law. In privacy law consent is given as fixed and clear but this only works if to what consent is given is already known by the party. In other words, consent does not create any problems if the person who gives his or her consent is informed correctly. However, the problem is that it is very difficult to be correctly informed about to what consent is given because it is often ambiguous how personal data is going to be used which eventually makes consent useless.
In other words, consent in privacy law is useful if the purpose for the collection and processing of data is known. Privacy assumes that permission is always required to conduct or process the data.
With regards to the permission, the main issue is the consent of data subject. Consent can be asked for specific purposes. Another problem about consent is that consent can be broadened. In fact, consent can be meaningless if it is framed in a manner that is too broad. On the other hand, it cannot upfront be said in all cases how the data collected is going to be used. Companies in reality desire to keep the data and to plan how they are going to use the data. If a company does research, for example, it is going to need certain data. This can either be done through the company itself or certain specialists can be hired to conduct this research. So, it does not necessarily have to be the same organization. If the data were to be transferred to a third party, then a separate consent would be required. This can be given as an example to the difference between controllers and processors. However, this does not work in the era of big data.
The recent Facebook case is one of the examples of this. Facebook asks consent for processing personal data of data subjects. It is also said in the offer that the data can be shared with third parties. In the past this would be asked separately. In the past, the data subject would now that who the processing party is going to be. In the recent Facebook case, when the data was passed on a third party, Facebook lost the control over it. In the data economy, once the data is transferred to a third party, the control is lost. This may not be regulated through the contract either as the data is passed on a third party, the rest may not be predictable. To tackle these issues, instruments of specific contracts can be used. Specific contracts are a body of knowledge contain a number of contracts.
Specific contracts law doctrine is very much developed in civil law. Some of these contracts, such as processing, storage, medical treatment, sales, and so on can be found in the DFCR. Approaches to these contracts differ from one country to another in the EU. Indeed, with regards to many of the specific contracts that are covered in the DFCR, it is hard to argue that there is a self-contained regulation within the existing European codifications.
By analyzing specific contracts within different jurisdictions, this study also aims at broadening the knowledge of specific contracts and the way in which the instruments of specific contracts exist and can be applied. There are many specific contracts that can never be exhausted or the lines between certain specific contracts may not be easily drawn.
Many of the specific contracts, if not all, are part of national laws of EU member states and most of these contracts are not influenced by EU law. Therefore, since going through all specific contracts exceeds the limit of this research, choosing relevant specific contracts is of an utmost importance. In this vein, contracts that are more relevant to the question of consent and information that are going to constitute the specific contracts for this study are consumer sales, processing, storage, medical treatment, and digital content contracts.
This body of law is relevant for a number of reasons. First of all, the rules for these contracts are an interesting mixture of mandatory law and default law, partly aimed at protecting weaker parties. Indeed, there are specific mandatory rules on specific types of terms in specific contracts, such as consumer sales in general which restrict the freedom of contract.
For example, if the terms and conditions of a specific contract are not in line with mandatory rules, then it can lead a court to invalidate the contract or contractual clause. Secondly, many specific contracts, such as a contract for storing and processing, are long-term contracts, in which it is more important to take into account later developments than in the dominant one-shot model of the contract of sale. Storage and processing contracts will be analyzed as well due to the fact that when a good is handed in someone for processing or storing it, the owner of the good is weaker as the processor or storer can do anything with it.
For example, if there is a processing contract for a car or building, it may be there for a long time and a lot of the developments concerning the property at stake are difficult to foresee upfront. Consent needs to be developed over time and the processing contract allows it by providing rules to guide them concerning how they should behave to receive an outcome.
This is also closer to the long-term relationship that is usually involved in privacy law where the individual can at a later stage still invoke remedies against the processing organization. A contract for service is a long-term contract which can be terminated. The consumer may have to pay damages or fees for the termination of the contract. However, it is always possible to terminate the contract and put an end to the contractual relationship. Indeed, for instance, when a woman makes a contract with a company for cleaning her house, she can terminate the contract in the future. As opposed to this, the woman cannot be ordered to allow the person to enter the house for cleaning because the woman has a very fundamental right which is the right of ownership. In this case, unlike contracts that involve processing personal data, the consumer is in control rather than the other party.
Similarly, medical treatment contracts also involve data and in medical treatment contracts, unlike one-shot contracts, such as contracts for sale, the doctor has continuous obligations to inform the patient correctly.
Rather than giving blanket consent to cover all future transactions, through the application of specific contracts a more nuanced way can be established. In other words, specific contracts either preserve certain rights that the parties may not contract them away or it can be retracted by the parties. In particular, certain specific contracts, such as contracts for medical treatment explicitly recognize that a contract may have to be elaborated during the course of the relationship as it gradually becomes clearer what parties want to achieve with the contract. This may provide an analogue with the gradual clarification of the specific purposes of data use. Furthermore, specific contracts regularly involve various relationships with a property, which may provide inspiration for rules regarding the handling of data. Likewise, storage contracts have duties of care that require the good be treated in a proper way so that it is not lost or damaged. Processing contracts are different than storage contracts because processors are allowed to process on the good which they do not own. In a contract for processing, for example, the contract for repairment of a car is made to improve the car’s quality for the owner’s benefit. In terms of processing data, it can be also said that, for example, Facebook not only stores the data, but also it is allowed to process the data for both the benefit of users and Facebook.
Another specific contract that will be examined in this research is medical treatment contracts for the number of reasons. First of all, in addition to above information, medical treatment contracts require an informed consent that is significant for our study and also these contracts have a fundamental right aspect. For example, in contracts for medical treatment, the patient cannot contract away his or her right to refuse medical treatment. Indeed, when patients make contracts for medical treatment, they usually give their consent to all treatment. Different than what is currently occurring in the data economy, however, patients are allowed to retract their consent in every stage of the medical treatment because it is a fundamental right. Unlike contracts in which personal data is processed, the patient is informed about all stages of the treatment and observes treatment which makes it easy for the patient to retract. It is argued by data processors that it is a general issue of contract law that blanket consent can cover all future purposes. Within this context, specific contracts do not allow the use of data subjects’ consent for the future processing of their personal data. Thus, in case of any possible violation of the fundamental right of data subjects consent needs to be asked every time. Consumer sales contracts are relevant for this research. For example, when a consumer uses a mobile application, although the application seems to be provided for free, what usually happens is that the user accepts the share his or her personal data with the service provider. So, within this context, it is usually argued that personal data constitutes consideration. In some countries, it is not accepted as a contract of sale but the contract of barter yet the rules applicable to contract of sales are applied to contract of barter by analogy.
Finally, certain specific contracts, such as medical treatment, interact with public law regulation and fundamental rights and may provide inspiration on how to solve issues of concurrence between contract law and inalienable rules of public policy. In relation to personal data, this tension has to some extent been addressed by specific contract rules for digital content – e. g. in the UK Consumer Rights Act 2015 and the proposed EU Directive on Digital Content – but those rules are narrow in scope and do not as yet control the problems of data processing sketched above.