How Uninformed is the Average Data Subject? A Quest for Benchmarks in EU Personal Data Protection

AutorGloria González Fuster
CargoResearcher at the Law, Science, Technology and Society (LSTS), Vrije Universiteit Brussel (VUB)
Páginas92-104
IDP Issue 19 (October, 2014) I ISSN 1699-8154 Journal promoted by the Law and Political Science Department
www.uoc.edu/idp
Published: October, 2014
Universitat Oberta de Catalunya
Abstract
Information obligations have always been crucial in personal data protection law. Reinforcing these
obligations is one of the priorities of the legislative package introduced in 2012 by the European
Commission to redefine the personal data protection legal landscape of the European Union (EU). Those
responsible for processing personal data (the data controllers) must imperatively convey certain pieces
of information to those whose data is processed (the data subjects), and they are expected to do so in
an increasingly transparent manner. Beyond these punctual information requirements, however, data
subjects appear to always be and inevitably remain in a state of relative ignorance, as in almost constant
need of further guidance. Data subjects are nowadays often depicted as unknowing consumers of online
services, services which surreptitiously take away from them personal data thus conceived as a valuable
asset. In light of these developments, this contribution critically investigates how EU law is envisaging
data subjects in terms of knowledge. The paper reviews the birth and evolution of information obligations
as an element of European personal data protection law, and asks whether thinking of data subjects as
consumers is consistent with the notion of average consumer functioning in EU consumer law. Finally, it
argues that the time might have come to openly clarify when data subjects are unlawfully misinformed,
and that, in the meantime, individuals might benefit not only from accessing more transparent information,
but also from being made more aware of the limitations of the information available to them.
Keywords
data protection, transparency, European Union, data subject, privacy, information, average consumer
Topic
data protection
ARTICLE
How Uninformed is the Average
Data Subject?
A Quest for Benchmarks
in EU Personal Data Protection*
Gloria González Fuster
Researcher at the Law, Science, Technology and Society (LSTS)
Vrije Universiteit Brussel (VUB)
Gloria González Fuster
92
* This article constitutes the communication presented by the author at the International Conference on Internet Law
and Politics 2014,and as such was included in the Proceedings of the Conference, which are available at
handle.net/10609/36801>.
IDP Issue 19 (October, 2014) I ISSN 1699-8154 Journal promoted by the Law and Political Science Department
Eloi PuigEloi Puig
Jose R. Agustina
www.uoc.edu/idp
Universitat Oberta de Catalunya
93
How Uninformed is the Average Data Subject?
Eloi Puig
Eloi Puig
Gloria González Fuster
93
¿Hasta qué punto está desinformada la persona interesada?
Una búsqueda de parámetros en la protección
de datos personales de la UE
Resumen
Las obligaciones de información siempre han sido un elemento esencial de las leyes de protección de
datos personales. Reforzar estas obligaciones es una de las prioridades del paquete legislativo intro-
ducido en 2012 por la Comisión Europea para definir el panorama legal en materia de protección de
datos personales de la Unión Europea (UE). Los responsables del tratamiento de datos personales (los
controladores de datos) tienen que transmitir obligatoriamente determinada información a las personas
de quienes se procesan estos datos (las personas interesadas) y se espera que lo hagan de forma cada
vez más «transparente». Sin embargo, más allá de estos requisitos de información puntual, las personas
interesadas siempre parece que se encuentran –e inevitablemente permanecen– en un estado de relativa
ignorancia, casi en una necesidad constante de nuevas orientaciones. Actualmente, suelen describirse
como consumidores desinformados que desconocen el funcionamiento de los servicios en línea, servicios
que se apoderan subrepticiamente de datos personales considerados valiosos. Teniendo en cuenta todo
esto, este artículo explora críticamente la manera como la legislación de la UE concibe a las personas
interesadas en términos de conocimiento, analiza el origen y la evolución de las obligaciones de informa-
ción en la legislación europea sobre protección de datos personales y se pregunta si el hecho de concebir
a las personas interesadas como consumidoras es consecuente con la noción de consumidor mediano
que funciona en la legislación sobre consumo de la UE. En último lugar, sostiene que quizás ha llegado el
momento de aclarar abiertamente cuándo las personas interesadas están ilícitamente mal informadas y
señala que, mientras, podrían beneficiarse no tan solo de acceder a una información más «transparente»
sino también de conocer mejor las limitaciones de la información que tienen a su disposición.
Palabras clave
protección de datos, transparencia, Unión Europea, persona interesada, privacidad, información, con-
sumidor medio
Tema
protección de datos
1. Introduction
Individuals are not properly informed about the processing of
personal data about them. This recurrent statement can hide
behind its apparent simplicity many different assumptions.
It can be used to justify the need for (better) laws on privacy
and personal data protection, or, on the contrary, to prove
their limitations or ineffectiveness. It can be presented
as a problem to be tackled imposing obligations on those
who process data (the data processors) or to inform those
whose data are processed (the data subjects), but it can also
be viewed as proof of a persistent resistance of such data
processors to provide data subjects with the full picture of
what is happening to the data about them.
This contribution
1
investigates how data subjects are
envisaged in relation to knowledge in European Union
(EU) law. It looks for useful references to assess the
extent to which individuals are supposed to be informed
or uninformed about data processing practices concerning
them, as well as to understand the conceptualisations
1. The present research has been carried out in the context of the EU-funded project Privacy and Security Mirrors (PRISMS).
IDP Issue 19 (October, 2014) I ISSN 1699-8154 Journal promoted by the Law and Political Science Department
Eloi PuigEloi Puig
Jose R. Agustina
www.uoc.edu/idp
Universitat Oberta de Catalunya
94
How Uninformed is the Average Data Subject?
Eloi Puig
Eloi Puig
Gloria González Fuster
94
2. L. A. Bygrave (2002, p. 107).
3. See, notably: M. Hildebrandt and B. J. Koops (2010,).
4. A. F. Westin (1970).
5. Secretary’s Advisory Committee on Automated Personal Data Systems (1973).
6. Loi n°78-17 relative à l’informatique, aux fichiers et aux libertés du 6 janvier 1978, see Arts. 3 and 27.
7. Volksz̈hlungsurteil, BVerfGE Bd. 65, S. 1 ff. Describing this right as a right to control the use of information about oneself: J. Q. Whitman
(2004, p. 1161).
8. Annex to the Recommendation of the Council of 23 September 1980: OECD Guidelines Governing the Protection of Privacy and Transborder
Flows of Personal Data, § 12.
9. OECD Guidelines, § 13 and § 27.
10. Ibid., § 7.
and operationalisations of such (mis)information. To this
purpose, the paper first offers a brief historical review
situating the roots of the recognition of an individual’s
lack of knowledge at the very origins of personal data
protection. This is followed by a review of information
obligations of data processors and their relation to fairness
and transparency. We then introduce the increasingly
popular conception of data subjects as consumers, which
leads to an inquiry into the possible applicability of the
legal notion of average consumer in the context of EU data
protection law.
2. (Forever) Informing the Data
Subject
The idea that individuals must be informed when data
about them is processed came to light as early as the
1960s. Historically, the surfacing of modern notions of
privacy and personal data protection was precisely based
on a perception of a dangerous loss of control and lack
of awareness suffered by citizens due to the advent
of computerisation. This feeling of disorientation and
disempowerment
2
was eventually described as resulting
from a knowledge asymmetry between those managing vast
quantities of data and those whose data are processed.
3
Privacy and personal data protection were thus promoted
as legal tools enabling individuals to counter loss of control
over what happens to data concerning them.
2.1. Early recognition
When Alan F. Westin put forward his powerful vision
of privacy as control over personal information,
4
he
was indeed reacting to the realisation that computers,
and especially large databases, threatened to deprive
individuals of any effective oversight of the fate of data
about them when in the hands of others. In 1973, an
influential report warned of the lessening of individuals’
control over data in the United States (US), and proposed
a set of recommendations to mitigate this problem. One of
them was the general prohibition of secret record keeping
systems.
5
In France, since 1978 individuals have the right to be
informed about any data used in automated processing
practices affecting them. Since then, citizens are also
entitled to receive information whenever somebody asks
them for data, such as who the recipients are.
6
In Germany,
in 1983 the German Federal Constitutional Court recognised
a fundamental right to informational self-determination, and
did so by emphatically noting that such right is incompatible
with a society where citizens do not know who knows what
about them.
7
International data protection instruments have always
imposed information obligations on those who process
data. In 1980, the Organisation for Economic Co-operation
and Development (OECD) set out in its Guidelines on the
Protection of Privacy and Transborder Flows of Personal
Data the openness principle. According to this principle, there
must be ‘a general policy of openness about developments,
practices and policies with respect to personal data’,
whereby, whenever personal data are processed, individuals
should be able to establish the existence and nature of such
data, the main purposes of their use, who are the data
controllers, and where to find them.8 In the OECD Guidelines,
the openness principle functions as a prerequisite for the
individual participation principle, which grants individuals
a right to access information about data concerning them
held by others.
9
In addition, the collection limitation principle
states that, as a general rule, collection of data must occur
with the knowledge of the data subject.
10
IDP Issue 19 (October, 2014) I ISSN 1699-8154 Journal promoted by the Law and Political Science Department
Eloi PuigEloi Puig
Jose R. Agustina
www.uoc.edu/idp
Universitat Oberta de Catalunya
95
How Uninformed is the Average Data Subject?
Eloi Puig
Eloi Puig
Gloria González Fuster
95
In 1981, the Council of Europe’s Convention for the
Protection of Individuals with regard to Automatic
Processing of Personal Data (Convention 108)
11
prescribed
that everybody shall ‘be enabled to establish the existence’
of any automated data files containing data about them, as
well as the main purposes of such files, and the residence,
or place of business, of the file’s controller.
12
Furthermore,
individuals were entitled to obtain confirmation of whether
data about them are stored by controllers, and a right to
communication of the data.
13
All in all, these developments describe the progressive
incorporation into privacy and personal data protection
laws of a certain right to know, as one of the components
of a set of measures aimed at compensating a risk of loss of
control over data suffered by individuals. Thus, this right to
know emerges as a key to reduce ‘deficits in data subjects’
cognitive sovereignty’.
14
This right does not correlate
exactly with the duty to inform of data controllers,
15
as it
can also be addressed through other means.16 Importantly,
however, the perceived lack of knowledge is not remedied
by privacy and personal data protection laws, as various
interlinked cognitive problems
17
appear to persist and
always seem to lead back to the reality of the uninformed
individual.
18
2.2. Existing obligations
The right to personal data protection nowadays has the
status of a fundamental right of the EU. It is recognised
as such by Article 8 of the EU Charter of Fundamental
Rights, a provision that, however, does not refer explicitly
to any right to know, or even to any duty to inform.
19
Despite
this formal absence, a right to receive information can be
regarded as implicitly acknowledged by the statement of the
Charter’s Article 8 according to which personal data must
be processed fairly, when read in conjunction with EU’s main
instrument on personal data protection, Directive 95/46/
EC (the Data Protection Directive).
20
The Data Protection Directive indeed sets out that
personal data must be processed fairly and lawfully,
21
and
its preamble observes that, for the processing to be fair,
‘the data subject must be in a position to learn of the
existence of a processing operation’.
22
The preamble goes
on to clarify that data subjects must be given accurate and
full information when data are collected, or when used in
a way that could not have been anticipated at the time
of collection.
23
Hence, Directive 95/46/EC connects the
data controller’s duty to inform to the requirement of fair
processing.
The Directive’s provisions establishing obligations to inform,
namely Articles 10 and 11, corroborate this link. They mark
a distinction between compulsory information (such as the
controller’s identity, and the purposes of the data processing)
and some further information only required in certain cases.
Such further information concerns the identification of the
recipients of the data, and the existence of a right of access
and a right to rectify, and must be given only when, having
regard to the specific circumstances of the processing, it
is required to guarantee fair processing.
11 . Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Council of Europe, Strasbourg, 28.I.1981.
12. Art. 8(a) of Convention 108.
13. Ibid., Art. 8(b).
14. Bygrave, op. cit., p. 111.
15. In relation to the Spanish fundamental right to personal data protection, the Spanish Constitutional Court has alluded to the existence of
both a right to know and a right to be informed of the use of data and its purpose (see § 6 of Sentencia 292/2000, de 30 de noviembre
de 2000).
16. For example, early national laws gave great importance to the notification of data processing practices to supervisory authorities, and to
the availability of public registers, which aim generally to increase public awareness of those practices.
17. D. J. Solove (2013, p. 1888).
18. Ibid., p. 1883.
19. M. C. Ruiz (2003, p. 39).
20. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the
processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995, 31-50.
21. Art. 6(a) of Directive 95/46/EC.
22. Recital 38 of Directive 95/46/EC.
23. Recitals 38, 39 and 40 of Directive 95/46/EC.
IDP Issue 19 (October, 2014) I ISSN 1699-8154 Journal promoted by the Law and Political Science Department
Eloi PuigEloi Puig
Jose R. Agustina
www.uoc.edu/idp
Universitat Oberta de Catalunya
96
How Uninformed is the Average Data Subject?
Eloi Puig
Eloi Puig
Gloria González Fuster
96
These provisions on information obligations have been
commonly labelled transparency measures,
24
even if
Directive 95/46/EC does not use the term transparency in
this context.
25
Accepting the labelling, transparency can be
described ‘a pre-condition to fair processing’,
26
and the data
controllers’ duty to inform
27
may be depicted as a crucial
measure to promote transparency.
28
Insofar as it as an
element of fair processing, in any case, the data controller’s
duty to inform may also be accepted as an integral part of
the EU fundamental right to personal data protection.
A certain right to information can moreover be regarded as
derived from the recognition in Article 8 of the EU Charter
of a right to access and rectify data, both presented as
constitutive elements of the EU fundamental right to
personal data protection. To exercise such rights, data
subjects need to be aware, first, of the fact that somebody
is or might be processing data about them, and, second, of
the fact that they enjoy the rights in question. Awareness
of both issues is thus to some extent instrumental to the
exercise of their rights.
Finally, Article 8 of the EU Charter also refers to the
possibility to ground the legitimacy of data processing
on the consent of the data subject. This brings in another
link between the right to personal data protection and
information requirements, as, to be valid, consent must
be informed. The Data Protection Directive indeed defines
consent as a freely given specific and informed indication
of the data subject’s wishes signifying agreement to the
processing of personal data.
29
2.3. A need to inform more and better
Already more than a decade ago, the European
Commission’s first report on the implementation of the
Data Protection Directive30 concluded that the Directive’s
provisions on the data controllers’ duty to inform were
being put into effect across the EU in very divergent
ways, and sometimes incorrectly. In 2004, European
data protection authorities put under the spotlight the
proliferation of inappropriate online notices, accused
of often being very long and containing legal terms and
industry jargon.
31
They called for more readable formats,
32
and expressed support for multi-layered notices, which
comprise a condensed notice from which more detailed
information can be reached.
33
2.3.1. Towards a new transparency
In 2009, the European Commission formally inaugurated
the review of Directive 95/46/EC. A 2009 study sponsored
by the United Kingdom’s Information Commissioner’s
Office (ICO) corroborated that there was a problem with
the Directive’s information obligations, and argued that one
of the main aspects of the problem was the way in which
privacy policies were being written.
34
The report stressed
that, according to statistics, consumers felt strongly that
mechanisms in place did not help them to understand their
rights.
35
In 2010, the European Commission published a
Communication delineating its approach to the future of EU
24. ICO (2009). The Information Commissioner’s response to the European Commission’s consultation on the legal framework for the fundamental
right to protection of personal data. On transparency as an element of fairness, see: A. Kuczerawy and F. Coudert (2011) and Bygrave, op.
cit., pp. 58-59.
25. Actually Directive 95/46/EC never uses the term transparency, except once in the preamble, concerning the obligation of national supervisory
authorities to publish annual reports (Recital 63).
26. Art. 29 Working Party (2009). The Future of Privacy: Joint contribution to the Consultation of the European Commission on the legal
framework for the fundamental right to protection of personal data. WP 168, p. 8.
27. EU Agency for Fundamental Rights and Council of Europe (2014). Handbook on European Data Protection Law. Luxembourg: Publications
Office of the EU, p. 99.
28. Analysis and impact study on the implementation of Directive EC 95/46 in Member States accompanying the European Commission’s First
report on the implementation of the Data Protection Directive (95/46/EC), Brussels, 15.5.2003, COM (2003) 265 final, p. 19.
29. Art. 2(h) of Directive 95/46/EC.
30. COM (2003) 265 final.
31. Art. 29 Working Party (2004). Opinion 10/2004 on More Harmonised Information Provisions. WP 100, p.5.
32. WP 100, p.5.
33. Ibid., p. 4 and 6.
34. N. Robinson et al. (2009, p. 26).
35. Ibid., p. 29. In another section the same study states that the interest and awareness of consumers have been demonstrated, citing another
survey (p. 25).
IDP Issue 19 (October, 2014) I ISSN 1699-8154 Journal promoted by the Law and Political Science Department
Eloi PuigEloi Puig
Jose R. Agustina
www.uoc.edu/idp
Universitat Oberta de Catalunya
97
How Uninformed is the Average Data Subject?
Eloi Puig
Eloi Puig
Gloria González Fuster
97
personal data protection.
36
Here, transparency was presented
as ‘a fundamental condition for enabling individuals to
exercise control over their own data and to ensure effective
protection of personal data’.
37
The Communication advanced
as a basic element of such transparency that information
to data subjects must be ‘easily accessible and easy to
understand, and that clear and plain language is used’.
38
It observed that this was particularly relevant in the online
environment, where privacy notices are often unclear and
non-transparent, as allegedly proved by the results of a
survey.
39
To tackle this problem, the European Commission
announced that it would consider introducing in EU law
‘a general principle of transparent processing of personal
data’.
40
The 2010 Communication thus set in motion a subtle
change in the meaning of transparency as a principle of
EU data protection law. Whereas transparency had been
traditionally understood as a principle implied in the
principle of fair processing, encompassing a series of
substantive requirements applicable to the data controller’s
duty to inform, it started then to acquire an additional sense,
primarily concerned with the form in which information is
to be delivered to data subjects. A sort of new transparency
was seeing the light.
Still in the name of transparency, children were portrayed
as deserving special consideration, because ‘they may be
less aware of risks, consequences, safeguards and rights in
relation to the processing of personal data’,
41
thus requiring
specific information practices. On top of that, the European
Commission warned that it might contemplate drawing up
EU standard forms, or harmonised privacy information
notices.
42
In parallel to these measures targeting transparency, the
2010 Communication articulated a need to raise awareness,
particularly among young people.
43
The boundaries between
transparency and awareness-raising were rather vague:
for instance, the provision of clear information on web-
sites was depicted as pursuing both.
44
As a matter of fact,
the European Commission appeared concerned with the
proliferation of opaque privacy notices in general, also
raising the question of their impact on the very possibility
for individuals to give informed consent to data processing
practices.
45
2.3.2. Proposal on the table: The new transparency principle
The European Commission presented in 2012 its proposal
for a General Data Protection Regulation, designed to
replace Directive 95/46/EC.46 According to the Explanatory
Memorandum accompanying the text, it introduces a new
transparency principle,
47
which is not defined. The principle
primarily takes the shape of a general declaration that
personal data must be ‘processed lawfully, fairly and in a
transparent manner in relation to the data subject’
48
.
The proposal has a Chapter on the Rights of the Data Subject,
with a Section titled ‘Transparency and modalities’. This
36. European Commission (2010), Communication to the European Parliament, the Council, the Economic and Social Committee and the
Committee of the Regions: A comprehensive approach on personal data protection in the European Union. Brussels, 4.11.2010, COM(2010)
609 final.
37. COM(2010) 609 final, p. 6.
38. Idem.
39. Idem.
40. Idem. During the elaboration of its proposal, the European Commission received input from many respondents alerting of the fact that
transparency was already an integral part of EU data protection (see Annex 4 accompanying the Impact Assessment: Summary of Replies
to the Public Consultation on the Commission’s Communication on a Comprehensive Approach to Personal Data Protection in the European
Union, p. 56).
41. COM(2010) 609 final, p. 6.
42. Idem.
43. Ibid., p. 8.
44. Idem.
45. Idem.
46. European Commission. Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with
regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). Brussels, 25.1.2012,
COM(2012) 11 final.
47. Ibid., p. 8, where it is presented as a new element.
48. Art. 5(a) of the proposed Regulation (cf. Art. 6(1)(a) of Directive 95/46/EC, stating that personal data must be processed fairly and lawfully).
IDP Issue 19 (October, 2014) I ISSN 1699-8154 Journal promoted by the Law and Political Science Department
Eloi PuigEloi Puig
Jose R. Agustina
www.uoc.edu/idp
Universitat Oberta de Catalunya
98
How Uninformed is the Average Data Subject?
Eloi Puig
Eloi Puig
Gloria González Fuster
98
Section opens with Article 11, on ‘Transparent information
and communication’, foreseeing that controllers ‘shall have
transparent and easily accessible policies
49
with regard to
the processing of personal data and for the exercise of data
subjects’ rights’,
50
and that any information to data subjects
shall be provided ‘in an intelligible form, using clear and plain
language, adapted to the data subject, in particular for any
information addressed specifically to a child’.
51
According to the
proposed General Data Protection Regulation, therefore, the
notion of transparent information should translate into easily
accessible and (in spite of the tautology) transparent policies.
The substance of the data controller’s duty to inform is
drawn up in the Section ‘Information and access to data’,
which the proposal’s preamble connects to the principles
of fair and transparent processing.
52
This section specifies
the information to be given to data subjects,
53
extending
minimum requirements to include informing about the period
of storage of data, and making it compulsory to notify the
existence of a right to access and to rectify,
54
as well as of a
right to lodge a complaint to a supervisory authority.55 This is
to be complemented with ‘any further information necessary
to guarantee fair processing in respect of the data subject’.
56
The European Commission also advances that it may adopt
implementing acts laying down standard forms for providing
information to data subjects, ‘taking into account the specific
characteristics and needs of various sectors and data
processing situations where necessary’.
57
The suggestion,
however, has been publicly opposed by the Article 29
Working Party, which considers it unnecessary,
58
and also
failed to find the support of the European Parliament.
59
According to the impact assessment prepared by the
European Commission before proposing its draft for the
General Data Protection Regulation,
60
data subjects are
generally unaware of the risks linked to personal data
processing, and they thus fail to take appropriate measures
to protect their personal data.61 Of all data subjects, children
are the most unaware of the risks at stake, which are however
considerable, especially for them: ‘(i)n particular for young
people’, the impact assessment states, ‘the disclosure of
personal data can cause immense social and mental harm’.
62
It is not clear, however, how any increased awareness of
children of the risks at stake might be capable of affecting
their protection, as according to the proposed Regulation
children are not to decide whether they consent or not to
data processing practices. The decision is entrusted to the
authorised parent or custodian.
63
Globally speaking, the discussions on the draft of the General
Data Protection Regulation hint towards a reinforcement of
information obligations, regarding both the content of the
information and formal requirements (in the spirit of the
49. Privacy policies appears to be used here in the sense of privacy notice, or texts destined to the users of services (on the meanings of the
term: B. Van Alsenoy (2012, p. 4).
50. Art. 11(1) of the Proposed Regulation.
51. Ibid., Art. 11(2). This provision is inspired by the 2009 Madrid Resolution on International Standards on the Protection of Personal Data and
Privacy, where the openness principle was developed indicating that information must be provided to the data subject ‘in an intelligible
form, using a clear and plain language, in particular for any processing addressed specifically to minors’, and by a provision proposed for a
future Regulation on a Common European Sales Law, concerned with the duty to provide information when concluding distance contracts.
52. Recital (48) of the proposed Regulation.
53. For applicable exemptions, see Art. 14(5) of the Proposed Regulation.
54. Ibid., Art. 14(1)(d).
55. Ibid., Art. 14(1)(e).
56. Ibid., Art. 14(1)(h).
57. Ibid., Art. 14(8).
58. Art. 29 Working Party (2013). Working Document 01/2013: Input on the proposed implementing acts, WP 200, p. 6.
59. Amendment 110 of European Parliament’s Resolution of 12 March 2014, P7_TA-PROV(2014)2012.
60. European Commission, Staff Working Paper: Impact Assessment accompanying the document Regulation of the European Parliament
and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data
(General Data Protection Regulation), and Directive of the European Parliament and of the Council on the protection of individuals with
regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution
of criminal offences or the execution of criminal penalties, and the free movement of such data, Brussels, 25.1.2012, SEC(2012) 72 final, p. 22.
61. SEC(2012) 72 final, p. 23.
62. Ibid., p. 29.
63. Art. 8 of the proposed Regulation.
IDP Issue 19 (October, 2014) I ISSN 1699-8154 Journal promoted by the Law and Political Science Department
Eloi PuigEloi Puig
Jose R. Agustina
www.uoc.edu/idp
Universitat Oberta de Catalunya
99
How Uninformed is the Average Data Subject?
Eloi Puig
Eloi Puig
Gloria González Fuster
99
new transparency). They also suggest a strengthening of
the conceptual link between being informed and exercising
data subject’s rights. In parallel to all this emphasis on the
need of individuals to be better informed, EU institutions are
increasingly promoting the idea that data subjects, when
disclosing personal data, shall be protected as consumers
presumably trapped in a situation that very much escapes them.
3. A Portrait of the Data Subject
as a Consumer
There is no doubt that consumers, and most notably
online consumers, might also be regarded as data subjects
insofar as, when consuming, they engage in communicating
or making available data about them. In addition to this,
however, data subjects are increasingly portrayed as
being consumers whenever data about them is collected
in exchange for access to free online services. This image
is used to stress that free online services might not be as
free as they look, because the data that is collected through
them about individuals has a certain economic value.
The rationale behind the image of the data subject as a
consumer is thus intrinsically tied to a depiction of users
as typically uninformed and confused about the nature
of the services they use, and hence misinterpreting their
own behaviour. According to the impact assessment for
the proposed General Data Protection Regulation, some
individuals simply do not realise that many free online
services rely on the processing of their personal data.
64
In this sense, some data subjects appear to be ill-informed
to the point of misconceiving the very way in which online
services function, leading them to engage in inattentive and
incautious data practices.
Individuals would indeed not only be unaware of the fact that
when using certain services they are celebrating in a way an
economical transaction, but also ignorant of the price they
are paying for it. An increasingly pervasive mantra depicts
personal data as the new currency of the digital age,
65
and,
concomitantly, consenting to the collection of personal data
is conceived of as an exchange, where access to services
is traded with data that hence constitutes an asset. This
mantra is sustained by research studying how individuals
decide to disclose or not personal data from the perspective
of behavioural economics.
66
The depiction of data subjects as consumers is sometimes
put forward to promote the need to reinforce the protection
of users of online services, notably by resorting to safeguards
and notions borrowed from consumer law.
67
Taking this step,
nevertheless, requires a prior careful examination of how
consumers are actually envisaged in consumer law.
3.1. The average consumer
EU law protects consumers through different instruments,
and, in some areas, is guided by the ideal of the average
consumer. This notion originally emerged in the case law
of the EU Court of Justice
68
in connection with the free
movement of goods, labelling and misleading advertising;
further delineated in cases about trademark infringement,
it eventually integrated EU secondary law.
69
Currently, the
notion is notably employed in EU law to define misleading
commercial practices, which shall be regarded as misleading
if they would mislead an average consumer.
70
3.1.1. Reasonably well informed, observant and circumspect
The average consumer is a theoretical figure described as
reasonably well informed and reasonably observant and
circumspect, even if this depiction can vary taking into
account social, cultural and linguistic factors.
71
The average
consumer is regarded as a critical consumer, as opposed
to a naïf consumer who would believe, for instance, any
promotional marketing tricks.
72
64. SEC(2012) 72 final, p. 22.
65. Noting this trend in EU policy: E. Wauters et al. (2013).
66. See, for instance: A. Acquisti (2004); L. Brandimarte et al. (2013).
67. See: European Data Protection Supervisor (EDPS) (2014).
68. See: Case C-210/96, Gut Springenheide and Tusky (1998) ECR I-4657, para 31.
69. R. Incardona and C. Poncibò (2007, p. 22).
70. B. Van der Meulen and M. Van der Velde (2011, p. 421).
71. European Commission (2009). Commission Staff Working Document: Guidance on the Implementation/Application of Directive 2005/29/
EC on Unfair Commercial Practices, Brussels, SEC(2009) 1666, pp. 25-28.
72. Case C-470/93, Verien gegen Unwesen in Handel und Gewerbe Koln e. V. v Mars GmbH (1995) ECR I-01923, para 24.
IDP Issue 19 (October, 2014) I ISSN 1699-8154 Journal promoted by the Law and Political Science Department
Eloi PuigEloi Puig
Jose R. Agustina
www.uoc.edu/idp
Universitat Oberta de Catalunya
100
How Uninformed is the Average Data Subject?
Eloi Puig
Eloi Puig
Gloria González Fuster
100
Reliance on the figure of the average consumer is supposed
to help in striking a fair balance between the need to protect
consumers and promoting free trade. By discarding the idea
that consumers are, as a general rule, weak, credulous or
in need of help, it is possible to refute the validity of a
number of protective measures that could be perceived as
unjustified trade barriers.73 From this viewpoint, the birth of
the average consumer has been described as a move away
from a paternalistic view of consumer law.
74
The average consumer test is never a statistical test.
Courts and responsible authorities must always exercise
their own faculty of judgement, having regard to the case
law of the EU Court of Justice, to determine the typical
reaction of the average consumer in a given case.
75
In
principle, they should not need to commission any expert’s
report or consumer research poll.
76
It will ultimately
always be up to courts and responsible authorities to
determine the percentage of consumers misled by a
measure sufficiently significant to justify prohibiting such
measure,
77
remembering that survey results are subject
to the frailties inherent in the formulation of survey
questionnaires.
78
The notion of the average consumer as
a reasonably well informed individual has been widely used
in the area of food law regardless of the fact that many
studies have demonstrated that an important number of
consumers are unable to actually understand much of the
information on food labels.
79
3.1.2. Actively looking for information to make the right
choices
The prototypical average consumer has an attitude
that contributes to the constant improvement of
knowledge:
80
always ready to obtain more information to
make efficient choices, always in a position to acquire
available information, and to act wisely on it.
81
On the
basis of this conception of the average consumer, the EU
Court of Justice considers that it is generally preferable to
provide information to consumers so they can make their
own choices, instead of trying to think on their behalf.
82
Information appears, thus, in the context of EU consumer
law as a tool placed in the hands of consumers to enable
them to decide freely.
83
3.1.3. Not an obstacle to protect vulnerable consumers
Taking generally as a benchmark the average consumer
is not incompatible with the protection of especially
vulnerable consumers. Vulnerable consumers are
recognised as existing, even if they are not regarded as
the norm. Where a practice specifically targets a particular
group of consumers, it is desirable that the impact of the
practice be assessed from the perspective of the average
member of that specific group.84 According to EU consumer
law, individuals can be particularly vulnerable because of a
mental or physical infirmity, because of their age (notably,
the elderly, children and teenagers), or because of their
credulity.
85
The vulnerable consumer test applies when it is foreseeable
that a practice will affect the economic behaviour of a group
of consumers. Hence, companies are only responsible for the
negative impact of their practices on vulnerable consumers
if they could reasonably expect such impact, and if they fail
to take steps to mitigate it.
86
73. SEC(2009) 1666, p. 25.
74. Incardona and Poncibò, op. cit., p. 22.
75. SEC(2009) 1666, p. 25.
76. Ibid., p. 28.
77. Case C-220/98, Estée Lauder Cosmetics GmbH & Co. OHG v Lancaster Group GmbH (2000) ECR I-00117, para31.
78. Opinion of Advocate General Fenelly for Case C-220/98, para 29.
79. C. MacMaoláin (2007, p. 78).
80. Identifying attitude and knowledge as basic elements of the average consumer: L. González Vaqué (2005).
81. SEC(2009) 1666, p. 25.
82. Van der Meulen and Van der Velde, op. cit., p. 422.
83. See, for instance, Art. 3(1) of Regulation (EU) No 1169/2011 of the European Parliament and of the Council of 25 October 2011 on the provision
of food information to consumers, OJ L 304, 22.11.2011, 18-63.
84. SEC(2009) 1666, p. 28.
85. Ibid., p. 29.
86. Ibid., p. 31.
IDP Issue 19 (October, 2014) I ISSN 1699-8154 Journal promoted by the Law and Political Science Department
Eloi PuigEloi Puig
Jose R. Agustina
www.uoc.edu/idp
Universitat Oberta de Catalunya
101
How Uninformed is the Average Data Subject?
Eloi Puig
Eloi Puig
Gloria González Fuster
101
3.2. Reconstructing the standard
data subject
The described sketch of the average consumer makes visible
some important frictions between this notion and the way
in which the concept of data subject operates in EU law.
First and foremost, it seems extremely difficult to maintain
that the data subject is regarded in EU law, by default, as
being well informed. On the contrary, as noted above, one
of the elementary assumptions behind the emergence
of personal data protection law is that individuals lack
sufficient knowledge of data processing practices affecting
them, or are on the verge of losing control over data. Data
subjects appear to be originally and generally deprived of
a satisfactory level of information. Once some pieces of
information have been transmitted to them, the processing
of their personal data might be regarded as fair, and they shall
be able to make punctual informed decisions on whether
to consent to some practices, but generally speaking they
remain predominantly uninformed.
Information provided to individuals shall allow them to
decide whether to consent or not,
87
but is not envisaged
as generally contributing to making choices between data
processing options. In Deutsche Telekom,
88
the EU Court
of Justice had to clarify whether, when an undertaking
responsible for assigning telephone numbers wishes
to pass on personal data on subscribers to a company
providing publicly available directories, it is necessary for
the undertaking to rely on the subscriber’s consent, or on
the subscriber’s lack of objection.
89
The Court of Justice,
analysing Directive 2002/58/EC,
90
stated that its provisions
do not establish a selective right of subscribers to decide
in favour of certain providers of public directories. And the
Court went on to add that when subscribers consent to their
data being published in a directory with a specific purpose,
assuming the detrimental impact of such decision,
91
they
will ‘generally not have standing to object to the publication
of the same data in another, similar directory’.
92
Individuals’ level of knowledge is very closely linked to
their attitude towards information. Data subjects do not
appear to be especially zealous to acquire more information,
particularly when they are online, and might thus probably
not be described as observant and circumspect. The
appreciation of the eagerness of the data subject towards
seeking information can affect the way in which information
obligations are designed. In this context, multi-layered
notices open the question of the extent to which information
that is not given in a first layer, but only indirectly received
or made available, has been received or made available at all.
In 2012, the EU Court of Justice ruled that, in the context of
distance contracts, consumer protection obligations compel
to assess that where information that should be provided on
a seller’s website is made accessible only via a link sent to
consumers, that information is neither given to consumers,
nor received by them, for the purposes of EU law.
93
3.3. A confused consumer
and disoriented policy-making?
Against this background, it appears that configuring the
data subject as a consumer has some important conceptual
drawbacks. In the name of the alleged persistent
misconceptions affecting the behaviour of online users,
who seemingly indulge in using free online services that in
reality might not be free, data subjects are pushed towards
a field of law where individuals are actually portrayed as
by default well informed, observant and circumspect, and
thus offered somehow limited protection. This leads to a
paradoxical situation in which, because they are regarded
as ignorant of how the Internet functions, individuals might
qualify to be treated by law as reasonably well informed
subjects.
87. Expressing awareness of some data processing practices does not equal consenting to them. See, notably: Joined Cases C-92/09 and
C-93/09, Volker und Markus Schecke GbR and Hartmut Eifert v Land Hessen, 9 November 2010, paras 61-64 and 88, as well as the Opinion
of Advocate General Sharpston delivered on 17 June 2010, Joined Cases C-92/09 and C-93/09, para 77.
88. Case C-543/09 Deutsche Telekom, 5 May 2011.
89. Para 48.
90. Specifically, Art. 12(2) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing
of personal data and the protection of privacy in the electronic communications sector, OJ L 201, 31.07.2002, 37-47.
91. Para 62.
92. Idem.
93. Case C-49/11, Content Services Ltd v Bundesarbeitskammer, 5 July 2012, para 37.
IDP Issue 19 (October, 2014) I ISSN 1699-8154 Journal promoted by the Law and Political Science Department
Eloi PuigEloi Puig
Jose R. Agustina
www.uoc.edu/idp
Universitat Oberta de Catalunya
102
How Uninformed is the Average Data Subject?
Eloi Puig
Eloi Puig
Gloria González Fuster
102
Similarly, the role entrusted to information in EU personal
data protection law and in EU consumer law is appreciably
different: whereas for the latter it can facilitate making
choices between products and services, for the former it
has instead other purposes (namely, contributing to fair
and transparent processing, and allowing for consent).
It is somehow delicate, thus, to attempt to expand on
the conception of the data subject as consumer in order
to configure information obligations imposed on data
controllers as helping to make choices between different
data processing practices.
94
There are also, however, dimensions of personal data
protection law that could benefit from taking into account
the way in which EU law conceptualises consumers. One
of them is the construal of vulnerability: it is not limited
to children, but can be recognised as also affecting other
groups, and is in any case something different than a mere
(temporary) unawareness of risks, which is what the European
Commission habitually identifies as affecting children.
More importantly, defining a standard notion of data subject
in terms of information and capability to make choices
appears as a necessary prerequisite to define which online
practices are unlawfully misleading. It is striking that
despite the significance of the data subject’s right to know
and of information obligations imposed on data controllers
for European personal data protection, there is no clear
benchmark in EU law as to the level of misinformation of data
subjects to be regarded as unlawful. The current stress on
the need for information provided by data controllers to be
transparent is based on the concession that the instruments
typically presented as supposedly complying with the data
controllers’ duty to inform (the privacy policies or privacy
notices proliferating online) are commonly uninformative.
In defiance of this contention, however, the legislator does
not appear to be ready to directly qualify uninformative and
deceptive so-called privacy tools as unlawful, or to provide
clearer specifications as to what is always to be regarded
as untransparent and unfair.
4. Concluding Remarks
This contribution has examined the relationship between
information and the protection of individuals from the
perspective of EU personal data protection. It has identified
the existence of a kind of structural ignorance that is
ascribed to the data subject, partially mitigated through the
imposition of information obligations on data controllers.
The recently reinvented notion of transparency as a set
of formal demands applicable to information obligations
confirms their importance in the building up of EU personal
data protection. Together with this approach, the idea that
data subjects shall be protected as unaware consumers of
not free online services is gaining momentum.
Data subjects are more than consumers. They are the
individuals to whom is granted the EU fundamental right
to the protection of personal data, and it is the responsibility
of the EU to respect and promote its fundamental rights.
As described, the right to personal data protection brings
about the need to inform individuals about what happens
to their personal data, but also about the existence of
their subjective rights, and, possibly, about the risks or
consequences of consenting or refusing to consent to
certain data processing practices.
In reality, the active exercise of this right by individuals
might actually require not only the existence of a certain
right to know, but also an awareness of the limitations of the
information they are legally entitled to receive, as an open
invitation to act very observantly and with circumspection
even in the absence of satisfactory levels of information –or
precisely because of such absence. Perhaps data subjects
able to make better decisions online are not data subjects
surrounded by more transparent privacy notices, but data
subjects more acutely aware of the fragility of the knowledge
at their disposal.
94. Which is the path followed by the EDPS in European Data Protection Supervisor (EDPS) (2014), op. cit. (see notably p. 34).
IDP Issue 19 (October, 2014) I ISSN 1699-8154 Journal promoted by the Law and Political Science Department
Eloi PuigEloi Puig
Jose R. Agustina
www.uoc.edu/idp
Universitat Oberta de Catalunya
103
How Uninformed is the Average Data Subject?
Eloi Puig
Eloi Puig
Gloria González Fuster
103
5. Bibliography
ACQUISTI, A. (2004). “Privacy in electronic commerce and the economics of immediate gratification”.
Proceedings of the 5th ACM conference on Electronic commerce, New York, May 17 – 20. Pp. 21-29
org .10.1145/988772.988777>.
BRANDIMARTE, L.; ACQUISTI A.; LOEWENSTEIN, G. (2013). “Misplaced Confidences: Privacy and the
Control Paradox”. Social Psychological and Personality Science, no. 4, p. 340,
org/10.1177/1948550612455931>
BYGRAVE, L. A. (2002). Data Protection Law: Approaching Its Rationale, Logic and Limits. The Hague:
Kluwer Law International.
EUROPEAN DATA PROTECTION SUPERVISOR (EDPS) (2014). Preliminary Opinion of the EDPS: Privacy
and Competitiveness in the Age of Big Data: The Interplay between Data Protection, Competition
Law and Consumer Protection in the Digital Economy, March.
GONZÁLEZ VAQUÉ, L. (2005). “La noción de consumidor en el Derecho comunitario del consumo”.
Estudios sobre consumo, no. 75, pp. 25-42.
HILDEBRANDT, M. AND KOOPS, B. J. (2010). “The Challenges of Ambient Law and Legal Protection in
the Profiling Era”. The Modern Law Review, vol. 73, no. 3, pp. 428-460.
org/10.1111/j.1468-2230.2010.00806.x>
INCARDONA R. AND PONCIBÒ, C. (2007). “The Average Consumer, the Unfair Commercial Practices
Directive, and the Cognitive Revolution”. J Consum Policy 30, 21–38.
org/10.1007/s10603-006-9027-9>
KUCZERAWY, A.; COUDERT, F. (2011). “Privacy Settings in Social Networking Sites: Is It Fair?” In: SIMONE
FISHER-HÜBNER et al. (eds.). Privacy and Identity Management for Life. International Federation for
Information Processing (IFIP), pp. 231-243.
MacMAOLÁIN, C. (2007). EU Food Law: Protecting Consumers and Health in a Common Market. Oxford:
Hart Publishing.
ROBINSON, N.; (2009). Review of the European Data Protection Directive, RAND Europe.
RUIZ, M. C. (2003). “El derecho a la protección de los datos personales en la carta de derechos
fundamentales de la Unión Europea: Análisis crítico”. Revista de Derecho Comunitario Europeo, vol.
7, no. 14, pp. 7–43.
SECRETARY’S ADVISORY COMMITTEE ON AUTOMATED PERSONAL DATA SYSTEMS (1973). Records,
Computers and the Rights of Citizens.
SOLOVE, D. J. (2013). “Privacy Self-Management and the Consent Dilemma”. 126 Harvard Law Review
1880; GWU Legal Studies Research Paper No. 2012-141.
VAN ALSENOY, B. (2012). D6.1: Legal Requirements for Privacy-Friendly Model Privacy Policies. Security
and Privacy in Online Social Networks (SPION).
VAN DER MEULEN, B.; VAN DER VELDE, M. (2011). European Food Law Handbook. The Netherlands:
Wageningen Academic Publishers.
WAUTERS, E., LIEVENS, E.; VALCKE, P. (2013). D1.2.4: A Legal Analysis of Terms of Use of Social Networking
Sites, Including a Practical Legal Guide for Users: Rights & Obligations in a Social Media Environment.
WESTIN, A. F. (1970, originally published in 1967). Privacy and Freedom. New York: Atheneum.
WHITMAN, J. Q. (2004). “The Two Western Cultures of Privacy: Dignity Versus Liberty”. Yale Law Journal,
no. 113, pp. 1151–1221.
IDP Issue 19 (October, 2014) I ISSN 1699-8154 Journal promoted by the Law and Political Science Department
Eloi PuigEloi Puig
Jose R. Agustina
www.uoc.edu/idp
Universitat Oberta de Catalunya
104
How Uninformed is the Average Data Subject?
Eloi Puig
Eloi Puig
Gloria González Fuster
104
Recommended citation
GONZÁLEZ FUSTER, Glòria (2014). “How Uninformed is the Average Data Subject?
A Quest for Benchmarks in EU Personal Data Protection”. IDP. Revista de Internet, Derecho y Política.
No. 19, pp. 92-104. UOC. [Accessed: dd/mm/yy].
/idp/article/view/n19-gonzalez/n19-gonzalez-en>
org/10.7238/idp.v0i19.2424
The texts published in this journal, unless otherwise indicated, are subject to a Creative
Commons Attribution-NoDerivativeWorks 3.0 Spain licence. They may be copied, distributed
and broadcast provided that the author, the journal and the institution that publishes
them (IDP Revista de Internet, Derecho y Política; UOC)are cited. Derivative works are not
permitted. The full licence can be consulted onhttp://creativecommons.org/licenses/by-
nd/3.0/es/deed.en.
About the author
Gloria González Fuster
gloria.gonzalez.fuster@vub.ac.be
Researcher at the Law, Science, Technology and Society (LSTS)
Vrije Universiteit Brussel (VUB)
Gloria González Fuster is a postdoctoral researcher at the Law, Science, Technology and Society (LSTS)
Research Group at the Vrije Universiteit Brussel (VUB). Having studied law, journalism, languages and
modern literature, she worked at various European institutions before becoming a researcher specialising
in the field of privacy and personal data protection and, in general, the study of fundamental rights in
the EU. She has actively taken part in various excellence and research project networks, including the
currently running Privacy and Security Mirrors (PRISMS) project, and combines her academic work with
supporting the dissemination of music distributed under open license.
Law Science Technology & Society (LSTS)
Building B, room 4B317
Vrije Universiteit Brussel
Pleinlaan 2
B-1050 Brussels
Belgium

VLEX utiliza cookies de inicio de sesión para aportarte una mejor experiencia de navegación. Si haces click en 'Aceptar' o continúas navegando por esta web consideramos que aceptas nuestra política de cookies. ACEPTAR