Selling Personal Data: The Legal Framework and Nature of Personal Data Selling Transactions Under GDPR

Selling Personal Data: The Legal Framework and Nature of Personal Data Selling Transactions Under GDPR

Konstantina Samara
DOI: 10.4018/978-1-5225-9489-5.ch003
(Individual Chapters)
No Current Special Offers


The prevalent and currently unanimous European legal system regarding personal data comprises a set of protective rules, enshrining, amongst others, the prerequisites for lawful processing. The venture of the ensuing aims to examine, under the scope of both constitutional rules and the ius cogens provisions of the Regulation (EU) 2016/679, the validity of a transaction pertaining to the processing of personal data. The objective of the herein argumentation specifically focuses on the juridical act of selling personal data, in accordance with the principle of contractual freedom and its compatibility with the core of constitutional provisions, which safeguard human value. The correlations examined below are referred to the contractual interaction between the subject of the personal data and the data controller under the scope of a double facet approach of GDPR, as a legal system both personal and property oriented.
Chapter Preview


The prevailing perception in the literature of personal data law tends to trace as a common denominator of all European respective legislation a human right, dignity-based approach. As expected, the currently set in effect Regulation (EU) 2016/679 (hereinafter GDPR) has been founded on terms of core human rights, for the safeguard of which provides for accordingly. Through this lens, the interpretation of data subject's “consent” seems to be limited to the mere operational aim of “consent” as a legal base for processing; as a consequence, the predominant normative value of “consent” has been delimited to a ground precluding the initially unlawful character of processing, which constitutes a harmful act against protected human rights. However, this unilateral perception of “consent” disregards every thought relating to its precise constituent compounds, according to which consent can be perceived as a statement of will aiming to an act with lawful consequences, or in other words, as a legal transaction. Hence, according to Christodoulou (2013, pp. 50-54), consent is a unilateral judicial act, whilst it is argued, hereinafter, that consent is manifested as a bilateral judicial act and specifically as a contract, since it constitutes the acceptance of a prior contracting proposal. For this reason, the author of this chapter strictly believes that the prevalent human right approach is deficient because it fails in thoroughly depicting the current data-driven economy, where personal data are traded as “assets”, “goods” and “commodities”. Simultaneously, “human right approach” does not guarantee an accurate construe of the GDPR provisions, which imply the existence of a “proprietorial” relationship between data subjects and their personal data. The herein chapter ventures a dual-based interpretation of GDPR, as a set of legal provisions deriving from the anxiety to safeguard both, personal and property nature of personal data, as well as the respective rights, stemming from them.

The basic underlying argument of this chapter consists in the thought that the mere fact of regulative intervention causally linked to the protection of a right does not, by definition, prohibit a potential commercial exploitation of the right in question; thus, regulative rules do not always indicate an “inalienable” character of the regulated right. Therefore, having considered that the regulative initiative of GDPR comprises a set of provisions safeguarding the individual interests during the processing of their personal data, it can be inferred that these inherently mandatory rules may also govern every potential relevant contractual relation, expressed as a manifestation of the contractual freedom principle. In the context of individual autonomy “consent” can connote the expression of data subject's “power of disposal”, in a way that the data subject itself capitalizes or adversely withholds their data.

In other words, the herein chapter ventures to examine the validity of a personal data vending transaction between the data subject and the controller, under the scope of GDPR provisions which mirror fundamental constitutional principles regarding privacy, personhood and human value. In order to probe the legal accuracy of the aforementioned venture, the author estimate that the most expedient method should initially encompass the conceptual and normative approach of personal data right in the light of core constitutional values, and subsequently the systemic linkage of personal data right with “family” notions. The ultimate undertaking of this method is to mine the personal and property-based elements of GDPR, which as a whole comprise the idiosyncratic nature of personal data right, both as a right important for human dignity and personality and as a right of economic nature. Blending the “duality” of the right with “de facto personal data marketplaces”, this chapter aims to question the inalienability of personal data per se.

Key Terms in this Chapter

Personal Right: A right pertaining to the quality of persons as “individuals”. The claims deriving from personal rights aim to compensate the claimant for non-pecuniary (moral) damages.

Obligational Right: A right related to personal obligation. An obligational right, when not “ex lege”, is linked with the legal doctrine of privity, according to which contracts bind only the contracting parties; hence, no third party can take legal action with regard to the contract in favour or against the contracting parties. The term is contracted to the term “ right in rem” or its interchangeable “real right”.

De Facto Personal Data Marketplaces: A marketplace (usually a platform) which enables convenient buying and selling of data between data brokers and companies.

End-Users: Individual consumers, citizens or persons about and from whom personal data are created. The term resembles its “family” term “prosumer”, currently used to attribute to a person the quality of a producer and consumer at the same time.

Raw Data: Data that hasn't undergone processing. This term is herein used in contradiction to the term “inferred data” in order to underline the financial value that even a single raw datum embodies and to emphasize the dynamic economic sign of personal data across their evolving course.

Property Right: A right in favour or against specific property. The claims deriving from property rights aim to compensate the claimant for pecuniary damages.

Juridical Act: A lawful act or expression of will intended to have legal consequences. It may be unilateral, bilateral and multilateral. “Legal transaction” is an interchangeable term for a juridical act.

Right in Rem Effect: The effect of legal powers over a tangible thing, which “run with” the thing and being exercised “erga omnes”. These powers stem from a “dominative” ownership relation between a person and a (usually) tangible thing.

Individualization of Person's Identity: The enclosing of information related to human personality, in the exact way privacy embodies data regarding the individual's authenticity; the term is not used as interchangeable of «Identifiable», which is a compound element of the notion of personal data in general.

Complete Chapter List

Search this Book: