The legal construction of “free services” on the Internet, which are provided to consumers while their personal data is requested or harvested, is currently undergoing a change of paradigm. Until recently, service providers like social media services, search engines, communication services, and hosting platforms, presented their business model as purely ad-funded services based on a two-sided market, in which the advertisers pay for the service and the users only have the advantages of attractive and cost-free services.  If the service asked the users consent to any data processing, this consent was treated under the old paradigm as being independent from the supply of the service. This idea of two independent legal transactions – supply of service and transmission of data – has been criticised by some commentators in recent years.  The European Commission's - Proposal for a Directive on certain aspects concerning contracts for the supply of digital content of December 2015  (DSDC) may now change the landscape.
The DSDC proposes to introduce harmonised rules on contracts for the supply of digital content in a broad sense, also comprising many services contracts, including services allowing the creation, processing, or storage of data and services allowing sharing of and any other interaction with data in digital form provided by other users of the service, see Art. 2 N° 1. For all those contracts, Art. 3 para. 1 DSDC explicitly provides that the Directive shall apply to any contract where the supplier supplies digital content to the consumer “and, in exchange, a price is to be paid or the consumer actively provides counter-performance other than money in the form of personal data or any other data.” The language of Art. 3 para. 1 DSDC is broad and seems to cover all cases in which the service providers use the personal data of the consumer as the basis for the refunding of its service. However, the Commission's concept is more restrictive and covers only actively provided data. According to Recital 14, the Directive should apply only to contracts where the supplier requests and the consumer actively provides data, such as name and e-mail address or photos. To the contrary, the Directive should not apply to situations where the supplier collects data necessary for the digital content to function in conformity with the contract; for example geographical location for a mobile application to function properly. Additionally the Directive should not apply to situations where the supplier collects information, including personal data, such as the IP address, or other automatically generated information such as information collected and transmitted by a cookie, without the consumer actively supplying it. If the final text of the Directive would exclude all the scenarios mentioned in Recital 14, its scope of application would be rather limited. Yet, the Draft Report of the European Parliament's Committee on Legal Affairs sets forth a proposal to give the provision a broader scope and to include cases in which the personal data is “collected by the supplier or a third party in the interest of the supplier”.  It is indeed hardly convincing to exclude personal data collected by the service provider – e.g. search terms, geographical location data etc. – if such data is processed and used beyond the usage necessary for the functioning of the service.  Such a processing of personal data will regularly depend on the consumer’s consent.  Thus, the consumer provides a valuable counter-performance in exchange for the service and should profit from the protection given by the Directive. The same is true for data whereby the collection of which was initially strictly necessary for the performance of the contract or for meeting legal requirements, if the supplier later continues to process the data for commercial purposes, e.g. if a streaming service later uses data on the supplied content to offer other content or services to the consumer.
The DSDC provides rules on the supply and conformity of digital content, on the rights and obligations of the parties, and on the termination of the contract. It does not harmonise the rules on the formation of contracts, especially in case of personal data as counter-performance, see Art. 3 para. 9. This leaves some of the most important practical legal issues raised by contracts with data as counter-performance to national law, as determined by Art. 3, 4 and 6 of Regulation 593/2008 on the law applicable to contractual obligations (Rome I).  The following analysis is based on the application of German law. Other jurisdictions will encounter comparable problems.
The first requirement for the formation of a contract with personal data as counter-performance is a respective offer to conclude such a contract. In terms of typical contracts for the supply of digital content, it will be the service provider who offers to conclude a contract for the use of its service.  It is therefore a question of interpretation of the terms and conditions of the service, of the explanations on the website, and the general appearance of the service, whether the service provider offers to conclude a contract with personal data as counter-performance. This interpretation, according to German contract law, is based on objective standards, as stated in section 157 of the German Civil Code: “Contracts are to be interpreted as required by good faith, taking customary practice into consideration.” The decisive test is therefore how an average and reasonable addressee would understand the declarations and conduct of the service provider. In this regard, empirical evidence from Germany shows that users understand “free” services as services they pay for with their personal data. In a recent study  conducted in 2014 with 1002 randomly chosen German Internet users, 67% declared that they acknowledge that delivery of personal data and consent in data processing is a method of payment for Internet services. It is therefore quite plausible that an average user of a data-driven Internet service will understand an offer for a “cost-free use” in fact as an offer to exchange his or her personal data against the service.
Acceptance of such an offer may be declared explicitly, especially by ticking boxes, or implicitly by mere use of the service. German contract law has developed several means to avoid formalistic obstacles. According to section 151 sentence 1 German Civil Code, a contract comes into existence through the acceptance of the offer without the offeror needing to be notified of acceptance, if such a declaration is not to be expected according to customary practice. Based on this provision, it is well established in court practice that the use of Internet services may be interpreted as acceptance of the contract offer to use the service in accordance with the terms and conditions.  With regard to services that process the data of the users, one could even go further and understand such data processing as an indicator that the service has taken note of the user's acceptance of the contract terms.
As to the validity of contracts, several issues deserve attention. The validity of the contract for the supply of digital content will not be harmonised by the DSDC, but will remain in the realm of autonomous national contract law, Art. 3 para. 9 The validity issues are diverse and complex and can only be sketched out here.
The principles of contract law may conflict with the principles of data protection law, if a minor concludes a contract which comprises a counter-performance in the form of personal data. This scenario is apparently of high practical importance, given the relevancy of social media and other Internet services for juveniles. According to general contract law, at least in Germany, the validity of the contract depends on the authorisation given by the parents. The known exceptions to this principle, especially contracts which are legally beneficial for the minor according to section 107 German Civil Code or contracts performed with “pocket money” according to section 110 German Civil Code, do not match the case. 
Consent in data protection law follows different principles, see Art. 8 General Data Protection Regulation 2016/679 (GDPR): “The processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.” Member States may determine a lower age than 16 “provided that such lower age is not below 13 years”. One way to solve this inconsistency is to separate the contract on the one hand and the delivery of data and consent of the minor on the other hand.  For the contract with all its consequences, the stricter general contract law principles of minor protection must be respected. If the parents have not authorised the contract, it must be regarded as void. Still, the consent given by the minor could be regarded as valid based on Art. 8 GDPR. The consequences of such a split solution would not be significant in most cases given the fact that consent is nevertheless revocable according to Art. 7 para. 3 GDPR. If the minor objects to any use of his personal data, they may revoke the consent for the future without further requirement. The only remaining question then would be whether the service provider must restitute the profits made before the revocation of the consent. Given the fact that Art. 7 and 8 are mainly focussed on unilateral declarations of consent, one could well argue that the stricter national principles for the conclusion of contracts with minors should also apply to the minor's consent if it has been given in the framework of a contractual relationship. As a consequence, contract and consent would be void.  The minor could then claim for damages for the unauthorised use of his data, which leads to the difficult follow-up question of how courts should assess the economic value of the data set of a single person. 
Regarding the assessment of fairness, one may discuss whether the provision of data by the consumer and his/her consent are the “main subject matter” of the contract and as such exempted from the assessment of their fairness according to Art. 4 para. 2 of the Unfair Terms Directive. However, even if one applies Art. 4 para. 2, such an exemption should only cover the transfer of data and the consent as such, but not the specific conditions laid down in the privacy policies. German courts have repeatedly judged terms in privacy policies as being unfair in the sense of Art. 3 para. 1 of the Unfair Terms Directive if the purpose of the data processing was drafted in vague and unspecific language.  This jurisprudence is in line with both the Unfair Terms Directive and the GDPR. 
Regarding the transparency of privacy policies, Art. 7 para. 2 GDPR specifies the more general requirements from the Unfair Terms Directive. According to Art. 7 para. 2 GDPR, the service provider's request for consent “shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.” One may have doubts whether lengthy and detailed privacy policies, even if drafted in accordance with the cited requirements, can help to balance information asymmetries and to ensure that the consumer takes a rational decision with regard to his personal data.  Still, even if consumers do not read privacy policies they can still rely on the fact that privacy policies which are incompatible with the general principles of the GDPR do not meet the fairness test of the Unfair Terms Directive and may therefore not be enforced. 
A specific validity concern for contracts with personal data as counter-performance is raised by Art. 7 para. 4 GDPR: “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.” At first glance, the rule seems to provide a clear ban of contracts that establish a link between the consent of the data subject and the provision of a service.  According to Article 3 para. 8, the DSDC is “without prejudice to the protection of individuals with regard to the processing of personal data.” Thus, the DSDC cannot supersede the GDPR. Does this mean that, at the end, there is no such thing as data as counter-performance? Such a conclusion would certainly be premature. It would ignore that the European legislature of the DSDC apparently wanted to permit data as counter-performance. The solution must be found in a coherent interpretation of both texts. The wording of Art. 7 para. 4 GDPR is flexible: “Utmost account shall be taken” does not regulate a clear prohibition of data as counter-performance. Therefore, the provision may also be interpreted as an appeal to contracting parties and courts to pay special intention to the voluntary nature of the consumer's consent when consent is given within the framework of a contractual relationship. The question is whether consent has been given freely. Factors that may support the voluntary nature of the consumer's consent are the existence of competing services, the non-essential or dispensable character of the service for the consumer, and the character of the service as recreational or professional etc. It would be simplistic to infer from the mere wish of a consumer to use a service or to be part of a social network to a coercion effect. 
The DSDC is mainly focussed on the consumer's rights and the supplier's obligations and leaves the consumer's duties in the realm of autonomous national contract law.  According to Article 5 DSDC, the supplier shall supply the digital content to (a) the consumer or (b) a “third party which operates a physical or virtual facility making the digital content available to the consumer or allowing the consumer to access it and which has been chosen by the consumer for receiving the digital content”.  Besides the fact that Art. 3 confirms the possibility to use data as counter-performance, the DSDC does not further specify the contractual obligations of the consumer in such a case.
This one-sided approach of the DSDC raises the question of whether one may construe a bilateral contractual relationship between the consumer and the service provider with personal data as counter-performance, which does not recognise any obligations of the consumers or contractual rights of the service provider. The answer must be found in light of two principle considerations. First, if one accepts data as an alternative “counter-performance”, one may hardly deny the contracting party to claim for that counter-performance. Any other interpretation would neglect the fact that the service provider supplies the digital contents in exchange for the data and vice versa. Second, the binding effect of such a contract cannot undermine the right of the consumer to revoke his consent at any time. The duty of the consumer is therefore limited by the consumer's right to withdraw the consent at any moment. Nonetheless, this limitation does not change the correlation between the rights and duties of the supplier and the consumer. The supplier provides its service in exchange for the consumer's data even if his consent is revocable. “Synallagmatic contracts” with a right for one party to withdraw its consent are not unknown to the traditional contract law theory, at least in Germany. 
Another question concerns accuracy and updating of personal data. Terms and conditions of typical platforms oblige the user to submit correct data and changes to the data, examples are Xing (“The user is obliged (a) to provide only true and non-misleading statements along with its real name, and to refrain from using pseudonyms or pen names …”)  , Facebook (“Facebook users provide their real names and information, and we need your help to keep it that way. Here are some commitments you make to us relating to registering and maintaining the security of your account…”)  or Amazon (“You are responsible for ensuring that the details you provide us with are correct and complete, and for informing us of any changes to the information you have provided.”)  If the consumer, who submits data as counter-performance, may claim to be treated on equal footing as a paying customer, why then should the service provider not have the right to claim for such personal data as they could claim for the payment of the money consideration? It is the very nature of a contract to be bound by the promises given. Still, a duty to update the personal data without a respective request of the service provider should be assessed as being unfair in the sense of Art. 3 para. 1 of the Unfair Terms Directive. The average consumer does not read terms and conditions or privacy policies. If an update clause was valid, consumers would be in breach of contract without being aware of it. Services should therefore ask their customers from time to time for an update.
The consumer may immediately terminate the contract, if the service fails to supply, Art. 11, 13 DSDC.  In addition, the consumer may claim for damages in accordance with Art. 14 DSDC, which limits the damage claim to the “economic damage to the digital environment of the consumer”, a restriction which has been thoroughly criticised. 
By contrast, if the consumer fails to supply his data although he promised to, the service provider can only rely on national law. Under German law, the service provider may terminate the contract in accordance with section 323 German Civil Code. Moreover, the service provider may claim for damages on the basis of section 281 German Civil Code. Both remedies require that the supplier has specified, without result, an additional period for performance or cure. To award damages under section 281 German Civil Code is only consequent given the fact that the supplier has fulfilled his own contractual obligations but has not received the promised counter-performance. Such a claim for damages again raises the question how courts should assess the value of a concrete data set of a consumer. 
Lack of conformity of the digital content, as defined by Art. 6 DSDC  , leads to the remedies specified in Art. 12, 13 DSDC. The service provider must bring the digital content into conformity, otherwise the rules on termination and damages may be applied.
By contrast, if the submitted data is incomplete or incorrect, the national contract law principles on non-conformity apply. The German Civil Code provides different remedies for cases of non-conformity depending of the nature of the contract, especially for sale, service, and lease contracts. Contracts on the submission of personal data are not regulated in German contract law so far. One obvious solution would be to apply the principles that have been developed for license contracts. Courts and commentators agree that license contracts should be treated analogous to the provisions on lease contracts with regard to the issue of non-conformity.  The service provider could claim for the submission of correct data, section 535 German Civil Code, for a restitution of the value of its own performance (instead of a rent reduction, section 536), for damages, section 536a, and for the termination of the contract in accordance with section 543 German Civil Code.
The DSDC provides detailed rules for the right of the consumer to terminate the contract, whereas it remains silent on the termination right of the supplier.
Where the supplier has failed to supply the digital content in accordance with Art. 5, the consumer is entitled to immediately terminate the contract in accordance with Art. 11 and 13.  If the digital content has been supplied but is not in conformity with the contract, the consumer may terminate the contract under the conditions of Art. 12 para. 3. Long term contracts may be terminated any time after the expiration of the first 12 months, Art. 16 DSDC.
The effects of the termination of the contract in case of data as counter-performance are provided for in Art. 13 and 16 DSDC. Art. 13 para. 2 lit. b) provides that the supplier shall take all measures “which could be expected in order to refrain from the use of the counter-performance other than money which the consumer has provided in exchange for the digital content and any other data collected by the supplier in relation to the supply of the digital content including any content provided by the consumer (...)”. Other duties of the supplier in case of termination concern the portability of data and user generated content retained by the supplier, Art. 13 para. 2 lit. c).  Art. 16 para. 4 provides similar rules for the termination of long-term contracts. What is not provided for in the DSDC is a claim for restitution of the profits made by the supplier based on the consumer's data before termination. However, given the full-harmonisation approach of the DSDC, it seems hardly conceivable to refer to national law for such a claim.
The right of the supplier to terminate the contract is left to national law. If German law is applicable, the supplier has a right to terminate the contract in accordance with sections 323, 535 et seq. German Civil Code if the consumer fails to supply the promised data, or in case of a lack of conformity of the data as discussed in section 5 of this article. Such a termination has an effect ex post. This means that the consumer may be obliged to compensate the supplier for the use of digital content before the termination of the contract, see section 346 para. 1 and 2 German Civil Code. In addition, the supplier must have a right to terminate the contract without notice in application of section 543 para. 2 N° 1 German Civil Code, if the consumer withdraws its consent in the use of the data.  Such a termination only has effects on the future. For the time period in which the supplier could legally use the consumer's data, the supplier may not claim for compensation of the use of the digital content.
* By Prof. Dr. Axel Metzger, LL.M. (Harvard), Professor of Law, Humboldt-Universität zu Berlin.
 See, e.g., : “Sign Up. It’s free and always will be.”
 See e.g. Bräutigam MMR 2012, 635; Buchner DuD 2012, 39, 41; Rogosch, Die Einwilligung im Datenschutzrecht, 41.
 COM(2015) 634 final.
 Draft Report of the Committee on the Internal Market and Consumer Protection and of the Committee on Legal Affairs 7.11.2016, C8‑0394/2015 – 2015/0287(COD) drafted by MEPs Evelyne Gebhardt and Axel Voss.
 See European Law Institute, Statement on the European Commission's Proposed Directive on the Supply of Digital Content to Consumers, 15-16; Faust, Digitale Wirtschaft – Analoges Recht, Gutachten zum 71. Deutschen Juristentag, 2016, A 18; Spindler MMR 2016, 147, 149-150.
 But see Härting CR 2016, 735-740.
 The parties may choose the applicable law according to Art. 3 Rome I based on the service terms and conditions. However such a choice may not deprive the consumer from the protection afforded to him by the law of his habitual residence under the conditions of Art. 6 para. 1, 2 Rome I.
 See e.g. the terms and conditions of , de-de.facebook.com/terms, .
 See DIVSI, Daten – Ware und Währung, Hamburg 2014, , 16.
 See e.g. LG Frankfurt am Main CR 2006, 729, 731.
 See Bräutigam MMR 2012, 635, 637; Jandt/Roßnagel MMR 2011, 637, 639-640.
 Compare Faust, Digitale Wirtschaft – Analoges Recht, Gutachten zum 71. Deutschen Juristentag, 2016, 8 et seq.
 See Metzger AcP 2016, 817, 839-840 for German law.
 Reliable economic data on the value of a set of personal data is not available yet. Facebook's price paid for WhatsApp is often cited as a proxy: 55 $ per user, see . Other criteria may be taken from the pricing mechanism of services like datacoup.com who offer to pay money for the use of personal data. From the German legal academic literature see Schwartmann/Hentsch PING 2016, 117, 125, who value the data set of car from a three years lease contract at 1.500-2.000 €. See also Wandtke MMR 2017, 6.
 “In accordance with Council Directive 93/13/EEC a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms.”
 See Art. 6 para. 1 lit. a): “1. Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes (…).”
 Faure/Luth Journal of Consumer Policy 34 (2011) 337–358.
 See Adams, Ökonomische Analyse des Gesetzes zur Regelung des Rechts der Allgemeinen Geschäftsbedingungen (AGB-Gesetz), in Neumann (ed.), Ansprüche, Eigentums- und Verfügungsrechte, 1983, 655, 664; Basedow in Münchener Kommentar zum BGB, 7th ed., 2016, Vorbemerkung zu § 305, N° 4-5; Beimowski, Zur ökonomischen Analyse Allgemeiner Geschäftsbedingungen, 1989, 15.
 See also the very restrictive language in Recital 43 GDPR: “Consent is presumed not to be freely given (…) if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.”
 See also Frenzel in Paal/Pauly (ed.), Datenschutz-Grundverordnung, 2017, Art. 7, N° 18-21; Plath, BDSG/DSGVO, 2016, Art. 7, N° 14-16; Schantz NJW 2016, 1841, 1845. Compare also the more restrictive interpretation by Albrecht CR 2016, 88, 91.
 Recital 10.
 See Art. 5 DSDC.
 See, e.g., Westermann in Erman (found.), Bürgerliches Gesetzbuch, 14th ed., 2014, Vor § 320, N° 5 et seq.
 See the critical comment of the European Law Institute, Statement on the European Commission's Proposed Directive on the Supply of Digital Content to Consumers, 27-28 for cases in which a digital product is developed to the consumer's specification.
 European Law Institute, Statement on the European Commission's Proposed Directive on the Supply of Digital Content to Consumers, 32; Spindler MMR 2016, 219, 222.
 Supra Fn. 14.
 See the deviating concept of conformity in the Draft Report of the Committee on the Internal Market and Consumer Protection and of the Committee on Legal Affairs 7.11.2016, C8‑0394/2015 – 2015/0287(COD) drafted by MEPs Evelyne Gebhardt and Axel Voss.
 BGH GRUR 2006, 435; see also BGH CR 2007, 75 f.; Hoeren, IT-Vertragsrecht, 2nd ed., 2012, 251 ff.; Marly, Praxishandbuch Softwarerecht, 6th ed., 2014, N° 752 et seq.
 But see supra Fn. 28.
 The portability provision must be read in context with Art. 20 GDPR. See the contribution of Janal in this issue of JIPITEC; see also Spindler MMR 2016, 219, 221-222.
 See also Buchner, Informationelle Selbstbestimmung im Privatrecht, 2006, 272 et seq.; Langhanke/Schmidt-Kessel EuCML 2015, 218, 222; Rogosch, Die Einwilligung im Datenschutzrecht, 2013, 137.
Fulltext as PDF. ( Size 210.5 kB )
Any party may pass on this Work by electronic means and make it available for download under the terms and conditions of the Digital Peer Publishing License. The text of the license may be accessed and retrieved at http://www.dipp.nrw.de/lizenzen/dppl/dppl/DPPL_v2_en_06-2004.html.