I.

The smartphone is now not only the memory and companion of day-to-day activities, but also the main object for datafication of everyday life. It feels like there is an application for every problem in our daily lives, which leads to a large number of installed apps. Most of the apps are free of charge—but at what cost? Usage data is regularly analyzed and sooner or later exploited. Even if the exact value of one's own (personal) data is debatable, it remains obvious when looking at microtargeting and real-time bidding in the advertising sector that free applications are being financed by the usage data or entered data of the users. Knüppel's work—“Data Financed Apps As a Matter of Data Protection Law”—is devoted to a classification of such applications in the applicable data protection law from a legal perspective.

The analysis is divided into three parts. Part 1 defines basic terms such as the property of data financing, followed by a detailed discussion of data protection law de lege lata and the classification of data-financed apps in Part 2. Part 3 then takes a look at the conclusions from Part 2 and develops them into reform ideas de lege ferenda.

II.

Accordingly, Chapter 1 introduces the methodology and course of the analysis. The existence of the thesis is justified by the fact that there is a lack of consideration of data-financed apps from different perspectives; previous works have only dealt with the topic sporadically. Thus, to a certain extent, the thesis or the editor aims at a meta-analysis of the topic area. Chapter 2 is dedicated to the definition of data-financed services by presenting the process of data financing with examples. This type of financing is dissected based on the value of the data and a legal description of the value in the Digital Content Directive (EU) 2019/770.

Methodologically, the procedure seems comprehensible. The chapter sets the foundation for the further investigation and is intended to introduce readers to the author's understanding of the term. However, it is problematic that the author biases the conceptual definition with his premise: Data is money. For the author, both terms seem almost synonymous, which can be seen in several places in chapter 2. According to the author, the quantity and coding of the data are not relevant; what matters is the content alone (p. 40). This concept overlooks the fact that it is certainly of value for the evaluation whether the data are enriched or simple. Also, whether the information is encrypted can have an impact when trading data. Why individual personal data should have “no separate value” (p. 41) is similarly not clear. These characteristics are relevant at least for the risk assessment in the sense of the risk-based approach of the GDPR, making it interesting to draw a parallel here.

Furthermore, the author attempts to scale possible data protection risks on the basis of his own categories or to prepare them for further investigation. Yet this, too, is only moderately successful and rather superficial. Knüppel apparently tries to separate “free” models from freemium models or even paid applications by means of a clear categorization and a binary approach. In the context of the thesis, data-financed offerings are exclusively applications that “require registration or some other form of personalization” (p. 38). Therefore, he excludes applications without a collection of user data (p. 39). In this way, the author thinks predominantly in binary terms—every free app is a data-funded app, and vice versa. Border cases such as the freemium model, which switches advertising in free mode or is intended to persuade users to buy the upgrade, are omitted by the author. The paid model is also omitted, as the author assumes that every application with a monetary counter value also covers all development and maintenance costs. In practice, however, this already proves to be a misguided approach when the change from one-time financing to the subscription or freemium model tends to increase and successively displaces the one-time payment. In addition, there is the deficient indication that registration is always required: According to the author, the data is of particular relevance when using a search engine (p. 43). However, this regularly functions without registration, so it would not be a “data-financed offer”. If other criteria in the chapter are taken into account, such as the type of collection and use, the correlation with Big Data, and the profiling by means of cookies or other identifying parameters, it is precisely such an application in the sense of the doctoral thesis. It is completely incomprehensible why the author does not take the opportunity to confront his thesis of data funding with the Commission's elaborated view in the Digital Content Directive. The author merely states that, according to the Directive, data cannot be equated with money; it is protected by fundamental rights and thus cannot be regarded as a commodity (p. 56). Without criticism, the author continues to adopt and apply his term. Why the Directive assumes that personal data are now “made available” seems not clear to the author. The reason for this is that a few pages earlier, the problem of freedom from costs at the level of awareness of the users is only touched upon. A provision includes that users provide the data voluntarily and self-determined; this presupposes an action in knowledge. Simply treating data as money would neglect the core of human dignity of informational self-determination. Similarly, the European legislator seeks to avoid this (see also Buttarelli, Opinion 4/2017, pp. 3, 6). Chapter 2 thus moves on the surface in terms of content without addressing problematic cornerstones of its own definition. This seems understandable, because otherwise the framework of the work would fall apart. Nevertheless, the definition seems unstable in this respect.

Chapter 3 is primarily concerned with a civil law classification in order to highlight the special features of data-financed apps. The main focus is on the constellation in the triangular relationship between user, app store, and app manufacturer/developer. It is shown that the users regularly conclude the contract with the developers or companies; the respective store is only an intermediary that acts as a commercial agent. This seems to make sense insofar as this could be relevant for the assessment as jointly responsible persons or processors. Nevertheless, the comments on the TMG are not purposeful; references to the TTDSG should have been made sub specie after a classification in the construct of the GDPR. The rejection of the DSA seems reasonable; for the sake of completeness, the DGA could also have been excluded—app stores are not to be understood as intermediary services as defined by the DGA, after all.

Chapter 4, with its rather illustrative nature, introduces Part 2 of the thesis and provides an overview of constitutional or primary as well as secondary data protection law. In addition to the aforementioned detailed overview, the author presents which fundamental rights apply to data processors, i.e., Big Data analysts. In the abstract, he concludes that entrepreneurial freedoms such as fundamental communication rights, in addition to the subsidiary freedom of action, can be considered under both national and Union law. These conclusions are then anchored in a consideration of the constitutional court's assessment through the Right to be Forgotten I and II decisions. The author concludes that the economic and data protection interests are diametrically opposed. This would be reinforced by the privacy paradox.

In chapters 5 and 6, the author focuses on the basic requirements for data processing under the GDPR. Chapter 5 is therefore addressed to the general data protection principles of Article 5 GDPR and applies them steadily to the subject of the analysis: data-financed services. The approach appears differentiated overall, but remains substantively on the surface. The conclusion that there is a close connection between the degree of complexity of data processing and compliance with data protection principles, which becomes more difficult with increasing complexity, follows almost logically from the risk-based approach of the GDPR. Indeed, the author is able to illustrate this in a predominantly comprehensible manner using the object of investigation. In some cases, however, the author draws hasty conclusions. If a processing is incompatible with the purpose of collection, this cannot steadily lead to a change of purpose; if only because it is not intended for all cases according to Article 6(4) of the GDPR, but only for certain purposes or processing bases of Article 6(1) of the GDPR. Similarly, a steadily assumed nexus between Big Data and data-funded offerings runs through the work. According to the author, the broad concept of data-financed offerings includes both non-personal and personal data. Big Data—especially the aspect of marketing purposes, which is often used in the thesis—refers to personal data for the purpose of microtargeting or similar methods that lead to real-time bidding. The author does not see the conclusion that not every data-financed app is part of Big Data and that, as a result, it is not necessary to constantly draw on Big Data. Further, he overlooks the scope of the definition of Big Data by excluding statistical purposes—whereas the cited BITKOM already includes these purposes in 2015. Thus, the chapter predominantly presents itself as a summary of existing teachings and content on the principles of the GDPR.

As mentioned, chapter 6 analyzes the usual legal bases for data-financed offers—namely the contractual basis of Article 6(1)(b) GDPR, the legitimate interest of lit. f and, to a large extent, the consent of lit. a. The contractual basis of Article 6(1)(b) GDPR is the only legal basis for data-financed offers. In this context, Knüppel comes to the conclusion that the contractual basis represents a narrow synallagma, since the necessity of the data processing for the fulfillment of the contract ties the framework tightly. Data financing arising from advertising use or the analysis of personality profiles would therefore not be permissible as a direct obligation to perform in order to receive the app use as a service in return. If making the app available free of charge always specified or presupposed the type of service in the form of the data, the necessity principle of Article 6(1)(b) GDPR would be undermined. In terms of content, the contractual use of personal data could relate exclusively to the scope of functions (p. 229). It is fundamentally easier to base data financing on legitimate interests pursuant to Article 6(1)(f) of the GDPR. However, in Knüppel's view, the comprehensive weighing of interests in individual cases leads to a similar result: personal data must be limited to the functional scope for business reasons and in consideration of informational self-determination. For long-term storage, subsequent use or disclosure to third parties, a case-by-case assessment is required, in which the impairment via collection or processing may only be of minor extent. Interestingly, Knüppel brings up informed consent as a subsidiary instrument and examines the justification ground after analyzing potential legitimate interests. In doing so, he recurs to the possible breadth of the object of consent and the independence from a case-by-case examination as in the context of Article 6(1)(f) GDPR. Accordingly, the details of consent (i.e., voluntariness, informedness, etc.) and possible problems due to revocability or in GTC-like data protection declarations are introduced and commented on in detail. In the context of the prohibition of tying, the author concludes, after a detailed analysis of the state of the dispute, to understand the necessity of Art. 7(4) more broadly in terms of content than that of Art. 6(1)(b) GDPR. According to Knüppel, a performance with a contractual character in a consent situation should therefore have a relation to the subject matter of consent to the main performance obligation or consideration (pp. 272, 273). According to this, data financing is possible as a main performance in exchange for consideration; the concepts of necessity for contract and consent are not to be equated (p. 276). In a classic free app situation, however, this conclusion does not seem entirely mature: if the user and the manufacturer of a free app conclude a usage contract, this is probably to be classified as a contract according to lit. b. Knüppel presumes that this is not the case. Rarely—as Knüppel correctly recognizes in the analysis of data protection declarations—will a declaration identify data utilization as a performance. Consent is mostly given later, during or with the start of use, and is located in declarations as a secondary purpose or without a direct link between performance (based on consent) and consideration. Thus, the advertising use and the contractually based exchange of the app are adjacent or superimposed. The two justifications start to blur and it is hardly possible to differentiate. This supports Knüppel's view that, with a view to Section 327q (2) of the German Civil Code (BGB) as the implementation of Directive EU 2019/770, the app manufacturer's obligation to perform also ceases to apply when consent is revoked. Thus, Knüppel elevates the consent relationship to a quasi-synallagma. Justification via consent is thus clearly to be read in a liberal context in the context of the thesis.

Part 2 concludes with a presentation of problems arising from the cross-border data processing of data-financed apps, which could occur in all variants of the categories of apps listed by Knüppel. Materially, the legal requirements and the consequences of the Schrems II decision are presented in detail. However, with respect to the subject matter of the study, there are no notable differences from the details of the decision.

The previously rather general chapters on general concepts in data privacy law and a classification of data-funded apps de lege lata are followed by a consideration de lege ferenda. Chapter 8 deals in detail with maintaining the existing level of data protection despite the liberal view taken in the thesis. To this end, legislative as well as practical measures are proposed: one possibility would be to contrast the data-financed usage models with a monetary and collection-free model (p. 348 ff). Even though the author does not name the term, he refers to existing freemium models in terms of the basic idea. Whether this is more likely to be solved by a direct (objective) obligation of the manufacturers or a subjective claim of the users against the manufacturer is left open. However, regulatory implementation seems to be difficult, among other things, and tends to be rejected because it would generate an increasing effort in programming (“considerable additional costs”, p. 358). Small and medium-sized companies and app manufacturers would not be able to cope with this (p. 355). Then, however, the question would also have to be asked whether the app manufacturer of the data-financed application did not deliberately overlook the technical reading of data minimization or storage limitation from the very beginning. In addition, the argument of the size of the company hardly holds water, also in view of current plans of the European Union—in such cases, exemptions for small and medium-sized companies are regularly provided for. Knüppel sees the strengthening of transparency as a further point of contact de lege ferenda. It is true that suitable means and approaches are available with the multi-layer approach and mouseover effects. The discussed one-pager solution therefore also seems plausible. In addition, however, explanations could be provided with image icons that pick up on the regulation of Article 12(7) GDPR. Various proposals (e.g., EU Parliament, PrimeLife research project) are discussed in detail. As a result, both the picture symbols and structural solution approaches can only be a tool and make existing information obligations from Articles 13 and 14 GDPR more accessible. The fundamental challenge of directing and maintaining awareness to the information remains.

III.

Knüppel succeeds in creating an overview for the data protection law consideration of data-financed apps. The reader is then provided with a mental map for the regulations de lege lata, which, however, leaves “white spots” in view of the discussion points mentioned. The potential for more in-depth coverage could be exploited by further work, especially in the consideration de lege ferenda.

*by Oliver Vettermann, Scientific Co-Worker, FIZ Karlsruhe, Intellectual property rights in distributed information infrastructures