The EU policy of the Digital Single Market promotes the free circulation of data to develop the “data economy”; considering this, it is necessary to examine “how” data circulate, or in other words whether data can be the subject of contractual counter-performance.
The question is: can the authorisation to process personal data given by the data subject be the consideration for a good or a service?
The subject is widely debated today.
With Directives 770/2019, 771/2019, and 2161/2019, the European Union responds in the affirmative, explicitly stating that citizens may authorise the processing of their data as payment for the use of digital content or a digital service.
The acknowledgment of the transfer of personal data and the authorisation to process them for commercial purposes, therefore, become a “contractual counter-performance”, as well as with the payment of money, so much so that the user who has “paid” by allowing access to his personal data, according to EU Directive 2019/770, may activate all the remedies provided for by the consumer discipline in the event of non-delivery or defect of the service or digital content, such as, for example, withdrawal, price reduction, compensation.
We, therefore, speak of “personal data contracts”.
The question then arises as to which Italian Civil law rules may be deemed applicable to such contracts.
At first glance, it appears that none of the known institutions of Italian Civil law are entirely adequate to regulate the data contract.
Not the sale (Art. 1470 Italian Civil Code: “A sale is a contract for the transfer of ownership of a thing or the transfer of another right in return for a price”) nor a service contract (Art. 1655 Italian Civil Code: “A contract is a contract whereby one party assumes, with the organisation of the necessary means and with management at its own risk, the performance of a work or service for monetary consideration”); both contractual institutions in the definitions of both the Civil Code and the Italian Consumer Code provide for the payment of a price.
European legislation, on the contrary, expressly excludes the commodification of data: indeed, EU Dir. 770/2019 states “In addition to fully recognising that the protection of personal data is a fundamental right and that such data cannot, therefore, be regarded as a commodity, this Directive should ensure that consumers are entitled to contractual remedies, within the framework of such business models”. This provision precludes considering the transfer of data as a “price” and thus applying the institution of sale or service contract.
Also, the exchange is defined by the Italian Civil Code in Art. 1552 as “the contract that has as its object the mutual transfer of ownership of things or other rights, from one contracting party to another”, does not appear to be entirely suitable to regulate the data contract; the user, in fact, in data contracts does not transfer the ownership of his personal data but rather allows its access and processing to the other contracting party.
One may therefore think of an “atypical contract”, i.e. a contract that does not belong to a specific case but is nevertheless intended to realise interests worthy of protection according to the legal system.
Especially because this is an atypical contract, it seems relevant (both for reasons of transparency and for reasons of legal value) that the contract itself be comprehensively regulated in the General Terms and Conditions that the digital service provider will submit to the user, keeping two concepts in mind