When firms promote their on-line providers as ‘free’ whereas gathering and commercially exploiting client information, ought to such promoting be thought of as deceptive below European client legislation? In September 2025, Germany’s highest jurisdiction in civil issues, the Bundesgerichtshof (BGH), stayed its proceedings and referred this query on the interpretation of the 2005 Unfair Business Practices Directive to the CJEU.
At first look, it would look like a trivial and slender query. This weblog put up, nevertheless, contextualises and explores the broader significance of the referral – each for the European client legislation framework and for the EU’s ambiguous and, at instances, incoherent strategy to the regulation of the information financial system. Whereas people are protected via the elemental proper to information safety (Article 8 CFREU) which rejects the commodification of private information, the European authorized order should concurrently deal with the financial actuality that firms derive substantial worth from the industrial exploitation of client information.
Contradictions within the EU’s regulatory strategy to the information financial system have turn out to be more and more obvious for the reason that regulation of information is now not confined to the European information safety framework however extends throughout a number of authorized domains, together with client legislation. Whereas client and information safety legislation would possibly look like a pure slot in collectively safeguarding customers on-line, this weblog put up explains why their relationship is much from easy. To this date, EU client legislation provides little steering on the way it interacts with the regulation of client information whereas being ‘with out prejudice’ to European information safety legislation.
Moreover, this put up outlines doable outcomes of the BGH referral and the way the CJEU would possibly convey better readability. In the end, nevertheless, it argues that the Court docket’s judicial activism can solely go thus far in untangling this regulatory quagmire, and that real coherence requires a legislative replace of the European client legislation acquis, which stays firmly rooted within the analogue period.
Paying with Shopper Information and the Ambiguous Relationship between European Shopper and Information Safety Legislation
Over the previous 10 years, students have more and more argued that an built-in strategy from information and client safety legislation could be important to manage the digital financial system, providing extra full safety in trendy markets. But, as much as today, their relationship stays ambiguous. This ambiguity largely stems from their divergent rationales: European information safety legislation, grounded in basic rights, focuses on the honest processing of private information, whereas European client legislation primarily safeguards customers’ financial pursuits and ensures honest market transactions. Though each intention to deal with energy imbalances between events, their targets don’t essentially align.
For a very long time, their completely different rationales had been of no concern. The regulation of information was confined to European information safety legislation, whereas European client legislation was strongly rooted in and confined to the analogue world. Core devices such because the 1993 Unfair Contract Phrases Directive and the 2005 Unfair Business Practices Directive weren’t designed to guard customers in digital markets. With the rise of Large Information and the belief that supposedly ‘free’ on-line providers extract vital industrial worth from consumer information, this disconnect grew to become inconceivable to disregard. Most famously, Zubhoff in her landmark guide on the Age of Surveillance Capitalism wrote how customers grew to become the objects ‘from which uncooked supplies are extracted and expropriated for Google’s prediction factories’. European client legislation and its give attention to analogue market transactions was clearly ill-equipped to deal with these new data-driven enterprise fashions.
When the European Fee introduced plans to adapt the EU client acquis to the digital age, its first initiative revealed how client and information safety legislation can not solely complement but in addition basically contradict one another. With a 2015 proposal, the Fee supposed to make sure that customers will not be solely protected once they pay for digital content material and providers with cash, but in addition when offering their information as ‘counter-performance’. The proposal thus supposed to overtly recognise private information as a type of cost – an idea basically at odds with the inalienable nature of the elemental proper to information safety. In response, the European Information Safety Supervisor strongly condemned the proposal, evaluating markets for private information with markets for reside human organs that ought to by no means obtain the blessing of laws. From an information safety perspective, private information shouldn’t be handled as a commodity, and the safety of basic rights shouldn’t be lowered to easy client pursuits. Complementarity actually sounds completely different.
The proposal ultimately was adopted because the 2019 Digital Content material and Providers Directive. As a substitute of utilizing the time period ‘counter-performance’, the Directive highlights that it applies to contracts the place compagnies supply digital providers, and customers present private information, awkwardly making an attempt to sidestep any accusation that it would recognise client information as a kind cost. A somewhat unsatisfactory resolution that fails to hide the Directive’s preliminary intent and, as a substitute, displays a continuity within the EU’s strategy to the regulation of the information financial system that ignores the elephant within the room, i.e. the strain between the elemental proper to information safety and the promotion of the information financial system. The 2019 Digital Content material Directive masks this rigidity behind declaratory statements comparable to ‘private information will not be a commodity’ and that it applies ‘with out prejudice’ to the GDPR. The primary EU client legislation instrument to explicitly handle the regulation of client information thus revealed how its market-transaction logic conflicts with the elemental rights logic underpinning EU information safety legislation — but it stopped wanting confronting and resolving these underlying tensions.
The Unfair Business Practices Directive and ‘Free’ Content material and Providers within the Digital Financial system
When firms promote their digital providers as free whereas extensively gathering and exploiting client information, ought to this increase issues below client or information safety legislation? From an information safety perspective that rejects any notion of ‘paying with information’, this promoting doesn’t appear problematic. But, below EU client legislation, and notably the 2005 Unfair Business Practices Directive, firms are prohibited from deceptive customers, together with by promoting merchandise as ‘free’ when customers should in actual fact pay (see Annex I, level 20). When Fb lengthy used the slogan ‘It’s free and all the time will probably be’ may that be deceptive below EU client legislation?
This query has divided authorities throughout Member States. In Italy, the competitors authority (AGCM) investigated Fb following complaints from client associations. Fb argued that client legislation didn’t apply, as solely information safety legislation as lex specialis ought to govern points associated to the regulation of private information. Referring to the European Information Safety Supervisor’s earlier assertion that non-public information will not be a commodity, Fb claimed that client legislation, with its give attention to market transactions, ought to be irrelevant in that context. An argument that was actually disingenuous, coming from an organization that constructed its wealth on the industrial exploitation of client information and sought to tailor its defence to the very contradictions throughout the EU’s regulatory framework.
The AGCM rejected Fb’s defence however didn’t ban the “free” slogan. It discovered the promoting deceptive not as a result of the service was labelled “free,” however as a result of customers weren’t knowledgeable that their information could be used for industrial functions past the social media service. Fb was due to this fact required so as to add extra data, to not withdraw the declare. The Italian Council of State confirmed this strategy in 2021.
In Germany, the same case was introduced by a client affiliation earlier than the Regional Court docket Berlin in 2018. Fb didn’t contest the applying of client legislation. In Germany, courts had already held in 2013 that Fb was actually not donating its providers to customers and that, accordingly, client legislation utilized. In contrast to the Italian competitors authority, nevertheless, the German Regional Court docket held that Fb’s promoting was not deceptive. It reasoned that the time period ‘price’ within the 2005 Unfair Business Practices Directive referred solely to financial or monetary burdens. The availability of private information, it argued, would solely have an effect on immaterial pursuits comparable to informational self-determination and may due to this fact fall outdoors the Directive’s scope. The ‘common client’ in accordance with the court docket, would perceive this distinction.
Seven years later, the case has now reached Germany’s highest civil court docket, the Bundesgerichtshof (BGH). The BGH questioned whether or not this interpretation was right. It doubted that it was apparent what the notion of ‘price’ covers and whether or not it would prolong to the disclosure and industrial exploitation of private information. The BGH famous that different EU devices explicitly refer to non-public information as de facto remuneration for digital communication providers comparable to WhatsApp (see recital 16 of the European Digital Communications Code) or, as could be the case within the above-mentioned 2019 Digital Content material Directive, regard the supply of private information as equal to financial funds. Towards this background, the BGH has now stayed the proceedings and referred the next query to the CJEU:
Does the time period ‘price’ throughout the which means of the 2005 Unfair Business Practices Directive cowl the disclosure and subsequent industrial exploitation of private information?
European Shopper Legislation’s Future Function in Regulating the Digital Financial system
How would possibly the CJEU determine? Three foremost eventualities appear doable.
First, the Court docket could observe the 2018 choice of the German Regional Court docket and maintain that the time period ‘price’ within the present type of the 2005 Unfair Business Practices Directive doesn’t prolong to conditions the place customers present entry to their information.
Second, it might disagree and discover that ‘price’ additionally covers cases the place customers consent to the gathering and use of their information however with out specifying the authorized penalties of such a broader interpretation. In that case, the ‘Italian possibility’ may prevail: firms should promote their providers as free offered they concurrently inform customers that their information will probably be for industrial functions.
Third, the Court docket could undertake the extra far-reaching view than each of the conclusions reached on the nationwide degree. It may discover that firms ought to be prohibited from advertising and marketing their providers as free the place private information constitutes a type of counter-performance.
From a client coverage perspective that strives in the direction of a ‘excessive degree of client safety’ within the Union, the final possibility could be essentially the most convincing. Because the German BGH has underlined in its reference to the CJEU, falsely promoting a product as ‘free’ is expressly prohibited below the 2005 Unfair Business Practices since ‘free’ provides have a very robust enchantment to customers. Moreover, describing providers as ‘free’ the place client information serves as counter-performance conceals the information’s financial worth and undermines knowledgeable client alternative. The answer required by the Italian authorities – merely including extra textual content to make clear a slogan that’s deceptive by itself – clearly doesn’t appear passable from a client safety perspective.
Importantly, prohibiting the usage of ‘free’ in such contexts wouldn’t quantity to legally recognising ‘paying with information’ or attaching to it the identical authorized penalties as financial funds. Any such recognition would, in actual fact, battle with the GDPR’s notion of freely given consent, which may be withdrawn at any time—in contrast to financial funds that, as soon as made, can’t be merely revoked in all instances. The intention could be to stop firms from deceptive customers concerning the financial actuality of data-driven enterprise fashions, to not absolutely equate the disclosure of private information with monetary transactions.
On the identical time, nevertheless, one could query whether or not such a extra in depth and consumer-friendly interpretation ought to emerge via judicial activism by the CJEU, or whether or not it’s for the European legislator to replace and make clear client legislation devices to the digital period. In its present kind, the 2005 Unfair Business Practices Directive makes no reference as to if and the way it applies to industrial practices involving the processing of client information, nor to its relationship with the European information safety framework. A legislative replace, nevertheless, may probably come within the not-too-distant future in type of the Digital Equity Act. The previous constitutes a response to the 2022 Health Verify on digital equity which examined three client legislation devices (together with the 2005 Unfair Business Practices Directive) and concluded that the present framework could be inadequate to make sure equity in digital markets and dangers shedding relevance with out reform.
It’s the Digital Equity Act which may present the long-awaited alternative to make clear how client legislation can stay efficient in defending customers within the digital sphere and the way it interacts with information safety legislation with regard to the regulation of client information. Such clarification ought to transcend the recurring components that client legislation applies ‘with out prejudice to the GDPR’. It ought to incorporate classes from the 2019 Digital Content material Directive (and different more moderen digital legal guidelines) which, past such declaratory statements, didn’t make clear the connection between client and information safety legislation and their contrasting cores. It ought to as a substitute articulate how distinct authorized regimes, one grounded within the safety of basic rights, the opposite in guaranteeing honest market transactions, can coherently function collectively within the regulation of client information. Information that’s, directly, protected as a basic proper and exploited as a industrial asset.
Delegating these inquiries to nationwide lawmakers or just leaving them unresolved inevitably leads to authorized fragmentation, as illustrated by the divergent approaches taken by the German and Italian authorities mentioned above. The BGH’s referral to the CJEU thus epitomises each the uncertainty and the contradictions embedded within the EU’s present strategy to regulating the information financial system. The longer term CJEU choice, although just one piece of the broader puzzle, could nonetheless turn out to be a constructing block in defining what a excessive degree of client safety means within the data-driven financial system—and in clarifying how European client legislation can meaningfully complement information safety legislation within the digital age.
Onntje Hinrichs is a researcher on the Legislation, Science, Expertise & Society (LSTS) Analysis Group on the Vrije Universiteit Brussel. In his analysis, he explores rising types of information governance and investigates how client legislation shapes the regulation of information.
![[CFP] The Legacy of the Big Bang EU Enlargement: Lessons Learned and Future Perspectives](https://i2.wp.com/assets.pubpub.org/dszqce38/favicon-61724872708457-01724931428186.png?w=350&resize=350,250&ssl=1)
