As a response to the growing challenges of the modern data economy, the General Data Protection Regulation (GDPR) provides an advanced level of protection of the privacy interests of persons living in the EU. Yet the legal challenges of the digital economy cannot be reduced to a conflict between the economic interests of firms and the privacy interests of citizens. Internet platforms operators as well as manufacturers of connected (‘smart’) devices also provide users with new and innovative digital services that often build and depend on the processing of a large amount of personal and non-personal data collected from the users. This has given rise to a series of new legal issues that go beyond classical data protection rules, such as whether the provision of data should be considered a counter-performance in the framework of EU consumer contract law, whether there is a need for recognizing a new data ownership right and whether the legislature should adopt new rules on data portability and data access to guarantee open and competitive markets in the digital sector. With a particular focus on the question of whether such rules should be limited to personal data, this article discusses these issues against the backdrop of a comprehensive regulatory theory that integrates the personality interests of data subjects as well as broader public interest grounds as objectives that need to be taken account of in addition to the classical economic objectives of guaranteeing functioning competitive markets and enhancing innovation. While this article rejects the logic that the legislature should feel obliged to recognise an economic data ownership right of the data subjects in ‘their’ data, it argues in favour of extending the application of consumer contract rules as well data portability and data access rules to also include non-personal data. In sum, the model advocated here is one of coexistence of a generally applicable data economy law, which will have to be spelled out in more detailed, often sector-specific rules, on the one hand, and strong protection of the privacy interests in personal data under the rules of the GDPR, on the other hand.
Also published as: Max Planck Institute for Innovation & Competition Research Paper No. 18-23