Browsing by Subject "data protection"

Health apps that are used by individuals in multiple ways to improve their health and wellbeing are promoted as empowering the individual to control their health. Their increasing use means that they also gather more data concerning the health of the users. This data could be used for research or other public interest purposes, but its availability for secondary use is limited. In the EU there is also political interest to both increase availability of personal data in the inner market, as well as facilitate the use of eHealth solutions, including health apps. In this thesis, I will use legal dogmatics as a method to analyse how health apps could be used to gather data for public interest purposes. I look at what type of data is gathered by the health apps and why it is useful, how the GDPR sets criteria for the gathering of data through the apps and it’s secondary use, and how in special cases of research and other public interests, the rights of the data subject can be derogated. I will also compare this to the planned regulatory framework for data sharing, of the proposal for the Data Governance Act has been published. The main conclusion of the thesis is that that the framework for processing data for public interest purposes does not, in most cases, suit either gathering data by health apps, or secondary use of this data. This is both because the public interest as a processing basis needs to be based on law and needs to be balanced similar to a limitation of fundamental rights in the Charter of Fundamental Rights of the European Union. This approach would in most cases be too heavy for this purpose. Instead, the processing is mainly possible on a consent basis. This could, even with the possibility of easier mechanisms for data sharing through data altruism organisations, affect the quality of the data gained, as the willingness to share data – and to even use a health app - vary between different demographic groups.

The purpose of the thesis is to assess the compatibility of the business model of providing free online services in exchange for processing of the personal data for advertising purposes, in particular for the Online Behavioural Advertising purpose, with the GDPR. Online Behavioural Advertising is a main way through which the free online services are funded. At the same time large-scale personal data collection and intrusive profiling, the controllers engage into pose significant risks for the rights of the data subjects. Empirical findings show that the companies using such business model oftentimes collect large amount of personal data in violation of GDPR. In addition, the researchers highlight the power asymmetries between the large online platform and the data subjects. Therefore, whether such a business model is compatible with the GDPR from legal perspective is of a particular importance. The first part of the thesis focuses on the lawfulness of the existing data collection practices in the context of the business model in question. The second part of the thesis discusses the profiling and data sharing in the context of such model and the third part focuses on the principles of the data protection by design and by default. The mentioned legal provisions are analysed with the focus on their compatibility with the business model in question. The research found that the business model seems to be compatible with the GDPR in a sense that it is in principle possible to comply with its requirements for the controllers. Such a compliance however would likely lead to a decrease in revenue for the controllers who relied on unsuitable legal basis or who manipulated users into giving away more PD. At the same time such a compliance still would not give the effective protection to the data subjects’ rights due to the lack of more explicit, precise and specific rules in GDPR.

Data is the fuel of the digital economy and has become vital for innovation and consumer targeting. Data use is therefore also becoming a central factor for the competitiveness of markets. The increased processing of personal data has prompted a response from the EU legislators to improve the right of individuals to control their data through data protection rules. Now, it has been called for considering the of role competition law in striking down market conduct that reduces the users’ privacy. The question has been brought up in the Facebook case by the German Federal Cartel Office, and has accordingly become an issue EU competition law cannot ignore. Therefore, this thesis will examine to what extent the imposition of user terms that are disadvantageous to the end user’s privacy or breach of data protection rules can be considered an abuse of dominance under competition law. This will be done through a critical analysis of the Facebook decision, and an examination of the possibilities for similar conduct to be considered abusive according to Article 102 TFEU. Chapter 2 explains central factual and economic concepts that contribute to understanding how competition works in data-driven markets. First, Big Data is defined based on its central characteristics. This establishes data’s importance for digital markets. Secondly, economic concepts such as network effect, switching costs and economies of scale that typically occur in these markets, are examined. Finally, the chapter presents the legal notion of abuse of dominance under German and EU competition law, and the general concept of data protection law in the EU. This provides the foundation for the further analysis. Chapter 3 provides an overview of the Facebook decision and proceeds with a critical analysis. The Federal Cartel Office found Facebook’s data processing policy to violate data protection rules and to constitute an abuse of a dominant position. Members of the social networking platform had to agree to the collecting of data from outside of Facebook and merging it with the user profile. In particular, two aspects of the decision call for examination. First, the geographical scope of Facebook was found to be national, which means that German, and not EU, competition law was to be applied. Ensuring the national competition authority to be competent to investigate the case, this thesis questions whether the scope should have been wider. Secondly, relying on a breach of data protection law to establish an abuse is novel. As the case law on exploitative abuses is limited, a critical evaluation is done of the reasoning to assess the decision’s value in this regard. Chapter 4 examines the possibility for the imposition of contractual terms that decrease the user’s privacy to constitute an abuse of dominant position under Article 102 TFEU. This is done through first drawing up guidelines based on the relevant case law on exploitative abuses, which identifies a proportionality test for unfair trading terms. Further, the possibilities for relying on the breach of other legal provisions, in particular data protection rules, in the abuse analysis is explored. The analysis concludes that such practices can constitute unfair trading conditions and therefore be an abuse of dominance. However, the analysis heavily relies on the facts of the case where the objects and benefits of contract terms imposing data processing is central in the assessment of proportionality. The second part of the chapter considers potential issues of applying competition law parallel with data protection law. Especially, it focuses on how the principles of ne bis in idem and rule of law can be safeguarded. Chapter 5 explores the intersection between competition, consumer and data protection law and asks if competition law is a suitable tool to pursue data protection goals. The similarities and differences between the three legal fields are considered, as well as experiences with conduct similar to that of Facebook in Germany in other jurisdictions. The thesis then considers the role of EU competition law de lege ferenda for such behaviour. It is argued that a holistic approach to violations of data protection rights or similar reduction of privacy through contractual terms is necessary, and that competition law should not distance itself from these issues. It is concluded that competition law can play an important role, but it must be evaluated on a case-by-case basis whether competition law is the suitable legal tool for intervention. The thesis concludes that practices similar to that of Facebook can be considered to constitute an abuse of dominance under Article 102 TFEU. However, caution must be exercised based on the facts, to determine whether it should be applied in the case at hand. This way, competition law can contribute to creating a holistic approach to the issues arising in the market due to data protection issues.