Italy introduces law regulating data monetisation and digital contracts
A recently enacted law in Italy expressly states that personal data can be traded to receive digital content and services.
Legislative Decree no. 173 of 2021 (the "Decree") amended the Consumer Code (Legislative Decree no. 206 of 2005) in implementation of Directive (EU) 2019/770 by introducing a set of articles – namely, from Article 135-octies to Article 135-vicies ter – in force from 1 January 2022 concerning contracts for the supply of digital content and services.
In this context, the newly introduced Chapter I bis recognises that consumers' personal data can be used to trade digital content and services and it extends consumer protection to contracts for such content and services (e.g. clauses guaranteeing the conformity of the good to the contract, prescriptions regarding remedies in the event of defect of conformity or lack of supply). The Decree does not, however, regulate the privacy aspects of the contracts or the lawfulness of the processing of personal data.
For the first time in an Italian legislative act, data is recognised as a sort of 'currency'. Following a number of consistent decisions handed down by privacy and competition authorities, as well as administrative courts, which have elaborated the notion of "data monetisation", the Decree regulates the contract based on the exchange of digital contents for consumer data.
More specifically, the Decree applies to contracts for the supply of:
- digital content, defined as "data produced and provided in digital format" (e.g. music files, digital games, e-books) and
- digital services, including either "a service that enables the consumer to create, transform, store, or access data digitally [or] a service that enables the sharing of data in digital form, uploaded or created by the owner and other users of such service, or any other interaction with such data" (e.g. video and audio sharing, social media) ("Digital Contracts").
The Decree applies to Digital Contracts when the parties involved are, on the one hand, the consumer and, on the other hand, a "Trader", i.e. "any natural or legal person, irrespective of whether privately or publicly owned, that is acting, including through any other person acting in that natural or legal person's name or on that person's behalf, for purposes relating to that person's trade, business, craft, or profession, in relation to contracts covered by this Chapter, including the platform provider if acting for purposes relating to that person's activity and as consumer contractual counterparty for the provision of digital content or digital services".
Pursuant to the Decree, consumer rights and the Trader's obligations in Digital Contracts are the same as those accorded by ordinary law on consumer rights, including the subjective and objective requirements for the conformity of the digital services or contents to contractual requirements and market standards. Under the Decree, the objective requirements of the goods in the case of Digital Contracts mainly involve the service/content complying with the market, technical and security standards that consumers may reasonably expect and that are normal given the nature of such service or content.
However, one of the most notable aspects of the Decree is the fact that it incorporates, as an essential part of the subject matter of Digital Contracts, the provision of personal data in order to obtain digital content or services. In other words, personal data is treated as a contractual asset rather than from a privacy perspective (and, in fact, no amendments to the GDPR or Italian privacy law are provided for by the Decree). And the intersection between this approach and the "ordinary" data protection rules leaves a large number of unresolved issues.
Indeed, it is not clear which personal data fall within its scope since, by way of example, special categories of personal data are not explicitly excluded. Moreover, the legal basis for processing personal data seems to be the performance of the agreement, but this is not clearly stated by the Decree and, according to certain scholars, it would be more appropriate to obtain the consent of the data subject. The onerous transfer of data does indeed create an information asymmetry to the detriment of the consumer, who is not fully aware of the actual value of its personal data.