Big Data Misuse and European Contract Law

2.1 Contributing Factors to the Shift in the Balance

Earlier experiments have shown that having social media accounts has the potential to influence users emotionally and behaviourally.^[17] The mere combination of data and platform subscriptions has therefore already an influence over the user. This becomes even more apparent when considering the amount of personal data companies extract and process daily for commercial or R&D purposes. In one example, the average was estimated to be 1.7 megabytes of personal data per person each second, or around 143 gigabytes each day.^[18] A correlation between the amount and quality of information a company has and the success of its direct marketing already324 exists,^[19] and the same model naturally applies to big data-associated marketing and contracting.

The application of big data could also evoke trust from the user, as the cultural reputation of algorithmic calculations and recommendations entails the tendency to believe that these calculations are objective, devoid of bias, noise and failures of human intervention.^[20] Such misplaced trust might for example be a particular drawbacks against the user in price discrimination practices.^[21] It has also been reported that some companies have tried to make their multiplication ratios uneven because even multipliers such as 2.0 or 3.0 raise distrust in the user due to looking artificial.^[22]

Misuse of big data is also difficult to spot since the computations and other personalisations take place before the final transaction and in the background and in most cases the user is not even aware of the personalisation being undertaken.^[23] This is in part why this paper calls for a partially reversed burden of proof in big data-related discrimination claims, where the onus is sometimes on the company to prove that it is not at fault for the discrimination that has occurred and/or that it has taken the appropriate efforts in its algorithmic practices to prevent such discriminations from taking place.^[24]

Larger companies – the so-called old dogs – also enjoy a competitive advantage over their smaller rivals through the exploitation of big data.^[25] Not only do they have the ability to tailor their offers, which their competitors do not, but they can also directly target and discriminate against smaller companies. Smaller firms then lose twice: once by being the target of disadvantageous contracts, and again by not having325 the same contractual opportunities with other customers. Thus, simultaneously, not only contractual but also competition problems arise.^[26]

A similar dynamic also takes place against inexperienced users. A savvy customer with enough online experience could, for example, use price comparison techniques to avoid price discrimination, or a VPN service to circumvent steering and geo-blocking practices, whereas an inexperienced user – especially the elderly and teenagers – could not prevent themselves from the same discriminating activities.^[27] Even in cases where a user could avoid discrimination by using such services, the mere opportunity cost of investing the time, money, and effort to prevent them from getting discriminated against would make the market as a whole less efficient.^[28]

The misuse of big data would mean that the powerful entities become even more powerful, while the vulnerable parties become increasingly disadvantaged. This dynamic affects both B2C and B2B transactions. Consequently, the balance shifts in a manner that contradicts the fundamental principles of contract law, which aim to ensure fairness and equality between contracting parties.

2.2 Big Data and Contracting: What’s New?

It is by no means a new phenomenon that some parties to a contract have more bargaining power than others.^[29] One of the main objectives of contract law – and certainly of European law – is to establish a balance between such disparities in negotiating ability. Achieving such a fair balance is proving increasingly more challenging given the tools of big data,^[30] which tend to favour companies with the resources to harness it over customers and other smaller market participants.^[31]

Using such tools, companies can benefit from the following advantages over smaller market players that they would not have, or not to the same extent, had they not been able to harness the capabilities of big data:326

1. Companies gain significant insights into behavioural activities and patterns by monitoring users’ online activities, which aids in predicting their future conduct.^[32] This, in turn, enhances the efficiency of direct marketing, a practice companies have been striving to optimize for much of the last century.^[33]

2. They can personalize and tailor individual contracts, manipulating various deal characteristics, from the individualization of advertising to the customization of the consideration.^[34] Companies can even steer customers such that certain goods and services are inaccessible to specific individuals, or available but with the user directed towards other options rather than the optimal choice.^[35]

3. Not only can companies influence the contract’s content, but they can also dictate the timing of the transaction.^[36] This alters the traditional market dynamic where the buyer decides when to enter the market, shifting the advantage to the seller, who can strategically time advertisements to potential buyers. This increases the likelihood of a successful contract, regardless of its optimality.

4. These practices are often legitimized by the fact that websites and applications obtain user consent through general terms and conditions and terms of use.^[37] Companies therefore also want to appear to be able to avoid mandatory regulation, at least in the eyes of their contractual partners. They also try to privatise redistribution, even though redistribution is a task for the state. However, they do not necessarily give resources back to the general public. This questionable practice that appears to lack authority is challenged by various national and European codes.327

2.3 Different Practices of Misuse

3.1 An Overcview of the Discussion

The debate on the connection between public good regulation and private law is not only a historical but also a contemporary one.^[69] In Germany, the discussion could be331 traced back to the ordoliberal thoughts in the mid-20th century^[70] and split into four main approaches, with the fourth one gaining momentum in recent years.^[71]

The ordoliberal approach regarded private law and the regulation of the public good as two completely distinct paths and was therefore named the separation approach.^[72] Next followed the milder, more economic approach, which maintained the separation between the two but treated private law and the regulation of the public good on par.^[73]

Following George Akerlof’s distinguished essay ‘Market for Lemons’^[74] a third approach developed, which correlated between private interests and public good.^[75] Akerlof argued in a nutshell that information asymmetries in a market are not only harmful to individuals but also to the market itself over time. A market that does not function optimally due to information failures could in the long run lead to adverse selection, which then could collapse the market as a whole.^[76]

The fourth-mild regulation (or as this paper calls it, harmonic) approach is still an ongoing discussion,^[77] yet in principle, it does not view these two as ‘either-or’^[78] propositions but rather as linked and complementary. This paper follows the harmonic approach also in the framework of big data regulation in the EU and the personal rights of individuals. A recent decision of the CJEU becomes quite central moving forward, as it has matching implications.332

3.2 Recent Jurisdiction of the CJEU: Private Law and Regulation in Harmony

The CJEU recently ruled against the Mercedes-Benz Group AG^[79] that car buyers are entitled to compensation for damages caused by the use of called thermal windows,^[80] based on § 823(2) BGB [§ 49(2) TBK] and even in the case of negligence.^[81] This precedent ruling has not only overturned the previous decisions of the BGH but has also paved the way for a wave of similar legal actions in the future.^[82]

In the words of the CJEU, the European regulations on this matter^[83] ‘(…) must be interpreted as protecting, in addition to public interests, the specific interests of the individual purchaser of a motor vehicle vis-à-vis the manufacturer of that vehicle, where that vehicle is equipped with a prohibited defeat device within the meaning of the latter provision.’^[84]

The importance of the decision reaches beyond its subject matter as it has the potential to shift the aforementioned discussion towards the fourth view, namely the mild regulatory approach.^[85] Even in cases where the regulation does not confer an applicable individual remedy, member EU states should acknowledge at least one such remedy^[86] within their national norms.

The aftermath of the debate has indeed already shown impact on both European and German legislation, as an Article 11a was added to the Unfair Commercial Practices Directive^[87] amidst the ongoing discussions above, encouraging member states to provide individual protection against unfair commercial practices.^[88] This333 was then implemented into the German UWG in § 9(2) in 2022 for cases against the consumer.^[89]

Based on this decision, some European and German statutes will be specified since, in cases of big data misuse, an individual claim is now always presented, whether due to a violation of an individual or the public interest of the EU. It is also worth mentioning that for future cases, a specific individual remedy from European regulation will no longer be a necessity, as the decision grants individual claims notwithstanding the regulatory picture at a given time.

3.3 Remedies from European Law Against Big Data Misuse

With regard to several aspects of the big data, European regulation has a wide range of new rules, such as the DSA,^[90] the DMA,^[91] the Geoblocking-Regulation,^[92] the Data Act^[93] and the proposed AI-Act.^[94] This paper, however, identifies three main contractual sources under the topic and proceeds to discuss national private law claims from the BGB. Although actually pre-dating the EU regulations, the UWG reforms since 2004 have mainly served to harmonise German competition law with the corresponding European regulations.^[95] For this reason, the UWG is also considered under the European scope.334

4.1 § 138(1)/§ 138(2) as Limits to Party Autonomy

One major link between European principles and likewise the Constitution and private law is § 138 BGB [§ 27(1) TBK], which declares contracts contradicting the public policy void.^[124] This is defined as the sense of morality of all who think fairly and lawfully.^[125] Defining such an abstract term carries some potential risks, but it also gives the private law a chance to combat the misuse of big data. In particular, in cases of privacy violations where sensitive data is used for commercial pursuits, either as part of the advertising strategy or as a pressuring tool over certain users, the transaction could be declared void. This might also apply to data swap agreements between companies, where sensitive personal data is transferred from one company to another.^[126]

This limitation of party autonomy might also come in the shape of usury, as some big data misuse practices involve taking financial advantage of the vulnerability of the other side of the contract.^[127] Usury is more concrete than the public policy option to some degree because its’ facts^[128] are easier to identify.^[129] First, there needs to be an exploitation of a contract in such a manner that the consideration is disproportionately inflated.^[130] This should also result from the exploitation of the inferiority of the other party, either by taking advantage of their lack of experience, their inability to exercise sound judgment, or an emergency.^[131] 338

With a few exceptions such as rental agreements,^[132] the German BGH regards disproportionality as the doubling of the consideration.^[133] The previous information regarding the power of big data becomes important for the examination of subjective facts, as the excessive use of algorithmic capabilities could lead to a lack of experience, especially for older and inexperienced users. In some cases, a more traditional form of usury could also occur by taking advantage of a predicament – as in the Uber low battery example.^[134]

Contrary to the general view, this paper accepts the possibility of usury in cases of misuse of big data.^[135] In cases where a user is disproportionately discriminated against due to inexperience or emergency, the obligatory transaction could be void under § 138(2) BGB (§ 28 TBK). In milder cases, where the conditions are not fully met, a usury-like transaction under § 138(1) BGB (§ 27 TBK) could also assist.^[136]

4.2 § 134 as Another Limit

The violation of a statutory prohibition can also lead to the nullity of the transaction unless the statute leads to a different intended result.^[137] According to § 2 EGBGB, a statute refers to any legal rule, including national and international norms as well as customary law, with some exceptions.^[138]

According to the prevailing opinion, there is no subjective element in § 134 BGB [§ 27(1) TBK] and it is sufficient if the objective elements are fulfilled.^[139] There should only be a prohibiting statute according to § 2 EGBGB, which is not lex perfecta, and this statute should be violated. So § 134 BGB and § 27 TBK take339 incomplete statutes^[140] and transform them into leges perfectae by providing the previously lacking result.^[141]

The obligatory transaction is then annulled and the performing transaction generally remains valid, but an obligation to return the goods and deeds may arise under § 812 BGB (§§ 77 et seq TBK).^[142]

All European codes and principles are also statutes under § 134 BGB. As long as these norms do not set their legal consequences, the questionable legal transactions might be cancelled according to § 134 BGB.

The review of content under § 134 BGB applies not only to individual contracts between companies and users but also to contracts for the acquisition of such data. For example, in the case of personalised advertising, the acquisition of sensitive data may be void under § 134 BGB in conjunction with the GDPR and the BDSG.^[143] An earlier decision of the OLG Frankfurt^[144] demonstrated this connection by declaring a data transfer contract between two companies to be void due to a violation of § 134 BGB in conjunction with Article 28(3) BDSG – old version.

In this sense, the application of § 134 BGB is also essential concerning the focus of the CJEU decision (section III-2 above), as it links European law and national law, especially in cases where European rules lack providing individual claims.

4.3 § 123 through Deceit by Silence

Contracts concluded by declaration of intent subject to misuse of big data could, on the other hand, be voidable on the ground of deceit. § 123 BGB (§ 36 TBK) provides for the voidability of a declaration of intent based on duress and deceit.^[145] A misuse of big data leading to deception might appear rather unlikely. However, deception could also occur through the silence of the contracting party if this party is obliged to disclose information to avoid misunderstandings or damage to the other party.^[146] Facts about fundamental parts of a contract should be disclosed without request,340 especially when one contracting party has superior knowledge compared to the other.^[147]

This principle also holds for contracts in the context of big data misuse, data-driven companies enjoy special leverage over users as a result of excessive information asymmetries.^[148] Users lack basic information regarding the role of data in their daily contractual relations, not to mention the technical expertise to fully grasp how their data is being against them, were they to be provided with such information. Furthermore, European law also forces data handlers to process and transfer personal data transparently.^[149] Failure to disclose such information threatens as a result not only contract law but also the very principles of European data regulation.^[150]

Particularly in cases where the privacy of the user is violated by data-driven companies, as well as transparency problems, this might lead to the voidability of the declaration of intent according to § 123 BGB. Companies that use big data as a tool for tailoring contracts should also be held accountable for cases of unjustified discrimination directly resulting from such contracts.

There is no general obligation to disclose all information that might be important to the other party’s decision-making.^[151] In determining whether such an obligation exists, principles such as good faith and the prevailing views of the particular business are relevant. If there is information asymmetry, one contracting party’s business or professional inexperience may require the other party to provide information in good faith.^[152]

In cases of personalisation based on big data, the essentialia negotii are usually involved, e.g., the price paid. In contrast to the thresholds required for usury in § 138(2) BGB (§ 28 TBK), it could be argued that even a one per cent discrepancy could be meaningful to the user if such discrepancy results from data-driven-personalisation. The information asymmetry between the parties, which puts the user in a considerably inferior position, fosters the necessity of disclosure as well.

Therefore, in cases of big data and personalisation of contracts, companies should keep the necessary information on the existence of personalisation as well as the basic metrics used for such calculations (location, purchase history, credit points et cetera) available to the user. This information should be provided in plain and simple language and should straightforwardly convey the essence. For example, phrases such as ‘you will pay 20 % more due to personalisation’, ‘this price is341 calculated just for you’ or ‘this ad is personalised’ might be considered acceptable, with the option to read more if the user so decides.^[153] Otherwise, the user’s declaration of intent is at risk of being voided through § 123 BGB (§ 36 TBK) during the period of avoidance as set by § 124(2) BGB (§ 39 TBK).

4.4 Culpa in Contrahendo

As part of the principles of contractual liability within the BGB, culpa in contrahendo or pre-contractual fault constitutes an alternative pillar against cases of misuse where the user suffers loss. The BGB does not only deal with some specific cases of culpa in contrahendo, such as the liability of the party declaring the contract to be void^[154] or of an unauthorised agent^[155] but also, after the reform in 2002,^[156] with a provision of typical application in § 311,^[157] which includes further scenarios.^[158]

Culpa in contrahendo under § 311 BGB grants a compensation claim for pre-contractual fault and, in extremely limited cases, even a quasi-contractual claim when a contract does not materialise and one of the contracting parties thereby suffers a negative effect.^[159] The main requirement is that there needs to be a binding relationship between the parties,^[160] which is often established by initiating a contract.^[161]

Similar to some preceding discussions, this paper also accepts culpa in contrahendo as a pivotal instrument against big-data-related misuses.^[162] Unlike usury, it does not require an obvious disproportion between the performances, and unlike voidability in § 123 BGB (§ 36 TBK), it is not dependent on intent as a subjective342 element. Another advantage is that culpa in contrahendo compensates for the damage caused by the contract while keeping the transaction in force. Furthermore, it only covers the negative interests of the user, putting him in the position he would have been in had there been no misuse, which could serve as a practical countermeasure against such cases.^[163]

The general framework of § 311 BGB could be applied to a variety of cases, not only price discrimination but also all forms of abuse and even cumulative cases. All misuse cases resulting in damages to the user, where there is a deficit of rationality and this deficit is abused or strengthened by the big data controller, could be covered by culpa in contrahendo.^[164] To avoid this, such companies should disclose the relevant elements beforehand and the same principles should apply as in § 123 BGB above.^[165]

4.5 §§ 305 et seq BGB

The terms and conditions leading to the discriminatory practices could also be invalid through the law of terms and conditions (AGB-Law) or §§ 305 et seq BGB (§§ 20 et seq TBK).^[166] First of all, there is stricter protection of the consumer, as in § 310(3) BGB (§ 4 TKHK), where the facts are easier to prove, and their once-only use may also constitute a standard term rather than three in normal contracts.^[167]

For other contracts, standard terms are invalid under certain circumstances.^[168] According to § 307(1) BGB (§ 21 TBK), such provisions are invalid if, in violation of good faith, they unreasonably disadvantage the other party.^[169] Such a disadvantage may also result from the ambiguous and incomprehensible nature of the provision according to § 307(2) BGB (§ 21 TBK). If certain provisions are removed from the343 contract, it will still be maintained with the rest of the provisions according to § 306(1) BGB (§ 22 TBK), and the gaps will be filled by statutory provisions.

In the context of big data, excessive secondary obligations are also disadvantageous if they are not related to the main obligation and do not bring any additional value to the other party.^[170] Thus, if consent is given for additional obligations, such as advertisement obligations, such obligations could also constitute an unreasonable disadvantage under § 307 BGB (§ 21 TBK) and be declared ineffective.

A pivotal feature of the AGB-Law is that in the case of cumulative clauses, the entire clause could be invalid, even if the individual clauses would not be declared invalid on their own.^[171] Such a multiplier effect could be particularly useful in the case of cumulative personalisation practices, where they may appear harmless or negligible in isolation, but when taken together pose an unreasonable disadvantage to the user.

5.1 Meta (Australia)

In the first example, a leaked internal Meta^[172] Australia document claimed that the company had the tools to identify younger users as young as 14 and calculate the perfect time to advertise mental support.^[173] According to the document, the company could also identify users who felt insecure, worthless, stressed, overwhelmed or even stupid and useless.^[174] This would allow advertisers to reach them at their most vulnerable by targeting the exact moments when young people needed a confidence boost, which would naturally increase the chances of them clicking on an advertisement and ultimately entering into a contract.

Meta had to this point already been involved in some questionable practices. An earlier study in the US showed the power of social media platforms such as Facebook by proving that users’ emotional states could be transferred to others through344 regular use of such platforms.^[175] Another study showed that just 300 likes on Facebook were enough to predict a user’s traits and predict their future behaviour better than their spouse.^[176] Similarly, Meta was already able to identify 52,000 different data points from the data sets the company was working with in 2014.^[177] Another notorious example was the Cambridge Analytica scandal, where voters were manipulated by political advertising through social media.^[178]

In the example of targeted advertising to young people to increase the chances of making contact, several private and European law institutions are violated.^[179] The first contract between Meta and the advertisers on the insecurities of the users embodies a violation of privacy and contradicts multiple principles of Article 5 GDPR (Article 4 et seq KVKK), such as lawfulness, purpose limitation and data minimisation. Furthermore, there is no informed consent within the meaning of Article 7 GDPR (Article 6 KVKK). Therefore, this first B2B contract also violates § 134 BGB (§ 27 TBK) and is invalid. There could also be sanctions against Meta based on Article 83 GDPR.^[180]

The second contract is the contract concluded by the young user as a result of the advertisement, where his privacy was violated beforehand. For this contract, there should be a right to avoidance in the sense of § 123 BGB (§ 36 TBK) and as a result of deceit by silence, as Meta does not disclose a central feature of the respective contract, which the user could expect to be disclosed in good faith.

A liability based on culpa in contrahendo is also possible, as neither Meta nor the advertisers fulfil the pre-contractual obligations towards the younger users in good faith. If this breach causes damage to the user, e.g., if he pays more for the contract because he was in need, this damage should also be equalized by § 311 and according to § 249 BGB. If the discrepancy reaches the usury threshold, a nullity from § 138 (2) BGB (§ 28 TBK) could also apply. Individual claims to damage compensation from Article 82 GDPR and § 9(2) UWG (§ 56 TTK) are still applicable.345

5.2 Decolar (Brazil)

There have already been examples of price discrimination depending on several characteristics of the user. In the Uber variant, low battery status multiplies prices;^[181] in the Orbitz variant, it is the operating system used that leads to discrimination.^[182] The most common of these practices is also known as geopricing, where discriminatory pricing occurs based on the location of the user.^[183] The existence of geopricing in the United States has been demonstrated in a previous survey.^[184] There has also been scientific proof of the existence and dynamics of this phenomenon.^[185]

In the case of Decolar, a big hotel and flight reservation platform operating in South America,^[186] users from Brazil were not able to access several search results during the 2016 Olympic Games held in Rio de Janeiro, while the same hotel rooms were accessible to other users from Argentina and several other countries, and even when they were able to access the same results, the prices were different.^[187] For some hotel rooms, the discrepancies reached as much as 500 %.

Not only did Decolar engage in price discrimination in this case, but it also practised steering in the form of geoblocking.^[188] As a result, Brazil’s Department of Consumer Protection and Defence fined the company 7.5 Million Brazilian Real^[189] for infringements of Article 4,^[190] 6^[191] and 39^[192] of the Brazilian Consumer Protection Code (CDC).^[193]

In addition to the administrative sanctions, the geopricing/steering practices in the Decolar case also trigger several private law claims for individual users.^[194] First346 of all, the disproportionality threshold of usury is met as the differences reach up to five times the original price. If the other facts are also present, meaning if the user is in an emergency or an extreme inexperience and the company acts with intent (which is assumed in this particular example), the undertaking could be void under § 138(2) BGB (§ 28 TBK).

The same transaction is also subject to avoidance by silence if the company does not disclose the necessary information behind the calculation of price, as the price belongs to essentialia negotii of a sales contract and such disclosure could be expected in good faith. Again, the assumption is that the company acts at least with intent.

A culpa in contrahendo also takes place on the assumption that the company acts at least negligently, and users who have been subjected to such discrimination could be compensated under § 249 BGB. Individual claims for damages according to Article 82 GDPR and § 9(2) UWG (§ 56 TTK) are still granted.

5.3 Google (France)

One last example came from France immediately after the GDPR came into force. The French National Commission for Information Technology and Freedom (CNIL)^[195] fined Google € 50 million for not having the legal basis to engage in personalised advertising.^[196] Google’s terms and conditions and privacy policy were required to be accepted by the user, otherwise the Android devices would have been unusable. According to the court, Google shared necessary data with its customers, but the amount of information was too large to identify data processing operations. As a result, the Article 12 GDPR (Article 11 KVKK) was violated due to the lack of accessibility of the information.^[197]

The CNIL also concluded that the consent was not validly obtained by a positive act but rather by an opposition to another procedure,^[198] nor was it specific to each processing activity. The total fine was € 50 million and was fully upheld by Conseil d’Etat ^[199] in mid-2020.^[200] 347

In addition to being sanctioned by Article 83 GDPR up to 4 % of the annual turnover of the company, such practices could also trigger individual claims from Article 82 GPDR. The terms and conditions leading to the questionable practices of data usage and transfer could also be invalid through §§ 305 et seq BGB (§§ 20 et seq TBK). The user could also resort to § 311 BGB (§ 2 TMK) and also § 9(2) UWG (§ 56 TTK) in cases of damage.