concorrenza e mercato - Dipartimento di Giurisprudenza

Transcript

Concorrenza e mercato. è la prima rivista annuale italiana specializzata in materia di concorrenza, proprietà intellettuale, pubblicità ingannevole e pratiche commerciali scorrette. Dal 1993 offre un panorama
aggiornato della prassi e degli orientamenti antitrust nazionali e comunitari, nonché delle decisioni più
rilevanti dei giudici civili e amministrativi. I contributi dottrinali, in italiano e in altre lingue straniere,
rappresentano il fulcro dell’approfondimento scientifico dei temi più significativi e innovativi in materia
antitrust e di tutela dei consumatori, nell’ottica di una riflessione accademica di primaria importanza
nello scenario nazionale e internazionale
CONCORRENZA
E M ERCATO
Rivista classificata in “fascia A” dalla Agenzia Nazionale di Valutazione del Sistema Universitario e della
Ricerca - ANVUR (1720-2698)
Antitrust,
Regulation,
Consumer Welfare,
Intellectual Property
vol . 23/2016
numero speciale
BIG DATA
E CONCORRENZA
a cura di
ISBN 978-88-14-21827-9
E 75,00
024197735
9 788814 218279
(ISSN 1720-2698)
F. Di Porto
CONCORRENZA
E MERCATO
Antitrust, Regulation, Consumer Welfare, Intellectual Property
vol . 23/2016
numero speciale
BIG DATA E CONCORRENZA
a cura di
Fabiana Di Porto
CONCORRENZA
E MERCATO
vol . 23/2016
numero speciale
a cura di
Fabiana Di Porto
ISSN 1720-2698
ISBN 9788814218279
Direttori
Comitato scientifico
Gustavo Ghidini
Piergaetano Marchetti
Marcello Clarich
Fabiana Di Porto
Laura Ammannati
Sandro Amorosino
Emanuela Arezzo
Marco D’Alberti
Francesco Denozza
Josef Drexl
Giuliano Fonderico
Mario Libertini
Vincenzo Meli
Enrico Minervini
Giorgio Monti
Antony Ogus
Pier Luigi Parcu
Roberto Pardolesi
Alberto Pera
Riccardo Perissich
Luigi Prosperetti
Nicoletta Rangone
Jacqueline Riffault-Silk
Mario Siragusa
Marina Tavassi
Giuseppe Tesauro
Richard Whish
Comitato di redazione
Marilena Filippelli (coordinatore)
Antonio Dell’Atti
Fabio Di Cristina
Luca Di Donato
Valeria Villella
Sede della direzione
Via Santa Sofia 12, 20122 Milano
Tel +39 02 58300433
Fax +39 02 58301508
Sede della redazione
Osservatorio di Proprietà intellettuale, Concorrenza
e Comunicazioni LUISS Guido Carli
Via Parenzo 11, 00198 Roma
Tel +39 06 85225810
email: [email protected]
Rivista classificata in fascia “A” dall’ANVUR.
I contributi pubblicati nella sezione “Dottrina” sono sottoposti a procedura di doppio referaggio anonimo.
Gli abstract di tutti i contributi, il regolamento di referaggio, l’elenco dei referees, i dati sulle
procedure di referaggio relativi al vol. 23 del 2016 nonché i testi dei Call for papers 2016 e
2017 sono consultabili all’indirizzo http://dream.luiss.it/osservatori-laboratori/opicc/concorrenza-e-mercato/.
La Rivista è presente negli archivi elettronici DoGI, ACNP, Google Scholar, Google Books,
Essper
©
Copyright Dott. A. Giuffrè Editore, S.p.A. Milano - 2016
VIA BUSTO ARSIZIO, 40 - 20151 MILANO - Sito Internet: www.giuffre.it
La traduzione, l’adattamento totale o parziale, la riproduzione con qualsiasi mezzo
(compresi i microfilm, i film, le fotocopie), nonché la memorizzazione elettronica,
sono riservati per tutti i Paesi.
Tipografia «MORI & C. S.r.l.» - 21100 V ARESE - Via F. Guicciardini 66
INDICE
Parte I
DOTTRINA
a cura di FABIANA DI PORTO
La rivoluzione big data. Un’introduzione, di FABIANA DI PORTO . . . . . . . . . . .
Big data, competition and privacy: a look from the antitrust perspective, di GIOVANNI
PITRUZZELLA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Ten legal perspectives on the “big data revolution”, di VINCENZO ZENO-ZENCOVICH e
GIORGIO GIANNONE CODIGLIONE . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data portability and big data analytics. New competition policy challenges, di ROLF
H. WEBER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
The big data relevant martket, di VICENTE BAGNOLI . . . . . . . . . . . . . . . . . . .
Big data e prezzi personalizzati, di MARIATERESA MAGGIOLINO . . . . . . . . . . . .
Asimmetrie informative e concorrenzialità nel mercato assicurativo: che cosa
cambia con i big data?, di DONATELLA PORRINI . . . . . . . . . . . . . . . . . . .
La politica europea per i big data e la logica del single market: prospettive di
maggiore concorrenza?, di CAMILLA BUZZACCHI . . . . . . . . . . . . . . . . . .
Big data e pubblica amministrazione nell’era delle banche dati interconnesse, di
GHERARDO CARULLO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
“There ain’t no such thing as free lunch”. Una riflessione sui meccanismi di mercato
dell’economia digitale e sull’effettività delle tutele esistenti, di GAIA ANNA
MARIA BELLOMO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5
15
29
59
73
95
139
153
181
205
Parte II
RASSEGNA DEGLI ORIENTAMENTI EUROPEI ED ITALIANI
EUROPEAN COMPETITION LAW (a cura di MARIO SIRAGUSA) . . . . . . . . . . . . . . .
Selection of recent developments in EU competition law (Year 2015), di MARIO
SIRAGUSA e ANNA VIOLA ROCCHI . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ANTITRUST ITALIANO (a cura di FABIANA DI PORTO) . . . . . . . . . . . . . . . . . . .
Le intese restrittive della concorrenza nell’attività dell’Agcm (anno 2015), di CHIARA
GARILLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
231
233
265
267
VI
INDICE
Abusi di posizione dominante (anno 2015), di VALERIA VILLELLA . . . .
Le operazioni di concentrazione (anno 2015), di ANTONIO DELL ATTI . .
Decisioni con impegni, misure cautelari e programmi di clemenza (anno
CARLO EDOARDO CAZZATO . . . . . . . . . . . . . . . . . . . . . . . . .
Il rating di legalità delle imprese (anno 2015), di GIOVANNA MASSAROTTO
. . . . . .
. . . . . .
2015), di
. . . . . .
. . . . . .
ANTITRUST E REGOLAZIONE (a cura di LAURA AMMANNATI) . . . . . . . . . . . . . . .
La tutela della concorrenza nei mercati regolati: le decisioni dell’Agcm in materia di
servizi di interesse economico generale, di intermediazione finanziaria, bancaria e assicurativa (anno 2015), di ALESSANDRO CANDIDO e MATTIA SUARDI . . .
L’attività di advocacy dell’Agcm: i pareri resi ai sensi degli artt. 21-bis e 22 (anno
2015), di FRANCESCA SCARAMUZZA e ALLEGRA CANEPA . . . . . . . . . . . . . .
GIUDICE ORDINARIO (a cura di MARINA TAVASSI) . . . . . . . . . . . . . . . . . . . . .
Rassegna di giurisprudenza civile in materia antitrust (2015), di MARINA TAVASSI,
GAIA ANNA MARIA BELLOMO e PAOLO CAPRILE . . . . . . . . . . . . . . . . . . .
GIUDICE AMMINISTRATIVO (a cura di GIULIANO FONDERICO) . . . . . . . . . . . . . . .
La giurisprudenza amministrativa in materia antitrust (anno 2015), di GIANLORENZO
IOANNIDES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
TUTELA DEL CONSUMMATORE (a cura di ENRICO MINERVINI) . . . . . . . . . . . . . . .
L’Autorità Garante della Concorrenza e del Mercato e la violazione dei diritti dei
consumatori nei contratti, di ENRICO MINERVINI . . . . . . . . . . . . . . . . . . .
Gli orientamenti della Autorità Garante della Concorrenza e del Mercato in materia
di pratiche commerciali scorrette (anni 2014-2015), di ALESSIA FACHECHI . . .
La tutela amministrativa contro le clausole vessatorie alla luce dell’attività provvedimentale condotta dell’Agcm nel triennio 2013-2015, di MARCO ANGELONE .
ANTITRUST E PROPRIETÀ INTELLETTUALE NEL DIRITTO EUROPEO (a cura di EMANUELA
AREZZO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Introductory notes regarding the section devoted to the interplay between intellectual
property rights and competition law, di EMANUELA AREZZO . . . . . . . . . . .
La valutazione concorrenziale dei patent settlement agreements nell’esperienza
europea: i casi Lundbeck e Servier (Perindopril), di MARIALIBERA D ERRICO e
PIERA FRANCESCA PISERÀ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
La sentenza della Corte di Giustizia nel caso Huawei: is this the end of the story?,
di AURORA MUSELLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Diritti di proprietà intellettuale e disciplina delle concentrazioni - Rassegna delle
decisioni comunitarie (anno 2015), di VALERIO MOSCA . . . . . . . . . . . . . .
291
315
333
353
367
369
383
417
419
445
447
483
485
497
525
553
555
559
595
611
TEN LEGAL PERSPECTIVES
ON THE “BIG DATA REVOLUTION”
di Vincenzo Zeno-Zencovich (*) and Giorgio Giannone Codiglione (**) (***)
Abstract
This paper aims at exploring from a civil law perspective the impact that the “big
data revolution” may have on traditional legal categories. The last decade has been
characterized by the emergence of three phenomena linked to technological evolution: a)
the massive extraction and accumulation of any information which relates to humans,
their life and the environment in which they live; b) the introduction on large-scale of
entities capable of acting independently from man s will; c) the use of Internet as a
sensitive, connective tissue capable of recording, processing and disseminating information and thus influencing the relationship between the human/sentient paradigm and the
automated/predictive one.
The article examines these phenomena using ten typical legal categories: ownership,
control over one s data, access to data, transactions concerning data, consumer transactions, contractual and extra-contractual liability, competitition issues, choice of law and
jurisdiction, state sovereignty, philosophical and ethical issues.
Keywords:
Big Data, IoT, Data protection, Property, Vicarious Liability, Digital consumers
JEL classification:
K10 General, K11 Property Law, K12 Contract Law, K13 Tort Law and Product Liability, K21
Antitrust Law, K36 Family and Personal Law.
SUMMARY: Introduction. — 1. Ownership. — 2. Personal data. — 3. Access to data. — 4. Data
transactions. — 5. Consumer transactions. — 6. Liability in data driven innovation contexts. —
7. Competition issues. — 8. Choice of law and jurisdiction. — 9. Sovereignty. — 10. Philosophical and ethical issues in big data.
(*) Full Professor of Comparative Law, University of Roma Tre.
(**) Ph.d. in Comparative Law (University of Salerno), Lecturer on ICT Law, University of
Palermo.
(***) This article is the result of a common research. Paragraphs 3, 4, 6, 7 and 8 are by G.
Giannone Codiglione; Introduction, conclusions and paragraphs 1, 2, 5, 9, 10 are by V. ZenoZencovich.
30
DOTTRINA
Introduction.
The term “Big Data” has invaded (also) the legal debate, despite its inevitably fuzzy
notion. Associated with it are the terms “Internet-of-things” and “Data driven innovation”. We shall not attempt to provide yet another description of the phenomenon. We
shall take it for granted that the reader has some background knowledge on these topics.
And at any rate he/she can be usefully referred to the over 400 page report by the OECD
on “Data driven innovation” issued in October 2015 which contains the acquired
knowledge and provides technical, economic, and socio-political data and analysis which
are useful to understand the setting in which we suggest some legal insights (1).
Clearly, the “ten legal perspectives” are simply conventional, and do not wish to
mold in a lawyer s plate a very mobile phenomenon, which is likely to have already
changed when this article will have been published.
The aim is more of a methodological nature. Those who have studied the impact
that digital technologies have had on the law, should have learned in the last four decades
that the attempts to set rules for the future are scarcely rewarding. Turning the
philosophical paradox straight, lawyers, who are the tortoises, will never catch up with
the technologies, which are Achilles. But they can — and should — avoid falling for the
dernier-cri. Trying to provide comprehensive and holistic points of reference appears to
be much more productive. Digital technologies are always innovative and disruptive. But
so were trains, electricity, telegraph, automobiles, radios and television sets, etc. A
historical perspective, therefore, is always sobering.
One further preliminary remark: civil lawyers like to organize social and economic
phenomena into their categories which have been forged in the last two thousand years.
Clearly there is path-dependency. But if those paths led nowhere they would have
discarded them a long time ago.
We shall be using many traditional private law categories, not because they are the
only ones, or are the only way to try to put order in complexity, but because in the
drawers and on the shelves which metaphorically a civilian uses we can find many similar
legal objects and problem-solving tools.
1.
Ownership.
Individuals, institutions, enterprises have always held data since antiquity: Egyptian
and Mesopotamic empires, and even more the Roman Empire held census data, tax
payer rolls, land registries. Iris Origo s delightful biography of the “Merchant of Prato”
(Marco Datini) illustrates the wealth of information we can draw from a medieval
merchant s books (2).
In the moment in which data become (one of) the most important raw materials for
contemporary enterprises and institutions, it is not idle to ask ourselves who owns “big
data”.
We are already aware of some useful indications which come from economic theory.
(1) The report is available at url: http://www.oecd.org/sti/data-driven-innovation9789264229358-en.htm/ (accessed 30/8/2016).
(2) I. ORIGO, The Merchant of Prato, London, Jonathan Cape, 1957.
TEN LEGAL PERSPECTIVES ON THE
“BIG
DATA REVOLUTION”
31
Data are “public goods”: they are non-rival and non-consumable (3). But this increases
the need for a legal qualification: in other words, can anyone claim access to big data
simply because they can be used at the same time by more than one user?
The reply to the question is, understandably, multi-faceted.
a) In the first place a civilian is in no way intimidated by the fact that we are talking
generally of billions of data, each of which may not have an economic value (or has an
insignificant value). The time-old notion of universitas, used for selling swarms of
honey-bees, libraries, collections of stamps, can be easily adapted to non-material entities
such as data which should be considered in their entirety, and can therefore be the object
of exclusive rights (4).
b) However, from a civil law perspective, it is clear that exclusive rights on
non-material entities tend to be a numerus clausus (5). Copyright, trademarks, patents
and all that follows are protected (in the whole world) on the basis of legislative
definitions and regulated procedures. In the EU, data-banks are protected by Directive
96/9 under two systems: copyright on data bases which are an “intellectual creation” “by
reason of the selection or arrangement of their content” (6). And a sui generis right on
databases which are the result of “qualitatively and/or quantitatively substantial invest-
(3) In the sense of “collective consumption goods” assumed i.e. by P.A. SAMUELSON, The Pure
Theory of Public Expediture, in The Review of Economics and Statistics, 36, 1954, 387 ff. K.J. ARROW,
Economic Welfare and the Allocation of Resources for Invention, in NBER, The Rate and Direction
of Inventive Activity: Economic and Social Factors, Princeton, Princeton University press, 1962,
609-626, investigating the optimal allocation of information as commodity, finds that (615) « no
amount of legal can make a thoroughly appropriable commodity of something so intangible as
information ». See also J. HIRSHLEIFER, The Private and Social Value of Information and the Reward
to Inventive Activity, in The American Economic Review, 61, 1971, 561 ff; E. MACKAAY, Economics
of Information and Law, Dordrecht, Kluwer-Nijoff, 1982, and more recently J.E. STIGLITZ, Information and the Change in the Paradigm in the Economics, in The American Economic Review, 92, 2002,
460 ff; C. HESS - E. OSTROM (eds.), Understanding Knowledge as a Common, Cambridge (Mass.)London, MIT Press, 2007, 9 ff. For further remarks V. ZENO-ZENCOVICH, Informazione (profili
civilistici), in Dig. disc. priv., sez. civ., Torino, UTET, 1993, 420 ff; R. PARDOLESI - C. MOTTI,
L’informazione come bene, in G. DE NOVA - B. INZITARI - G. TREMONTI - G. VISINTINI (eds.), Dalle res
alle new properties, Milano, Giuffrè, 1991, 37 ff; V. ZENO-ZENCOVICH - G.B. SANDICCHI, L’economia
della conoscenza e i suoi riflessi giuridici, in Dir. informaz., 6, 2002, 971 ff.
(4) The old Roman notion of “universitates facti” or “rerum” (totality of things) as opposed to
“universitates iuris” (asset of entitlements/rights) has deeply influenced Western legal tradition,
involving the taxonomic distinction between “goods” and “things”. On the matter, see B. WINDSCHEID, Diritto delle Pandette, Torino, UTET, 1925, vol. I, part II, 2, 433 ff (translated and commented
by C. FADDA - P.E BENSA) and S. PUGLIATTI, Beni e cose
in senso giuridico, Milano, Giuffrè, 1962, 259,
304, who remarks that the concept of ‘universitas gives rise to a sort of functional — and not
structural — unification of things. See also E.W. KITCH, The Law and Economics of Rights in
Valuable Information, in J. Legal Studies, 9, 1980, 683 ff; P. CATALA, Ebauche d’une théorie juridique
de l’information, in Inf. e dir., 1, 1983, 15 ff; ID., La protection juridique des productions immateriélles,
in P. CATALA - G. GARZON - W. KILIAN - P. ECLERCQ - A. LUCAS - J. MACDONNELL - E. MACKAAY - J.
RULE - J.E. SCHOETTL - O. TORVUND (eds.), L’appropriation de l’information, Paris, Librairies
techniques, 1986, 84 ff (focusing on legal protection of information by type and with regard to use
and transformation processes).
(5) In order to explore the new fields of non-material goods “propertization” phenomenon see
G. RESTA (ed.), Diritti esclusivi e nuovi beni immateriali, Torino, UTET, 2010; H. HANSMANN - R.
KRAAKMAN, Property, Contract, and Verification: The Numerus Clausus Problem and the Divisibility
of Rights, in J. Legal Studies, 31, 2002, 373 ff; J.H. VAN ERP, A numerus quasi-clausus of property
rights as a constitutive element of a future European property law, in Electronic Journal of
Comparative Law, 7, n. 2, 2003, 1 ff; V. ZENO-ZENCOVICH, Cosa, in Dig. disc. priv., sez. civ., Torino,
UTET, 1989, 453 ff.
(6) Article 3, dir. 96/9/EC: « In accordance with this Directive, databases which, by reason of
the selection or arrangement of their contents, constitute the author s own intellectual creation shall
32
DOTTRINA
ment” (7). One would generally place “big data”in this second category mainly because
of the extreme variety of the data included (8). But this entails that the protection
afforded by the law is less intense than that generally related to intellectual property. In
fact the “sui generis” right allows the rights holder to “prevent extraction and/or
re-utilization of the whole or of a substantial part, evaluated qualitatively of the content of
the database”. It is extremely difficult to establish what a “substantial part” of big data is.
Hypothetically one could extract enormous quantities of data which do not appear to be
a “substantial part” and join them with other data obtaining similar, profitable, results.
One could doubt, therefore, that this provision is considered sufficiently protective of the
expectation of exclusive exploitation of big data holders
c) A different — and not unusual in contemporary economies — approach would be
that of avoiding traditional ownership (in a civilian sense) issues over big data and
consider that the economic value is not in the data itself, but in the availability of
mainframe computers able to store and process these huge amounts of data, and,
foremost, of algorithms and data analytics software which are able to extract value from
data. We are shifting the legal framework from ownership to service provision. Whether
the latter is provided by the data holder, or the third party is granted a license to extract
certain results from the data, we have moved from property to contract (9). Clearly the
three perspectives (traditional property, intellectual property, contract) are not mutually
exclusive, but one can image that they will be used in different contexts, according to
which situation is considered prevailing: e.g. the first one in a bankruptcy procedure; the
second one when contrasting unfair competition (10); the third one in the ordinary
business of the big data holder with third parties.
be protected as such by copyright. No other criteria shall be applied to determine their eligibility for
that protection.
The copyright protection of databases provided for by this Directive shall not extend to their
contents and shall be without prejudice to any rights subsisting in those contents themselves ».
(7) Articles 7-11, dir. 96/9/EC.
(8) On the one hand, sui generis right could protect big data because of their content. On the
other hand, IP right in databases is focused on the structure and the organization of data as an
intellectual creation but in a static perspective, not compatible with the exploitation and value
extraction processes related to Big Data dynamics. See P.B. HUGENHOLTZ, Implementing the European Database Directive, in Int’l Intell. Prop. L. & Pol’y, 4, 2000, 70-1 ff; A. ZOPPINI, Commento alla
Direttiva 96/9 dell’11 marzo 1996 sulla tutela giuridica delle banche dati, in Dir. informaz., 3, 1996, 490
ff.
(9) A typical example is represented by the daily access to searching, car traffic monitoring,
rating services provided to users by OTT companies (apparently) for free.
(10) According to US state and federal trade secrets law the re-use of data without appropriate
compensation to right holders may be unfair in terms of misappropriation, : See Restatement
(Third) of Unfair Competition § 39 (1995), according to “A trade secret is any information that can
be used in the operation of a business or other enterprise and that is sufficiently valuable and secret
to afford an actual or potential economic advantage over others.”. On the matter, see M.A. LEMLEY,
The Surprising Virtues of Treating Trade Secrets as IP Rights, in Stan. L. Rev., 61, 2008, 311 ff; M.
MATTIOLI, Disclosing Big Data, in Minn. L. Rev., 99, 2014, 535 ff; W. NICHOLSON PRICE II, Big Data,
Patents, and the Future of Medicine, in Cardozo L. Rev., 37, 2016, 1401 ff. IP rights may also be useful
in contrasting anticompetitive behaviour by market participants: in AOL/Time Warner merger case
(2001/718/CE - October 21, 2001), EU Commission said that « a company holding a dominant
position in the market for the licensing of
music publishing rights required for on-line delivery would
be in a position to play the gatekeeper s role dictating the conditions for the delivery of music via
the Internet by refusing to license or threatening to withhold the rights ». For further information
also related to US case law see G. ROSSI, Cyber-antitrust, Internet e tutela della concorrenza, in Dir.
informaz., 2003, 247 ff and with specific attention to the connections between IP on informational
goods and competition, R. PARDOLESI - M. GRANIERI, Proprietà intellettuale e concorrenza: conver-
“BIG
DATA REVOLUTION”
33
From a civilian point of view, which organizes rights, entitlements, legal relationships on the basis of a millenary partition of the law, it is rather difficult to present a
coherent legal system if one does not, from the out start, establish:
a) who holds rights over big data;
b) what is the nature and extent of these rights;
c) what remedies are available.
2.
Personal data.
Personal data are among the most valuable components of big data. Inasmuch as
Internet-of-things will be increasingly deployed it will provide an incredible wealth of
data coming directly from objects or machines (11). Clearly this data will be related to the
object or machine itself but it can and will be easily related to an individual or a small
group of individuals (e.g. a family) though localization and related data (e.g. ownership
of the automobile collecting and transferring the information).
Big data have a significant impact on the legal framework surrounding personal
data. Two approaches appear viable.
a) The first is related to the common notion of personal data as a personality right,
which has been consistently developed in German and Italian legal doctrine since the
70ies and early 80ies. Inasmuch as data provide a substantial representation of the
person (“informational patrimony” in Germany; “personal identity” in Italy) personal
data has been generally considered akin to other traditional personality rights such as
one s name, reputation or image (12). However the extent of this right is — quite
differently from others — nearly entirely defined by legislative instruments, starting from
Directive 95/46 and arriving to the General Regulation on Data Protection (13), which in
“only” 173 preambles and 99 articles tries to regulate every possible detail in data
genza finalistica e liaisons dangereuses, in G. COMANDÈ - G. PONZANELLI, Scienza e diritto nel prisma
del diritto comparato, Torino, Giappichelli, 2004, 193, 209 ff.
(11) See. Communication from the Commission to the European Parliament, the Council, the
European Economic and Social Committee and the Committee of the Regions: Internet of Things
— An action plan for Europe (COM(2009) 278 def., June 18, 2009) 2; European Parliament
resolution of 15 June
2010 on the Internet of Things (2009/2224(INI)), under which « the term
‘Internet of Things refers to the general concept of objects (both electronic artefacts and objects in
everyday use) that can be read, recognised, addressed, located and/or controlled remotely through
the internet ».
(12) A. DE CUPIS, I diritti della personalità, 2nd ed., Milano, Giuffrè, 1982, 428; P. RESCIGNO,
Personalità (diritti della), in Enc. giur., vol. XXIII, Roma, Treccani, 1991; V. ZENO-ZENCOVICH,
Identità personale, in Dig. disc. priv., sez. civ., Torino, UTET, 1993, 294 ff; G. FINOCCHIARO, Identità
personale (diritto alla), ibid., Torino, UTET, 2010, 721 ff. In Germany, the first Federal Law on data
protection was enacted in 1977 and reformed in 1990, following the jurisprudence of the Federal
Constitutional Court in Microcensus [27 BVerfGE 1 (1969)] and Census Act [65 BVerfGE (1, Dec.
15, 1983)] cases, in which the Court has progressively extended to personal data the protection
provided by “general personality right” (allgemeines Persönlichkeitsrecht) under the articles 1 and 2
of the Basic Law. For a comparative perspective see H. STOLL, The General Right to Personality in
German Law: An Outline of its Development and Present Significance, in B. MARKESINIS (ed.),
Protecting Privacy, Oxford, Oxford Univ. Press, 1999, 29 ff; F. BIGNAMI - G. RESTA, Transatlantic
Privacy Regulation: Conflict And Cooperation, in Law & Contemp. Probs., 78, 2015, 231 ff.
(13) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of natural persons with regard to the processing of personal data and on the
free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (2016) OJEU L 119/1.
34
DOTTRINA
processing. There is however a blind spot — due to the mentioned tortoise syndrome of
lawyers and legislators — which is the definition of “personal data” i.e. “any information
relating to an identified or identifiable natural person” (14).
Now, one of the main scopes of data mining and data analytics is that of drawing
inferences from data coming from the most diverse sources. Even though this data has
been rigorously anonymized, and therefore should not fall under the GDP Regulation (15), once it is matched with other, equally anonymous data, it is possible — and
often quite easily — to relate certain information to a specific person or to very small
groups (e.g. a household).
It would appear therefore that no data can be entirely anonymized, and therefore all
data could be considered “personal” and therefore fall within the very strict rules of the
GDP Regulation. This has consequences also on the second approach (16).
b) If big data are one of the main elements of production in contemporary societies,
it appears necessary to accept that they have a value. This patrimonial approach has been
for a long time shunned by those who feel that personality rights belong to the moral
sphere of a person and therefore should not be commodified (17). This clearly — and
increasingly in the last decades — is simply wishful thinking, and ends up by justifying
appropriation of data without any consideration. An invaluable asset of the persona is
considered without value.
(14) Article 4, n. 1): “‘personal data means any information relating to an identified or
identifiable natural person (‘data subject ); an identifiable natural person is one who can be
identified, directly or indirectly, in particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one or more factors specific to the
physical, physiological, genetic, mental, economic, cultural
or social identity of that natural person”.
(15) See article 4, n. 5): “‘pseudonymisation means processing of personal data in such a
manner that the personal data can no longer be attributed to a specific data subject
without the use
of additional information”. In fact, one of the most important GDPR s policy goals is the
enforcement upon data controllers and processors of a business model based on risk assessment:
data shall be processed using techniques to prevent and minimize risk to the subject to whom data
refers. See. e.g. “whereas” n. 28: “The application of pseudonymisation to personal data can reduce
the risks to the data subjects concerned and help controllers and processors to meet their
data-protection obligations. (...)”. In some cases, the consequence may be represented by the
inapplicability of privacy rules to Big Data, as clearly noted by Article 29 Data Protection Working
Party, Opinion 05/2014 on Anonymisation Techniques (WP216 - April 10, 2014) 10: “Where a third
party processes a dataset treated with an anonymisation technique (anonymised and released by the
original data controller) they may do so lawfully without needing to take account of data protection
requirements provided they cannot (directly or indirectly) identify the data subjects in the original
dataset. (...)”. In argument, see also I. WALDEN, Anonymising Personal Data, in Int’l J.L. & Info.
Tech., 10, 2002, 224 ff; G. RESTA, Identità personale e identità digitale, in Dir. informaz., 3, 2007, 511
ff; G. FINOCCHIARO, Anonimato, in Dig. disc. priv., sez. civ., Torino, UTET, 2010, 12 ff.
(16) See “whereas” n. 26: « The principles of data protection should apply to any information
concerning an identified or identifiable natural person. Personal data which have undergone
pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. (...) ». V. MAYERSCHÖNBERGER - Y. PADOVA, Regime Change? Enabling Big Data Through Europe’s New Data
Protection Regulation, in Colum. Sci. & Tech. L. Rev., 17, 2016, 315 ff, 335 describe the GDPR s
approach as muddled, complicated and confusing; for preliminary remarks see also P.M. SCHWARTZ
- D.J. SOLOVE, The PII Problem: Privacy and a New Concept of Personally Identifiable Information,
in N.Y.U. L. Rev., 86, 2011, 1814 ff.
(17) For an historical and comparative inquiry see H.P. GÖTTING, Persönlichkeitsrechte als
Vermögensrechte, Tübingen, Mohr-Siebeck, 1995; C. AHRENS, Die Verwertung persönlichkeitsrechtlicher Positionen. Ansatz einer Systembildun, Würzburg, Claus Ahrens, 2002; H. BEVERLEY SMITH,
The Commercial Appropriation of Personality, Cambridge, Cambridge Univ. Press, 2004; G. RESTA,
Autonomia privata e diritti della personalità, Napoli, Jovene, 2004; V. ZENO-ZENCOVICH, Personalità
(diritti della), in Dig. disc. priv., sez. civ., Torino, UTET, 1995, 437 ff.
“BIG
DATA REVOLUTION”
35
But if one follows the opposite view, according to which personal data have an
economic value and therefore can and should be provided only for an adequate
consideration, on the one hand we are asserting an exclusive right on one s data (18), on
the other hand we are opening the discussion — as one shall see soon — to a wide debate
on the contractual nature of such a relationship (19).
The patrimonial approach has several theoretical uncertainties. Each of us is a
producer of a commodity (personal data) which can present economic significance only
if it is joined with other data. The larger the size of the data-base, generally, the greater
its value. But each of us can extract from our own data — which hypothetically we control
— very little use. The whole (big data) is much, much more than the sum of its single
parts. This has effects as we shall see, on pricing of data.
c) To make the situation more complex it is necessary to point out that the term
“personal data” hides many ambiguities and pit-falls. The first stumbling block is the term
“personal”. There is a multiplicity of data which do not “belong” to a single person, but
to several persons: typically genetic information which is shared by generations of
persons who have common ancestors, parents, relatives.
But on a more down-to-earth scale most data which is collected within a contractual
relationship “belong” to both (or all) parties of the contract. The data concerning the
buyer is essential for the seller and vice versa; or the data concerning the tenant is
essential for the landlord, and vice versa (20). In a contract — and one could expand the
notion also to non-economic aspects —“relational” data is produced which “belong” to
all the parties, and as in all forms of co-ownership complex legal issues arise when it
comes to establishing to what extent one party may exert its rights without depriving the
other party of its legitimate expectations.
But also the second term, “data” is ambiguous. Should metadata — id est data which
is produced from (or provides information of) original data — be considered “personal
data”? (21) And whose is it?
The question are far from idle and come forcibly to the forefront when examining
(18) K.N. PEIFER, Eigenheit oder Eigentum - Was schütz das Persönlichkeitsrecht?, in Gewerblichen Rechtschutz und Urheberrecht, 2002, 495 ff; S. RODOTÀ, Tecnopolitica, 2nd ed., Roma-Bari,
Laterza, 2004, 155; N. PURTOVA, Property in Personal Data: A European Perspective on the
Instrumentalist Theory of Propertisation, in Eur. J. Legal Stud., 2, 2010, 193 ff. For a Common Law
perspective see also M.J. RADIN, Property and Personhood, in Stan. L. Rev., 34, 1982, 957 ff; J.
LITMAN, Information Privacy/Information Property, in Stan. L. Rev., 52, 2000, 1283 ff; L. LESSIG,
Privacy as Property, in Social Research: An International Quarterly of Social Sciences, 69, 2002, 247
ff; P.M. SCHWARTZ, Property, Privacy and Personal Data, in Harv. L. Rev., 117, 2004, 2056 ff; R.S.
HEIMES, Privacy and Innovation: Information as Property and the Impact on Data Subject, in New
Eng. L. Rev., 49, 2015, 649 ff.
(19) V. ZENO-ZENCOVICH, Profili negoziali degli attributi della personalità, in Dir. informaz.
1993, 545 ff; A. BÜCHLER, Die Kommerzialisierung von Persönlichkeitsgutern, in Archivfür die
civilistische Praxis, 2006, 300 ff; J. HELLE, Privatautonomie und kommerzielles Persönlichkeitsrecht,
in JZ, 2007, 444 ff.
(20) We are now speaking about “neutral areas”, not (or less effectively) protected by privacy
law. For example, article 1, b) (and whereas n. 44) of GDPR, generally acknowledges processing of
personal data when necessary in the context of a contract or while expressing the intention to enter
into a contract. See V. ZENO-ZENCOVICH, La ‘comunione’ di dati personali. Un contributo al sistema
dei diritti della personalità, in Dir. informaz. 2009, 5.
judge Leon granted
(21) In Klayman v. Obama, 957 F. Supp. 2d 1 (D.D.C. 2013), circuit
Klayman s motion of a preliminary injunction, finding that the Plaintiffs reasonable expectation of
privacy was violated when the Government randomly collected and analyzed telephone metadata
for national security purposes without obtaining prior consent.
36
DOTTRINA
issues such as “portability of data” (article 20 of the GDPR) (22), and post-mortem
entitlement to data of the deceased person (e.g. the e-mail, the Facebook account,
etc.) (23).
3.
Access to data.
Data are — in an economic perspective — non-rivalrous and non-consumable public
goods. Does this mean than anybody or that qualified third parties may have access to
data? Here the issue of ownership is inter-twined with those of competition law.
Generally the discussion on big data is associated with that on “open data”.
a) It is well known that public authorities, both national and local, have been and
still are among the most important “producers” of data. Statistical data of all kinds are
among the most obvious public “big data” but there are many other ambits in which huge
amounts of data are collected but scarcely used. In the EU, Directive 2013/37 sets rules
on the re-use of public sector information (24). The declared aim is that of making such
information available on a non-discriminatory, near-to cost basis, with some notable
exceptions such as cultural heritage data and metadata, in order to favour the knowledge
society (25). It is, however, far from clear how the Directive fits in the “big data
revolution”.
One of the factors which have turned data in an essential element of present-day
economy is its dynamicity, in the production, in the processing, in the consumption.
Public data, instead — at least that envisaged by Directive 2013/37 — is mainly static and
(out)-dated, which therefore is of limited importance and value.
Although there are significant areas in which public authorities are promoting of
data-driven services (e.g. “smart cities”) it remains to be decided whether they are under
an obligation to render such data available to third parties in real-time. Typical examples
are those of a great number of enterprises (restaurants, cafés, taxis, shop owners) who
would dearly need to know from the airport or main train station managers how many
(22) Article 20 provides that in some cases (processing based on consent or carried out by
automated means) data subject shall have the right to receive and transmit to others a copy of the
personal data concerning him or her in a structured, machine-readable and interoperable format.
According to article 4, nn. 3 and 4, the exercise of this right shall be without prejudice to the right
to erasure (‘right to be forgotten ) and shall not adversely affect the rights and freedoms of others.
(23) According to “whereas” n. 27, personal data of deceased persons are not protected by the
GDPR. Therefore, in absence of specific rules introduced by Members States, general provisions on
successions or/and contractual clauses adopted by controllers and processors should be applied. For
further remarks see G. RESTA, La ‘morte digitale, in Dir. informaz., 2014, 891 ff; D. MCCALLIG,
Facebook after death: an evolving policy in a social network, in Int. J. Law Info Tec., 22, 2014, 107
ff.
(24) See V. ZENO-ZENCOVICH, Uso a fini privati di dati personali in mano pubblica, in Dir.
informaz., 2003, 197 ff; G. RESTA - D. SOLDA KUTZMANN, I beni immateriali dello Stato e degli Enti
pubblici: un itinerario tra property e commons, in AA.VV., I beni pubblici. Dal governo democratico
dell’economia alla riforma del Codice civile, Roma, Accademia Nazionale dei Lincei, 2010, 145 ff; D.
SOLDA KUTZMANN, Circolazione dell’informazione del settore pubblico, in Dig. disc. priv., sez. civ.,
Agg. III, Torino, UTET, 2007, 173 ff; G. AICHHOLZER - H. BURKERT, (eds.), Public Sector Information
in the Digital Age, Between Markets, Public Management and Citizens’ Rights, Cheltenham, Edgar
Elgar, 2004; M. VAN EECHOUD - K. JANDSEN, Rights of Access to Public Sector Information, in Masaryk
U. J.L. & Tech., 2012, 471 ff.
(25) See articles 5 and 9 (and “whereas” nn. 15 and 19), Directive 13/37/UE.
“BIG
DATA REVOLUTION”
37
people are expected — and are actually arriving — in a town for a certain event (a sports
event, a concert, a rally, etc.).
b) This kind of data is, instead, collected by a number of semi-public entities, mainly
operating in the field of public utilities and in services of general economic interest
(SGEI, in EU acronym). Some of these entities are in the public hand in the sense that
they are controlled by the State or by local authorities. Others, instead, are private
business entities which are entrusted — often on an exclusive basis — with a public
service remit. These entities clearly are operating in the market and therefore use the
data they collect to strengthen their market position (26). In EU legislation one can find
various examples (especially in the transport sector) in which they may have to share with
competitors certain information, even in real-time (e.g. delay in connections (27)).
These cases however confirm that while it may be necessary and in the general
interest that certain data should be made available to third parties, this can only be on the
basis of specific normative provisions. There does not appears to be to a general rule
establishing limited ownership rights over data, or to see things from a different
perspective one cannot envisage a general right to access data of a third party, unless
there is a normative or administrative entitlement (28).
c) These last conclusions might be read as excluding the possibility to access data
(and big data) held by private entities. However one should not forget that if data is
considered an essential infrastructure of digital economy competition rules might be used
to oblige the data holder to provide this information to competitors. The principle is
embedded in software protection legislation where it allows reverse engineering (i.e.
access to information and algorithms governing it) in order to develop inter-faces (29). Or
(26) See i.e. T. VAN DER VEN - M. WEDLOCK, Study regarding guaranteed access to traffic and
travel data and free provision of universal traffic information, Final Report, European Commission,
Directorate-General Mobility & Transport, 9 March 2011, available at url: http://ec.europa.eu/
transport/themes/its/studies/doc/2011_03-final-report-study-data-access-free-safety-trafficinformation.pdf/ (accessed 1/9/2016), 27: “Data held in the private sector whether for its own
purposes or within an industrial and commercial public service is protected by intellectual property
rights and other commercial considerations, assuming that the copyright and ownership is not
transferred. Unless requested (for example) as part of a police investigation, there is very little
power to extract information collected by the private sector, subject to competition rules, where the
essential facilities theory1 applies and under which the refusal to grant a license may be regarded as
an abuse of a dominant position. However, in many cases private operators are keen to collaborate
with public authorities in order to gain access to multiple data sources for validation of accuracy”.
1371/2007 of the European Parliament and of the Council of 23
(27) See Regulation (EC) No
October 2007 on rail passengers rights and obligations.
(28) For a comparative overview, see R.L. OKEDIJI, Government as Owner of Intellectual
Property? Considerations for Public Welfare in the Era of Big Data, in Vand. J. Ent. & Tech. L., 18,
2016, 331 ff.
(29) See Article 1, n. 2, directive 2009/24/EC. The appropriation of information by private
companies for pursuing general interest purposes (like health care or disasters prevention) could
grow in the future thanks to the Internet of Things. European lawmaker has adopted a policy of
exception in order to encourage IoT services. The recent regulation on “Open Internet” allows - in
some cases and without detriment of the availability and general quality of internet access services
for end-users - the provision of electronic communication services other than internet access, for
which specific levels of quality are necessary. Such specific levels of quality are, for instance, required
by some services responding to a public interest or by some new machine-to-machine communications services, like IoT services. See Regulation (EU) 2015/2120 of the European Parliament and of
the Council of 25 November 2015 laying down measures concerning
open internet access and
amending Directive 2002/22/EC on universal service and users rights relating to electronic communications networks and services and Regulation (EU) no 531/2012 on roaming on public mobile
communications networks within the Union, in OJEU, 2015, L 310/1, “whereas” nn. 16 and 17.
38
DOTTRINA
in the ECJ Magill case where information on tv programming was considered an essential
facility (30). The issue will be further analyzed in a following paragraph. What should be
considered is that entitlement, ownership and property rights may be limited or established through many legal paths.
4.
Data transactions.
If data is a commodity, clearly it is the object of transactions, at a “wholesale” level,
and at a “retail” level. Let us focus on the former, which is more directly related to the
big data phenomenon.
The first obvious distinction is between sale of data, which transfers control over the
database; and data-services which imply that ownership is not relinquished, but simply
that temporary usage rights are granted.
a) In the first case typical common terms, conditions and warranties have to be
considered in order to establish validity of the contract, fulfilment of obligations,
guarantees on the absence of defects and so on. It is not usual in this area of business that
controversies are brought to the light of the courts. In a rare occasion the French Court
of Cassation declared that the sale of a database containing personal data was void
because the existence of the database had not been — prior to the sale — notified to the
French Data Protection Commissioner (CNIL) (31). The decision states the contractual
relevance of privacy and data protection in relation to the transfer by purchase of
personal information, even when they have been lawfully collected, and the role of public
institutions in the contractual circulation of data-banks containing personal data.
Even more revealing of the complexities surrounding data transactions is the
RadioShack case. RadioShack, an electronic equipment retail franchise, went bankrupt
in 2015. The US Bankruptcy Court for the District of Delaware started liquidating the
assets in order to repay debts. One of the most valuable asset was RadioShack s database
which contained around 117 million customer records, including those of consumers and
of commercial customers.
Similarly, GDPR immunizes all information processed for pursuing relevant purposes of public or
vital interests of the data subject or of another individual (article 1, n. 1, lett. d) such as monitoring
the evolution,
or the prevention of natural catastrophes, providing also some limitations to data
subjects rights. See i.e. “whereas” nn. 43, 76 and 52: “Derogating from the prohibition on processing
special categories of personal data should also be allowed when provided for in Union or Member
State law and subject to suitable safeguards, so as to protect personal data and other fundamental
rights, where it is in the public interest to do so, in particular processing personal data in the field
of employment law, social protection law including pensions and for health security, monitoring and
alert purposes, the prevention or control of communicable diseases and other serious threats to
health. Such a derogation may be made for health purposes, including public health and the
management of health-care services, especially in order to ensure the quality and cost-effectiveness
of the procedures used for settling claims for benefits and services in the health insurance system, or
for archiving purposes in the public interest, scientific or historical research purposes or statistical
purposes. A derogation should also allow the processing of such personal data where necessary for
the establishment, exercise or defence of legal claims, whether in court proceedings or in an
administrative or out-of-court procedure.”
(30) ECJ, 6 April 1995, C-241/91 P and C-242/91 P, RTE and ITP v. Commission of the
European Communities, in ECR, 1995, I-00743.
(31) Cour de Cassation civile (France), Chambre commerciale, 25 June 2013, no 12-17.037, available at url: https://www.legifrance.gouv.fr/affichJuriJudi.do?idTexte=JURITEXT000027632440/
(accessed 30/8/2016).
“BIG
DATA REVOLUTION”
39
The bankruptcy trustee offered for sale 67 million records which included complete
customer names and physical address, of which around 8.3 million included an e-mail
address. Furthermore 200.000 e-mail addresses that were not associated with a physical
mailing address were part of the offer. A coalition of 38 US states, led by Texas, objected
to the sale of personally identifiable information on the basis of existing online and
in-store privacy policies.
The bankruptcy court of appointed a “privacy ombudsman” which reached an
agreement with the buyer (General Wireless) with a considerable amount of limitations:
— The sale would concern only e-mail addresses that had been active for the last
two years.
— The buyer will be bound by RadioShack s privacy policies which prohibited
further sale or transfer of data to third parties.
— The data was to be used in substantially the same line of business of RadioShack
(therefore excluding use in other commercial activities).
— Customers were given an opportunity to opt-out from having their data transferred to the buyer within one week from being served a notice.
— 14 data fields were removed from the data sold, which included only 7 fields such
as store number, ticket date and time, stock keeping unit number, description of product
and selling price, tender types and amount.
The RadioShack case should be kept in mind not only in the case in which a
company is liquidated (32), but also in the much more common, and less traumatic, case
of the transfer of a business unit, which reasonably should include all the data concerning
purveyors and customers, and represent a fundamental content of the transaction (33).
From these two cases one understands that in bulk-data transfers, one is selling/buying
much more than “data”. We are more realistically — from an economic point of view —
talking about the goodwill of an enterprise. But while traditionally this was considered an
exclusive asset of the seller, one understands that now other parties — data subjects —
have a saying in the transaction.
b) One should also consider that in many cases, already now, big data holders
extract value by providing data services to third parties on the basis of a consideration.
One can envisage two possibilities: in one case the third party is given access, for a limited
time, to data and may use them without withholding them, but simply keeping the result
of the processing. In the second case the third party is given access to data analytics tools
which enable it to search certain results. In both cases the contract has the nature of a
licence, and the rights conferred upon the third party are very narrowly described,
following typical forms of IP licences. Therefore one does not apply the typical law of
sales — which historically imposes upon the seller a certain amount of binding obligations and warranties — but one is removed to the much more flexible context of
(32) Similarly, in FTC v. Toysmart.com, LLC, and Toysmart.com,
Inc. (July 21, 2000) a
bankrupt
Disney-owned company tried to sell its customer s personal information including con
sumers names, addresses, billing and family information. This attempt had legal consequences with
respect to the enforcement of consumers privacy rights. In fact Toysmart agreed to settle the
charges brought by the Federal Trade Commission that the company had violated Section 5 of the
FTC Act by misrepresenting to consumers that personal information would never be shared with
third parties
and then disclosing, selling, or offering that information for sale in violation of the
company s own privacy statement.
(33) For further information on merger cases involving the transfer of data assets see infra,
para 7.
40
DOTTRINA
“provision of services” in which the notion of full and proper performance is much more
fluid.
At any rate service transactions concerning big data are very much in line with
digital transactions (typically “lease” of digital capacity) widely used in the business
community.
5.
Consumer transactions.
As we have seen big data pose complex contractual issues when it comes to their use
in third party relations. However it is necessary to consider also upstream relations: in
order to create a big data database it is necessary to collect this data from persons or
objects belonging to, or under the control of, persons.
Traditionally this was done purely on a de facto basis. The collector of the data —
mostly operating through a telecommunication network — provided rather perfunctory
information to the user compliant with data protection laws and nothing more than that.
The services provided were, purportedly, “free”, and if one had the curiosity to read the
general terms and conditions of the services, generally tucked away in a remote and fine
print page, the legal framework — built around common law templates — was that of
gratuitous promises: no consideration from the user, no duty upon the provider.
To the contrary of this formal setting, it was not difficult to detect in this operation
a very clear exchange, relevant both economically and legally, between data and
services (34). One does need to be refined lawyers to realize that valuable consideration
(to express the notion in common law terms) is not only a monetary amount but can be
personal data, which have a much higher intrinsic value than the proverbial peppercorn.
Relations between providers of a on-line service and users have therefore always
been of a contractual nature (35). One had only to look at the business model to
understand the reality, which now has become clear to everybody, except for Facebook
which insists on using as a motto on its home page “It is free, and will always be”, a phrase
(34) See R. CATERINA, Cyberspazio, social network e teoria generale del contratto, in AIDA,
Milano, Giuffrè, 2011, 96 ff; P.A. DE MIGUEL ASENSIO, Social Networking Sites: An overview of
Applicable Law Issues, ibid., 3 ff; P. SAMMARCO, Le clausole contrattuali di esonero e trasferimento
della responsabilità inserite nei termini d’uso dei servizi del web 2.0, in Dir. informaz., 2010, 631 ff;
S. SICA - G. GIANNONE CODIGLIONE, I social network sites e il “labirinto” delle responsabilità, in Giur.
merito, 2012, 2714 ff; D. LEVINE, Facebook and Social Networks: the Government’s Newest Playground for Information and the Laws That Haven’t Quite Kept Pace, in Hastings Comm. &Ent. L.J.,
33, 2011, 481 ff.
(35) See terms and conditions of Twitter (21/7/2016): “You may use the Services only if you can
form a binding contract with Twitter and are not a person barred from receiving services under the
laws of the United States or other applicable jurisdiction. If you are accepting these Terms and using
the Services on behalf of a company, organization, government, or other legal entity, you represent
and warrant that you are authorized to do so. You may use the Services only in compliance with
these Terms and all applicable local, state, national, and international laws, rules and regulations.”,
or Facebook (21/7/2016): “This Statement of Rights and Responsibilities (“Statement,” “Terms,” or
“SRR”) derives from the Facebook Principles, and is our terms of service that governs our
relationship with users and others who interact with Facebook, as well as Facebook brands, products
and services, which we call the “Facebook Services” or “Services”. By using or accessing the
Facebook Services, you agree to this Statement, as updated from time to time in accordance with
Section 13 below. Additionally, you will find resources at the end of this document that help you
understand how Facebook works.”
“BIG
DATA REVOLUTION”
41
which, at its least, is a misleading and deceptive commercial statement, as one can easily
see if one takes the time to read the general terms and conditions of service (36).
The valuable consideration which the user exchanges for the services is made even
more evident in certain terms and conditions in which the user grants the provider (e.g.
Facebook and Twitter) with an unlimited and non-exclusive license to use all contents he
or she posts on the services (37).
Something that clearly is much more — and much more valuable — than simple
traffic data.
Once settled the legal classification of the relationship between provider and user
the obvious consequence is that of establishing which rules apply to it. The reply is that,
at least in the EU, we are faced with a consumer contract inasmuch as the user who has
agreed to the contract is acting outside his or her professional activity (38).
One should also consider that, at least in EU law, equal protection in quality
standards and pricing is provided to both consumers and professional users of telecommunication services (39).
Once one has established the subjective extent of the EU consumer protection laws
to most online services, it becomes evident that the general terms and conditions of
services which are attached to them are radically void from A to Z not only because they
are written on the wrong assumption (see further at para. 8) that US law applies to the
relationship, but because they clearly conflict with the unfair terms directive (93/13) (40).
In particular all the terms and conditions which state that the provider is not bound to any
standard of service, may at will change or suspend the service, and grants no continuity
of service (41). Equally invalid are all the clauses which exonerate the provider from
(36) In the sense of “interested free-giving” see F. ASTONE, Il rapporto tra gestore e singolo
utente: questioni generali, in AIDA, Milano, Giuffrè, 2011,113 ff. S. RODOTÀ, Gratuità e solidarietà tra
impianti codicistici e ordinamenti tradizionali, in A. GALASSO - S. MAZZARESE (eds.) Il principio di
gratuità, Milano, Giuffrè, 2008, 97 ff, 103, emphasizes the importance of functional connection
between free-giving and human dignity.
(37) See terms and conditions of Twitter: “By submitting, posting or displaying Content on or
through the Services, you grant us a worldwide, non-exclusive, royalty-free license (with the right to
sublicense) to use, copy, reproduce, process, adapt, modify, publish, transmit, display and distribute
such Content in any and all media or distribution methods (now known or later developed)” or
Facebook: “You grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide
license to use any IP content that you post on or in connection with Facebook .”
(38) This subjective element entails complex issues considering that in many cases the use of
the service (typically, an e-mail account) can be both personal and professional. S. SICA - G.
GIANNONE CODIGLIONE, I social network sites e il “labirinto” delle responsabilità, cit., 2719, describe the
phenomenon talking about “mutant subjectivity”.
of the European Parliament and of the Council of
(39) See e.g. Article 1, directive 2002/22/EC
7 March 2002 on universal service and users rights relating to electronic communications networks
and services (Universal Service Directive), as amended by Directive 2009/136/EC.
(40) Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts,in
OJEC, 1993, L 095.
(41) See terms and conditions of Twitter: “The Services that Twitter provides are always
evolving and the form and nature of the Services that Twitter provides may change from time to time
without prior notice to you. In addition, Twitter may stop (permanently or temporarily) providing
the Services (or any features within the Services) to you or to users generally and may not be able
to provide you with prior notice. We also retain the right to create limits on use and storage at our
sole discretion at any time without prior notice to you.”, or Facebook: “we try to keep Facebook up,
bug-free, and safe, but you use it at your own risk. we are providing Facebook as is without any
express or implied warranties including, but not limited to, implied warranties of merchantability,
fitness for a particular purpose, and non-infringement. we do not guarantee that Facebook will
always be safe, secure or error-free or that Facebook will always function without disruptions, delays
42
DOTTRINA
responsibility, or limit it to a symbolic sum (generally US $100) (42); together with the
provisions on the applicable law and the competent jurisdiction. The model should be
that of European telecommunication services, with a particular attention to data protection issues.
Inasmuch personal data is the main consideration provided by the user, he or she
should be clearly warned on what use will be made of that data. One could attempt to
frame such an obligation within the rule set in the Annex, letter (l), to the Unfair Terms
directive according to which suppliers of services may not “increase their price without
in both cases giving the consumer the corresponding right to cancel the contract if the
final price is too high in relation to the price agreed when the contract was concluded” (43). However there is considerable pressure to enact specific regulations aimed
at providing explicit protection to Internet users considered as consumers (44).
At the same time it appears necessary to provide contractual terms and conditions
concerning the portability of personal data, the exercise of the right of removal of
personal data etc.
In other terms framing the relations as a contractual one does not imply only
one-sided obligations. Fairness and good-faith are obligations which bind also consumers.
The relationship becomes more complex in an internet-of-things context. Generally
the common scenario will be that of the sale (or lease) of an object which is engineered
to collect and transmit data on itself, its use, the environment in which it is placed.
We have here two cases: the sale (or lease) is based on a written contract which
contains terms and conditions concerning the IoT devices (e.g. an automobile which
provides data on it use to the producer). Here the issue is whether the buyer may refuse
to grant consent to the collection of data without forfeiting ancillary (but essential)
collateral services, such as maintenance.
or imperfections. Facebook is not responsible for the actions, content, information, or data of third
parties, and you release us, our directors, officers, employees, and agents from any claims and
damages, known and unknown, arising out of or in any way connected with any claim you have
against any such third parties. (...).”
(42) See term and condition of Twitter: “In no event shall the aggregate liability of the Twitter
entities exceed the greater of one hundred U.S. dollars (US $100.00) or the amount you paid Twitter,
if any, in the past six months for the services giving rise to the claim.”, or Facebook: “If you are a
California resident, you waive California civil code §1542, which says: a general release does not
extend to claims which the creditor does not know or suspect to exist in his or her favor at the time
of executing the release, which if known by him or her must have materially affected his or her
settlement with the debtor. we will not be liable to you for any lost profits or other consequential,
special, indirect, or incidental damages arising out of or in connection with this statement or
Facebook, even if we have been advised of the possibility of such damages. our aggregate liability
arising out of this statement or Facebook will not exceed the greater of one hundred dollars ($100)
or the amount you have paid us in the past twelve months. applicable law may not allow the
limitation or exclusion of liability or incidental or consequential
damages, so the above limitation or
exclusion may not apply to you. in such cases, Facebook s liability will be limited to the fullest extent
permitted by applicable law”.
(43) See M. GRANIERI, Le clausole ricorrenti nei contratti dei social networks dal punto di vista
della disciplina consumeristica dell’Unione europea, in AIDA, 2011, 125 ff; F. AGNINO, Disponibilità
dei diritti nei s.n.: fino a che punto è possibile disporre contrattualmente dei propri diritti? (vedi
contratto FB), in Giur. merito, 2012, 2555 ff, 2558.
(44) C.H. BUSCH - H. SCHULTE-NÖLKE - A. WIEWIÓROWSKA-DOMAGALSKA - F. ZOLL, The Rise of the
Platform Economy: A New Challenge for EU Consumer Law?, in EuCML, 5, 2016, 3 ff; J. SÉNÉCHAL,
The Diversity of the Services provided by Online Platforms and the Specificity of the Counterperformance of these Services - A Double Challenge for European and National Contract Law, in
EuCML, 1, 2016, 39 ff.
“BIG
DATA REVOLUTION”
43
In over-the-counter sales (e.g. in a supermarket) it is doubtful that the sales
agreement can contain an implied term allowing collection of data, even if that data
should not be considered “personal”. The first reason is that a sale transfers to the buyer
property on the object i.e. a ius utendi et abutendi. There does not seem to be any legal
right for the seller to continue to control the sold object once it has been transferred to
the buyer (45). A stronger legal framework could be that the buyer, after the sale, grants
consent to the producer — e.g. by activating a QR file and a RFID embedded in the
product — to collect and process data (46). This legal relationship is autonomous from the
sale, but it is unclear what is its object: the buyer provides valuable data on the product
(one for all: rate of consumption), but what does he or she receive in exchange? Clearly
marketing techniques will play an important role in suggesting new models, but at the
same time it will be necessary to verify their compliance with the law.
What is clear is that these aspects should be very carefully examined and solutions
should be tailored according to the various cases (47).
In those relating to medical devices implanted in the body of the patient (cardiac
valves; prosthesis, etc.) provision of data — highly sensitive data — is essential for the
continuous monitoring on the functioning of the device and the conditions of the patient.
One might even challenge the compliance with safety standard if the device did not
provide such data.
Other cases are less obvious: for example a drug (prescribed or not) whose package
leaflet is available only on-line, or by downloading it via QR on a mobile phone.
Wearable devices present further complexities, especially those related to sports
activities which provide data related to the performance of the user, but also to his/her
health conditions.
Conclusively, on this point, once we have entered in the realm of contract there is
a clear need to merge consumer protection clauses with data protection rules in one
comprehensive text. This brings us rather far away from the original theoretical frame of
“simple” consent to the processing of personal data: from status to contract.
6.
Liability in data driven innovation contexts.
Liability issues related to the use of ICT technologies have been studied since their
(45) In argument, M. SCOTT BOONE, Ubiquitous Computing, Virtual Worlds, and the Displacement of Property Rights, in ISJLP, 4, 2008, 91 ff.
(46) E. GERMANI - L. FEROLA, Il wearable computing e gli orizzonti futuri della privacy, in Dir.
informaz., 2014, 75 ff, speak about the need to modify and adapt the current legislation so as to
reconcile the right to free access to information with the right to data protection; A. THIERER, The
Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns Without
Derailing Innovation, in Rich. J.L. & Tech., 21, 2015, 6 ff, on the other hand remarks that ex ante
(preemptive and precautionary) regulation is often highly inefficient, even to the extent of being
dangerous: “Prospective regulation based on speculation about future harms that may never
materialize is likely to come at the expense of innovation and growth opportunities. When corrective
actions are needed to address more serious harms, ex post measures - especially via common-law
actions and FTC enforcement activities - will generally be more sensible”.
(47) For an overview on recent opinions see S.R. PEPPET, Regulating the Internet of Things: First
Steps Toward Managing Discrimination, Privacy, Security, and Consent, in Tex. L. Rev., 93, 2014, 85
ff; J. BRILL, The Internet Of Things: Building Trust And Maximizing Benefits Through Consumer
Control, in Fordham L. Rev., 83, 2014, 205 ff; T.M. LENARD - P.H. RUBIN, Big Data, Privacy and the
Familiar Solutions, in J.L. Econ. & Pol’, 11, 2015, 11 ff.
44
DOTTRINA
appearance. In one of the first articles on the topic, the starting example was that of an
airplane crash due to the malfunctioning of an air traffic control system which collected
certain flight information and was meant to provide safe landing and take-off routes and
slots (48). Increasingly potentially dangerous objects will function on the basis of data
collected, data analytics, and data search algorithms.
The most obvious example is that of the driverless automobile (49). Who should be
liable? De lege lata it is quite easy to fall into inextricable questions such as: is software
a product and therefore subject to product liability rules? Is an algorithm (ex hypothesis
faulty and therefore source of wrong and damaging actions) a product? Can one consider
data (and big data) part of the product? What rules of causation, and what evidentiary
rules, should apply?
The courts can easily be bogged down by these questions, especially because each
case is different from another, and the extent of human participation in the damaging
action or decision can vary considerably.
A general policy approach appears much more satisfactory and was set out a century
ago when facing the analogous technical revolution which was brought about by the
production and sale of automobiles.
As Justice Benjamin Cardozo stated in the 1916 MacPherson v. Buick Motors
case (50), the producer of an inherently dangerous product will be held strictly liable. The
principle was quickly picked up in civil law contexts or by adequately construing existing
provisions (article 1384 of the Code Napoléon interpreted in the sense that the producer
(48) See S. NYCUM, Liability for malfunction of a computer program, in Rutgers J. Comp. Tech.
& L., 7, 1979, 1 (“Three devastating accidents have occurred. First, an air traffic controller, relying on
his instruments has directed two passenger jets onto an intersecting course. The jets have crashed and
all aboard are killed”), and also C. ROSSELLO, La responsabilità per inadeguato funzionamento di
programma per elaboratore elettronico: aspetti e problemi dell’esperienza nord-americana, in G. ALPA
(ed.), Computers e responsabilità civile, Milano, Giuffrè, 1985, 87-142; K.P. CRONIN, Consumer
Remedies for Defective Computer Software, in Wash. U. J. Urb. & Contemp. L., 28, 1985, 273 ff.
(49) The National Highway Traffic Safety Administration (NHTSA) is investigating a recent,
fatal accident involving a Tesla Motors Inc. car that was driving on autopilot, drawing scrutiny to a
key technology the electric-vehicle maker is betting on for the future of self-driving cars. The crash
involved a 40-year-old Ohio man who was killed when his 2015 Model S drove under the trailer of
an 18-wheeler on a highway near Williston, Florida, according to a Florida Highway Patrol
statement.
(50) MacPherson v. Buick Motor Co., 217 N.Y. 382, 111 N.E. 1050 (1916). Another legal
solution follows the doctrine of agency - respondeat superior, for which — as landlords and tenants
— employers are liable for the actions of an employee when the actions take place within the scope
of employment. See P.S. ATIYAH, Vicarious Liability in the Law of Torts, London, Butterworths,
1967, 12 ff. In the practice of many US states, the employee who suffers damage (from things or
machines) during work, cannot claim damages against the employer where there
is some kind of
insurance rate compensation for accidents occurred, except when the employer s conduct rises to the
level of intentional conduct. For a case-law review involving workplace liability (or death) caused by
robots see Miller v. Rubbermaid Inc., 2007 Ohio App. LEXIS 2672 (Jun. 13, 2007); State ex rel. Scott
Fetzer Co. v. Industrial Comm’n of Ohio, 692 N.Ed 2d 195 (Ohio 1998) (per curiam); Edens v. Loris
Bellini, S.p.a., 597 S.E.2d 863 (S.C. Ct. App. 2004): only in one case (Scott Fetzer Co.) ultracompensative damages were granted for the omission of necessary safety measures by employer. See
also Jones v. W + M Automation, Inc., 818 N.Y.S.2d 396 (App. Div. 2006), app. denied, 862 N.E.2d
790 (N.Y. 2007), in which the producer was held liable for the damage causally attributable to an
automaton defect since the time of purchase. For a more exhaustive review see S. WU, Unmanned
Vehicles and US Product Liability Law, in J. L. Info. & Sci., 21, 2012, 234 ff.
“BIG
DATA REVOLUTION”
45
is the “gardien de la chose”) or introducing appropriate provisions (e.g. article 2050 of the
Italian civil code, which establishes strict liability for “dangerous activities”) (51).
This trend was strengthened in the last half-century by the law & economics theories
which pointed out that strict liability in the field of damages brought by defective
products and services is more efficient than fault-based systems because:
i. a strict liability reduces moral hazard and induces enterprises to buy insurance
against third party liability;
ii. the insurance premium — a fixed sum, instead of the future payment of uncertain
amount — can be easily internalized in the cost of the firm and transferred to final
consumers as a component of the price (52);
iii. strict liability tends to eliminate inefficient firms, therefore increasing the level of
competition on quality and reliability;
iv. insurance reduces corporate, social and administrative costs related to litigation (53).
Against this background one should consider that liability rules generally take into
account — and therefore vary — a series of elements, the most relevant of which is the
nature of the damage which has been brought and which one intends to redress (54). The
most serious cases are those of damage to life and limb an example could be that of
(51) G. GILMORE, Products Liability: A Commentary, in U. Chi. L. Rev., 38, 1970, 103 ff; C.J.
PECK, Negligence and Liability Without Fault in Tort Law, in Wash. L. Rev., 46, 1971, 225 ff; M.
SHAPO, The Law of Product Liability, New York, Aspen/Wolters Kluwer, 2012. In Italian literature
see G. GHIDINI, La responsabilità del produttore, Giuffrè, Milano, 1975; C. CASTRONOVO, Problema e
sistema nel danno da prodotti, Milano, Giuffrè, 1979; G. ALPA - M. BESSONE (eds.), Danno da prodotti
e responsabilità dell’impresa. Diritto italiano ed esperienze straniere, Milano, Giuffrè, 1980; G. ALPA
- M. BIN - P. CENDON (eds.), La responsabilità del produttore, in F. GALGANO (dir. by), Trattato di
diritto commerciale, vol. XIII, Padova, CEDAM, 1990; G. PONZANELLI, La responsabilità civile. Profili
di diritto comparato, Bologna, Il Mulino, 1992, 107 ff; ID., La responsabilità del produttore negli Stati
Uniti d’America, in Danno resp.,1999, 1066 ff.
(52) See i.e. the ‘RoboLaw Project final report, available at url: www.robolaw.eu/.,E. PALMERINI - F. AZZARRI - F. BATTAGLIA - A. BERTOLINI - A. CARNEVALE - J. CARPANETO - F. CAVALLO - A. DI
CARLO - M. CEMPINI - M. CONTROZZI - B.J. KOOPS - F. LUCIVERO - N. MUKERJI - L. NOCCO - A. PIRNI H. SHAH - P. SALVINI - M. SCHELLEKENS - K. WARWICK, D6.2 Guidelines on Regulating Robotics, 2014,
185, available at url: http://www.robolaw.eu/RoboLaw_files/documents/robolaw_d6.2_guide
linesregulatingrobotics_20140922.pdf/ (accessed 30/8/2016); A. BERTOLINI - P. SALVINI - T. PAGLIAI - A.
MORACHIOLI - G. ACERBI - L. TRIESTE - F. CAVALLO - G. TURCHETTI - P. DARIO, On Robots and
Insurance, in Int. J. of Soc. Robotics, on line (3 March 2016).
(53) G. CALABRESI, The Costs of Accidents: A Legal and Economic Analysis, New Haven, Yale
Univ. Press, 1970; G. CALABRESI - G.T. HIRSCHOFF, Toward a Test for Strict Liability in Torts, in Yale
L. J., 81, 1972, 1055 ff; R.A. POSNER, Strict Liability: A Comment, in J. Legal Stud., 2, 1973, 205 ff; W.
LANDES - R. POSNER, The Economic Structure of Tort Law, Cambridge (Mass.)-London, 1987, 54 ff;
P.G. MONATERI, Responsabilità civile, in Dig. disc. priv., sez. civ., Torino, UTET, 1998, 1 ff; R. COOTER
- U. MATTEI - P.G. MONATERI - R, PARDOLESI - T. ULEN, Il mercato delle regole, I, Bologna, Il Mulino,
1999, 204 ff; D.D. FRIEDMAN, Law’s Order. What economy has to do with law and why it matters,
Princeton (New Jersey), Princeton Univ. Press, 2000, 198 ff.
(54) M. WOLF, Schuldnerhaftung bei Automatenversagen, in JuS, 1989, 899 ff; M. NAGENBORG R. CAPURRO - J. WEBER - C. PINGEL, Ethical Regulations on Robotics in Europe, in AI & Society, 22,
2008, 349 ff; P. ASARO, Robots and Responsibility from a Legal Perspective, IEEE ICRA’07
Workshop on Roboethics, Rome, 2007; A. BERTOLINI, Robots as Products: The Case for a Realistic
Analysis of Robotic Applications and Liability Rules, in Law Innovation and Technology, 5, n. 2,
2013, 214-247; F.P. HUBBARD, Sophisticated Robots’: Balancing Liability, Regulation, and Innovation,
in Fla. L. Rev., 66, 2014, 1803 ff; R. CALO, Robotics and the Lessons of Cyberlaw, in Cal. L. Rev. 103,
2015, 513 ff.
46
DOTTRINA
defective control on medical devices which results in the death of the patient or remote
control surgical operations (55).
On quite a different scale one should consider damage which is only economic, such
as that which might arise from an expert system that leads to wrong financial decisions.
Here the whole age-hold discussion on liability for wrong information emerges (56): who
has a duty to provide correct information? Who is protected by such duty? How to
establish the causal link with wrong human decisions and with damages stemming from
such decisions? Can one include lost business opportunities, and less efficient organization of lucrative activities?
A further case is that of expert systems whose failure determines mass disruption of
public services: a traffic light system, an energy distribution network. Thousands — even
millions — of people might be affected but on the one hand it is extremely difficult to
quantify the damage; and on the other hand generally one has to do with public entities
which, at least in the European administrative system, are not-for-profit and therefore
their liability simply means that the related cost will be distributed among tax payers or
will bring to a rise of service fees.
Another, interesting hypothesis is that robots, using their own artificial intelligence
(also driven by real-time information flow provided by IoT) may have legal personality:
will they be, in the near future, held liable of their own mistakes? (57) Or a legal nexus
will always bind them to humans? (58)
One should not consider only extra-contractual liability. If one construes the
(55) In Mracek v. Bryn MawrHosp, 363 Fed. App x 925 (3d Cir. 2010), cert. denied, 131 S. Ct.
82 (2010) a patient sued a hospital after a prostatectomy surgery using the “da Vinci robot”. Plaintiff
alleged that the robot malfunctioned during the surgery and displayed “error” messages.The surgical
team attempted to make the robot operational, but was unable to do so. Then, the medical equipe
used laparoscopic equipment instead of the robot for the remainder of the surgery. One week later,
plaintiff suffered a gross hematuria and was hospitalized. After that, he has erectile dysfunction and
severe groin pain. The Court of Appeal for the Third
Circuit granted summary judgment for the
defendant on the grounds that the plaintiff “did not introduce evidence from which a rational finder
of fact could be found in his favour”. For a review of recent US case law see G. GUERRA, Diritto
comparato e robotica: riflessioni sulla litigation americana in materia di chirurgia robotica, in Dir.
informaz., 2, 2016, forthcoming; U. PAGALLO, The Laws of Robots, Drodrecht-Heidelberg-New
York-London, Springer, 2013, 89 ff.
(56) T.M. TURLEY, Expert Software Systems: the Legal Implications, in Computer L.J., 8, 1988,
455 ff; G.S. COLE, Tort Liability for Artificial Intelligence and Expert Systems, in Computer L.J., 10,
1990, 127 ff; M.G. LOSANO - C. CIAMPI (eds), Artificial intelligence and legal information systems,
Amsterdam-Tokyo, North Holland, 1982; G. SARTOR, Le applicazioni giuridiche dell’intelligenza
artificiale. La rappresentazione della conoscenza, Milano, Giuffrè, 1990; M.G. LOSANO, Informatica
per le scienze sociali, Torino, Einaudi, 1985, 38 ff.
(57) V. FROSINI, Cibernetica diritto e società, Milano, Edizioni di comunità, 1968, 111 ff,
considers a robot endowed with artificial intelligence as a moral subject, in conflict between inner
consciousness (characteristic of man born from ζωÞ) and outer consciousness (technical upgrading
of the first). See also B. SOLUM, Legal Personhood for Artificial Intelligences, in N. C. L. Rev., 70,
1992, 1231 ff; G. TEUBNER, Rights of Non-humans? Electronic Agents and Animals as New Actors in
Politics and Law, Max Weber Lecture No. 2007/04; S. RODOTÀ, Il diritto di avere diritti, Roma-Bari,
Laterza, 2012, 312, 341 ff.
(58) Focusing on bargains made by a robot (or between robots), U. PAGALLO, Robotica, in M.
DURANTE - U. PAGALLO (eds.), Manuale di informatica giuridica
e diritto delle nuove tecnologie,
Torino, UTET, 2012, 146 ff. equates robots to Ancient Rome s slaves, recalling the legal concept of
peculium, according to which unemancipated slaves (or sons) could receive from their master (or
pater familias) a sum of money or property for their management and use. This peculium was
protected under Roman law and inaccessible to the owner. See also V. DHAR, Should You Trust
Your Money to a Robot?, in Big Data, 3, 2015, 55 ff.
“BIG
DATA REVOLUTION”
47
relationship between users and on-line providers as a contractual one, many issues arise
especially when the provider is an intermediary for services. The most obvious cases are
those concerning providers through which travel, accommodation and catering services
are offered. The sources of revenue of these intermediaries are two: on the one hand they
receive a commission fee, mostly from the enterprise (airline, hotel, and restaurant)
which is booked via its services. Sometimes this commission is paid also by the user. On
the other hand they collect extremely valuable data from both sides of the market (e.g.
occupancy rate of hotels; comments by users on the service; ranking) which is invaluable
in market research and forecasts (59).
If one examines the terms and conditions of service the provider declines any
responsibility in the case of non-performance by the enterprise which provides the final
service. One could ask oneself if such provisions are compliant with the principle of good
faith and if there is a reliance interest of the user which deserves to be protected in a more
stringent way, especially when the consideration offered to the on-line intermediary is of
a certain value. In a policy perspective one can image that there will be an increasing
pressure to burden liability on the best risk-avoider or the deep-pocket party.
7.
Competition issues.
If data is one of the main raw materials of contemporary economics, inevitably there
is a “data market”. Unfortunately however we are still at a rather early stage of the
debate both in economic theory and in legal framing (60).
What is the “relevant market” for data? How does one assess market power? What
is the geographical market? Are data all the same, and how, eventually, should one
segment them? The answers to these questions are still unclear or, at any rate, not
univocal (61). There is a widespread agreement, among economists, that data (and big
data in particular) are an infrastructure which is essential to run an enterprise. But does
(59) M. COLANGELO - V, ZENO-ZENCOVICH, Online Platforms, Competition Rules and Consumer
Protectionin Travel Industry, in EuCML, 2, 2016, 75 ff.
(60) For a preliminary study on competition in the Internet see G. GORKAYNAK - D. DURLU - M.
HAGAN, Antitrust on the Internet: a Comparative Assessment of Competition
Law Enforcement in the
Internet Realm, in Bus. L. Int’l, 14, 2013, 51 ff; F. CUGIA DI SANT ORSOLA - R. NOORMOHAMED - D.
ALVES GUIMARÃES, Communication and Competition Law, Alphen aan den Rijn, Wolter Kluver,
2015, 69 ff; V. ZENO-ZENCOVICH, Internet e concorrenza, in Dir. informaz., 2010, 697 ff; R. PARDOLESI,
La concorrenza sleale nell’era di Internet, in R. PARDOLESI - R. ROMANO (eds.), La concorrenza reale
e la tutela dell’innovazione, N. LIPARI - P. RESCIGNO (dir. by) Diritto civile, vol. IV, I, Milano, Giuffrè,
2009, 105 ff; A. GENTILI, Internet e antitrust, in AIDA, Milano, Giuffrè, 1996, 45-58; G.M. RICCIO,
‘Concorrenza sleale e tutela dei consumatori nelle reti telematiche’, in Dir. informaz., 2006, 307 ff.
(61) For a review of recent opinions about “data markets” in ICT sector see also European
Commission, A Digital Single Market Strategy for Europe, 6 May 2015 COM(2015) 192 final;
European Data Protection Supervisor, Privacy and competitiveness in the age of big data, Bruxelles,
5/2014; European Parliament - Directorate General For Internal Policies Policy Department A:
Economic And Scientific Policy, Challenges for competition policy in a Digitalised Economy,
IP/A/ECON/2014-12, Bruxelles, 7/2015, 25 ff; N. NEWMAN, Search, Antitrust, and the Economics of
the Control of User Data, in Yale J. on Reg., 31, 2014, 401 ff; P. JONES HARBOUR . T.I. KOSLOV, Section
2 In A Web 2.0 World: An Expanded Vision Of Relevant Product Markets, in Antitrust L. J., 76, 2011,
769 ff; C. TUCKER - A. MARTHEWS, Social networks, Advertising and Antitrust, in Geo. Mason L. Rev.,
19, 2012, 1211 ff; G. ROSSI, Social network e diritto antitrust, in AIDA, 2011, 77 ff; E. CAMILLERI,
« Facebook credits » e commercializzazione di beni virtuali per social games: l’abuso di posizione
dominante alla prova di un mercato con piattaforma plurilaterale, ibid., 144 ff; A. MANTELERO, Big
Data: i rischi della concentrazione del potere informativo digitale e gli strumenti di controllo, in Dir.
48
DOTTRINA
this mean that data can be considered an “essential facility”? (62) If that were so, the
holder of data in a dominant position should be under an obligation — a special
obligation — to grant its competitors access to this facility. As one has seen there are
cases in which certain information have been considered as essential and the legislators
or the court have imposed access and/or disclosure: transport schedules, software
interfaces, TV programming (63).
It remains however doubtful that data — precisely the data held by one enterprise
— are essential and cannot be substituted by other data than can be collected with one s
own means. This could be said with reference to certain information, but it appears
difficult to express a general rule by which certain enterprises should be considered
holding a natural monopoly or a dominant position in a data market, and using their
position to prevent competitors from entering the market (64). Experience over the last
decade shows us that there is an extreme mobility in the market and among its players.
informaz., 2012, 135 ff; G. GIANNONE CODIGLIONE, Libertà d’impresa, concorrenza e neutralità della
rete nel mercato transnazionale dei dati personali, in Dir. informaz., 4/5, 2015, 909-938.
(62) Z. ABRAHAMSON, Essential Data, in Yale L. J., 124, 2014, 867 ff, 880, remarks that
“revitalizing essential facilities in the context of data may speed innovation and increase consumer
welfare”.
(63) In the Microsoft case, European Commission required Microsoft to disclose the interface
documentation that is necessary to achieve the development of non-Microsoft work group servers
which are fully interoperable with Windows PCs and servers. The decision has been confirmed by
the Tribunal of First Instance. European Commission, 24 may 2004, 2007/53/EC, COMP/C-3/37.792
— Microsoft, in OJEU, 2007, L 32, 23; Court of First Instance, 17 September 2007, T-201/04,
Microsoft v. Commission, in ECR, 2007, II-3601; ECJ, Second Chamber, 27 June 2012, T-167/08,
Microsoft Corp. v. European Commission, in ECR, 2012. See also United States v. Microsoft Corp.,
84 F. Supp. 2d 9, 20 (D.D.C. 1999); Massachusetts v. Microsoft Corp., 373 F.3d 1199, 1226 (D.C. Cir.
2004). Microsoft antitrust case law concerns also some decisions about Internet browsers such as
Explorer or Netscape: European Commission, 16 December 2009, COMP/C-3/39.530 - Microsoft
(tying), in OJEU, 2009, C 242, 20-21; United States v. Microsoft Corporation, 253 F.3d 34 (D.C. Cir.
2001).
(64) The most recent antitrust case law is characterized by long duration of proceedings,
involving both EU and US authorities, often with favorable judgments for the companies under
investigation: FTC, Google/DoubleClick, FTC File No. 071-0170 (Dec. 20, 2007), 12: “(...) Yet, the
evidence indicates that neither the data available to Google, nor the data available to DoubleClick,
constitutes an essential input to a successful online advertising product. (...)” and European
Commission, 11 March 2008, COMP/M.4731 — Google/DoubleClick, C(2008) 927 final, par. 365;
U.S. DoJ, Statement of the Department of Justice Antitrust Division on Its Decision to Close Its
Investigation of the Internet Search and Paid Search Advertising Agreement Between Microsoft
Corporation and Yahoo! Inc., 18 February 2010: “(...) The increased queries received by the
combined operation will further provide Microsoft with a much larger pool of data than it currently
has or is likely to obtain without this transaction. This larger data pool may enable more effective
testing and thus more rapid innovation of potential new search-related products, changes in the
presentation of search results and paid search listings, other changes in the user interface, and
changes in the search or paid search algorithms. This enhanced performance, if realized, should
exert correspondingly greater competitive pressure in the marketplace (...)”; European Commission,
18 February 2010, COMP/M.5727 - Microsoft/ Yahoo/Search Business, C(2010) 1077, par. 223;
European Commission, 3 October 2014, COMP/M.7217 - Facebook/Whatsapp, C(2014) 7239 final,
par. 186: “As regards the incentive of the merged entity to start collecting data from WhatsApp users
(for example, age, gender, country, message content), a number of respondents pointed out that, if
the merged entity were to do so, this may prompt some users to switch to different consumer
communications apps that they perceive as less intrusive. Moreover,
the Commission notes that, as
explained above (174), the need to abandon WhatsApp s plan for [...] may reduce Facebook s
incentive to start collecting data from WhatsApp messages”. See also PeopleBrowsr, Inc.
v. Twitter,
Inc., No. C-12-6120 (N.D. Cal. Mar. 6, 2013), in which the Court granted plaintiff s motion to
remand, declaring Twitter s anticompetitive practices in seeking to limit access to its data to a select
subgroup of companies, excluding PeopleBrowsr, a company that analyzed tweets “to sell informa-
“BIG
DATA REVOLUTION”
49
Enterprises that were pioneers in this field have been gradually ousted. New business
models how been experimented successfully. Ways to collect data have varied considerably and the informational value of data can also vary considerably.
From another point of view, some scholars have analyzed the phenomenon trying to
show that the “relevant market” will be also influenced by data processing as a
stand-alone “product”. We can think, for instance, about the opportunity of choosing
between privacy-friendly search or social network services (in the sense of access to a
better service quality), designed specifically to eliminate or reduce personal data collection and processing (65).
There also are considerable regulatory asymmetries, in particular between telecommunications companies which are limited in the use of traffic data, and so-called
over-the-top enterprises which thrive on it.
Certainly data is used — and withheld — by big data companies in order to enlarge
their market-share, protect investments, enter new fields. But it is the essence of
competition and at this current stage it is extremely difficult to establish on very solid
grounds that an artificial barrier to entry has been created and should be dismantled. It
would seem therefore necessary to wait and see: surely not for long because this is an area
in which killer-applications are continuously being developed.
8.
Choice of law and jurisdiction.
Most of the terms of service of online providers contain a clause concerning the
applicable law and the competent jurisdiction. Generally the reference is to US state law
and to the Courts of California.
These provisions should apply to any controversy whether contractual or noncontractual arising from the relationship between the user and the online services
provider. We have seen, however, that within the EU and with regards to consumers they
are void as they clearly are in violation with Directive 13/93 and in particular with its
Annex letter q) in which depriving the consumer from his or her domestic jurisdiction is
one of the “black list” clauses.
For contractual claims, according to article 15 of the 2001/44 Regulation (Bruxelles
I), the consumer has a choice between his or her domestic court, and that where the
provider is domiciled. But when the consumer is the defendant he/she can be brought in
front only of his/her domestic court (actor sequitur forum rei) (66).
tion to its clients, such as insight regarding consumer reactions to products and services as well as
identification of the Twitter users who have the most influence in certain locations or communities”.
(65) P. JONES HARBOUR, The Transatlantic Perspective: Data Protection and Competition Law, in
H. HIJMANSAND - H. KRANENBORG (eds.), Data Protection anno 2014: How to Restore Trust?:
Contributions in Honour of Peter Hustinx, European Data Protection Supervisor (2004-2014),
Cambridge, Intersentia, 2014, 25 ff; A.P. GRUNES, Another Look at Privacy, in Geo. Mason L. Rev.,
20, 2013, 1107 ff; M.K. OHLHAUSEN - A.P. OKULIAR, Competition, Consumer Protection, And The
Right [Approach] To Privacy, in Antitrust L. J., 80, 2015, 121 ff.
(66) In argument, see D. GRISBERGER, The Internet and Jurisdiction Based on Contracts, in Eur.
J.L. Reform, 2002, 165 ff; Z.S. TANG, Law Applicable in the Absence of Choice the New Article 4 of
the Rome I Regulation, in Mod. L. Rev., 71, n. 5, 2008, 785-800; M. BOGDAN, Contracts in Cyberspace
and the new Regulation “Rome I”, in Masaryk U. J.L. & Tech. 3, 2009, 219 ff; F. GALGANO - F.
MARRELLA, Diritto del commercio internazionale, 3rd ed., Padova, Cedam, 2011, 328 ff; I.P. CIMINO,
Problemi di giurisdizione e profili di diritto internazionale privato nei contratti telematici per il
commercio elettronico, in G. CASSANO - G. VACIAGO - G. SCORZA (eds.), Diritto dell’Internet, 2nd ed.,
50
DOTTRINA
If the claim is extra-contractual, according to article 5, par. 3 of the 2001/44
Regulation (now article 7, n. 2 .of the 1215/2012 Regulation), the jurisdiction is that of the
place where the harmful event occurred or may occur. With regards to the place where
the damage has occurred, one should consider that, generally, damage on the Internet is
considered ubiquitous and therefore there is a general preference for the domestic court,
where the plaintiff suffers the most important part of the damage (67).
As to the applicable substantive law, one should consider that with regards to
contractual relations consumer law is more or less the same in all 28 member states.
At any rate Regulation 2008/593 (Rome I) states (article 6) that, in the absence of
choice by the parties, the applicable law is that of the country where the consumer has
his/her habitual residence, provided that the professional pursues his commercial or
professional activities in the country where the consumer has his habitual residence, or
directs such activities to that country or to several countries including that country, and
the contract falls within the scope of such activities (68).
For non-contractual obligations Regulation 2007/864 (Rome II) at its article 4 states
that the applicable law is that of the country in which the damage has occurred
irrespective of the country in which the event that determined the damage occurred (69).
Again one should consider the ubiquitous nature of the damage, and therefore the
possibility — established in several ECJ decisions — that one should/could bring action
in front of several courts, applying different substantive laws (70).
Padova, Cedam, 2012, 313 ff; E. IORIATTI FERRARI, Responsabilità contrattuale nel diritto dell’Unione
Europea, in Dig. disc. priv., sez. civ., Torino, UTET, 2013; F.F. WANG, Jurisdiction and Cloud
Computing: Further Challenges to Internet Jurisdiction, in Eur. Bus. L. Rev., 24, n. 5, 2013, 589-616.
(67) ECJ, 30 november 1976, C-21/76, Handelskweberij G.J. Bier B.V. c. Mines de Potasse
d’Alsace S.A., in ECR, 1976, 1735 ff, held that “the expression place where the harmful event
occurred , (...), must be understood as being intended to cover both the place where the damage
occurred and the place of the event giving rise to it. The result is that the defendant may be sued,
at the option of the plaintiff, either in the courts for the place where the damage occurred or in the
courts for the place of the event which gives rise to and is at the origin of that damage”. See G. ZARA,
Conflitti di giurisdizione e bilanciamento dei diritti nei casi di diffamazione internazionale a mezzo
Internet, in Riv. dir. internaz., 4, 2015, 1234 ff.
(68) If these requirements are not fulfilled, the law applicable to a contract between a
consumer and a professional shall be determined pursuant to Articles 3 (freedom of choice
principle) and 4 of the same Regulation.
(69) Article 1, par. 2, lett. g), excludes from the application of “Rome II” Regulation
non-contractual obligations arising out of violations of privacy and rights relating to personality. For
further remarks see T. HEUKELS - A. MCDONNEL (eds.), The Action for Damages in Community Law,
Alphen aan den Rijn, Kluwer Law International, 1997; T. VAN OVERSTRAETEN, Droit applicable et
juridiction compétente sur internet, in Rev. dr. aff. int., 1998, 373 ff; O. BIGOS, Jurisdiction over
Cross-Border Wrongs on the Internet, in Int. & Comp. Law Quart., 54, 2005, 585 ff; U. DRAETTA,
Internet e commercio elettronico nel diritto internazionale dei privati, Milano, Giuffrè, 2005, 27 ff; H.
KOZIOL - R. SCHULZE (eds.), Tort Law of the European Community, Wien-New York, Springer, 2008;
E. IORIATTI FERRARI, Responsabilità extracontrattuale nel diritto dell’Unione europea, in Dig. disc.
priv., sez. civ., Torino, UTET, 2011; A. DE SOUSA GONÇALVES, The Application of the General Rule
of the Rome II Regulation to Internet Torts, in Masaryk U. J.L. & Tech., 8, 2014, 57 ff; P. PIRODDI,
Profili internazionalprivatistici della responsabilità del gestore di un motore di ricerca per il trattamento di dati personali, in Dir. informaz., 4/5, 2014, 623 ff.
(70) With regard to the “mosaic principle” see ECJ, 25 October 2011, C-509/09 and C-161/10,
Date Advertising GmbH v. X and Olivier Martinez and Robert Martinez v. MGN Limited, in ECR,
2011, I-10269: “Article 5(3) of Council Regulation (EC) No 44/2001 of 22 December 2000 on
jurisdiction and the recognition and enforcement of judgments in civil and commercial matters must
be interpreted as meaning that, in the event of an alleged infringement of personality rights by
means of content placed online on an internet website, the person who considers that his rights have
been infringed has the option of bringing an action for liability, in respect of all the damage caused,
“BIG
DATA REVOLUTION”
51
When the relationship is with a non-consumer, the answer to jurisdiction and
applicable law issues is much more complex. One could, in fact, imagine that the terms
and conditions of service could apply, unless they — or some of the clauses — may be set
aside because of lack of formal requirements (e.g. specific and written approval) or for
ordre public reasons (e.g. violation of good faith, unconscionability). A typical case which
could be used as hypothetic on which to test the different options could be that of an
online provider which loses all the valuable data of a business (e.g. its Facebook
contacts). According to the standard terms of services there is no (or very limited)
liability, and any rate one should apply US law in front of a US jurisdiction (71). As this,
clearly, prevents any reasonable expectation of redress, are there substantive and
procedural alternatives?
If, instead, the claim by the non-consumer is non-contractual one could apply, in the
EU, Regulation 2001/44 for jurisdiction and Rome II for substantive law. A further case
could be that of contributory IPR infringement by the online provider (e.g. making
available data that has been illegally copied) (72).
9.
Sovereignty.
Collection, processing and transfer of data are the main activities which are made on
the telecommunication networks. They generally fall under administrative law regulations, as most other activities, including those related to the setting up and the management of telecommunication networks and services. To these one should add the growing
criminal and criminal procedure laws enacted to control activities on the network and to
collect evidence.
either before the courts of the Member State in which the publisher of that content is established or
before the courts of the Member State in which the centre of his interests is based. That person may
also, instead of an action for liability in respect of all the damage caused, bring his action before the
courts of each Member State in the territory of which content placed online is or has been accessible.
Those courts have jurisdiction only in respect of the damage caused in the territory of the Member
State of the court seized” and also ECJ, 7 march 1995, C-68/93, Fiona Shevill and others v. Press
Alliance SA, in ECR, 1995, I-415: “(...) the victim of a libel by a newspaper article distributed in
several Contracting States may bring an action for damages against the publisher either before the
courts of the Contracting State of the place where the publisher of the defamatory publication is
established, which have jurisdiction to award damages for all the harm caused by the defamation, or
before the courts of each Contracting State in which the publication was distributed and where the
victim claims to have suffered injury to his reputation, which have jurisdiction to rule solely in
respect of the harm caused in the State of the court seised”.
(71) On the matter, see F. JUENGER, Judicial Jurisdiction in the United States and in the
European Communities: A Comparison, in Mich. L. Rev., 82, 1984, 1195 ff; H.H. PERRIT, Jurisdiction
in Cyberspace, in Vill. L. Rev., 41, 1996, 1 ff; J.R. REIDENBERG, Technology and Internet Jurisdiction,
in U. Pa. L. Rev., 153, 2004, 1951 ff; S. SICA - V. ZENO-ZENCOVICH, Legislazione, giurisprudenza e
dottrina nel diritto dell’Internet, in Dir. informaz., 3, 2010, 377 ff.
(72) ECJ, 3 october 2013, C-170/12, Peter Pinckney v. KDG Mediatech AG, in ECR (digital),
recently held that “Article 5(3) of Council Regulation (EC) No 44/2001 of 22 December 2000 (...)
must be interpreted as meaning that, in the event of alleged infringement of copyrights protected by
the Member State of the court seised, the latter has jurisdiction to hear an action to establish liability
brought by the author of a work against a company established in another Member State and which
has, in the latter State, reproduced that work on a material support which is subsequently sold by
companies established in a third Member State through an internet site also accessible with the
jurisdiction of the court seised. That court has jurisdiction only to determine the damage caused in
the Member State within which it is situated”.
52
DOTTRINA
Which laws should apply? Clearly in these cases one cannot resort to private
international law rules, as the conflict is not among private law rules. With regards to data
there has been a lingering contrast between the EU and the US in the aftermath of the
9/11 terrorist attacks. The contrast has focused mainly on PNR data of airline passengers
and on financial transactions recorded by the SWIFT payment system. The US has
claimed, de iure but most often de facto, access to such data, and the EU has in general
resisted on the basis of its all-encompassing data protection laws (73).
A point of equilibrium seemed to have been reached with the so-called “Safe
Harbour” agreement which was meant to grant reciprocity status to the transfer of data
from the EU to the US.
This was shattered as a consequence of the so-called Snowden case — which
unveiled massive intrusion and wire-tapping by US authorities to European networks
and data, even governmental. With two ground-breaking decisions the ECJ first twisted
its “establishment” rules in the 2014 Google Spain decision stating that the advertising
collecting subsidiary of the foremost search engine provider dragged the whole company
under EU law, and specifically data protection laws (74). Subsequently, in the 2015
Schrems v. Facebook decision it declared invalid the “Safe Harbour” agreement inasmuch as the US did not guarantee an equivalent protection of personal data, and
therefore trans-Atlantic transfer of data was blocked (75).
This is only the most discussed case in a global trend towards what might be called
“data nationalism” (76). As data are the main source of wealth of contemporary
economies, each country tends to safeguard this resource, just as it does with other
economic prime materials, or its industrial and financial system. This data is in the first
(73) F. BIGNAMI, European Versus American Liberty: A Comparative Privacy Analysis Of
Antiterrorism Data Mining, in B.C. L. Rev., 48, 2007, 609 ff; P.M. SCHWARTZ, The Eu-U.S. Privacy
Collision: A Turn To Institutions And Procedures, in Harv. L. Rev., 126, 2013, 1966 ff; P.M SCHWARTZ
- D.J. SOLOVE, Reconciling Personal Information in the United States and European Union, in Calif.
L. Rev., 102, 2014, 877 ff and also G.S. GROSSMANN, Transborder Data Flow: Separating the Privacy
Interests of Individuals and Corporations, in Nw. J. Int’l L. & Bus., 1982, 1 ff.
(74) ECJ, Big Chamber, 13 May 2014, C-131/12, Google Spain, Google Inc. c. AEPD, Costeja
González, in Dir. informaz., 4/5, 2014, 535-562 (special issue, with comments by T.E. FROSINI, O.
POLLICINO, G. FINOCCHIARO, G.
CAGGIANO, P. PIRODDI, G. SARTOR - M. VIOLA DE AZEVEDO CUNHA, A.
MANTELERO, S. SICA - V. D ANTONIO, C. COMELLA, G.M. RICCIO, R. FLOR, F. PIZZETTI), now also
available under CC license in G. RESTA - V. ZENO-ZENCOVICH (eds.), Il diritto all’oblio su Internet
dopo la sentenza Google Spain, Roma, RomaTrE Press, 2015, at url: http://ojs.romatrepress.
uniroma3.it/index.php/oblio/ (accessed 30/8/2016).
(75) ECJ, Big Chamber, 6 October 2015, C-362/14, Maximillian Schrems c. Data Protection
Commissioner, in Dir. informaz., 4/5, 2015, 603-635, with comments by V. ZENO-ZENCOVICH, G.
RESTA, C. COMELLA, O. POLLICINO - M. BASSINI, G. FINOCCHIARO, S. SICA - V. D ANTONIO, P. PIRODDI,
G.M. RICCIO, A. MANTELERO, G. GIANNONE CODIGLIONE, now also available under CC license in G.
RESTA - V. ZENO-ZENCOVICH (eds.), La protezione transnazionale dei dati personali, Roma, RomaTrE
Press, 2016, at url: http://ojs.romatrepress.uniroma3.it/index.php/PTD/ (accessed 30/8/2016). On 2
February 2016, the European Commission and the US Government reached a political agreement
on a new framework for transatlantic exchanges of personal data for commercial purposes: the
EU-US Privacy Shield (IP/16/216). The Commission presented the draft decision texts on 29
February 2016. Following the opinion of the article 29 working party of April 13th and of the
European Parliament resolution of May 26th, the Commission finalised the adoption procedure on
July 12th 2016. The text of the decision is available on line at url: http://ec.europa.eu/justice/dataprotection/files/privacy-shield-adequacy-decision_en.pdf/ (accessed 3/9/2016).
- U.P. LÊ, Data Nationalism, in
(76) See the literature that illustrates the trend: A. CHANDLER
Emory L.J, 64, 2015, 677 ff. Others talk about ‘balkanisation of the Internet: J. DASKAL, The
Un-Territoriality of Data, in Yale L.J, 125, 2015, 326 ff.
“BIG
DATA REVOLUTION”
53
place personal data, but one can easily comprise also other data, collected from IoT
devices.
This trend clearly can create significant obstacles to the deployment of all the
potentialities of the so-called “big data revolution” inasmuch the first V (volume) is
down-sized.
Many questions arise. The first concerns “data transit”: are States allowed to block
and inspect data which passes through the networks that are under their control? The
question is particularly delicate considering that the whole Internet system has been
developed in such a way that data-packets do not take a pre-determined route to go from
A to B, but may choose the route which is less engaged (77).
The second one concerns limitations set by public law to the “exportability” of
certain data: personal data are the first example, but one can easily include data of public
authorities, such as those concerning taxation and social security. International trade of
data might therefore be subject to restrictions.
One must furthermore consider the issues related to cyber-investigations, when in
order to acquire evidence concerning crimes affecting one country it is necessary to
access systems which are placed in a different jurisdiction.
Data can also be — and already are — the object of cyber-espionage and cyberwarfare (or near-to) activities.
All these aspects require an international law perspective on data in order to
promote international cooperation avoiding that the enormous advantages that derive
from being able to access and share data be stifled. The obvious parallels (also for the use
of common linguistically terms) are those of the law of the sea, of the air, and of
outer-space which enable maritime activities, air transport, use of satellites (78). But also
international trade law can offer useful starting points for the regulation of the flow of big
data.
10. Philosophical and ethical issues in big data.
Until now we have focused on typical normative issues, whether de lege lata or de
lege ferenda, surrounding big data and Data Driven Innovation. We are however well
aware — or we should be aware — that legal responses to novel questions are influenced
by much more general intellectual contexts, which change over the centuries and the
(77) According to Baran s and Licklinder s theories: P. BARAN, On distributed communication
networks, memorandum RM-3420-PR, Santa Monica, RAND, 1964 available at url: http://
www.rand.org/content/dam/rand/pubs/research_memoranda/2006/RM3420.pdf/ (accessed 29/7/
2016); J.C.R. LICKLIDER, Memorandun for members and affiliates of the intergalactic computer
network, 23 April 1966, available at url: http://www.packet.cc/files/memo.html/ (accessed 29/7/2016).
(78) See V. ZENO-ZENCOVICH, Intorno alla decisione nel caso Schrems: La sovranità digitale e il
governo internazionale dell ereti di telecomunicazione, in Dir. informaz., 4/5, 2015, 683 ff, 690; L.
LESSIG, Code v. 2.0, New York, Basic Books, 281 f; T.S. WU, Cyberspace Sovereignty? The Internet
and the International System, in Harv. J. L.&Tech., 10, 1997, 647 ff; W. HEINTSCHEL VON HEINEGG,
Legal ‘Implications of Territorial Sovereignty in Cyberspace, in C. CZOSSECK - R. OTTIS - K.
ZIOLKOWSKY (eds.), 4th International Conference on Cyber Conflict, 2012 NATO CCD COE Publications, 9 (available at url: https://ccdcoe.org/sites/default/files/multimedia/pdf/1_1_von_
Heinegg_LegalImplicationsOfTerritorialSovereigntyInCyberspace.pdf/). For an interesting, structural comparison between legal order and electronic communication networks see also T.A. SMITH,
The Web of Law, University of San Diego Law and Economics Research Paper Series, Paper 8, 2005.
54
DOTTRINA
decades (79). The first aspect that one should point is of an epistemological nature: big
data and big data analytics are one way of acquiring knowledge about society and the
environment which surrounds it. And as we take decisions — also legal decisions — on
the basis of data (one just has to think of contemporary use of the age-old maxim “id
quod plerumque accidit”) the way this data is collected, processed, and analyzed influences the final outcome. But there is more: big data analytics give a great importance to
inferences (“if A, then B”) which inevitably will influence legal reasoning and decisionmaking (80).
In many fields of the law the notions of “standard behavior”, “normal procedure”,
“state of art”, “proportionality”, “margin of error”, are used in order to apply — or not
apply — a legal rule. The increasing role of statistical data and of “datification” will be
used in order to establish compliance, conformity, performance, liability (81).
There is a further issue which is at odds with many basic axiological notions of the
law in the Western legal tradition: i.e. that the law is about values, not about numbers.
The law is prescriptive; not descriptive. Lawyers therefore do not need numbers. But if
in our society what counts is what can be counted — and big data express this notion at
its highest numerical level — can one reconcile the law with the pervasive ideology which
is behind big data?
Big data do not influence only individual decisions and judgment, but also public
choices and decisions taken by institutions (82). Legislatures, and even more so administrative bodies, collect enormous quantities of data to ground their decision on a
purported rational basis. Setting aside issues concerning the quality of data collection and
and of the analytics used, the first difficult question is if this does not lead us to a so-called
“tyranny of the majority” in which only majoritarian trends are taken into account. There
is also a very high risk that data collected in one context — e.g. online — be used to make
choices in a different context — e.g. material life. The epistemological import of big data
is very clear if we consider predictive analytics, and therefore when decisions are taken
on the expectation of future events. In this perspective one cannot ignore the importance
of the so-called De Finetti theorem which considers the importance of subjective
epistemic expectations in the formation of the law of probabilities. In other words:
(79) M.G. LETA AMBROSE, Lessons from the Avalanche of Numbers: Big Data in Historical
Perspective, in ISJLP, 11, 2015, 201 ff; N.M. RICHARDS - J.H. KING, Big Data Ethics, in Wake Forest
L. Rev., 49, 2014, 393 ff.
(80) We are speaking of the transition from “causality” to “correlation”, favored by the
adoption of algorithms to Big Data processing and analytics. V. MAYER-SCHÖNBERGER - K CUKIER, Big
Data, Boston-New York, Houghton Mifflin Harcourt, 2013, 76, speak of “correlation” as a « statistical relationship between values referred to two different data ». In chapter IV, the Authors argue
that correlations analyze a phenomenon not by shedding light on its inner working but by identifying
a useful proxy for it thereby enabling to capture the present and to predict the future. See also G.U.
YULE, On The Methods Of Measuring Association Between Two Attributes, in Journal of the Royal
Statistical Society, 765, 1912, 579 ff; K. PEARSON, Notes on the History of Correlation, in Biometrika,
1920, 1 ff; F. VIOLE - D.N. NAWROCKI, Causation, in SSRN, 2013, available at url: http://ssrn.com/
abstract=2273756/ (accessed 30/8/2016).
(81) See E.E. JOH, Artificial Intelligence And The Law: Essay: Policing By Numbers: Big Data
And The Fourth Amendment, in Wash. L. Rev., 89, 2014, 35 ff; K. CRAWFORD - J. SCHULTZBIG, Data
And Due Process: Toward A Framework To Redress Predictive Privacy Harms, in B.C. L. Rev., 55,
2014, 93, talking i.e. about “a right to procedural data due process”.
(82) F. MUSIANI, Governance by algorithms, in Internet Policy Review, 2, 2013; N. KIM - J.
TELMAN, Internet Giants as Quasi-Governmental Actors and the Limits of Contractual Consent, in Mo.
L. Rev., 80, 2015, 723 ff.
“BIG
DATA REVOLUTION”
55
probability describes, much more than reality, the subjective expectation that a certain
event will, or will not, occur.
Big data do not influence only epistemological issues, challenging the way lawyers
tend to see and build reality, but, on a very practical scale, present a number of ethical
issues, which are intrinsic in any legal decision.
This brings us to the hardest questions concerning the use of big data. We have seen
that they enable us not only to understand what has happened and, more importantly,
what is actually happening (a traffic jam, a flu epidemic etc.), but project their effects on
the future.
In particular so-called predictive analytics are meant to enable us to foresee today
what, predictably, will happen tomorrow. When this highly sophisticated analysis is used
for weather or economic forecasts, the main legal issue is that of the reasonable standard
of care and the liability which might arise from completely wrong and harmful forecasts.
But when it is used — and presently it is used — with regards to individuals, serious
ethical and legal issues arise. The most obvious case is that of medical screening of people
who, owing to their genetic heritage, their ethnic or geographic origin, might be subject
to illnesses (cancer, heart failure, diabetes etc.) which can be diagnosed at a very early
stage and therefore probably cured. In these cases individual data is matched with that
of thousands, if not millions, of other cases allowing a reasonably accurate inference. At
any rate it is possible to measure the risk to which the person is exposed.
However, if this data is used not in a context of preventive medicine, but in order
to select workers or to issue (or not issue) an insurance policy, or set the premium rate,
the discriminatory potential of predictive analytics, which are based on an algorithm
extracted from millions, billions of data, is very clear (83).
Certain people will not be hired because they are at risk of serious and/or recurrent
illnesses; other will be denied a life or health insurance. Looking at things from a realistic
point of view, what the interested person rightly considers as discriminatory, is seen, from
the other side, as a rational risk-avoiding measure, which could even be mandatory under
prudent business judgement.
The difficulty to strike a balance between principle of discrimination and riskavoidance is rendered even more complex by the fact that often there is a significant
informational asymmetry between the parties of the contract: in our example the
insurance company or the employer have big data concerning the cost of insuring or
(83) See S. RODOTÀ, Repertorio di fine secolo, 2nd ed., Bari-Roma, Laterza 1999, 214, who
underlines that the use of profiling “can determine discrimination of those who do not correspond
to general models, accentuating the stigma of any form of social deviance and the penalization of
minorities”; I.S. RUBINSTEIN - R.D. LEE - P.M. SCHWARTZ, Data Mining and Internet Profiling:
Emerging Regulatory and Technological Approaches, in U. Chi. L. Rev. 75, 2008, 261 ff, 284; D.
HIRSCH, That’s Unfair! Or is it? Big Data, Discrimination and the FTC’s Unfairness Authority, in Ky.
L.J., 103, 2015, 345, analyzes Big Data impact on consumer transactions. Furthermore, see GDPR s
“whereas” n. 71: “(...) In order to ensure fair and transparent processing in respect of the data
subject, taking into account the specific circumstances and context in which the personal data are
processed, the controller should use appropriate mathematical or statistical procedures for the
profiling, implement technical and organisational measures appropriate to ensure, in particular, that
factors which result in inaccuracies in personal data are corrected and the risk of errors is minimised,
secure personal data in a manner that takes account of the potential risks involved for the interests
and rights of the data subject and that prevents, inter alia, discriminatory effects on natural persons
on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership,
genetic or health status or sexual orientation, or that result in measures having such an effect.
Automated decision-making and profiling based on special categories of personal data should be
allowed only under specific conditions”.
56
DOTTRINA
hiring a person who is at a high risk of falling ill. On the other side the interested person
may already know, because of family experience or previous medical examinations, that
he/she is at risk. In these cases withholding this relevant information may bring to the
declaration of nullity of the insurance contract.
Therefore the insured person has a duty to disclose relevant health information
concerning him/her and one s family. Can such a duty be imposed on perspective
employees? Can the provision of such information be a pre-requisite for a job selection?
Can one request a prior medical examination?
But even if the interested person does not release such sensitive data it is not
difficult to retrieve information concerning the group (ethnic, social, geographical) to
which the person belongs.
Among the most used sources are social networks, but increasingly huge amount of
data is retrieved through sports wearable devices which are meant to collect and provide
information on performances, but which are very important indicators of the health
condition of the person and his/her life-style. Even if one were not to de-anonymize the
data, one can easily form groups that are more or less preferable in a selection procedure.
Obviously the use of all this information is equally relevant for forecasts on
performances of already hired employees, their ability to hold posts of higher responsibility, changing tasks or working environment.
And while data scientists and social scientist must reframe actuarial rules in the big
data environment (e.g. who is an accident-prone car driver?), legislators, lawyers and the
courts must attempt to give a sense to the principle of “non-discrimination” in a context
in which predictive analytics provide us with a much clearer idea of what is likely to
happen in a near/medium-range period.
We have until now considered relations between individuals which may be — and
already are — influenced by big data. Even more troubling are the issues concerning the
use of predictive analytics by public authorities in activities of social control. This can
range from monitoring school performances — and therefore suggesting certain academic careers to students with an identifiable group background — to crime prevention (84). The notion of “reasonable suspicion” backed by big data and predictive
analytics allows police authorities to single out persons also on the basis of geo/time
localization, links — even quite remote — with previous criminal occurrences, inferable
behavior (e.g. excess spending) (85). Standards for preventive action move towards
likelihood of involvement in future criminal activities.
(84) These procedures are already in use and have received recently a legal status in the EU
Directive 680/2016 on “Processing of personal data by competent authorities for the purposes of the
prevention, investigation, detection or prosecution of criminal offences or the execution of criminal
penalties, and on the free movement of such data”. Preamble 27 states that “For the prevention,
investigation and prosecution of criminal offences, it is necessary for competent authorities to
process personal data collected in the context of the prevention, investigation, detection or
prosecution of specific criminal offences beyond that context in order to develop an understanding
of criminal activities and to make links between different criminal offences detected” (italics added).
And Directive 681/2016 on the “Use of passenger name record (PNR) data for the prevention,
detection, investigation and prosecution of terrorist offences and serious crime” states at its
preamble 7 that “assessment of PNR data allows identification of persons who were unsuspected of
involvement in terrorist offences or serious crime prior to such an assessment and who should be
subject to further examination by the competent authorities. By using PNR data it is possible to
address the threat of terrorist offences and serious crime from a different perspective than through
the processing of other categories of personal data” (italics added).
(85) M.L. RICH, Machine Learning, Automated Suspicion Algorithms, and the Fourth Amendment, in U. Pa. L. Rev., 164, 2016, 871, explores the legal questions involving Automated Suspicion
“BIG
DATA REVOLUTION”
57
This brings us to a final point, which clearly is related to philosophical and
theological issues which the Western civilization has been heatedly discussing for nearly
three millennia: the contrast between “free will” theories and “deterministic” theories,
with the manyfold meanings we can give to these terms and the infinity of shades that sit
in-between. Expressing the two opposite approaches in a very simplistic way, in a free
will setting we assume that a human being has the ability to choose between different
possible courses of action. Infants, mentally incompetents, people under duress are
impaired in their free will, and therefore we shall apply a different set of rules.
In a deterministic approach one course of events is possible and is generally
determined or by past events or by external and unsurmountable circumstances (fate,
destiny, the gods).
Predictive analytics provide a very strong scientific argument towards deterministic
theories, if not by eliminating altogether liability, at least in limiting it: an abandoned
child, brought up in a slum, with no parental supervision and immediately immersed in
a criminal environment, how many chances does he or she have to make free will
decisions, or are they predictable with near certainty?
Here we are faced again with a departure from the principle of equality: liability
standards, both criminal and civil, might be differentiated according to the group to which
the person belongs to and its probabilistic propensity to civil wrongs or criminal acts.
***
The “ten perspective” from which one has looked at the “Big Data revolution” are,
at this point, clearly only an attempt to verify to what extent time-old categories can bear
the stress of new situations. In many cases, if one goes down to the basic facts, it would
appear that nihil sub sole novi, and “Big Data” may be only a catchy expression.
What should be stressed, however, is:
a) “Big Data” are not simply a bigger phenomenon to which one can simply apply
well know rules. “Big data” are ontologically different from “small data” because of the
use which is made of them and their potentialities for human decisions, cooperation, and
commerce.
b) The law, as most other areas of knowledge, evolves incrementally. Big data are
not a destination but a transit point towards what appears to be still a terra incognita in
the development of societies increasingly influenced, at all their levels, by digital
technologies. We are still, metaphorically, coping with the tip of the iceberg.
c) The most significant change appears to be not so much of a technical nature, but
epistemological. The great founding fathers of digitalization, Pascal first, Leibniz after
him, were aiming at presenting a new, more precise, complete and rational way of
describing reality. Big data are an evolution of this trajectory inasmuch as we shall be
presenting reality not looking at a single fact, but in its connection with millions, billions,
trillions of other facts (i.e. data). To govern this complexity we — including lawyers —
shall be increasingly dependent on algorithms.
d) This brings us to a last caveat: lawyers, who have always had, in the Western
tradition, a deontic approach to all the extraordinary changes which have occurred in
society, should continue to play this role, without being intimidated by the would-be
assertiveness of algorithms.
Algorithms, or ASAs, which are created by applying machine learning methods to collections of
government data with the purpose of identifying individuals likely to be engaged in criminal activity.
Concorrenza e mercato. è la prima rivista annuale italiana specializzata in materia di concorrenza, proprietà intellettuale, pubblicità ingannevole e pratiche commerciali scorrette. Dal 1993 offre un panorama
aggiornato della prassi e degli orientamenti antitrust nazionali e comunitari, nonché delle decisioni più
rilevanti dei giudici civili e amministrativi. I contributi dottrinali, in italiano e in altre lingue straniere,
rappresentano il fulcro dell’approfondimento scientifico dei temi più significativi e innovativi in materia
antitrust e di tutela dei consumatori, nell’ottica di una riflessione accademica di primaria importanza
nello scenario nazionale e internazionale
CONCORRENZA
E M ERCATO
Rivista classificata in “fascia A” dalla Agenzia Nazionale di Valutazione del Sistema Universitario e della
Ricerca - ANVUR (1720-2698)
Antitrust,
Regulation,
Consumer Welfare,
Intellectual Property
vol . 23/2016
numero speciale
BIG DATA
E CONCORRENZA
a cura di
ISBN 978-88-14-21827-9
E 75,00
024197735
9 788814 218279
(ISSN 1720-2698)
F. Di Porto
CONCORRENZA
E MERCATO
vol . 23/2016
numero speciale
a cura di
Fabiana Di Porto

concorrenza e mercato - Dipartimento di Giurisprudenza

Transcript

Documenti analoghi

master “global regulation of markets”

extra virgin olive oil - Castello della Paneretta

RHINOPLASTY INTERNATIONAL DISSECTION COURSE

Coording error

WE MATTER WHAT THE FUTURE BRINGS CALL FOR PAPERS

EUROPEAN COMMISSION Brussels, 26.01.2016 Subject

letters

Pope Sisto IV della Rovere`s House

Film Music Setlist - The Gurt Lush Choir

Definition and views of Information Systems IS, high level

Martinico STALS - Sant`Anna Legal Studies | Sant`Anna Legal Studies