The Disclosure Backlash Case—Information Transparency in Effective Contractual Management

Abstract

This case study presents a problem which Internet-based companies often face, namely the fact that their terms of service are not sufficiently transparent. When customers fail to understand how a product or service is handled, a company is in a difficult position. On the one hand, it needs to preserve its business model which relies on the processing and sale of customer data to third parties. On the other, it has to improve disclosure practices to its clients if it wants to avoid extreme negative reactions among its customer base. Taking an Internet startup as an example, this case study demonstrates how the duty of Internet-based companies to inform their customers requires transparent information about both pre- and post-transactional processes. The case study implements all five steps of the CM Model and places special emphasis on knowledge management considerations as the best bringers of positive change in such circumstances.

The research on transparent disclosure presented in this chapter is funded by the DFG (German Research Foundation; project number: WU 824/1-1). The authors are participating in the international collaborative research project “The ABC of Online Disclosure Duties. Towards a More Uniform Assessment of the Transparency of Consumer Information in Europe” supported by the DFG and the NWO, Netherlands Organisation for Scientific Research under the Open Research Area for the Social Sciences funding program. The authors thank Joasia Luzak, Marco Loos and Mia Junuzović for their cooperation in this research project.

Appendices

Appendices

1.1 Appendix 1: Extract from Directive 2011/83/EU

Enacted by the European Parliament and of the Council of 25 October 2011 on the subject of consumer rights [25].

“[…]

[Recital] (34) The trader should give the consumer clear and comprehensible information before the consumer is bound by a distance or off-premises contract, a contract other than a distance or an off-premises contract, or any corresponding offer. In providing that information, the trader should take into account the specific needs of consumers who are particularly vulnerable because of their mental, physical or psychological infirmity, age or credulity in a way which the trader could reasonably be expected to foresee. However, taking into account such specific needs should not lead to different levels of consumer protection.

[Recital] (35) The information provided by the trader to the consumer should be mandatory and should not be altered. Nevertheless, the contracting parties should be able to expressly agree to change the content of the contract subsequently concluded […].”

1.2 Appendix 2: Extract from Directive 2002/58/EU

Enacted by the European Parliament and of the Council of 12 July 2002 on the subject of processing of personal data and the protection of privacy in the electronic communications sector [24].

“[…]

[Recital] (6) The Internet is overturning traditional market structures by providing a common, global infrastructure for the delivery of a wide range of electronic communication services. Publicly available electronic communication services over the Internet open new possibilities for users but also new risks for their personal data and privacy.

…

[Recital] (9) The Member States, providers and users concerned, together with the competent Community bodies, should cooperate in introducing and developing the relevant technologies where this is necessary to apply the guarantees provided for by this Directive and taking particular account of the objectives of minimizing the processing of personal data and of using anonymous or pseudoanonymous data where possible.

[…]

[Recital] (30) Systems for the provision of electronic communications networks and services should be designed to limit the amount of personal data necessary to a strict minimum. Any activities related to the provision of the electronic communications service that go beyond the transmission of a communication and the billing thereof should be based on aggregated, traffic data that cannot be related to subscribers or users. Where such activities cannot be based on aggregated data, they should be considered as value added services for which the consent of the subscriber is required.

[Recital] (31) Whether the consent to be obtained for the processing of personal data with a view to providing a particular value added service should be that of the user or of the subscriber, will depend on the data to be processed and on the type of service to be provided and on whether it is technically, procedurally and contractually possible to distinguish the individual using an electronic communications service from the legal or natural person having subscribed to it.

[Recital] (32) Where the provider of an electronic communications service or of a value added service subcontracts the processing of personal data necessary for the provision of these services to another entity, such subcontracting and subsequent data processing should be in full compliance with the requirements regarding controllers and processors of personal data as set out in Directive 95/46/EC […].

Article 13

Unsolicited Communications

1. 1.

   The use of automated calling systems without human intervention (automatic calling machines), facsimile machines (fax) or electronic mail for the purposes of direct marketing may only be allowed in respect of subscribers who have given their prior consent.

2. 2.

   Notwithstanding paragraph 1, where a natural or legal person obtains from its customers their electronic contact details for electronic mail, in the context of the sale of a product or a service, in accordance with Directive 95/46/EC, the same natural or legal person may use these electronic contact details for direct marketing of its own similar products or services provided that customers clearly and distinctly are given the opportunity to object, free of charge and in an easy manner, to such use of electronic contact details when they are collected and on the occasion of each message in case the customer has not initially refused such use.

3. 3.

   Member States shall take appropriate measures to ensure that, free of charge, unsolicited communications for purposes of direct marketing, in cases other than those referred to in paragraphs 1 and 2, are not allowed either without the consent of the subscribers concerned or in respect of subscribers who do not wish to receive these communications, the choice between these options to be determined by national legislation.

4. 4.

   In any event, the practice of sending electronic mail for purposes of direct marketing disguising or concealing the identity of the sender on whose behalf the communication is made, or without a valid address to which the recipient may send a request that such communications cease, shall be prohibited.

5. 5.

   Paragraphs 1 and 3 shall apply to subscribers who are natural persons. Member States shall also ensure, in the framework of Community law and applicable national legislation, that the legitimate interests of subscribers other than natural persons with regard to unsolicited communications are sufficiently protected.”

1.3 Appendix 3: Extract from Directive 95/46/EC

Enacted by the European Parliament and of the Council of 24 October 1995 on the subject of protection of individuals with regard to the processing of personal data and on the free movement of such data [26].

“[…]

For the purposes of this Directive:

1. (a)

   ‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

2. (b)

   ‘processing of personal data’ (‘processing’) shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

3. (c)

   ‘personal data filing system’ (‘filing system’) shall mean any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;

4. (d)

   ‘controller’ shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law;

5. (e)

   ‘processor’ shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

6. (f)

   ‘third party’ shall mean any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data;

7. (g)

   ‘recipient’ shall mean a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not; however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients;

8. (h)

   ‘the data subjectʼs consent’ shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.

[…]

SECTION II

CRITERIA FOR MAKING DATA PROCESSING LEGITIMATE

Article 7

Member States shall provide that personal data may be processed only if:

1. (a)

   the data subject has unambiguously given his consent; or

2. (b)

   processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or […]

3. (f)

   processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).

SECTION III

SPECIAL CATEGORIES OF PROCESSING

Article 8

The processing of special categories of data

1. 1.

   Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.

2. 2.

   Paragraph 1 shall not apply where:

   1. (a)

      the data subject has given his explicit consent to the processing of those data, except where the laws of the Member State provide that the prohibition referred to in paragraph 1 may not be lifted by the data subjectʼs giving his consent; […]

SECTION IV

INFORMATION TO BE GIVEN TO THE DATA SUBJECT

Article 10

Information in cases of collection of data from the data subject

Member States shall provide that the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it:

1. (a)

   the identity of the controller and of his representative, if any;

2. (b)

   the purposes of the processing for which the data are intended;

3. (c)

   any further information such as

   • the recipients or categories of recipients of the data,

   • whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply,

   • the existence of the right of access to and the right to rectify the data concerning him

in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject.”

1.4 Appendix 4: Excerpts from Psi UG’s Terms of Service (Until November 2017)

“[…]

(9) Our service stays high-quality and competitive also thanks to your willingness to provide us with personal information about yourself. This personal information might be both one-time and recurring in nature, the former referring to the data you supply to us upon registering your account and the latter pertaining to our daily mood and sleep check-in data we strongly urge you to share with us. We may use this data in a variety of ways which can improve our service to you and can also serve our company’s own interests.

(10) We operate on the basis of mutual trust and value your cooperation highly. However, should you choose not to provide some of the personal data we ask for, we will still do our best to provide you with top-notch service. Nevertheless, keep in mind that non-compliance may result in suboptimal results and limits our liability in cases you are not content with the service we have rendered.

(11) By agreeing to these terms, you also certify that you will keep your personal information on our site up to date and accurate.

(12) All matters of privacy and personal data are further explained in our Privacy Policy which you should read and accept before using our services.

[…]

(15) We reserve the right to update and amend the terms of service as we see fit. We will contact you periodically to turn your attention to possible changes and updates which affect you as a customer. “

1.5 Appendix 5: Excerpts from Psi UG’s Privacy Policy (Until November 2017)

“[…]

(11) You agree that Psi may collect and store your personal information, including but not limited to your name, physical and email address, profile info, transaction history, and daily check-ins. We may use this information for our internal purposes as well as occasionally pass it on to third parties who might then use the information we provide to them for the purposes of occasional promotional communications.

(12) You allow Psi to exercise its own discretion in selecting the third parties, to whom we may make available some of your personal data. We reserve the right to periodically review and update our agreements with third parties, which can have an influence on the amount and kind of personal information we might share with them.

[…]

(17) Should you have any objections to the amount or kind of personal information we might be sharing with third parties, you may get in touch with us and supply a formal inquiry as to the exact nature of our activities. We take such requests very seriously, our team reviews them regularly, and we will get back to you with a personal response in due time. Until you hear back from us, we urge you to refrain from any further actions even though your principal rights and freedoms as customer remain unrestrained under this policy.”

1.6 Appendix 6: Customer Personal Data Collected by Psi

1. (a)

   Upon registration (one-time)

   • Name

   • Physical/postal address

   • Email address

   • Nationality

   • Age

   • Gender

   • Relationship status

   • Pets

   • Income bracket

   • History of medical and/or psychological problems or ailments

   • History of life and/or career coaching (when? how long? how successful?)

2. (b)

   Upon sign-in (recurring)

   • How happy are you feeling today? (scale of 1–10)

   • How many hours of sleep did you get last night?

   • Sum up your feelings in the days since your last sign-in in 1–3 words!