Privacy and Contracts in the GDPR Era

The digital age has brought with it an unprecedented collection and use of personal data, prompting a re-evaluation of traditional contract law in light of emerging privacy concerns. The General Data Protection Regulation (GDPR) of the European Union, alongside other global privacy laws, is reshaping how contracts involving personal data are formed, interpreted, and enforced. This article explores the intersection of contract law and privacy regulations, supported by case law, juristic opinions, and jurisprudential insights.


Legal Framework:

Under traditional contract law, parties are free to negotiate terms, provided they do not contravene public policy. Contracts that involve the processing of personal data now intersect with privacy laws like the GDPR, which impose obligations on data controllers and processors regardless of mutual consent in contracts.


The GDPR, effective since May 2018, introduces principles such as lawfulness, fairness, transparency, data minimization, and purpose limitation, which directly affect contractual practices. Importantly, consent under GDPR must be freely given, specific, informed, and unambiguous, contrasting with broader, implied consents often found in standard form contracts.


Impact on Contract Formation and Performance:

Consent Clauses: Standard contracts often include blanket consent clauses for data processing. Under GDPR, such clauses may not meet the requirement of informed and explicit consent, making them unenforceable.

Data Processing Agreements (DPAs): Article 28 of GDPR mandates that controllers and processors enter into specific contracts outlining roles, responsibilities, and data protection measures.

Limitation of Freedom to Contract: While parties may contract freely, GDPR places non-negotiable statutory limits to protect fundamental rights of data subjects.


Case Law Analysis at the Intersection of Contract and Privacy Law:

Schrems II Case (CJEU, 2020): The Schrems II case, formally known as Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18, is a landmark ruling by the Court of Justice of the European Union (CJEU) on July 16, 2020. It dealt with the transfer of personal data from the European Union (EU) to countries outside the European Economic Area (EEA), particularly the United States.

The Court invalidated the EU-US Privacy Shield framework due to inadequate data protection standards. It emphasized that data subjects’ rights must be protected under EU law, regardless of contractual arrangements.


Lloyd v. Google LLC (UK Supreme Court, 2021): The UK Supreme Court case of Lloyd v Google LLC [2021] UKSC 50, decided on November 10, 2021, is a significant ruling concerning representative actions and data protection in the UK.

Richard Lloyd, a consumer rights advocate, sought to bring a representative action against Google on behalf of over 4 million iPhone users in England and Wales. He alleged that Google had illegally tracked their internet activity through the "Safari workaround" and collected their data for commercial purposes without their knowledge or consent.

This case highlighted how data breaches and misuse can lead to collective redress, even without financial loss, shifting the burden onto companies in how they design contracts and manage consent.


Facebook Ireland Ltd. v. Data Protection Commissioner (Ireland, 2023): The Irish Data Protection Commission (DPC) concluded an inquiry into Meta Platforms Ireland Limited (Meta Ireland), focusing on the transfers of personal data from the EU/EEA to the US in connection with its Facebook service. The DPC's decision, dated May 12, 2023, found that Meta Ireland had infringed Article 46(1) of the GDPR by continuing these transfers even after the CJEU's Schrems II judgment.

This case reaffirmed that companies must ensure data transfers comply with GDPR, regardless of existing contractual safeguards.


Juristic and Jurisprudential Perspectives:

Legal scholars argue that privacy is not merely a contractual issue but a matter of fundamental human rights, as recognized by the Charter of Fundamental Rights of the EU (Article 8). Jurists like Paul De Hert and Christopher Kuner have emphasized that contracts cannot override these rights.

From a jurisprudential standpoint, theories like Dworkin’s rights-based approach support the notion that individual rights to privacy cannot be waived through unconscionable contract terms. Kantian ethics would further argue that treating individuals as means to commercial ends (through data exploitation) violates the dignity and autonomy that legal systems should protect.


International Influence and Comparative Analysis:

  • India’s DPDP Act (2023): Inspired by GDPR, India’s new data protection regime limits consent in contracts and prioritizes user rights, pushing businesses to adopt privacy-by-design.


The following provisions of the Act protect personal data and privacy:

Section 4 – Personal Data Processing

Personal data must be processed only for lawful purposes with consent or for certain legitimate uses provided by the Act.

Section 6 – Consent

Data must be collected with informed, clear, and specific consent of the individual (data principal), unless exempted.

Section 8 – Data Fiduciary Duties

Entities processing data must ensure accuracy, security, and accountability, and delete data once the purpose is fulfilled.

Section 9 – Limitation on Data Retention

Personal data must not be retained beyond the purpose for which it was collected unless required by law.

Section 12 – Right to Erasure

Grants individuals the right to request deletion of their personal data when it is no longer necessary or consent is withdrawn.

Section 13 – Right to Correction and Update

Data principals have the right to correct, complete, update, or erase their personal data.

  • California Consumer Privacy Act (CCPA): Emphasizes consumer control over personal data, reinforcing limitations on blanket contractual waivers.


Practical Implications for Contract Drafting:

  • Contracts must clearly specify data usage, retention, and protection mechanisms.

  • Blanket consent clauses should be replaced with layered, granular consent options.

  • Parties must include mechanisms for data subject rights (e.g., access, correction, erasure) within contracts.


The GDPR and similar privacy laws have fundamentally altered the landscape of contract law. No longer can contracts simply include generic clauses to sidestep data protection obligations. Instead, privacy is now a central legal concern that contracts must respect. This development marks a shift from freedom of contract towards rights-based regulation, redefining the boundaries of enforceability in the digital age.


References:

  • General Data Protection Regulation (EU) 2016/679

  • Schrems II, Case C-311/18, CJEU

  • Lloyd v. Google LLC [2021] UKSC 50

  • Facebook Ireland Ltd. v. Data Protection Commissioner [2023] IEHC

  • Charter of Fundamental Rights of the European Union

  • Paul De Hert & Vagelis Papakonstantinou, "The New General Data Protection Regulation: Still a Sound System for the Protection of Individuals?" (2016)

  • Christopher Kuner, "Transborder Data Flows and Data Privacy Law" (2013)

  • Digital Personal Data Protection Act, 2023 (India)

  • California Consumer Privacy Act (2018)

DISCLAIMER: This article has been submitted by Divya Garg, trainee under the LLL Legal Training Program. The views and opinions expressed in this piece are solely those of the author.