Keyword: Data protection law

Getting under your skin(s): A legal-ethical exploration of Fortnite’s transformation into a content delivery platform and its manipulative potential external link

Sax, M. & Ausloos, J.
Interactive Entertainment Law Review, vol. 4, num: 1, 2021

Abstract

This paper investigates the ethical and legal implications of increasingly manipulative practices in the gaming industry by looking at one of the currently most popular and profitable video games in the world. Fortnite has morphed from an online game into a quasi-social network and an important cultural reference point in the lifeworld of many (young) people. The game is also emblematic of the freemium business model, with strong incentives to design the game in a manner which maximises microtransactions. This article suggests that to properly understand Fortnite’s practices – which we predict will become more widely adopted in the video game industry in the near future – we need an additional perspective. Fortnite is not only designed for hyper-engagement; its search for continued growth and sustained relevance is driving its transformation from being a mere video game into a content delivery platform. This means that third parties can offer non game-related services to players within Fortnite’s immersive game experience. In this paper, we draw on an ethical theory of manipulation (which defines manipulation as an ethically problematic influence on a person’s behaviour) to explore whether the gaming experience offered by Fortnite harbours manipulative potential. To legally address the manipulative potential of commercial video game practices such as the ones found in Fortnite, we turn to European data protection and consumer protection law. More specifically, we explore how the European Union’s General Data Protection Regulation and Unfair Commercial Practices Directive can provide regulators with tools to address Fortnite’s manipulative potential and to make Fortnite (more) forthright.

Consumer law, Data protection law, Fortnite, manipulation, Platforms, video games

Bibtex

Article{SaxAusloos2021, title = {Getting under your skin(s): A legal-ethical exploration of Fortnite’s transformation into a content delivery platform and its manipulative potential}, author = {Sax, M. and Ausloos, J.}, url = {https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3764489}, year = {0301}, date = {2021-03-01}, journal = {Interactive Entertainment Law Review}, volume = {4}, number = {1}, pages = {}, abstract = {This paper investigates the ethical and legal implications of increasingly manipulative practices in the gaming industry by looking at one of the currently most popular and profitable video games in the world. Fortnite has morphed from an online game into a quasi-social network and an important cultural reference point in the lifeworld of many (young) people. The game is also emblematic of the freemium business model, with strong incentives to design the game in a manner which maximises microtransactions. This article suggests that to properly understand Fortnite’s practices – which we predict will become more widely adopted in the video game industry in the near future – we need an additional perspective. Fortnite is not only designed for hyper-engagement; its search for continued growth and sustained relevance is driving its transformation from being a mere video game into a content delivery platform. This means that third parties can offer non game-related services to players within Fortnite’s immersive game experience. In this paper, we draw on an ethical theory of manipulation (which defines manipulation as an ethically problematic influence on a person’s behaviour) to explore whether the gaming experience offered by Fortnite harbours manipulative potential. To legally address the manipulative potential of commercial video game practices such as the ones found in Fortnite, we turn to European data protection and consumer protection law. More specifically, we explore how the European Union’s General Data Protection Regulation and Unfair Commercial Practices Directive can provide regulators with tools to address Fortnite’s manipulative potential and to make Fortnite (more) forthright.}, keywords = {Consumer law, Data protection law, Fortnite, manipulation, Platforms, video games}, }

Kaleidoscopic data-related enforcement in the digital age external link

Yakovleva, S., Geursen, W. & Arnbak, A.
Common Market Law Review, vol. 57, num: 5, pp: 1461-1494, 2020

Abstract

The interplay between competition, consumer and data protection law, when applied to data collection and processing practices, may lead to situations where several competent authorities can, independently, carry out enforcement actions against the same practice, or where an authority competent to carry out enforcement in one area of law can borrow the concepts of another area to advance its own goals. The authors call this “kaleidoscopic enforcement”. Kaleidoscopic enforcement may undermine existing coordination mechanisms within specif ic areas, and may lead to both the incoherent enforcement of EU rules applicable to data, and to sub-optimal enforcement. An EU level binding inter-disciplinary coordination mechanism between competition, consumer and data protection authorities is needed. Now the Commission has announced ambitious plans to enhance the coherent application of EU law in several areas, it is the perfect time to work towards creating such an enforcement mechanism.

Competition law, Consumer law, Data protection law, enforcement, frontpage, Privacy

Bibtex

Article{Yakovleva2020c, title = {Kaleidoscopic data-related enforcement in the digital age}, author = {Yakovleva, S. and Geursen, W. and Arnbak, A.}, url = {https://www.ivir.nl/publicaties/download/CMLR_2020.pdf}, year = {1001}, date = {2020-10-01}, journal = {Common Market Law Review}, volume = {57}, number = {5}, pages = {1461-1494}, abstract = {The interplay between competition, consumer and data protection law, when applied to data collection and processing practices, may lead to situations where several competent authorities can, independently, carry out enforcement actions against the same practice, or where an authority competent to carry out enforcement in one area of law can borrow the concepts of another area to advance its own goals. The authors call this “kaleidoscopic enforcement”. Kaleidoscopic enforcement may undermine existing coordination mechanisms within specif ic areas, and may lead to both the incoherent enforcement of EU rules applicable to data, and to sub-optimal enforcement. An EU level binding inter-disciplinary coordination mechanism between competition, consumer and data protection authorities is needed. Now the Commission has announced ambitious plans to enhance the coherent application of EU law in several areas, it is the perfect time to work towards creating such an enforcement mechanism.}, keywords = {Competition law, Consumer law, Data protection law, enforcement, frontpage, Privacy}, }

The personal information sphere: An integral approach to privacy and related information and communication rights external link

Eskens, S.
JASIST, vol. 71, num: 9, pp: 1116-1128, 2020

Abstract

Data protection laws, including the European Union General Data Protection Regulation, regulate aspects of online personalization. However, the data protection lens is too narrow to analyze personalization. To define conditions for personalization, we should understand data protection in its larger fundamental rights context, starting with the closely connected right to privacy. If the right to privacy is considered along with other European fundamental rights that protect information and communication flows, namely, communications confidentiality; the right to receive information; and freedom of expression, opinion, and thought, these rights are observed to enable what I call a “personal information sphere” for each person. This notion highlights how privacy interferences affect other fundamental rights. The personal information sphere is grounded in European case law and is thus not just an academic affair. The essence of the personal information sphere is control, yet with a different meaning than mere control as guaranteed by data protection law. The personal information sphere is about people controlling how they situate themselves in information and communication networks. It follows that, to respect privacy and related rights, online personalization providers should actively involve users in the personalization process and enable them to use personalization for personal goals.

Data protection law, frontpage, Fundamental rights, personalization, Privacy

Bibtex

Article{Eskens2020, title = {The personal information sphere: An integral approach to privacy and related information and communication rights}, author = {Eskens, S.}, url = {https://www.ivir.nl/publicaties/download/jasist_2020.pdf}, doi = {https://doi.org/https://doi.org/10.1002/asi.24354}, year = {0320}, date = {2020-03-20}, journal = {JASIST}, volume = {71}, number = {9}, pages = {1116-1128}, abstract = {Data protection laws, including the European Union General Data Protection Regulation, regulate aspects of online personalization. However, the data protection lens is too narrow to analyze personalization. To define conditions for personalization, we should understand data protection in its larger fundamental rights context, starting with the closely connected right to privacy. If the right to privacy is considered along with other European fundamental rights that protect information and communication flows, namely, communications confidentiality; the right to receive information; and freedom of expression, opinion, and thought, these rights are observed to enable what I call a “personal information sphere” for each person. This notion highlights how privacy interferences affect other fundamental rights. The personal information sphere is grounded in European case law and is thus not just an academic affair. The essence of the personal information sphere is control, yet with a different meaning than mere control as guaranteed by data protection law. The personal information sphere is about people controlling how they situate themselves in information and communication networks. It follows that, to respect privacy and related rights, online personalization providers should actively involve users in the personalization process and enable them to use personalization for personal goals.}, keywords = {Data protection law, frontpage, Fundamental rights, personalization, Privacy}, }

The regulation of online political micro-targeting in Europe external link

Dobber, T., Fahy, R. & Zuiderveen Borgesius, F.
Internet Policy Review, vol. 8, num: 4, 2020

Abstract

In this paper, we examine how online political micro-targeting is regulated in Europe. While there are no specific rules on such micro-targeting, there are general rules that apply. We focus on three fields of law: data protection law, freedom of expression, and sector-specific rules for political advertising; for the latter we examine four countries. We argue that the rules in the General Data Protection Regulation (GDPR) are necessary, but not sufficient. We show that political advertising, including online political micro-targeting, is protected by the right to freedom of expression. That right is not absolute, however. From a European human rights perspective, it is possible for lawmakers to limit the possibilities for political advertising. Indeed, some countries ban TV advertising for political parties during elections.

Advertising, Data protection law, elections, europe, frontpage, Micro-targeting, Politics, Privacy, Regulering, Vrijheid van meningsuiting

Bibtex

Article{Dobber2020, title = {The regulation of online political micro-targeting in Europe}, author = {Dobber, T. and Fahy, R. and Zuiderveen Borgesius, F.}, url = {https://policyreview.info/articles/analysis/regulation-online-political-micro-targeting-europe}, doi = {https://doi.org/10.14763/2019.4.1440}, year = {0116}, date = {2020-01-16}, journal = {Internet Policy Review}, volume = {8}, number = {4}, pages = {}, abstract = {In this paper, we examine how online political micro-targeting is regulated in Europe. While there are no specific rules on such micro-targeting, there are general rules that apply. We focus on three fields of law: data protection law, freedom of expression, and sector-specific rules for political advertising; for the latter we examine four countries. We argue that the rules in the General Data Protection Regulation (GDPR) are necessary, but not sufficient. We show that political advertising, including online political micro-targeting, is protected by the right to freedom of expression. That right is not absolute, however. From a European human rights perspective, it is possible for lawmakers to limit the possibilities for political advertising. Indeed, some countries ban TV advertising for political parties during elections.}, keywords = {Advertising, Data protection law, elections, europe, frontpage, Micro-targeting, Politics, Privacy, Regulering, Vrijheid van meningsuiting}, }

Third Annual Detlev F. Vagts Roundtable on Transnational Law: Data Protection in a Global World external link

Irion, K.
Proceedings of the Annual Meeting - American Society of International Law, vol. 112, pp: 220-226, 2019

Data protection law, free data flow, frontpage, General Data Protection Regulation, Internet, transnational law

Bibtex

Article{Irion2019, title = {Third Annual Detlev F. Vagts Roundtable on Transnational Law: Data Protection in a Global World}, author = {Irion, K.}, url = {https://www.cambridge.org/core/services/aop-cambridge-core/content/view/4DAD3CA357D2483729CD38B52ED6A612/S027250371900123Xa.pdf/remarks_by_kristina_irion.pdf}, doi = {https://doi.org/https://doi.org/10.1017/amp.2019.123}, year = {0411}, date = {2019-04-11}, journal = {Proceedings of the Annual Meeting - American Society of International Law}, volume = {112}, pages = {220-226}, keywords = {Data protection law, free data flow, frontpage, General Data Protection Regulation, Internet, transnational law}, }

The Japan EU Economic Partnership Agreement: Flows of Personal Data to the Land of the Rising Sun external link

Bartl, M. & Irion, K.
2017

Abstract

At the EU-Japan Summit in July this year the European Union (EU) and Japan have achieved a political agreement in principle on the content of the Japan EU Economic Partnership Agreement. For Japan including data flows in the trade deal with the EU has been an important political goal besides mutual recognition of their privacy laws. The EU is currently not favorably disposed to allow data flows provisions into trade deals. Building a ‘state of the art’ digital economy between Japan and the EU is certainly possible in conformity with their data privacy laws and the classical trade law disciplines. Our brief unpacks how flows of personal data will governed in the relationship between Japan and the EU. As a point of departure we look at the extent to which the prospective trade deal between the two economies would already cover data flows, including personal data. Next, we will take a look at the prospects for a regulatory handshake between Japan and EU providing for mutual recognition of data privacy and flows of personal data. The brief concludes with findings and recommendations on the future directions of Japan EU Economic Partnership Agreement.

Data protection law, frontpage, Japan, Personal data, trade agreements

Bibtex

Other{Bartl2017, title = {The Japan EU Economic Partnership Agreement: Flows of Personal Data to the Land of the Rising Sun}, author = {Bartl, M. and Irion, K.}, url = {https://www.ivir.nl/publicaties/download/Transfer-of-personal-data-to-the-land-of-the-rising-sun-FINAL.pdf}, year = {1025}, date = {2017-10-25}, abstract = {At the EU-Japan Summit in July this year the European Union (EU) and Japan have achieved a political agreement in principle on the content of the Japan EU Economic Partnership Agreement. For Japan including data flows in the trade deal with the EU has been an important political goal besides mutual recognition of their privacy laws. The EU is currently not favorably disposed to allow data flows provisions into trade deals. Building a ‘state of the art’ digital economy between Japan and the EU is certainly possible in conformity with their data privacy laws and the classical trade law disciplines. Our brief unpacks how flows of personal data will governed in the relationship between Japan and the EU. As a point of departure we look at the extent to which the prospective trade deal between the two economies would already cover data flows, including personal data. Next, we will take a look at the prospects for a regulatory handshake between Japan and EU providing for mutual recognition of data privacy and flows of personal data. The brief concludes with findings and recommendations on the future directions of Japan EU Economic Partnership Agreement.}, keywords = {Data protection law, frontpage, Japan, Personal data, trade agreements}, }

The perfect match? A closer look at the relationship between EU consumer law and data protection law external link

Helberger, N., Zuiderveen Borgesius, F. & Reyna, A.
Common Market Law Review, vol. 2017, num: 5, pp: 1427-1466, 2017

Abstract

In modern markets, many companies offer so-called “free” services and monetize consumer data they collect through those services. This paper argues that consumer law and data protection law can usefully complement each other. Data protection law can also inform the interpretation of consumer law. Using consumer rights, consumers should be able to challenge excessive collection of their personal data. Consumer organizations have used consumer law to tackle data protection infringements. The interplay of data protection law and consumer protection law provides exciting opportunities for a more integrated vision on “data consumer law”.

Consumentenrecht, Consumer law, Data protection law, EU, frontpage, gegevensbescherming, Privacy

Bibtex

Article{Helberger2017b, title = {The perfect match? A closer look at the relationship between EU consumer law and data protection law}, author = {Helberger, N. and Zuiderveen Borgesius, F. and Reyna, A.}, url = {https://www.ivir.nl/publicaties/download/CMLR_2017_5.pdf}, year = {1006}, date = {2017-10-06}, journal = {Common Market Law Review}, volume = {2017}, number = {5}, pages = {1427-1466}, abstract = {In modern markets, many companies offer so-called “free” services and monetize consumer data they collect through those services. This paper argues that consumer law and data protection law can usefully complement each other. Data protection law can also inform the interpretation of consumer law. Using consumer rights, consumers should be able to challenge excessive collection of their personal data. Consumer organizations have used consumer law to tackle data protection infringements. The interplay of data protection law and consumer protection law provides exciting opportunities for a more integrated vision on “data consumer law”.}, keywords = {Consumentenrecht, Consumer law, Data protection law, EU, frontpage, gegevensbescherming, Privacy}, }

Online Price Discrimination and EU Data Privacy Law external link

Zuiderveen Borgesius, F. & Poort, J.
Journal of Consumer Policy, vol. 2017, 2017

Abstract

Online shops could offer each website customer a different price. Such personalized pricing can lead to advanced forms of price discrimination based on individual characteristics of consumers, which may be provided, obtained, or assumed. An online shop can recognize customers, for instance through cookies, and categorize them as price-sensitive or price-insensitive. Subsequently, it can charge (presumed) price-insensitive people higher prices. This paper explores personalized pricing from a legal and an economic perspective. From an economic perspective, there are valid arguments in favour of price discrimination, but its effect on total consumer welfare is ambiguous. Irrespectively, many people regard personalized pricing as unfair or manipulative. The paper analyses how this dislike of personalized pricing may be linked to economic analysis and to other norms or values. Next, the paper examines whether European data protection law applies to personalized pricing. Data protection law applies if personal data are processed, and this paper argues that that is generally the case when prices are personalized. Data protection law requires companies to be transparent about the purpose of personal data processing, which implies that they must inform customers if they personalize prices. Subsequently, consumers have to give consent. If enforced, data protection law could thereby play a significant role in mitigating any adverse effects of personalized pricing. It could help to unearth how prevalent personalized pricing is and how people respond to transparency about it.

behavioural targeting, cookies, Data protection law, frontpage, General Data Protection Regulation, personalized communication, Price discrimination

Bibtex

Article{Borgesius2017b, title = {Online Price Discrimination and EU Data Privacy Law}, author = {Zuiderveen Borgesius, F. and Poort, J.}, url = {https://www.ivir.nl/publicaties/download/JCP_2017.pdf}, doi = {https://doi.org/DOI 10.1007/s10603-017-9354-z}, year = {0725}, date = {2017-07-25}, journal = {Journal of Consumer Policy}, volume = {2017}, pages = {}, abstract = {Online shops could offer each website customer a different price. Such personalized pricing can lead to advanced forms of price discrimination based on individual characteristics of consumers, which may be provided, obtained, or assumed. An online shop can recognize customers, for instance through cookies, and categorize them as price-sensitive or price-insensitive. Subsequently, it can charge (presumed) price-insensitive people higher prices. This paper explores personalized pricing from a legal and an economic perspective. From an economic perspective, there are valid arguments in favour of price discrimination, but its effect on total consumer welfare is ambiguous. Irrespectively, many people regard personalized pricing as unfair or manipulative. The paper analyses how this dislike of personalized pricing may be linked to economic analysis and to other norms or values. Next, the paper examines whether European data protection law applies to personalized pricing. Data protection law applies if personal data are processed, and this paper argues that that is generally the case when prices are personalized. Data protection law requires companies to be transparent about the purpose of personal data processing, which implies that they must inform customers if they personalize prices. Subsequently, consumers have to give consent. If enforced, data protection law could thereby play a significant role in mitigating any adverse effects of personalized pricing. It could help to unearth how prevalent personalized pricing is and how people respond to transparency about it.}, keywords = {behavioural targeting, cookies, Data protection law, frontpage, General Data Protection Regulation, personalized communication, Price discrimination}, }

Singling out people without knowing their names – Behavioural targeting, pseudonymous data, and the new data protection regulation external link

Zuiderveen Borgesius, F.
Computer Law & Security Review, num: 2, pp: 256-271., 2016

Abstract

Information about millions of people is collected for behavioural targeting, a type of marketing that involves tracking people’s online behaviour for targeted advertising. It is hotly debated whether data protection law applies to behavioural targeting. Many behavioural targeting companies say that, as long as they do not tie names to data they hold about individuals, they do not process any personal data, and that, therefore, data protection law does not apply to them. European Data Protection Authorities, however, take the view that a company processes personal data if it uses data to single out a person, even if it cannot tie a name to these data. This paper argues that data protection law should indeed apply to behavioural targeting. Companies can often tie a name to nameless data about individuals. Furthermore, behavioural targeting relies on collecting information about individuals, singling out individuals, and targeting ads to individuals. Many privacy risks remain, regardless of whether companies tie a name to the information they hold about a person. A name is merely one of the identifiers that can be tied to data about a person, and it is not even the most practical identifier for behavioural targeting. Seeing data used to single out a person as personal data fits the rationale for data protection law: protecting fairness and privacy.

behavioural targeting, cookies, Data protection law, IP addresses, online behavioural advertising, Personal data, Privacy, profiling, pseudonymous data, tracking

Bibtex

Article{nokey, title = {Singling out people without knowing their names – Behavioural targeting, pseudonymous data, and the new data protection regulation}, author = {Zuiderveen Borgesius, F.}, url = {http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2733115}, year = {0223}, date = {2016-02-23}, journal = {Computer Law & Security Review}, number = {2}, abstract = {Information about millions of people is collected for behavioural targeting, a type of marketing that involves tracking people’s online behaviour for targeted advertising. It is hotly debated whether data protection law applies to behavioural targeting. Many behavioural targeting companies say that, as long as they do not tie names to data they hold about individuals, they do not process any personal data, and that, therefore, data protection law does not apply to them. European Data Protection Authorities, however, take the view that a company processes personal data if it uses data to single out a person, even if it cannot tie a name to these data. This paper argues that data protection law should indeed apply to behavioural targeting. Companies can often tie a name to nameless data about individuals. Furthermore, behavioural targeting relies on collecting information about individuals, singling out individuals, and targeting ads to individuals. Many privacy risks remain, regardless of whether companies tie a name to the information they hold about a person. A name is merely one of the identifiers that can be tied to data about a person, and it is not even the most practical identifier for behavioural targeting. Seeing data used to single out a person as personal data fits the rationale for data protection law: protecting fairness and privacy.}, keywords = {behavioural targeting, cookies, Data protection law, IP addresses, online behavioural advertising, Personal data, Privacy, profiling, pseudonymous data, tracking}, }

Freedom of Expression and ‘Right to Be Forgotten’ Cases in the Netherlands after Google Spain external link

Zuiderveen Borgesius, F.
European Data Protection Law Review, num: 2, pp: 113-125., 2015

Abstract

Since the Google Spain judgment of the Court of Justice of the European Union, Europeans have, under certain conditions, the right to have search results for their name delisted. This paper examines how the Google Spain judgment has been applied in the Netherlands. Since the Google Spain judgment, Dutch courts have decided on two cases regarding delisting requests. In both cases, the Dutch courts considered freedom of expression aspects of delisting more thoroughly than the Court of Justice. However, the effect of the Google Spain judgment on freedom of expression is difficult to assess, as search engine operators decide about most delisting requests without disclosing much about their decisions.

Data protection law, european court of justice, Freedom of expression, google spain, Grondrechten, Privacy, right to be delisted, right to be forgotten, search engines, the netherlands, Vrijheid van meningsuiting

Bibtex

Article{nokey, title = {Freedom of Expression and ‘Right to Be Forgotten’ Cases in the Netherlands after Google Spain}, author = {Zuiderveen Borgesius, F.}, url = {http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2652171}, year = {0917}, date = {2015-09-17}, journal = {European Data Protection Law Review}, number = {2}, abstract = {Since the Google Spain judgment of the Court of Justice of the European Union, Europeans have, under certain conditions, the right to have search results for their name delisted. This paper examines how the Google Spain judgment has been applied in the Netherlands. Since the Google Spain judgment, Dutch courts have decided on two cases regarding delisting requests. In both cases, the Dutch courts considered freedom of expression aspects of delisting more thoroughly than the Court of Justice. However, the effect of the Google Spain judgment on freedom of expression is difficult to assess, as search engine operators decide about most delisting requests without disclosing much about their decisions.}, keywords = {Data protection law, european court of justice, Freedom of expression, google spain, Grondrechten, Privacy, right to be delisted, right to be forgotten, search engines, the netherlands, Vrijheid van meningsuiting}, }