The Perfect Match? A Closer Look at the Relationship between EU Consumer Law and Data Protection Law

This paper asks how EU consumer protection law and EU data protection law relate to one another in “data-driven” digital markets—especially where services are marketed as “free” but are monetized through collection and processing of personal data. The question matters because, in practice, many online services are not purchased with money; instead, consumers provide data (directly or indirectly) that firms use for profiling, advertising, personalization, and other forms of value extraction. When the legal system treats these transactions as either (only) data protection issues or (only) consumer contract/market issues, consumers may lose important remedies and regulatory leverage. The authors’ core claim is that the two legal regimes can complement each other: data protection law supplies fundamental-right-based rules for lawful and fair processing of personal data, while consumer law can broaden the perspective to the fairness of the overall commercial relationship, including information duties, unfair terms, unfair commercial practices, and the treatment of consumer vulnerability.

The paper is primarily a doctrinal and policy analysis rather than an empirical study. It synthesizes EU legal frameworks and policy developments, focusing on the GDPR and major consumer directives (notably the Unfair Commercial Practices Directive, the Unfair Contract Terms Directive, and the Consumer Rights Directive), and it discusses the Commission’s then-proposed Digital Content Directive that explicitly addresses contracts for digital content supplied in exchange for data. The authors also draw on case law and enforcement experiences—especially consumer organizations’ litigation and complaints—to illustrate how consumer law can be used to challenge data-related practices.

Methodologically, the paper proceeds in structured sections: (1) it explains how personal data function in consumer transactions (as an economic asset, as part of the service, as a determinant of contractual conditions, and as a tool for influencing consumer decision-making); (2) it sketches the GDPR’s legal architecture (principles like lawfulness/fairness/transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, and accountability; legal bases such as contract necessity, legitimate interests, and consent; and data subject rights and enforcement mechanisms); (3) it maps where consumer law can add value to data protection law in four areas: informing consumers, “free” services, identifying unfair terms, and identifying unfair commercial practices (including profiling and vulnerability). It then (4) discusses conceptual “growing pains” and risks of integration, especially around consistency, conflicts (notably consent and “freely given” consent), and the danger of treating personal data as a commodity.

Because the paper is not an experimental or quantitative study, it does not report statistical effect sizes, sample sizes, or p-values. Instead, it provides detailed legal reasoning and cites specific directive provisions, GDPR articles, and illustrative judicial decisions. The “key findings” are therefore normative/doctrinal conclusions about where legal tools can be combined and what gaps remain. The authors argue that consumer law can (a) strengthen transparency and information requirements beyond GDPR’s detailed disclosure rules by leveraging consumer-law flexibility and by tying omissions/misrepresentations to “misleading practices” standards; (b) extend protection to “free” services by treating non-monetary remuneration (personal data) as counter-performance in the Digital Content Directive approach, while also highlighting ambiguities and scope limitations (e.g., “active” provision of data and the uncertain relationship between consumer-law remedies and GDPR’s consent/legal-basis structure); (c) use the Unfair Contract Terms Directive’s fairness test to scrutinize privacy- and data-related standard terms, potentially using data protection principles (minimization, purpose limitation, security) as benchmarks for contractual fairness; and (d) use the Unfair Commercial Practices Directive to assess whether consent to data processing is obtained in a way that undermines consumers’ autonomous transactional decisions—particularly in profiling and targeted persuasion contexts.

The paper’s limitations are those inherent to doctrinal/policy scholarship: it does not provide systematic empirical evidence about how often these cross-regime tools are used, nor does it quantify consumer harm or measure enforcement outcomes across Member States. The authors acknowledge “open questions” about remedies for non-monetary transactions, valuation of personal data in contractual exchange, institutional competence and expertise mismatches between consumer and data protection authorities, and the need for further research (including comparative work with the US FTC approach). They also identify conceptual limitations: consumer law and data protection law have different legal traditions and objectives, and the integration is not yet consistent. The authors specifically flag potential contradictions, such as the GDPR requirement that consent be “freely given” (and the prohibition on consent being bundled with non-necessary processing), which may conflict with consumer-law characterizations of data as counter-performance.

Practically, the implications are aimed at regulators, courts, consumer organizations, and policymakers. The authors suggest that consumer organizations can and should use consumer law to challenge data protection infringements and data-related unfairness, as illustrated by enforcement actions against major platforms and connected products. They also imply that courts and regulators should interpret consumer-law concepts (misleading practices, unfair terms, unfair persuasion, vulnerability) in ways that reflect modern data-driven market realities, while data protection law should inform consumer-law interpretation to ensure that fundamental-right constraints remain central. For consumers, the practical promise is that they may gain additional remedies—such as contract-based remedies or unfair-practice enforcement—when data protection alone does not provide an effective contractual outcome (e.g., returning a device, terminating a contract, or requiring conformity of digital content/services).

Overall, the paper’s core contribution is to articulate a “data consumer law” vision: a more integrated legal toolbox where consumer protection addresses the fairness of market conduct and contractual balance in data monetization scenarios, and data protection law supplies the fundamental-right-based constraints on processing. The authors emphasize that this integration should not normalize the idea that personal data are merely a commodity; rather, it should ensure that consumer-law tools operate within the boundaries set by GDPR and fundamental rights doctrine.