Regardless of considering personal data as rights or as things, everyone shall agree that they are worth a lot. Personal data is a commodity, a kind of asset everyone has, but not everybody understands its potential. Do you?

Since Warren and Brandeis defined the “right to be let alone” in 1890, the world has changed a lot. But, even if their concept was among the first milestones of privacy, we still face the same challenges, just in a bigger, higher, stronger, and faster manner.

Personal data is the fuel for the network society created by the digital economy, and the engine of this machine is social media. In our understanding, social media is made up of online platforms fed by the personal data of the masses. Any medium where the content (including but not limited to images, videos, messages, and sound files) is broadcast to, or capable of being broadcast to, the general public. Each elements of the content are made by the users, the framework and finally the free flow of the personal content is made by the social media provider. In conclusion they are users and the website are co-workers in creating social media, it is a jointly produced medium.

The origin (history) of social media is somewhat unclear. The Swedish social networking website LunarStorm, (originally Stajlplejs) was launched in 1996 and described as “the world’s first social media on the Internet” by its founder, Rickard Eriksson. LunarStorm had 1,2 million members. According to the History Cooperative’s article titled “The Complete History of Social Media: A Timeline of the Invention of Online Networking”, social media goes back to 1997, the launch of the first social media platform, called Six Degrees (it lasted until 2001). Six Degrees had 3,5 million members. Although iWiW (International Who is Who) –a Hungarian social networking web service started on 14 April 2002 as iWiW – is not cited often in social media resources, we propose incorporating it into the current discourse. iWiW was unique as it worked on an invitation-basis, which provided a seemingly exclusive personal guarantee to its users. The system was renewed in 2005 and became multi-lingual with other new features. At the peak of its success, iWiW had 4.7 million members with about 1.5 million daily users in a country of ten million (Hungary). By the end of 2010, the same number of people from Hungary had logged into iWiW and Facebook every day, but then the number of Facebook members started to increase because it was better financed. The history of iWiW is worth mentioning from a personal data point of view. On 28 April 2006, T-Online, the internet service branch of Magyar Telekom, purchased iWiW for almost one billion HUF from Virgo Systems Informatikai Kft. Users (mainly Hungarians) expressed concerns that their personal data may be sold to telemarketers or used for other purposes (potentially hurting their privacy). The platform has been defunct since 30 June 2014, and all the users’ data was deleted by then.

Around the millennium, multiple companies entered the online market with similar products, but none of these had significant social support until MySpace reached 115 million members. Facebook was founded in 2004, and by the time of its European market entry (with the establishment of its international headquarters in Dublin) in 2008, it incredibly quickly decreased the popularity of other similar platforms. Interestingly, Compete.com’s study ranked Facebook the most used social networking service worldwide in 2009. At this time, following the Ürümqi riots, China blocked Facebook.

Facebook currently has 2.895 billion monthly active users, 65,9% of which means daily users. User numbers also include approx. 1% of now deceased people, whose data still circulate in the ether. This means an incredibly massive amount of personal data. These numbers empower the social media giant to formulate threats like an ‘incapability to offer a number of their most significant products and services, including Facebook and Instagram, in Europe’ because of the difficult legal situation of the international data transfers to the USA. This announcement, at first look, may seem like something real knowing that Facebook has recently blocked certain contents in Australia because of a bill which would impose fees on tech giants when users share news publisher’s contents. Besides this, it will not likely happen that Facebook will let alone its European users.

Besides Facebook’s trendiness in the Hungarian society (had 5,3 million users from Hungary (population: 9,684,679) in 2019), we witnessed an interesting example of Hungarian legal practice. In 2021, the Hungarian Competition Authority fined Facebook 1,2 billion HUF (approx. 3,75 million USD) for advertising itself as free. Consideration has been given to deceiving consumers by claiming “It’s free and always will be”. Although there is no monetary reward for using the social site, Facebook uses the users’ personal information collected when people use the site. Facebook hands over the target information based on personal data, and this activity brings monetary benefits into the structure, such as from the sale of personalized advertising space.

Legally speaking, from something that is ‘free’, it is expected that the customer not be obliged to give anything in return. However, ultimately, consumers pay with their personal data to use the service, and Facebook is misleading them in making this transactional decision by convincing its complementary feature. Of course, Facebook does not sell the personal data itself, but let the advertiser select the targeted groups they want, based on personal data created by using the platform and collected by the social media provider.

In December 2019, the Hungarian National Authority for Data Protection found that Facebook’s practice was in violation of relevant legal regulation. Facebook then appealed, and as a result, both the Budapest-Capital Regional Court and the Hungarian Supreme Court (Kúria) ruled that the commercial practice was not in violation of Section 6 of Act XLVII of 2008 Prohibition of Unfair Business-to-Consumer Commercial Practices. In the courts’ interpretation, ‘free of charge’ shall mean that the consumer does not have to pay a monetary consideration for the service or does not suffer any other significant disadvantage when using the service. The courts assumed that consumers would accept the Privacy Policy and Terms and Conditions when registering on Facebook. Hence, they are (should be) aware that they are providing data and consent to the processing of their data. In terms of the facts, it is totally indifferent, irrelevant if Facebook later receives a monetary reward from its business partners for handling and transferring the personal data of several consumers. According to the Hungarian Supreme Court, Facebook users are “not more disadvantaged” by tolerating targeted ads than by tolerating generic ads.

However, from a consumer point of view, by tolerating targeted ads based on the users’ personal data, the users allow businesses and Facebook to maximize their profit. This means that targeted ads are not considered more harmful for the users than generic ads. However, the question here, in our view, is not “which type of ads (targeted vs. generic) are more harmful”, but rather “is the term free misleading in a situation where users give something in exchange”. We can examine the situation from a purely consumer-protection point of view, and can raise the question: whether the reasonable consumer would come to the conclusion that the privacy harm shall be deemed as a price just like any monetary obligation. To tell the truth, most of them would not say that, having in mind that many of them create such content in which they open their private life to the public intentionally. Most of the users do not consider targeted ads a privacy harm but “helpful assistance of the majestic Internet” to find their preferences and products fulfilling their needs in an easier, quicker, and cheaper way.

The legal evaluation of something ‘being for free’ is dependent on whether we treat personal data as a commodity (that could be subject to financial transactions and has a monetary value) or a right. The evaluation is complex as European legal systems usually handle personal data as subject to rights-based protection while the US approach considers it a commodity. One of the most effective legal means of protecting privacy is to guarantee the protection of personal data and informational self-determination. The latter means that everyone has the right to decide what information they share about themselves or what information they do not disclose to the public. Consequently, the regulation of shared or undisclosed personal data becomes similar to that of private property (things).

Posner said personal data is a commodity. To make it simple: people sell themselves like products, and if they hide certain features (i.e., do not disclose personal information), they put themselves in a better light. Posner concludes that privacy outright condemns the fact that legislation provides a right for an individual to withhold information about himself because it distorts or misleads the market. For example, if a candidate discloses a false profile in a job interview, the prospective employer may not be hiring the best employee for that job. At the same time, Posner acknowledges the right to self-protection so that others cannot explore the characteristics of a persons’ undisclosed privacy.

The “commodity” aspect also reveals the differences between the US and European approaches to personality, personal reputation, and personal data protection. For example, the European concept of “the right to be forgotten” is bizarre in US legal thinking, which prefers transparency and the free flow of information under the First Amendment. Therefore, the USA does not recognize this right “of having an imperfect past” even if this was declared by the Court of Justice of the European Union back in 2014. The US courts declared that the right to be forgotten is impermissible under the First Amendment.

Did you know that a U.S. citizen is willing to pay $29 to protect their personal information and pay just 50 cents more for a product offered by a merchant who has taken steps to protect the buyers’ personal information?[1] This is called the privacy paradox, which implies that data subjects (users) expect to protect their personal data but do not want to provide (material) assets for this. The other side of this coin is the platform’s side. Facebook CEO, Mark Zuckerberg expressed in 2010 that “Privacy is no longer the social norm”. This could mean for us that users no longer care about their privacy. This is true, especially if users tend to provide their (sensitive) data even for considerably smaller benefits.

An excellent example is the club card system of multinational companies. They usually ask consumers to provide their e-mail address or telephone number, sign up for newsletters, and immediately get a discount, a coupon, personal ads, and further benefits. Gamification is a smart tool for motivating customers and building trust and loyalty. At the same time, companies may increase customer engagement via positive reinforcement of providing rewards to loyal customers. When this happens via the “connect your social media account” button, the customer shares much more personal information than by providing an email address. Giving access to the social media profile enables companies to get to know (pretty well) their consumers and target them with personal–direct ads. Profiling through automated decision-making and AI raises data protection concerns. This level of surveillance capitalism raises legal concerns starting with the question: do we consider personal data as subject to rights that protect it, or treat them as commodities?

One thing is sure: The personal data market is huge today, and ownership of these assets is not exercised by the data subjects (users), but data controllers use the collected, organized data and are not shy to sell it and turn enormous profits thereon.

In the early 1990s, Laudon took the position that the solution was not legislation but creating an information market. He envisaged that the data subject would provide his data and assign them within the Market to a group where a person with similar characteristics or preferences has data. Anyone who offers something to each group buys that data set, and a portion of the price (‘the dividend’) will go to the data subject. There would also be agents in the Market who would act commission-likely when selling the data entrusted to them.

Perhaps a different conclusion is that the European attitude typically interprets data protection as a set of rights to protect individual privacy. In contrast, the common law and the American attitude typically treat personal data as an object of property and still treat it so in economic relations. Although, both aspects are reasonable, they have one feature in common: transferability. Even if personal data is deemed to be a commodity, or a right, both can be transferred. We can sell the raw personal data – sometimes without any price in return -, and can also transfer the right to the data controller to process them. Regardless of which framework is better, the urgent need for social media regulation and awareness-raising of users is expected.

[1] ACQUISTI, Alessandro: The Economics of Privacy: Theoretical and Empirical Aspects, Carnegie Mellon University, September 12, 2013, 16. pp.

Bianka MAKSÓ is a data protection advisor and an adjunct lecturer of the Data Protection LLM Program at the University of Miskolc. She defended her PhD thesis in 2019 focusing on the GDPR and the Binding Corporate Rules.

Lilla Nóra KISS is a visiting scholar at Antonin Scalia Law School, George Mason University. Participates in the Hungary Foundation’s Liberty Bridge Program, does her postdoctoral research in social media regulation in a comparative approach. Lilla obtained her Ph.D. degree in 2019. The topic of the dissertation is the legal issues of the Brexit.