In web 2.0 and 3.0 users are more and more prosumers of content. User-produced content is highly valuable for several reasons: it increases the quantity and quality of interactions in a given digital platform thus increasing its commercial value; it is personal information and reveals further personal data on the subject, and as such it has an intrinsic value per se; it can be eligible as intellectual property, e.g. it can be a work protectable by copyright.
In other terms, user generated content are a valuable intersection of personal information and intellectual property (IP) where the borderlines between personal data and IP is totally blurred. That is why we will refer to them as “user provided personal content” to underline its dual nature of being both personal data and digital content, and also to refer to its source of production.
In the world of digital market and behavioural algorithms, we cannot ignore the value of this user provided personal content. It is already considered as digital currency, often without full awareness of final users (consumers, data subjects).
Interestingly, it seems that the EU law is increasingly taking into account the value and the peculiarities of this “user provided personal content”. It is not just a coincidence that, among all kinds of IP assets and personal data, this category of data has a sui generis regulation. In particular:
1. In the proposal for a Directive on the supply of digital content (hereinafter: the Proposed Directive), user provided data (personal data or non personal data that are directly provided by users to the supplier) are considered a potential counter-performance other than money for receiving the provision of services and contents.
2. In the GDPR, data provided by data subjects have specific rules. In particular, the right to data portability is limited only to data “provided” by data subjects to the data controller.
The above-mentioned legal provisions and proposals about user provided content lacks uniformity and tends to consider “information” on a sector-specific basis. What is needed here is an inter-sectorial analysis looking for a common language, common definitions, problematic overlaps and envisaged opportunities for the management of user provided personal content in the digital market.
Obviously, not any “user generated” content is personal data and not all user provided personal data is valuable in terms of Intellectual Property.
The European Commission has highlighted that the market for consumers’ data is acquiring more and more importance: business models based on monetizing data become predominant and a large share of consumers access digital services offered “in return” for their personal data.
In order to better understand the actual value of user provided content in the digital platforms economy and also to examine the factual regulation of this valuable good in the market, it is necessary to analyse how the Terms of Services (ToS) of the most common digital platforms deal with user provided personal content. In particular, here are taken as examples the ToS of Facebook, Twitter, Instagram and Second Life: all “free” social networks, where users supply great amount of personal content (writing, photographs, drawing, videos, etc.).
All these ToS have a similar structure: they recognize the Intellectual Property of users on their own content (e.g. copyright, patents, design, database sui generis protection, etc.), but at the same time they retain wide and free licence to re-use, modify or economically profit from such good.
In particular, Facebook affirms that the user “own[s] all of the content and information [he/she] post[s] on Facebook”. In addition, “for content that is covered by intellectual property rights, like photos and videos (IP content), the user specifically gives Facebook “a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that [he ore she] post[s] on or in connection with Facebook (IP License). This IP License ends when [the user] delete[s] his or her IP content or [his or her] account unless [his or her] content has been shared with others, and they have not deleted it”.
As regards Twitter, the ToS asserts that the user retains his or her right “to any Content [he or she] submit[s], post[s] or display[s] on or through the Services”. The ToS adds also that “by submitting, posting or displaying Content on or through the Services, [the user] grant[s] Twitter a worldwide, non-exclusive, royalty-free license (with the right to sublicense) to use, copy, reproduce, process, adapt, modify, publish, transmit, display and distribute such Content in any and all media or distribution methods (now known or later developed)”. The license at issue “includes the right for Twitter to provide, promote, and improve the Services and to make Content submitted to or through the Services available to other companies, organizations or individuals for the (…) distribution, promotion or publication of such Content”. Interestingly, the ToS specifies that “such additional uses by Twitter, or other companies, organizations or individuals, may be made with no compensation paid to [the user] with respect to the Content that [he or she] submit[s], post[s], transmit[s] or otherwise make[s] available through the Services”.
Second Life also acknowledges that the user retains all the Intellectual Property on the user provided content. Interestingly, also considering the breadth of possible uses and creations on that platform, the licence that Second Life retains on that content is particularly wide: an “unrestricted, unconditional, unlimited, worldwide, irrevocable, perpetual, and cost-free” license to use, distribute, and even “sell, re-sell or sublicense (through multiple levels)” the user provided content.
Finally, Instagram’s ToS is one of the most interesting examples. First of all it does not affirm IP rights of users explicitly, but it denies any ownership of Instagram on user provided content. Moreover, when it describes its licence to use or modify user provided content it adds that this licence is “totally paid”.  On Instagram the registration is free and users do not receive any monetary benefit when they share content, so the phrase “totally paid” seems to refer to non-monetary payment. In other words, according to Instagram’s Terms of Services, it seems that users and service providers perform a transaction in which users “pay” to Instagram for registration, while Instagram “pays” to users for having a licence on user generated content: these bilateral payments balance out into a zero-sum and so a “free” digital transaction reveals to be a (implicitly) non-free transaction. Such reference to non-monetary payment seems consistent with the provisions of the Proposed Directive on the supply of digital content that we will address below.
After this quick overview, we observe that if consumers want to use a given platform “for free”, they are obliged to grant a licence on their content to the service provider for free, while the service provider can also economically profit from that licence (“sell”, “re-sell”, “sublicence”). This non-monetary exchange described in the analysed ToS well recalls the “composite transaction” between data and content and so well represents the actual nature of user provided personal content as the main form of currency in the modern digital economy.
One of the most interesting “tools” in the EU legal system taking into user provided personal content is the proposed EU directive on “certain aspects concerning contracts for the supply of digital content”. Its Impact Assessment explicitly asserts that “the market for consumers’ data is growing fast and business models based on monetising data become predominant” . Accordingly, with regard to the provision of valuable online content for free, the scope of the proposed directive is restricted in Article 3(1) to any contract where the supplier provides digital content to the consumer or undertakes to do so and, in exchange, a price is to be paid or “the consumer actively provides counter-performance other than money in the form of personal data or any other data”.
Actually, the proposal of recognizing “actively provided data” as a form of non-monetary payment has several compatibility problems with the EU personal data protection framework, in particular if we consider the GDPR. Article 7(4) of the GDPR, when referring to the assessment of freedom of consent for the processing of personal data, states that “utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”. In other words, if a data subject is asked to give his/her consent for the processing of personal data (which is not necessary for the performance of that contract) in order to have access to a service or for the performance of a contract, it is highly probable that his/her consent is not “free”, and so it is not valid under the GDPR.
Accordingly, it has been argued that if individuals are asked to “pay by data” they would be required to consent to authorize access to and processing of personal data that is not necessary for the provision of that service. The consequential problem is that when users pay by their (personal or non personal) data they cannot withdraw their consent freely: given that personal data would be a “counter-performance other than money”, blocking that data processing would mean blocking the provision of that service. But, as also recital 42 of GDPR asserts, the withdrawal of consent must be “without detriment” to the data subject. It has therefore been affirmed that Article 3(1) of the Proposed Directive model might be incompatible with the GDPR.
Actually, Article 7(4) GDPR does not forbid non-monetary payments based on the exchange of personal data, it only affirms that the consent is not freely given if it is conditional to the processing of personal data that is not necessary for the performance of the contract at issue. Accordingly, if the data controller well declares that the contract at issue is based on the mutual exchange between digital content and user provided data, the consent of the data subject will be conditional to the processing of personal that is necessary for the performance of the contract at issue. Therefore, also according to the purpose limitation principle and the data minimization principle, if data controllers process personal data as a counter-performance other than money, they should clearly declare the nature of the contract at issue and so the purpose to the data subject.
User provided personal content has also a specific legal relevance under the GDPR. In particular Article 20 regulates the right to data portability: it applies only to “data concerning [the data subject], which he or she has provided to a controller”. It has been argued that the restriction to data that are only “provided” may be a safeguard to intellectual property of data controllers, in particular avoiding that the intellectual work of a digital service provider (data inferred about consumers, using complex algorithms) could be legally disclosed to competitor businesses for free. Interestingly, WP29 has recently asserted that the phrase “provided by” must be interpreted extensively, so to include “personal data that relate to the data subject activity or result from the observation of an individual’s behaviour but not subsequent analysis of that behaviour. By contrast, any personal data which have been generated by the data controller as part of the data processing, e.g. by a personalisation or recommendation process, by user categorisation or profiling are data which are derived or inferred from the personal data provided by the data subject, and are not covered by the right to data portability”.
Actually, also EDPS had recommended that in order to be effective, the right to data portability should have “a wide scope of application, and not only be applied to the processing operations that use data provided by the data subject”.
Taking into account all these reasons, “provided data” should mean all data which have not been processed through an intellectual activity of the controller, but including not only data explicitly disclosed in a written form (or similar) to the controller, but all data just “observed” by the controller (e.g., location data, fitness data, cookies generated data, etc.) without any further (intellectual, economic, scientific) effort from the controller (e.g. algorithmic results).
There is a growing market of personal information in the digital platform economy. A special category of information has been subject to this analysis: user provided data. Considering that these data are often both personal data and copyrighted content, a multilevel and inter-sectorial approach has been adopted in order to investigate about the definition borderlines, legal issues and opportunities of the management of this category of data. That is why the inclusive term “user provided personal content” has been preferred to more specific terms (user generated content, user provided personal data, etc.).
The monetization of personal content is a growing reality in several business models and poses numerous legal problems, such as the protection of consumers and the need for a harmonized approach across different legal frameworks (privacy, IPRs, e-commerce).
Interestingly, the practice of “licencing” user provided personal content is already a reality in the most common social networks’ Terms of Services (ToS), even though the existing ToS provides too wide (and free) licences to the advantage of service providers. Instagram’s ToS explicitly asserts that the licence is “totally paid”, maybe referring to the non-monetary nature of the exchange of personal data for content.
The proposed solution is a user-centric system based on full controllership and awareness of individuals on their own “personal content” management. Controllership should be based on two separate legal tools: fair licences over user-generated content and the right to withdraw and transfer such content from one platform to another, i.e. the full exercisability of the right to data portability (eventually combined with the right to erasure). Awareness should be based on clear information about commercial purposes of that data processing, in order to respect freedom of consent and purpose limitation principle.
 Brendan Van Alsenoy, Joris Ballet, Aleksandra Kuczerawy & Jos Dumortier, ‘Social Networks and Web 2.0: Are Users also Bound by Data Protection Regulations?’ (2009), Identity in the Information Society, Volume 2, Issue 1, pp. 65–79.
 See, Gianclaudio Malgieri, Bart Custers, ‘Pricing Privacy: the right to know the value of your personal data’ (2017), Computer and Security Law Review, forthcoming, 2017. See also Bilyana Petkova and Philipp Hacker, ‘Reining in the Big Promise of Big Data: Transparency, Inequality, and New Regulatory Frontiers’ (2016), Lecturer and Other Affiliate Scholarship Series. Paper 13.
 See Proposed Directive on the Supply of Digital Content, recital 14.
 European Commission, Impact Assessment Accompanying the proposed Directive on certain aspects concerning contracts for the supply of digital content, COM/2015/0634 final .
 See also < http://europa.eu/rapid/press-release_IP-17-631_en.htm> (accessed 29 May 2017).
 “What’s yours is yours — you own your Content (and your photos and videos are part of the Content)”.
 A “non-exclusive, unrestricted, unconditional, unlimited, worldwide, irrevocable, perpetual, and cost-free right and license to use, copy, record, distribute, reproduce, disclose, modify, display, publicly perform, transmit, publish, broadcast, translate, make derivative works of, and sell, re-sell or sublicense (through multiple levels)(…), and otherwise exploit in any manner whatsoever, all or any portion of your User Content (and derivative works thereof), for any purpose whatsoever in all formats (…)”.
 Italics added.
 “Instagram does not claim any ownership rights in the text, files, images, photos, video, sounds, musical works, works of authorship, applications, or any other materials (collectively, “Content”) that you post on or through the Instagram Services”.
 See Gianclaudio Malgieri and Bart Custers, ‘Pricing Privacy: the right to know the value of your personal data’ (2017), Computer and Security Law Review, forthcoming, 2017, supra.
 COM/2015/0634 final.
 Impact Assessment Accompanying COM/2015/0634 final.
 See the definition of “consent” at Article 4, GDPR.
 See Gianclaudio Malgieri & Bart Custers, ‘Pricing Privacy’, supra.
 Article 5(1), GDPR.
 See B. Van Der Auwermeulen, ‘How to attribute the right to data portability in Europe: A comparative analysis of legislations’, Computer Law & Security Review 33 (2017), 57–72, p. 61.
 “Article 29 WP, Guidelines rev01, supra, pp. 10-11. See also Article 29 Working Party Issues Results of Fablab Workshop on the GDPR.
 EDPS recommendations on the EU’s options for data protection reform (2015/C 301/01).
 Art.29WP, Guidelines rev01, supra, p.10: “They may for example include a person’s search history, traffic data and location data. It may also include other raw data such as the heartbeat tracked by fitness or health trackers” and also “transaction history and access log” (see page 9, footnote 12).
 See recital 38 of the draft opinion on the proposed directive on copyright in the digital market, supra.
 See Gianclaudio Malgieri and Bart Custers, supra.