How Uninformed is the Average Data Subject? A Quest for Benchmarks in EU Personal Data Protection

Information obligations have always been crucial in personal data protection law. Reinforcing these obligations is one of the priorities of the legislative package introduced in 2012 by the European Commission to redefine the personal data protection legal landscape of the European Union (EU). Those responsible for processing personal data (the data controllers) must imperatively convey certain pieces of information to those whose data is processed (the data subjects), and they are expected to do so in an increasingly transparent manner. Beyond these punctual information requirements, however, data subjects appear to always be and inevitably remain in a state of relative ignorance, as in almost constant need of further guidance. Data subjects are nowadays often depicted as unknowing consumers of online services, services which surreptitiously take away from them personal data thus conceived as a valuable asset. In light of these developments, this contribution critically investigates how EU law is envisaging data subjects in terms of knowledge. The paper reviews the birth and evolution of information obligations as an element of European personal data protection law, and asks whether thinking of data subjects as consumers is consistent with the notion of average consumer functioning in EU consumer law. Finally, it argues that the time might have come to openly clarify when data subjects are unlawfully misinformed, and that, in the meantime, individuals might benefit not only from accessing more transparent information, but also from being made more aware of the limitations of the information available to them.