Enter the quagmire - the complicated relationship between data protection law and consumer protection law

This article examines the complex relationship between consumer protection law and data protection law, particularly within the EU's online environment, and highlights the problems that stem from this complexity. It suggests that, while there are significant similarities between their respective sources, tools and purposes, there are also arguable differences between consumer protection law and data protection law. One such arguable difference is found in that, while consumer protection law can be seen to merely set a floor in its pursuit of a sufficiently high level of consumer protection, data protection law - due to its clearly articulated dual purposes of (a) protecting individuals with regard to the processing of personal data and (b) providing for the free movement of such data - sets both a floor and a ceiling.Having discussed the relationship between consumer protection law and data protection law in more detail, the argument is made that it seems possible to conclude that the balance struck in the Data Protection Directive, and soon in the General Data Protection Regulation, places limitations on consumer protection law. The implications of this conclusion are then examined briefly in the context of some matters currently coming before the CJEU and the contours of a framework are presented, addressing situations where a data protection-based liability claim is pursued against a third-party non-controller under consumer protection law.