ElectronicjournalofcomparatiVeLa,vol.8.3(october2004),<http://www.ejcl.org/> consumer protection and intellectual property rights, and thus has put in place mandatory program protection Directive, e.g., stipulates thatany contractual provisions contrary to w provisions to limit the parties'freedom of contract. Article 9(1)of the European comput Article 6 or to the exceptions provided for in Article 5(2 )and (3)shall be null and void.A glance at the European Directive on personal data protection reveals that it does not contain provisions or indications as to the imperative character of the provisions. 2 In contrast with other EU frameworks, the Directive is silent on the mandatory character of its provisions, nor does it indicate that the level of personal data protection established is of a mandatory nature Given that in practice individuals are often weaker parties'-due to the fact that they rarely possess the sufficient information or the resources to control the use of their personal data and thus their control as a bargaining tool in exchange for certain privileges-it is somewhat surprising that the european lawmakers did not intervene in contractual relationships on the processing of personal data. Nevertheless, given that the Directive is silent on the mandatory character of the Directive's level of protection, the logical conclusion must be that individuals are free to regulate by contract the collection, use, distribution and further processing of their personal data. Hence, contrary to what might be expected the European Directive allows parties to commercially exploit their personal data without any interference from the european data protection regime The conclusion that freedom of contract prevails in the area of personal data protection does not, of course, mean that the contracting parties may freely determine their relationship. Clearly, the principle of freedom of contract does not allow parties to reach a result that is most unfavourable to a weaker party. When parties contract on the processing of personal data, their relationship is affected by general principles of law(e.g. to protect weaker parties to a contract)on the basis of which a number of measures have been established to redesign the balance of power between contracting parties. Most systems of continental European law contain a vast array of legal rules that limit the stronger party's freedom of contract. It is clear that also in the sphere of personal data, these and other measures allow the courts to interpret, supplement or correct the inequalities of bargaining power between contracting partie The conclusion that the EU Directive clearly facilitates a contractual approach to protecting personal data may even be taken one step further, for it could be argued that utilitarian considerations weigh heavily under the European system. As will be known, the Directive has two aims: 1)to achieve a harmonized minimum level of personal data protection in the European Union and 2)to abolish existing barriers to the flow of per data between EU member states by allowing the free flow of personal data within the European Union. When subsequently considering the constituting principles of the Directive, one may note that in essence the regime has nothing to do with the trad itional human- rights- based perspective of control and respect for the private sphere. Instead, the Directive works Council Directive 91/250/EEC of 14 May 1991 on the legal protection of computer programs, O/1991 L122/42. Art. 8(2 Xa), however, provides that member states are allowed to prohibit the processing of sensitive data even when the data subject has consented to the use of these data See in detail on this C M.C. K. Cuijpers, Privacyrecht of privaatrecht? Een privaatrechtelijkalternatief voor de implementatie van de europese privacyrichtlijn(Den Haag: Sdu, 2004) 4Electronic Journal of Comparative Law, vol. 8.3 (October 2004), <http://www.ejcl.org/> 4 consumer protection and intellectual property rights, and thus has put in place mandatory provisions to limit the parties’ freedom of contract. Article 9(1) of the European computer program protection Directive, e.g., stipulates that ‘any contractual provisions contrary to Article 6 or to the exceptions provided for in Article 5(2) and (3) shall be null and void’.11 A glance at the European Directive on personal data protection reveals that it does not contain provisions or indications as to the imperative character of the provisions.12 In contrast with other EU frameworks, the Directive is silent on the mandatory character of its provisions, nor does it indicate that the level of personal data protection established is of a mandatory nature. Given that in practice individuals are often ‘weaker parties’ - due to the fact that they rarely possess the sufficient information or the resources to control the use of their personal data and thus their control as a bargaining tool in exchange for certain privileges - it is somewhat surprising that the European lawmakers did not intervene in contractual relationships on the processing of personal data. Nevertheless, given that the Directive is silent on the mandatory character of the Directive’s level of protection, the logical conclusion must be that individuals are free to regulate by contract the collection, use, distribution and further processing of their personal data.13 Hence, contrary to what might be expected the European Directive allows parties to commercially exploit their personal data without any interference from the European data protection regime. The conclusion that freedom of contract prevails in the area of personal data protection does not, of course, mean that the contracting parties may freely determine their relationship. Clearly, the principle of freedom of contract does not allow parties to reach a result that is most unfavourable to a weaker party. When parties contract on the processing of personal data, their relationship is affected by general principles of law (e.g. to protect weaker parties to a contract) on the basis of which a number of measures have been established to redesign the balance of power between contracting parties. Most systems of continental European law contain a vast array of legal rules that limit the stronger party’s freedom of contract. It is clear that also in the sphere of personal data, these and other measures allow the courts to interpret, supplement or correct the inequalities of bargaining power between contracting parties. The conclusion that the EU Directive clearly facilitates a contractual approach to protecting personal data may even be taken one step further, for it could be argued that utilitarian considerations weigh heavily under the European system. As will be known, the Directive has two aims: 1) to achieve a harmonized minimum level of personal data protection in the European Union and 2) to abolish existing barriers to the flow of personal data between EU member states by allowing the free flow of personal data within the European Union. When subsequently considering the constituting principles of the Directive, one may note that in essence the regime has nothing to do with the traditional human-rights￾based perspective of control and respect for the private sphere. Instead, the Directive works 11 Council Directive 91/250/EEC of 14 May 1991 on the legal protection of computer programs, OJ 1991 L122/42. 12 Art. 8(2)(a), however, provides that member states are allowed to prohibit the processing of sensitive data even when the data subject has consented to the use of these data. 13 See in detail on this C.M.C.K. Cuijpers, Privacyrecht of privaatrecht? Een privaatrechtelijk alternatief voor de implementatie van de Europese privacyrichtlijn (Den Haag: Sdu, 2004)