Privacy Rights and Data Security: GDPR and Personal Data Markets
68 Pages Posted: 17 Jul 2020 Last revised: 15 Sep 2022
Date Written: July 5, 2020
Abstract
GDPR--EU's data protection regulation--has two key principles. It recognizes that individuals own and control their personal (but not contractual) data in perpetuity, leading to three critical privacy rights, i.e., right to (i) explicit consent (data opt-in), (ii) be forgotten (data erasure), and (iii) portability (data transfer). It also includes data security mandates against privacy breaches through unauthorized access. We study GDPR's equilibrium impact by including these features in a dynamic two-period model of forward-looking firms and consumers. Firms collect consumer data for personalization and price discrimination. Consumers trade off gains from personalization relative to potential losses from privacy breaches and price discrimination in their purchase, data opt-in, erasure and transfer decisions. Though data security mandates impose fines on firms for privacy breaches, firms can benefit from higher opt-in given lower breach risk. Surprisingly, data security mandates can hurt consumers. The effect of privacy rights is nuanced. Since the right to opt-in separates goods exchange from provision of personal data, it prevents market failure under high breach risk. But it also reduces consumer opt-in and personal data availability. Erasure and portability rights reduce consumers' hold-up concerns by disciplining firms to provide ongoing value by limiting price discrimination and not slacking off on data security; but they also reduce the incentive to offer lower initial prices that encourages opt-in. Overall, privacy rights always benefit consumers in competitive markets, but can surprisingly hurt consumers under monopoly as monopolists have less incentives to subsidize consumer opt-in. They raise (reduce) firm profit and social welfare when breach risk is high (low). Finally, privacy rights increase firm profit most at moderate levels of data transferability.
Keywords: GDPR, privacy, data security, personalization, price discrimination, digital marketing
Suggested Citation: Suggested Citation