Privacy Rights and Data Security: GDPR and Personal Data Driven Markets

53 Pages Posted: 17 Jul 2020

T. Tony Ke

The Chinese University of Hong Kong (CUHK)

K. Sudhir

Yale School of Management; Yale University-Department of Economics; Yale University - Cowles Foundation

Date Written: July 5, 2020


The paper investigates how the two key features of GDPR (EU’s data protection regulation), privacy rights and data security, impact personal data driven markets. First, GDPR recognizes that individuals own and control their data in perpetuity, leading to three critical privacy rights: (i) right to explicit consent (data opt-in), (ii) right to be forgotten (data erasure), and (iii) right to portability (switch data to competitor). Second, GDPR has data security mandates for protection against privacy breaches through unauthorized access. The right to explicit opt-in allows goods exchange without data exchange. Erasure and portability rights discipline firms to provide ongoing value and reduce consumers’ holdup using their own data. Overall, privacy rights restrict legal collection and use, while data security protects against illegal access and use. We develop a two-period model of forward-looking firms and consumers where consumers exercise data privacy rights, balancing the costs (privacy breach, price discrimination) and benefits (product personalization, price subsidies) of sharing data with firms. We find that by reducing expected privacy breach costs, data security mandates increase opt-in, consumer surplus and firm profit. Privacy rights reduce opt-in and mostly increase consumer surplus at the expense of firm profits; interestingly, they hurt firms more in competitive than in monopolistic markets. While privacy rights can reduce surplus for both firms and consumers, these conditions are unlikely to be realized when breach risk is endogenized. Further, by unbundling data exchange from goods exchange, privacy rights facilitate trade in goods that may otherwise fail to occur due to privacy breach risk.

Keywords: GDPR, privacy, data security, personalization, price discrimination, digital marketing

Suggested Citation

Ke, Tony and Sudhir, K., Privacy Rights and Data Security: GDPR and Personal Data Driven Markets (July 5, 2020). Available at SSRN: or

Tony Ke (Contact Author)

The Chinese University of Hong Kong (CUHK)

Shatin, N.T.
Hong Kong
Hong Kong

K. Sudhir

Yale School of Management

135 Prospect Street
P.O. Box 208200
New Haven, CT 06520-8200
United States
203-432-3289 (Phone)
203-432-3003 (Fax)

Yale University-Department of Economics

28 Hillhouse Ave
New Haven, CT 06520-8268
United States

Yale University - Cowles Foundation

Box 208281
New Haven, CT 06520-8281
United States
