Privacy Rights and Data Security: GDPR and Personal Data Markets

68 pages. Posted: 17 Jul 2020. Last revised: 15 Sep 2022.

T. Tony Ke

The Chinese University of Hong Kong (CUHK)

K. Sudhir

Yale School of Management; Yale University-Department of Economics; Yale University - Cowles Foundation

Date Written: July 5, 2020


GDPR, the EU's data protection regulation, has two key principles. It recognizes that individuals own and control their personal (but not contractual) data in perpetuity, leading to three critical privacy rights, i.e., right to (i) explicit consent (data opt-in), (ii) be forgotten (data erasure), and (iii) portability (data transfer). It also includes data security mandates against privacy breaches through unauthorized access. We study GDPR's equilibrium impact by including these features in a dynamic two-period model of forward-looking firms and consumers. Firms collect consumer data for personalization and price discrimination. Consumers trade off gains from personalization relative to potential losses from privacy breaches and price discrimination in their purchase, data opt-in, erasure and transfer decisions. Though data security mandates impose fines on firms for privacy breaches, firms can benefit from higher opt-in given lower breach risk. Surprisingly, data security mandates can hurt consumers. The effect of privacy rights is nuanced. Since the right to opt-in separates goods exchange from provision of personal data, it prevents market failure under high breach risk. But it also reduces consumer opt-in and personal data availability. Erasure and portability rights reduce consumers' hold-up concerns by disciplining firms to provide ongoing value by limiting price discrimination and not slacking off on data security; but they also reduce the incentive to offer lower initial prices that encourage opt-in. Overall, privacy rights always benefit consumers in competitive markets, but can surprisingly hurt consumers under monopoly as monopolists have less incentive to subsidize consumer opt-in. They raise (reduce) firm profit and social welfare when breach risk is high (low). Finally, privacy rights increase firm profit most at moderate levels of data transferability.

Keywords: GDPR, privacy, data security, personalization, price discrimination, digital marketing

Suggested Citation

Ke, Tony and Sudhir, K., Privacy Rights and Data Security: GDPR and Personal Data Markets (July 5, 2020). Available at SSRN: or

Tony Ke (Contact Author)

