The Vulnerable Data Subject: A Gendered Data Subject?
23 Pages Posted: 27 Sep 2021
Date Written: August 27, 2021
Abstract
Vulnerability is an emerging topic in many different fields, but in data protection and privacy the discussion has rarely engaged with gender studies. This paper investigates the notion of the ‘vulnerable data subject’ from a gender perspective, to question whether gender should be regarded as factor of vulnerability at all, and, if yes, how. In addition, what do these reflections tell us about the (gendered or un-gendered) notion of ‘standard data subject’? In the EU data protection law (GDPR), even though the term ‘vulnerable data subject’ is only incidentally mentioned and referring explicitly just to children, several Data Protection Authorities (e.g., in Spain and Poland) have considered “being female” as a potential source of data subject’s vulnerability (e.g., in case of consumers victims of sex-related crimes). The US privacy tort - as originally conceived - was built off gendered notions of female modesty, suggesting women were vulnerable, and thus connecting women’s privacy claims to the ‘wrong kind of privacy’. Looking at the history and foundations of privacy and data protection law, surface questions such as whether the ‘average data subject’ in privacy and data protection legislation is, by default, a man, and, whether women might have to be regarded as vulnerable data subjects just because they are women. This article then look into law and economics analysis of consumers’ behaviour, but also political philosophy and, in particular, gender studies, where we can observe a real intellectual polarisation: on the one hand the vulnerability universalist approach, according to which every human is vulnerable, otherwise vulnerability would be a stigmatizing label; on the other hand the particularistic approach, according to which some subjects are more vulnerable than others (in particular, women are more vulnerable - i.e., subject to adverse effects - than men in many contexts: workplace, education, etc.). A third way might be the "layered" theory of Luna, based on a contextual and relational (even situational) nature of vulnerability. This solution is compatible with the layered risk-based approach in the GDPR, but also with the intersectional approach in gender studies. This “third way” might be also a cautious solution to the ambiguous and inconsistent focus on vulnerability both in the European Commission documents and proposed legislation (e.g., the EU Regulation AI) and in the EU data protection practice (considering, e.g., the ineffective protection of children).
Keywords: Vulnerability; Gender studies; Data protection; GDPR; Vulnerable data subjects; Gendered data subjects
Suggested Citation: Suggested Citation