Privacy Rights and Data Security: GDPR and Personal Data Driven Markets

The paper investigates how the two key features of GDPR (EU’s data protection regulation)— privacy rights and data security—impact personal data driven markets. First, GDPR recognizes that individuals own and control their data in perpetuity, leading to three critical privacy rights: (i) right to explicit consent (data opt-in), (ii) right to be forgotten (data erasure), and (iii) right to portability (switch data to competitor). Second, GDPR has data security mandates protection against privacy breaches through unauthorized access. The right to explicit opt-in allows goods exchange without data exchange. Erasure and portability rights discipline firms to provide ongoing value and reduces consumers’ holdup using their own data. Overall, privacy rights restrict legal collection and use, while data security protects against illegal access and use. We develop a two- period model of forward-looking firms and consumers where consumers exercise data privacy rights balancing the cost (privacy breach, price discrimination) and benefits (product personalization, price subsidies) of sharing data with firms. We find that by reducing expected privacy breach costs, data security mandates increase opt-in, consumer surplus and firm profit. Privacy rights reduce opt-in and mostly increase consumer surplus at the expense of firm profits; interestingly they hurt firms more in competitive than in monopolistic markets. While privacy rights can reduce surplus for both firms and consumers, these conditions are unlikely to be realized when breach risk is endogenized. Further, by unbundling data exchange from goods exchange, privacy rights facilitate trade in goods that may otherwise fail to occur due to privacy breach risk.