Privacy Rights and Data Security: GDPR and Personal Data Driven Markets

General Data Protection Regulation (GDPR)—the European Union’s data protection regulation—has two key principles. It recognizes that individuals own and control their personal (but not contractual) data in perpetuity, leading to three critical privacy rights, namely, the rights to (i) explicit consent (data opt-in), (ii) to be forgotten (data erasure), and (iii) portability (data transfer). It also includes data security mandates against privacy breaches through unauthorized access. We study GDPR’s equilibrium impact by including these features in a dynamic two-period model of forward-looking firms and consumers. Firms collect consumer data for personalization and price discrimination. Consumers trade off gains from personalization relative to potential losses from privacy breaches and price discrimination in their purchase, data opt-in, erasure, and transfer decisions. Though data security mandates impose fines on firms for privacy breaches, firms can benefit from higher opt-in given lower breach risk. Surprisingly, data security mandates can hurt consumers. The effect of privacy rights is nuanced. Since the right to opt in separates goods exchange from the provision of personal data, it prevents market failure under high breach risk. But it also reduces consumer opt-in and personal data availability. Erasure and portability rights reduce consumers’ hold-up concerns by disciplining firms to provide ongoing value by limiting price discrimination and not slacking off on data security; but they also reduce the incentive to offer lower initial prices that encourages opt-in. Overall, privacy rights always benefit consumers in competitive markets, but they can surprisingly hurt consumers under monopoly, as monopolists have less incentives to subsidize consumer opt-in. They raise (reduce) firm profit and social welfare when breach risk is high (low). Finally, privacy rights increase firm profit most at moderate levels of data transferability. This paper was accepted by Dmitri Kuksov, marketing. Funding: T. T. Ke acknowledges financial support from the General Research Fund of the Hong Kong Research Grants Council [Grant 14500421]. Supplemental Material: The e-companion is available at https://doi.org/10.1287/mnsc.2022.4614 .

In this paper we try to bridge the gap between the outcome ambitions of competition policy in terms of welfare gains and consumer surplus and the longer term effects of competition policy on growth and employment. First of all, an overview is given of the different definitions of welfare. We explain why maximising the consumer surplus is an important part of the mission statement for most competition authorities. In the second part of the paper we estimate the impact of the introduction of the competition law on economic development. The effects of antitrust policies, merger control and energy regulation on the consumer surplus appear substantial. This increase in consumer surplus can be interpreted as a cut in the “market power wedge” which, from a modelling point of view, is comparable to a cut in the tax wedge. A model simulation for the Netherlands shows that the economy responded positively to this increase in the consumer surplus. We find that production has grown by an extra 0.5% and that employment has increased by 0.4% as a result of the enforcement of the Competition Law.

With the EU’s trailblazing new data protection regulation (GDPR) coming into force in late 2018, the importance of data protection and privacy law has been amplified across the globe. Under the EU’s old data protection directive, however, a number of precedents, including the ‘right to be forgotten,’ will likely be impacted by the new regulation. While the European Court of Justice’s interpretation of this right under the old directive is particularly worrisome, the GDPR could facilitate the continuance of the right as it currently exists or alternatively, serve to narrow it. This article will demonstrate that while there is indeed a strong argument in favor of recognizing a legal ‘right to be forgotten,’ there is also a danger in striking an imbalance between an individual’s right to privacy on one hand, and the public’s right to information and freedom of expression on the other. While it is likely that the judgment will remain highly persuasive under the new GDPR, this paper will also examine additional protections built into the Regulation, as well as other practical limitations that could assist in keeping the right to be forgotten ‘in check’ moving forward.

This article explores the diversity of privacy and security in the context of social media platforms. As society increasingly relies on these platforms for communication, networking and information sharing, the risks associated with privacy breaches and data security holes have become more prominent. This study draws on the extensive existing literature and examines various dimensions of privacy violation, including data collection, surveillance practices, and algorithmic manipulation. In addition, it examines the shortcomings of current regulatory frameworks and industry practices to protect user privacy and ensure data security.Using case studies and empirical analysis, the article explores the real impact of privacy breaches and data security breaches on individuals, organizations and society as a whole. Finally, it proposes a comprehensive approach to address these issues and emphasizes the need for improved user education, technical innovation and regulatory measures to promote a safer and more private online environment. Keywords:Data Breach,Privacy Concerns,Cyber Security,Transparency,Privacy Violations

This submission by the Australian Privacy Foundation (APF) to the Australian Law Reform Commission (ALRC) strongly endorses establishment in national legislation in Australia of a cause of action for serious invasion of an individual’s privacy. It is appropriate to describe the action as an action in tort, or a ‘privacy tort’. The Australian Privacy Foundation (APF) is Australia's leading privacy advocacy organisation. This submission is in response to the proposals in ALRC Discussion Paper 80: Serious Invasions of Privacy. Key submissions made by the APF are as follows: (i) The most effective structure of a cause of action is that which is consistent with an intentional tort; consisting of elements that a plaintiff must satisfy with countervailing defences available to any putative defendant. There should be no requirement for the court to undertake a balancing exercise as an essential element in determining whether the plaintiff can, on his or her own case, succeed or not. (ii) The cause of action for a ‘serious invasion of privacy’ should additionally be described as an ‘interference with privacy’ for the purposes of the Privacy Act 1988 (Cth). (iii) The focus of the tort should be upon the intrusion into a plaintiff’s seclusion or private affairs (including by unlawful surveillance) and/or the misuse or disclosure of private information about the plaintiff. (iv) There is no sound legal or policy basis for limiting the scope of the action to either intentional or reckless acts rather than incorporating negligent acts. (v) There is potential for an undesirable downward ratchet effect in the concept of “reasonable expectations”: the lack of a practical remedy enables continuation of an intrusive practice without restraint, which practice reduces the level of protection that would be “reasonably expected”, which in turn reduces the scope of the tort over time. (vi) The fourth proposed element of the tort, that it is only available where the invasion of privacy is 'serious', is both unnecessary and arbitrary. (vii) There is little utility in incorporating a balancing exercise of the plaintiff’s privacy interest against freedom of expression or other broader public interest, the fifth element of the proposed cause of action. (viii) Federal, State and Territory courts should have jurisdiction to hear a serious invasion of privacy action. However, there are very strong reasons for providing the option to complainants/plaintiffs to take a ‘serious invasion of privacy’ complaint to the Privacy Commissioner. A new sub-section 13(6) should be added to the Privacy Act 1988 (Cth): ‘(6) A serious invasion of privacy under the [title of new Commonwealth Act] is an interference with the privacy of an individual,’ together with such limited consequential changes (if any) as are necessary to make the Privacy Act consistent with the new statutory action and the [title of new Commonwealth Act]. (ix) There may be a case for clarifying the law of breach of confidence even if a statutory tort were to be introduced, but some of the ALRC’s proposals are not justifiable. (x) While it is important to remove inconsistencies and promote uniformity in the the current State and Territory surveillance device and workplace surveillance laws, this must not be at the expense of reducing the level of protection of Australians against unjustified surveillance. Proposed uniform laws should apply to all existing and emerging technologies that are capable of monitoring and recording the activities of people and their data. Surveillance device laws should incorporate a mechanism for awarding compensation, or other forms of relief, to victims of unauthorised surveillance. (xi) The public interest activities of responsible journalists in investigating and reporting on matters of public interest, such as uncovering corruption, do not require a broad or vague exception for journalists. (xii) The ALRC proposal is desirable that a new APP (Australian Privacy Principle) be inserted into the Privacy Act to require an APP entity to provide a simple mechanism for an individual to request the destruction or de-identification of personal information that was provided to an APP entity by the individual. A regulator should be so empowered, preferably the Privacy Commissioner with a right of appeal to the AAT (Administrative Appeals Tribunal). (xiii) The definition of “personal information” in the Privacy Act 1988 (Cth) should be amended so as to confirm that the information will remain personal information, despite any steps to anonymise it, if there is any significant possibility that it may be re-identified in future.

Recommender systems have been introduced to help consumers navigate large sets of alternatives. They usually lead to more sales, which may increase consumer surplus and firm profit. In this paper, we ask whether the firms’ choice of recommender system might hurt consumers. We use data from a large-scale field experiment in video-on-demand to measure the price elasticity of demand for movies placed in salient and non-salient slots on the TV screen. During this experiment, the firm randomized the prices and slots in which movies were recommended to consumers. This setting readily allows for identifying the effects of price and slot on demand, and thus computes consumer surplus. We find that consumers are less price-elastic toward movies placed in salient slots. Using the outcomes of this experiment, we simulate how consumer surplus and welfare change when the firm implements several types of recommender systems, namely one that maximizes profit. We show that this system hurts consumer surplus and welfare relative to a system that maximizes welfare. We also show that, in our setting, the system that maximizes profit does not generate less consumer surplus than several recommender systems frequently used in practice. Yet, the amount of extra rent the firm can extract from strategically placing movies in salient slots is still a function of the popularity and quality of movies used to do so. Ultimately, our results question whether recommender systems embed mechanisms that extract excessive surplus from consumers, which may call for better scrutiny.

Rural consumers may face not only the challenge of affordability but also the problem of limited accessibility. Can a government’s subsidy program effectively address these issues? This paper examines the impact of a large-scale subsidy program, “Household Electrical Appliances Going to the Countryside,” offered by the Chinese government. The government regulation imposes price subsidy combined with price ceiling on products in the program. We consider two effects of the subsidy: lowering the retail price to make the product more affordable to consumers and encouraging manufacturers to expand their distribution coverage to make products more accessible to consumers. We build a dynamic model of oligopoly to study how firms adjust their distribution coverage. Conditional on the model estimates, we evaluate the program’s effects on social welfare, consumer surplus, and firms’ market performance and marketing channel decisions through counterfactual analyses. We find that the subsidy program increases social welfare by CNY¥ 0.209 billion, as a result of a subsidy expense of CNY¥ 0.236 billion. When breaking down the impact, we find it increases consumer surplus by CNY¥ 0.184 billion (50%), manufacturers’ profits by CNY¥ 0.125 billion (53%) and manufacturers’ payoff by CNY¥ 2.5 million (17%). Specifically, 14% (13.2%) of the consumer surplus (firm profit) increase are from changes in distribution coverage, and the rest is from the subsidy (price changes). The program’s return of investment (i.e., social welfare minus subsidy expense), which is negative, however, could be improved by applying a relatively lower subsidy rate.

Rural consumers may face not only the challenge of affordability but also the problem of limited accessibility. Can a government’s subsidy program effectively address these issues? This paper examines the impact of a large-scale subsidy program, “Household electrical appliances going to the countryside,” offered by the Chinese government. The government regulation imposes a price subsidy combined with a price ceiling on products in the program. We consider two effects of the subsidy: the retail price is lowered to make the product more affordable to consumers, and manufacturers are encouraged to expand their distribution coverage to make products more accessible to consumers. We build a dynamic model of oligopoly to study how firms adjust their distribution coverage. Conditional on the model estimates, we evaluate the program’s effects on social welfare, consumer surplus, and firms’ market performance and marketing channel decisions through counterfactual analyses. We find that the subsidy program increases social welfare by CNY 0.209 billion, as a result of a subsidy expense of CNY 0.236 billion. When breaking down the impact, we find it increases consumer surplus by CNY 0.184 billion (50%), manufacturers’ profits by CNY 0.125 billion (53%), and manufacturers’ payoffs by CNY 2.5 million (17%). Specifically, 14% (13.2%) of the consumer surplus (firm profit) increases are from changes in distribution coverage, and the rest is from the subsidy (price changes). The program’s return of investment (i.e., social welfare minus subsidy expense), which is negative, however, could be improved by applying a relatively lower subsidy rate. This paper was accepted by Juanjuan Zhang, marketing.

Among the key issues that big data (BD) projects will have to address are privacy and security. This chapter analyses the privacy, data protection and security issues associated with BD and discusses some key challenges associated with such issues in developing countries. A key focus is also on agriculture- and health care-related data. This chapter also promotes an understanding of the institutionalization of data privacy and security issues in developing countries. It gives special consideration to institutions at various levels that can influence cybersecurity and privacy issues in developing countries. This chapter also delves into the variation in institutionalization of cybersecurity and privacy issues across developing countries and different groups of people.

In the first edition of his famous treatise Reine Rechtslehre, Einleitung in die Rechtswissenschaftliche Problematik (translated as Introduction to the Problems of Legal Theory), Hans Kelsen makes the claim that the existing liberal, property rights-based private law of his era is a ‘democratic form of law’ and that private law rights are ‘political in the same sense as those rights that are usually characterized as political rights.’ In this article, I aim to explain how Kelsen developed his theory of private law and private rights within the theoretical and methodological framework of the ‘Pure Theory of Law’ and its philosophical underpinnings of relativism and ‘value neutrality,’ culminating in the connection between private law and democracy. I wish to highlight, in particular, the still often underappreciated fact that the Pure Theory saw itself as a critical project, aimed at exposing and exorcizing ‘ideology.’ To Kelsen’s contemporary audiences, drawing a connection between ‘capitalist’ private law and democracy must have appeared particularly counter-intuitive against the backdrop of one of the most important – if now almost forgotten – political debates of the Weimar era, the debate on ‘economic democracy’ (‘Wirtschaftsdemokratie’). It was a powerful trope in the inter-war period that the capitalist economy and its institutional safeguards – private, labour, commercial, and corporate law – were ‘undemocratic.’ I submit that Kelsen’s statement – flipping the contemporaneous revisionist-socialist rhetoric on its head – may be better understood in the larger context of the precarity of democracy in the Weimar period and especially in the context of a theoretical and political challenge that contrasted the existing ‘bourgeois’ parliamentary democracy with a ‘true,’ ‘social’ democracy that would realize conditions of social and economic justice. By connecting ‘capitalistic’ law with ‘democracy’ and ‘socialistic’ law with ‘autocracy,’ Kelsen once more underscores that democracy, properly understood as a formal principle, is irreducible to substantive justice.

In the early years of the twentieth century, Kansas was among the states that took the lead in recognizing a common law right of privacy. Since then, the Kansas courts have generally followed the Restatement (Second) of Torts in defining and recognizing actionable invasion of privacy claims. With limited exceptions, however, the Kansas Legislature has been slow to recognize or even limit the right of privacy by statutory enactment. And both the Kansas and federal courts have repeatedly recognized a variety of absolute and qualified defenses to Kansas common law privacy claims. The result is a well-established common law right of privacy, but with several traps for the unwary. What was a remarkably progressive approach in 1918 to the right of privacy has since evolved to become a relatively constrained set of privacy rights compared to the statutory and common law rights of privacy recognized by a majority of other states. In recent years the Kansas Legislature has enacted comprehensive criminal statutes prohibiting identity fraud, identity theft, breach of privacy, computer crime, and other privacy invasions. However, very few Kansas criminal statutes allow a victim of these crimes to pursue a private cause of action against the perpetrator. Moreover, the Kansas courts have been reluctant to recognize common law privacy claims on the basis of criminal statutes that do not explicitly authorize private causes of action. With respect to civil claims for invasion of privacy, the Kansas courts have been slow to recognize the significant implications associated with the rapidly developing computer and internet technology for the dissemination of private personal information.Part I of this article briefly addresses the history of the common law right of privacy in the United States. Part II discusses the evolution of the Kansas right of privacy, beginning with Kunz v. Allen, 172 P. 532 (Kan. 1918), the leading Kansas case. Part III addresses each of the four common law privacy claims as they have evolved in Kansas, together with the specific defenses the courts have recognized with respect to each variation. Part IV addresses available remedies and proof of damages. Part V addresses Kansas statutory enactments that may implicate the Kansas right of privacy. Part VI identifies unresolved issues, including some that other states have struggled to resolve but that Kansas courts have yet to address. Part VII concludes by urging Kansas courts and lawmakers to address the significant gaps and unresolved issues in Kansas privacy law.

Consumer Data Collection Strategies in Two-Sided Platforms: The Role of Data Ownership Assignment and Privacy Concerns

Introduction to the Special Issue: The Right to the Protection of One's Own Image in Ibero-America and Its Relevance for the Right of Publicity in Common Law Countries

Competitive implications of personalized pricing with a dominant retailer

The rapid growth of digitization in the present era leads to an exponential increase of information which demands the need of a Big Data paradigm. Big Data denotes complex, unstructured, massive, heterogeneous type data. The Big Data is essential to the success in many applications; however, it has a major setback regarding security and privacy issues. These issues arise because the Big Data is scattered over a distributed system by various users. The security of Big Data relates to all the solutions and measures to prevent the data from threats and malicious activities. Privacy prevails when it comes to processing personal data, while security means protecting information assets from unauthorized access. The existence of cloud computing and cloud data storage have been predecessor and conciliator of emergence of Big Data computing. This article highlights open issues related to traditional techniques of Big Data privacy and security. Moreover, it also illustrates a comprehensive overview of possible security techniques and future directions addressing Big Data privacy and security issues.