Contracting Around Privacy: The (Behavioral) Law and Economics of Consent and Big Data

Author: Yoan Hermstrüwer
Position: Senior Research Fellow at the Max Planck Institute for Research on Collective Goods in Bonn, Germany

Keywords: Consent; monetizing personal data; big data; EU privacy law; EU-GDPR; behavioral law and economics;
game theory; nudging, libertarian paternalism; constitutional law
Abstract: European privacy law rests on the implicit assumption that consent to the processing of personal data and the analysis of Big Data is a purely individual choice. Accordingly, privacy lawyers mainly focus on how to empower users to make free and informed choices, for instance through debiasing and nudging. However, a game theoretical analysis suggests that strategic considerations may be a driving force of consent under certain conditions. In environments relying on the use of Big Data, consent is likely to impose negative privacy externalities on other users and constrain their freedom of choice. By contrast, a behavioral economic analysis suggests that users are subject to bounded rationality and bounded willpower. While nudges, like default options, can enable users to make protective privacy choices in some cases, correcting cognitive deficits might facilitate market failures and accelerate the erosion of privacy in other cases. This counterintuitive conclusion shows that legal rules on consent and privacy contracts should be grounded on an assumption of ‘mixed rationalities’, i.e. on insights from both standard economics and behavioral economics. Hence, a sharper distinction between ‘paternalistic nudging’ and ‘non-paternalistic soft regulation’ to counter market failures is warranted.

A. Introduction
Personal data has become one of the most important currencies in digital economies.1 This currency seems to be inherently inclusive and egalitarian, since there is no need to be wealthy in order to pay with data. Digital services like Facebook, Google, Instagram or Snapchat, largely rely on this pay-with-data business model and the use of Big Data. However, monetizing personal data might well give rise to a society where, overall, publicity trumps privacy. On both sides of the Atlantic, the debate about what legislators should do to cope with the tendency to contract around privacy and the continuous erosion of privacy has just begun.

1 This article draws on Hermstrüwer, Informationelle Selbstgefährdung (2016).

One of the biggest problems is that privacy law does not really dovetail with the concept of contract and the idea of personal data as money.2 While there is a growing consensus that privacy can be waived and even monetized, it is less clear under which conditions such a ‘contract around privacy’ shall be considered valid. In the draft of a Directive on certain aspects concerning contracts for the supply of digital content, the European Commission has proposed a new legal regime for contracts “where the supplier supplies digital content to the consumer or undertakes to do so and, in exchange, a price is to be paid or the consumer actively provides counter-performance other than money in the form of personal data or any other data”.3 The EU General Data Protection Regulation (EU-GDPR), which was recently adopted as a substitute for the EU Data Protection Directive, relies on consent as the prime mechanism to ‘pay’ with personal data.4 According to Art. 4 § 11 EU-GDPR, consent “means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. How can privacy law enable people to make such an autonomous choice?

2 Ben-Shahar/Strahilevitz, Contracting over Privacy: Introduction, Journal of Legal Studies 45 (2016), S1 (S5-S10); Hermstrüwer, Informationelle Selbstgefährdung (2016).

The academic and political struggle over appropriate tools to empower people to protect or waive their privacy has been fought from two different angles: the traditional data protection approach and the market-oriented approach. The data protection approach is firmly anchored in the tradition of public law doctrine and claims that stricter government interventions to protect privacy are needed.5 The market-oriented approach basically claims that the market will yield an optimal level of privacy, be it through competition, self-regulation, or learning and evolutionary forces.6

In this article, I argue that to a certain extent both approaches go astray. As it seems, neither policymakers nor legislators have sufficiently taken account of the cognitive and motivational forces driving privacy choices. The result of this reluctance to take account of economics and psychology is a mismatch between the regulatory problem and the legal tools introduced to solve it. Consequently, the literature regarding the role that the behavioral sciences could play in the design and implementation of EU privacy law remains rather scarce.7 To understand the regulatory problem associated with contracts involving consent to the disclosure of personal information, I argue that it is crucial to understand the behavioral and social forces that push people to disclose personal information in the first place. A cautionary note is warranted, however; the objective of my analysis is not to identify the criteria for optimal contract design, nor to develop a full-fledged doctrinal framework for consent and Big Data embedded in behavioral law and economics. Rather, my objective is to identify some of the ‘sweet spots’ where the law could step in to regulate privacy choices and consent, given certain more or less specific objectives that EU privacy law aims to

3 Art. 3 § 1 of the Directive of the European Parliament and of the Council on certain aspects concerning contracts for the supply of digital content [Brussels, 9.12.2015, COM(2015) 634

4 Regulation EU 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

5 Solove, Privacy Self-Management and the Consent Dilemma, Harvard Law Review 126 (2013), 1880; Weichert, Wider das Verbot mit Erlaubnisvorbehalt im Datenschutz?, Datenschutz und Datensicherheit 2013, 246.

6 Tene/Polonetsky, Big Data for All: Privacy and User Control in the Age of Analytics, 11 Northwestern Journal of Technology and Intellectual Property 11 (2013), 239 (242), favoring a relaxation of the consent requirement; for a traditional view Posner, The Right of Privacy, Georgia Law Review 12 (1978), 393; Stigler, An introduction to privacy in economics and politics, Journal of Legal Studies 9 (1980), 623; Posner, The Economics of Privacy, American Economic Review 71 (1981), 405.

In Section B, I explore the factors driving consent in an analytical framework set out by rational choice theory and game theory. This approach allows us to understand some of the strategic reasons pushing users to disclose or withhold personal information in interactions with companies or other users. In Section C, I shed light on the so-called privacy paradox and the behavioral economics of privacy. Without a good grasp of this paradox, lawmakers and legal practitioners are likely to make ill-informed choices that may well cause backfire effects in some cases. In Section D, I show that a behaviorally informed privacy law does not necessarily imply libertarian paternalism. EU privacy law and constitutional law should take account of the distinction between paternalistic nudging and non-paternalistic soft regulation of market failures. In Section E, I present my conclusion.

B. The Strategic Rationality of Consent
Rational choice theory assumes that individuals are rational actors with a set of stable and exogenously given preferences.8 Rational actors are able to process an indefinite amount of information and will always make their choices such as to maximize their utility. Standard game theory builds on the rational choice paradigm and analyzes strategic interactions between actors.9 Under a game theory approach,

7 But see Borgesius, Behavioural Sciences and the Regulation of Privacy on the Internet, in Alemanno/Sibony (Eds.), Nudge and the Law: A European Perspective (2015), 179.

8 Becker, The Economic Approach to Human Behavior (1976),

9 Rebonato, Taking Liberties: A Critical Examination of Libertarian Paternalism (2012).

