Santiago Ramírez López
an interconnected world.9 Although this explanation
is convenient for businesses, it also disregards the
fact that society has become increasingly more
suspicious of how companies are using the data and
information provided by users.10
5 This article aims to demonstrate that, although the
legal concepts of privacy between the predominant
Western traditions contain discrepancies mainly in
their formation, they are not so different in their
outcome, as Western traditions embrace the concept
of control of the data subjects as a capital guideline
of data protection.
6 This paper will analyze the implications of the eld
of behavioral economics in the data privacy scenario.
Supporting the position of other authors,11 it will be
argued that some of the bias and impasses studied
in the eld of behavioral economics may help to
explain the issues and problems of consent as a way
to provide control to the data subject based on a
conscientious decision-making scenario.
The objective of this analysis is to restore the
position of the concept of informed consent as the
primary means of control for the data subject, while
recognizing that to achieve such informed consent,
the data subjects must be provided with more
suitable conditions that allow them to overcome
the biases and impasses.
As a conclusion, this contribution will analyze a
proposal for the creation of such a suitable scenario,
by implementing alternative ways to provide and
manage information and by giving a tangible
value to the data from the user’s perspective. This
proposal is composed of the following components:
(i) alternative and user-friendly ways of providing
the information required by Article 13 of the GDPR,
resorting to existing models, such as Creative
Commons; (ii) a data management system that
contains unied information of the personal data
circulating online of the data subject; and (iii) a
model based on the value of the data in benet of the
9 In 2010 with the rapid increase in the use of social media,
Mark Zuckerberg, founder of Facebook, stated that privacy
was no longer a “social norm”, as social media sharing
reected a change in attitude. See: Johnson, B. (2010, 1
11). Privacy no Longer a Social Norm, says Facebook Founder.
Retrieved 7 1, 2016, from <https://www.theguardian.com/
10 Several polls have shown the rejection of the public in
relation to surveillance and data gathering. These polls will
be discussed in Section B.II. See: Jourová, V. (2015). Data
Protection Eurobarometer-Factsheet. European Commission.
See also Madden, M., & Rainie, L. (2015, 5 20). Americans’
Attitudes About Privacy, Security and Surveillance. Retrieved 7
2, 2016, from <http://www.pewinternet.org/2015/05/20/
11 See footnotes 54 to 56.
recognized equivalent values, identifying the right
“to be let alone” as a way to promote a non-intrusive
information gathering against the media and the
emerging technologies,3 and as a right grounded
in the control of the individual to determine what
information can be openly communicated.4
On paper, the European legislation has included
several provisions which seem to provide data
subjects more control over their information.
Indeed, the former Data Protection Directive5 (from
now on the “DPD”) and the recently adopted General
Data Protection Regulation6 (from now on the
“GDPR”), contain the basis to prevent practices that
may constitute an illegitimate processing of data,
and dedicate several provisions to the possibility of
control of the data subject grounded on informed
consent. Nevertheless, the reality of the online
scenario has shown the inability of this model to
provide control and to protect the data subject’s
right to privacy.
Among experts, there is a debate if whether
providing more control to the data subject can
be a solution applicable in the real world for the
protection of the right to privacy. The critics of a
control-oriented approach base their arguments on
the practical, conceptual, and moral difculties of
the model,7 but mainly on the fact that the consent,
as the main mechanism of control of the data subject,
has so far proved to be impractical and inefcient.8
A concise reason for the failure of a consent-
oriented model is still subject to debate. Some,
especially in the private sector, believe that modern
society is currently suffering a transition, where
the traditional concept of privacy, or privacy as a
“social norm,” is being dismissed with the excuse of
Informational Self-Determination. The American Journal of
Comparative Law, 37, pp. 678-689.
3 Warren, S., & Brandeis, L. (1890, December 15). The Right to
Privacy. The Harvard Law Review, IV(5).
5 The European Parliament and the Council of
the European Union. Directive 95/46/EC of the
European Parliament and the Council of 24 October
1995 on the protection of individuals with regard
to the processing of personal data and on the free
movement of such data.
6 The European Parliament and the Council of the European
Union. Regulation (EU) 2016/679 on the protection of
natural persons with regard to the processing of personal
data and on the free movement of such data, and repealing
Directive 95/46/EC (General Data Protection Regulation).
7 Allen, A. L. (2000). Privacy-as-Data Control: Conceptual,
Practical, and Moral Limits of the Paradigm. Connecticut Law
Review, 32, 861-875.
8 Koops, B.-J. (2014). The Trouble with European Data
Protection Law. Tilburg Law School Legal Studies Research
Paper Series, 4, p. 3.