Game-theoretical Model on the GDPR - Market for Lemons?



Tim Zander
Anne Steinbrück
Pascal Birnstill


JIPITEC 10 No. 2, October 2019.



In order to evaluate the regulatory effects of the GDPR on the institution of privacy as a public good, both a data protection law perspective and an economic perspective should be applied. To convey an economic point of view on the GDPR, we include a game-theoretical model of the rights and duties arising out of the GDPR in order to clarify the possible game-theoretical strategies, and we discuss the compensatory mechanisms for the problem of asymmetric information between the data controller and the data subject. Furthermore, we point out that the concepts of control and the legal construction of "data ownership" are unsatisfying. The fact that services within the scope of the GDPR can rewrite their privacy policies and afterwards request the users' consent, or otherwise lock them out of the service, puts undue pressure on the data subject. The recent decision of the Federal Cartel Office of Germany disputed this behaviour and imposed far-reaching restrictions on Facebook. Thus, elements of the GDPR have begun to fall within the remit of competition law, and the question of effective regulatory compensation regarding the economic effects in privacy should be addressed. In general, the measurement of privacy risks seems to be the first reasonable step towards empowering actors to make effective decisions.