Privacy self-management and the issue of privacy externalities: of thwarted expectations, and harmful exploitation

Abstract

This article argues that the self-management of one's privacy is impossible due to privacy externalities. Privacy externalities are the negative by-product of the services offered by some data controllers, whereby the price to "pay" for a service includes not just the provision of the user's own personal data, but also that of others. This term, related to similar concepts from the literature on privacy such as "networked privacy" or "data pollutio", is used here to bring to light the incentives and exploitative dynamics behind a phenomenon which, I demonstrate, benefits both the user and the data controller to the detriment of third-party data subjects. Building on these novel elements and on the relevant concepts and examples found in the existing literature, this article draws a comprehensive picture of the phenomenon, and offers two promising paths to address it-better enforcing the principle of data protection by design and by default, and relying on the framework of joint controllership.