gdpr as an Instance of Neoliberal Governmentality: a Critical Analysis of the Current ‘Gold Standard’ of Data Protection

The gdpr today is commonly seen as a ‘gold standard’ of personal data regulation. While recognizing the importance of the gdpr, especially in affirming that personal data belongs to the individuals rather than commercial or public entities, this paper seeks to demonstrate that such a view is, nevertheless, problematic: first, what the gdpr, along with similar regulations inspired by it elsewhere, effectively does is help organise the functioning of the personal data market in which private user data continues to be commodified and used to generate massive profits by various firms and platforms; second, the gdpr does it in a paradigmatically neoliberal manner – public authorities create a legal framework for a market, and devolve the responsibility for managing negative consequences to the affected populations themselves, presenting it as their ‘empowerment’; third, just as it is often the case with neoliberal governmentality in other sectors, the tool provided by the gdpr to individuals to protect themselves – here the right to reject the terms of service (tos) of different providers – embodies and reproduces an asymmetric power relation between capital and society – here between service providers and users – and effectively ensures that individuals continue to acquiesce to the collection and commodification of their private data: on the one hand, the complexity of different tos, their ‘take-it-or-leave-it’ nature, length, etc., render the evaluation of privacy implications very difficult for individual users; second, in some cases, the rejection of tos is impossible because access to the service in question is indispensable, as in the case of platform workers. Users mechanically click ‘Accept’ which is seen as an instance of ‘informed consent,’ and which in turn makes the collection and monetization of personal data legal.