Information asymmetries: recognizing the limits of the GDPR on the data-driven market

Online search engines, social media platforms, and targeted advertising services often employ a “data-driven” business model based on the large-scale collection, analysis, and monetization of personal data. When providing such services significant information asymmetries arise: data-driven companies collect much more personal data than the consumer knows or can reasonably oversee, and data-driven companies have much more (technical) information about how this data is processed than consumers would be able to understand. This article demonstrates the vulnerable position consumers continue to find themselves in as a result of information asymmetries between them and data-driven companies. The GDPR, by itself, is in practice unable to mitigate these information asymmetries, nor would it be able to provide for effective transparency, since it does not account for the unique characteristics of the data-driven business model. Consumers are thus faced with an insurmountable lack of transparency which is inherent in, as well as the inevitable consequence of, the magnitude of the information asymmetries present on the data-driven market.