[Narayani Anand, a III year law student at Campus Law Centre, Faculty of Law,
University of Delhi writes about the effectiveness of personal data exchanges.]


This paper aims to examine the effectiveness of the newly adopted Regulation (EU) 2016/679 – popularly known as the General Data Protection Regulation (GDPR) – in protecting data privacy, and analyses the extent to which it prioritises individual interests over those of data aggregators. Three key aspects of data protection, viz. ‘notice & consent’, ‘opting-out’ and ‘anonymisation & pseudonymisation’ have been selected for this analysis. Their presence has then been traced in the GDPR, and compared with the older data protection law in Europe – Directive 95/46/EC, also known as the Data Protection Directive of 1995. Finally, a consumer-centric system of data exchange and management has been proposed vis-à-vis the existing provider-centric model, in the form of a Personal Data Exchange – modelled upon considerations emerging from three separate research approaches – ‘Primary Market’, ‘User Privacy Risk Attitudes’ and the ‘Personal Information Management System’. This has been proposed as an end towards which the three aspects of data protection in the GDPR discussed above could be developed.