The vulnerable data subject: A gendered data subject?


  • Gianclaudio Malgieri EDHEC Business School
  • Gloria González Fuster


Vulnerability is an emerging topic in many different fields, but data protection and privacy discussions of vulnerability have rarely engaged with gender studies. This paper investigates the notion of the ‘vulnerable data subject’ from a gender perspective, to question whether gender should be regarded as factor of vulnerability at all, and, if yes, how. It also asks what do these reflections tell us about the (gendered or un-gendered) notion of ‘standard data subject’. Even though the term ‘vulnerable data subject’ is only incidentally mentioned in EU data protection law, and in the GDPR only referring explicitly to children, several Data Protection Authorities (e.g. in Spain and Poland) have considered “being female” as a potential source of data subject’s vulnerability (e.g. in case of consumers victims of sex-related crimes). The US privacy tort – as originally conceived – was built off gendered notions of female modesty, suggesting women were vulnerable, and connecting women’s privacy claims to the ‘wrong kind of privacy’. Looking at the history and foundations of privacy and data protection law, surface questions such as whether the ‘average data subject’ in privacy and data protection legislation is, by default, a man, and whether women might have to be regarded as vulnerable data subjects just because they are women. This article then looks into law and economics analysis of consumers’ behaviour, but also political philosophy and, in particular, gender studies, to observe an intellectual polarisation: on the one hand the universalist approach, according to which every human must be regarded as vulnerable, as otherwise vulnerability would be a stigmatising label; on the other hand the particularistic approach, according to which some subjects are more vulnerable than others (in particular, women are more vulnerable – i.e. subject to adverse effects – than men in many contexts: workplace, education, etc.). A third way might be the ‘layered’ theory of Luna, based on a contextual and relational (even situational) nature of vulnerability. This solution is compatible with the layered risk-based approach in the GDPR, but also with intersectional approaches in gender studies. This ‘third way’ might be also a cautious solution to the ambiguous and inconsistent treatment of vulnerability both in the European Union policies surrounding data protection law and in the EU data protection practice itself (considering, e.g. the ineffective protection of children).






Refereed Articles