Vulnerable Data Subjects

Discussion about vulnerable individuals and communities spread from research ethics to consumer law and human rights. According to many theoreticians and practitioners, the framework of vulnerability allows formulating an alternative language to articulate problems of inequality, power imbalances and social injustice. Building on this conceptualisation, we try to understand the role and potentiality of the notion of vulnerable data subjects. The starting point for this reflection is wide-ranging development, deployment and use of data-driven technologies that may pose substantial risks to human rights, the rule of law and social justice. Implementation of such technologies can lead to discrimination systematic marginalisation of different communities and the exploitation of people in particularly sensitive life situations. Considering those problems, we recognise the special role of personal data protection and call for its vulnerability-aware interpretation. This article makes three contributions. First, we examine how the notion of vulnerability is conceptualised and used in the philosophy, human rights and European law. We then confront those findings with the presence and interpretation of vulnerability in data protection law and discourse. Second, we identify two problematic dichotomies that emerge from the theoretical and practical application of this concept in data protection. Those dichotomies reflect the tensions within the definition and manifestation of vulnerability. To overcome limitations that arose from those two dichotomies we support the idea of layered vulnerability, which seems compatible with the GDPR and the risk-based approach. Finally, we outline how the notion of vulnerability can influence the interpretation of particular provisions in the GDPR. In this process, we focus on issues of consent, Data Protection Impact Assessment, the role of Data Protection Authorities, and the participation of data subjects in the decision making about data processing.