
Privacy Is Not Dead. It’s Just Contractual Now

13 January 2026 by Ankita Singh, BALLB (Hons), 5th year

Introduction

The declaration that “privacy is dead” has become a familiar refrain in debates on technology and data governance. It reflects genuine frustration with pervasive surveillance, opaque data practices, and the erosion of individual control. Yet the diagnosis is imprecise. Privacy has not disappeared. It has been reorganized. It has migrated from physical boundaries and social restraint into a dense architecture of contracts, standard terms, and platform policies that increasingly govern the collection, use, and circulation of personal data. In short, privacy today is increasingly contractual.

From Control of Secrets to Agreements About Data Flows

Classical privacy theory framed privacy either as restricted access or as individual control over personal information. In digital environments, both models struggle. The dominant regulatory paradigm of “notice and choice” assumes that individuals read privacy notices, understand them, and make informed decisions among competing services. Empirical evidence consistently undermines this assumption. Privacy policies are long, technical, and non-negotiable, creating a setting where users function as a captive audience rather than autonomous decision-makers. [1]

Simultaneously, social, economic, and political participation has become inseparable from data disclosure. Workplaces, healthcare systems, education platforms, and democratic processes now operate through continuous information exchange. In such a context, privacy can no longer be understood as secrecy or withdrawal. Instead, scholars increasingly conceptualize privacy as governance over appropriate data flows within specific social contexts. [2]

Kirsten Martin’s social contract approach captures this shift. Privacy, on this account, is constituted by shared expectations within communities about how information will be used, shared, and protected. [3] Violations occur not merely when data is collected, but when those contextual expectations are breached. Privacy thus emerges as an ongoing, relational, and implicitly contractual practice rather than a static individual entitlement.

The Rise of Formal Data Contracts

Layered over these social expectations is a rapidly expanding legal infrastructure of data contracts. Digital services increasingly operate on an exchange model in which users “pay” with personal data rather than money. [4] This exchange is formalized through clickwrap agreements, terms of service, and privacy policies that define rights, obligations, and liabilities between users and data controllers. [5]

Legal scholarship now recognizes contracts for the exchange of personal data as a distinct category. These agreements resemble commercial contracts, yet they implicate fundamental rights and public interests that cannot be fully waived. [6] Contracts involving sensitive data such as genetic information, health records, or criminal histories are constrained by mandatory norms and public policy limitations. They cannot be reduced to ordinary transactions without undermining the normative foundations of data protection law.

Empirical studies further show that firms exploit contractual flexibility to differentiate data terms across users and markets, often to the disadvantage of less sophisticated or more vulnerable individuals. [7] Contractual privacy, in practice, risks reinforcing existing power asymmetries rather than correcting them.

When Public Interests Override Private Bargains

Contract law traditionally prioritizes private ordering. In data-intensive sectors such as health research, however, contracts increasingly operate as hybrid instruments that must also safeguard public and fundamental interests. Public–private research partnerships rely on detailed contractual clauses to regulate data access, confidentiality, and compliance with data protection law. [8]

Critically, contracts cannot legitimize unlawful data practices. Under doctrines of illegality and public policy, contractual terms that conflict with data protection norms may be void or unenforceable. [9] Courts thus retain the authority to prioritize public interest standards over private agreements. This tension illustrates how privacy today exists at the intersection of contractual freedom and the non-waivable character of fundamental rights.

Privacy as Right Versus Privacy as Commodity

Comparative legal approaches diverge sharply on the extent to which privacy can be contractualized. The European Union treats personal data protection as a fundamental right and resists framing personal data as a tradable commodity. [10] At the same time, EU law relies heavily on contractual mechanisms such as data processing agreements, standard contractual clauses, and consent forms. [11] The GDPR itself recognizes contracts as lawful bases for processing in specific contexts.

In jurisdictions with weaker data protection regimes, privacy protection relies more heavily on general contract law, leaving significant gaps when personal data is exchanged for ostensibly “free” services. [12]

The result is a hybrid system in which privacy is formally recognized as a right but functionally managed through private agreements that individuals rarely negotiate or fully understand.

Technical Contracts and the Automation of Consent

A newer development is the translation of privacy agreements into machine-readable and self-executing forms. Blockchain-based systems and smart contracts promise automated enforcement of data terms, transparency, and auditability. [13] However, these technologies also raise new risks, including the exposure of sensitive information on immutable public ledgers.

To address these challenges, researchers have proposed privacy-preserving technical frameworks such as zero-knowledge-based agreements and dynamic consent systems. [14] These systems allow individuals to grant, monitor, and revoke consent over time while maintaining cryptographic assurances of compliance. [15] By embedding privacy expectations directly into technical infrastructure, such approaches aim to rebalance power between data subjects and data controllers.
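A minimal sketch of the grant, monitor, and revoke cycle described above, written as an added example and not taken from this article or the systems it cites. It swaps in a plain hash-chained append-only log for a blockchain or smart contract and a keyed hash for zero-knowledge proofs; all function names, field names, and sample values are assumptions made for illustration.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # "previous hash" of the first entry

def subject_tag(subject_id, salt):
    # Keyed hash: the raw identifier never lands in the append-only log.
    return hmac.new(salt, subject_id.encode(), hashlib.sha256).hexdigest()

def entry_digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append(log, tag, purpose, action, ts):
    if action not in ("grant", "revoke"):
        raise ValueError("action must be 'grant' or 'revoke'")
    if log and ts < log[-1]["ts"]:
        raise ValueError("timestamps must not go backwards")
    body = {"prev": log[-1]["hash"] if log else GENESIS, "subject": tag,
            "purpose": purpose, "action": action, "ts": ts}
    log.append({**body, "hash": entry_digest(body)})

def verify_chain(log):
    # Recompute every digest; an entry edited after the fact breaks the chain.
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or entry_digest(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def consent_active(log, tag, purpose, at_ts):
    # Refuse to answer from a log that fails verification.
    if not verify_chain(log):
        raise ValueError("consent log failed integrity check")
    active = False
    for entry in log:
        if entry["ts"] > at_ts:
            break
        if entry["subject"] == tag and entry["purpose"] == purpose:
            active = entry["action"] == "grant"
    return active

def build_sample_log(salt):
    # Constructed sample data, not taken from any real system.
    log, alice = [], subject_tag("alice@example.org", salt)
    append(log, alice, "research", "grant", 100)
    append(log, alice, "marketing", "grant", 110)
    append(log, alice, "research", "revoke", 200)
    return log, alice
```

The salt has to be stored away from the log: an identifier such as an e-mail address hashed without a secret can be recovered by guessing candidates and comparing digests.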

Coexisting Models of Privacy Protection

Despite the dominance of contractual logic, privacy continues to be understood through multiple overlapping frameworks. Fair Information Practice Principles emphasize transparency and consent but are widely criticized for producing illusory choice. [16] Contextual integrity challenges one-time consent models by focusing on whether data flows align with contextual norms. [17] Structural and group privacy critiques highlight that many data harms occur at collective levels, beyond the reach of individual contracts. [18]

These perspectives expose a core limitation of contractual privacy: while contracts are individual and transactional, data harms are often systemic, cumulative, and socially distributed.

Conclusion

Privacy is not dead. It has migrated. It now operates through negotiated, standardized, and increasingly automated agreements that govern data flows across digital ecosystems. This transformation reframes the responsibilities of organizations, shifting the focus from formal compliance toward sustained stewardship of contextual privacy norms. [19]

At the same time, it reveals the limits of relying on individual contracts to correct deep structural imbalances between data subjects and data-rich institutions. The central challenge going forward is not whether privacy can be contractual, but whether contractual privacy can be made genuinely protective of autonomy, dignity, and the public interest rather than a legal fiction sustained by a checkbox.

References

1. O. Gstrein, A. J. P. Schild & M. J. Wachter, How to Protect Privacy in a Datafied Society? A Presentation of Multiple Legal and Conceptual Approaches, 35 Phil. & Tech. 1 (2022).

2. Id.

3. Kirsten E. Martin, Understanding Privacy Online: Development of a Social Contract Approach to Privacy, 25 J. Bus. Ethics 179 (2016).

4. Saja Alabboodi, Matej Avbelj & Marko Kambič, The Juridical Nature of Contracts for the Exchange of Personal Data, Lex Localis – J. Loc. Self-Gov’t (forthcoming 2025).

5. Kevin E. Davis & Florencia Marotta-Wurgler, Contracting for Personal Data, 28 Colum. J. Eur. L. 1 (2019).

6. Alabboodi et al., supra note 4.

7. Davis & Marotta-Wurgler, supra note 5.

8. J. Bell, J. T. Salmon & G. Laurie, Contractual Mechanisms for Securing the Public Interest in Data Sharing in Public-Private Health Research Partnerships, SCRIPTed (2023).

9. Id.

10. Graham Greenleaf, International Data Privacy Agreements after the GDPR and Schrems, 139 Privacy L. & Bus. Int’l Rep. 1 (2016).

11. Stefano Fantin, Data Protection Commissioner v Facebook Ireland Ltd (Schrems II): Standard Contractual Clauses and Privacy Shield, 6 Eur. Data Prot. L. Rev. 89 (2020).

12. C. Drahaman, A Collision of Contract and Privacy Law in a Digital Environment—An Accident Waiting to Happen!, SSRN (2020).

13. Dmytro Ovsianko et al., Smart Contracts as Privacy-Preserving Mechanisms in Distributed Digital Twin Systems, Cybersecurity: Educ., Sci. & Tech. (2025).

14. To-Wen Liu et al., zk-Agreements: A Privacy-Preserving Way to Establish Deterministic Trust in Confidential Agreements, arXiv (2025).

15. Mpyana Mwamba Merlec et al., A Smart Contract-Based Dynamic Consent Management System for Personal Data Usage under GDPR, 21 Sensors 1 (2021).

16. Michiel Rhoen, Beyond Consent: Improving Data Protection through Consumer Protection Law, 22 Eur. J. Consumer L. 1 (2016).

17. Martin, supra note 3.

18. Gordon Hull, The Death of the Data Subject, 15 Law, Culture & Human. 1 (2021).

19. Martin, supra note 3.
