Paper short abstract:

By confronting journeys of personal data from devices to data markets with expectations of the new European e-privacy regulation we examine limits and opportunities of agency in regard to privacy protection.

Paper long abstract:

This paper is based on a series of interviews with e-privacy activists and several experiments with day to day devices that collect and share end-user data. In preparation of the coming EU General Data Protection Regulation (GDPR) and its suite of e-privacy regulation, our work maps several severe limits to controlling where and how our data flows.

We focus on the inextricability of the many services that make up mobile apps for daily use, such as bike sharing or fitness tracking. After meticulously investigating all operations happening in the usage of such apps that are not immediately visible to the end user, we confronted our findings with the main criteria of the coming privacy regulation. Predictably there are huge discrepancies. .... What are users' options in monitoring and controling their data flows? What new types of socio-technical agency do we need, that go beyond trusting the law and respective sanctions?