This article makes a case for treating individual data subjects as gatekeepers against misuse of personal data. Imposing gatekeeper responsibility on individuals is most useful where (a) the primary wrongdoers engage in data misuse intentionally or recklessly; (b) misuse of personal data is likely to lead to serious harm; and (c) one or more individuals are able to detect and prevent data misuse at a reasonable cost.

As gatekeepers, individuals should have a legal duty to take reasonable measures to prevent data misuse where they are aware of facts indicating that the person seeking personal data from them is highly likely to misuse it or to facilitate its misuse. Recognizing a legal duty to prevent data misuse provides a framework for determining the boundaries of appropriate behavior when dealing with personal data that people have legally acquired. It does not, however, abrogate the need to impose gatekeeping obligations on big technology companies.

In addition, individuals should owe a social duty to protect the personal data in their possession. Whether individuals have sufficient incentive to protect their personal data in a particular situation depends not only on the cost of the relevant security measures, but also on their expectation of the security decisions made by others who also possess that data. Even a privacy-conscious individual would have little incentive to invest in privacy-protective measures if he believes that his personal data is possessed by a sufficiently large number of persons who do not invest in such measures. On the flip side, an individual’s decision to protect his personal data generates positive externalities—it incentivizes others to invest in security measures. As such, promoting the norm of data security is likely to lead to a self-reinforcing virtuous cycle which helps improve the level of data security in a given community.