The increasing establishment of networked environments that combine tracking technologies, Artificial Intelligence and the Internet of Things into an Internet of Everything also crosses the boundaries of traditional fields of law. It requires, this book argues, the creation of a “private data law” which integrates EU data protection law into Member State private law.The first part of the book lays the technical and economic foundations for this endeavor. Three specific regulatory challenges emerge from this review: the multi-relationality of personal data, which manifests itself in the frequent inclusion of third-party providers (third-party tracking); the inherent ambivalence concerning the risks and benefits of personal data; and the heterogeneity of data protection preferences of the respective data subjects.The second part of the book examines the resources available under current data protection law and general private law to address these challenges. The analysis of data protection law shows that data-based business models, but also the development of the Internet of Things, are subject to significant limits under data protection law, in particular due to the tying prohibition under the GDPR. However, these limits could in principle be overcome by valid contractual agreements, or by the voluntary offer of a data-safe option by the respective providers. These paths to legality, in turn, put the contractual design of the exchange relationships in the limelight. In this, the methodological focus rests on the applicability of Member State private law in parallel to the GDPR rules. The book integrates the declaration of consent under data protection law into the doctrine of the German Civil Code (BGB) and examines in detail limits of contractual validity resulting from the ‘regulatory part’ of the BGB.From an overarching perspective, however, the enabling structures under data protection and civil law reveal considerable shortcomings, in both legal and factual terms. In concrete decision-making situations, the vast majority of users do not sufficiently consider data protection issues to make a conscious and informed decision in this respect. Hence, the third part of the book shows that users need to be supported in a twofold way to cope with the three regulatory risks mentioned: technically, by increasingly autonomous data protection assistants; and, in terms of regulation, by a right to a data-safe option. Automated data collection and analysis must be answered with automated communication and enforcement of heterogeneous privacy preferences; informed consent must be replaced by technological consent. Only in this way can an autonomous design of exchange processes in highly networked environments be realized, at least in a restricted form mediated by machines. This also implies that emerging, data-processing technologies should notonly be seen as a risk, but also as an opportunity for self-determination and data protection.

DFG Programme Publication Grants