Chao Wu

DOI: https://doi.org/10.1016/j.techsoc.2024.102457

IF: 6.879

2024-01-01

Technology in Society

Abstract:In recent years, data privacy has attracted increasing public concerns, especially with public scandals from top Internet companies, emerging over inappropriate data collection, lack of transparency in data usage, and manipulation of users' preferences. This has led to responsive efforts from multiple sectors of society to constrain the violation of individuals’ data privacy. Among these efforts, the regulations like GDPR are the most influential, which are believed to be able to change the foundation of the whole data ecosystem. The main concern of current regulation is data transparency, designed to enable individuals to make rational decisions about their data. However, I argue that transparency cannot mitigate a key issue of data privacy, which is the right of receiving benefits from data. This issue is getting severe with the rapid development of the data economy and will become the essential problem of social welfare and fairness in the AI era. I further point out that the key to solving this issue is to migrate the current centralized data utilization paradigm to a new decentralized paradigm. Based on the recent technical advancements, I propose an applicable pathway to implement such a paradigm. And to realize a fair and sustainable data eco-system, joint efforts should be made within this paradigm.

Rex Chen,Fei Fang,Thomas Norton,Aleecia M. McDonald,Norman Sadeh

DOI: https://doi.org/10.1145/3463676.3485

2021-09-28

Abstract:Vagueness and ambiguity in privacy policies threaten the ability of consumers to make informed choices about how businesses collect, use, and share their personal information. The California Consumer Privacy Act (CCPA) of 2018 was intended to provide Californian consumers with more control by mandating that businesses (1) clearly disclose their data practices and (2) provide choices for consumers to opt out of specific data practices. In this work, we explore to what extent CCPA's disclosure requirements, as implemented in actual privacy policies, can help consumers to answer questions about the data practices of businesses. First, we analyzed 95 privacy policies from popular websites; our findings showed that there is considerable variance in how businesses interpret CCPA's definitions. Then, our user survey of 364 Californian consumers showed that this variance affects the ability of users to understand the data practices of businesses. Our results suggest that CCPA's mandates for privacy disclosures, as currently implemented, have not yet yielded the level of clarity they were designed to deliver, due to both vagueness and ambiguity in CCPA itself as well as potential non-compliance by businesses in their privacy policies.

Computers and Society

Yujin Kwon,Ella Corren,Gonzalo Munilla Garrido,Chris Hoofnagle,Dawn Song

2023-12-04

Abstract:As information economies burgeon, they unlock innovation and economic wealth while posing novel threats to civil liberties and altering power dynamics between individuals, companies, and governments. Legislatures have reacted with privacy laws designed to empower individuals over their data. These laws typically create rights for "data subjects" (individuals) to make requests of data collectors (companies and governments). The European Union General Data Protection Regulation (GDPR) exemplifies this, granting extensive data rights to data subjects, a model embraced globally. However, the question remains: do these rights-based privacy laws effectively empower individuals over their data? This paper scrutinizes these approaches by reviewing 201 interdisciplinary empirical studies, news articles, and blog posts. We pinpoint 15 key questions concerning the efficacy of rights allocations. The literature often presents conflicting results regarding the effectiveness of rights-based frameworks, but it generally emphasizes their limitations. We offer recommendations to policymakers and Computer Science (CS) groups committed to these frameworks, and suggest alternative privacy regulation approaches.

Computers and Society,Databases

James Pavur,Casey Knerr

DOI: https://doi.org/10.48550/arXiv.1912.00731

2019-12-02

Abstract:The General Data Protection Regulation (GDPR) has become a touchstone model for modern privacy law, in part because it empowers consumers with unprecedented control over the use of their personal information. However, this same power may be susceptible to abuse by malicious attackers. In this paper, we consider how legal ambiguity surrounding the "Right of Access" process may be abused by social engineers. This hypothesis is tested through an adversarial case study of more than 150 businesses. We find that many organizations fail to employ adequate safeguards against Right of Access abuse and thus risk exposing sensitive information to unauthorized third parties. This information varied in sensitivity from simple public records to Social Security Numbers and account passwords. These findings suggest a critical need to improve the implementation of the subject access request process. To this end, we propose possible remediations which may be appropriate for further consideration by government, industry and individuals.

Cryptography and Security,Computers and Society

Excel G Chukwurah

DOI: https://doi.org/10.51594/csitrj.v5i4.1047

2024-04-17

Computer Science & IT Research Journal

Abstract:As data privacy concerns become increasingly prevalent, especially in the U.S. where regulations like the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) are setting new standards, technology companies must adopt advanced risk management strategies to ensure compliance and protect consumer data. This review explores the concept of proactive privacy and outlines key strategies for integrating privacy considerations into product development processes. The review begins by highlighting the growing importance of data privacy in the U.S. tech industry, emphasizing the need for proactive approaches to privacy management. It then introduces the concept of proactive privacy, which involves identifying and mitigating privacy risks early in the product development lifecycle. The review emphasizes the importance of adopting a privacy-by-design approach, where privacy considerations are integrated into every stage of product development. The review then outlines several advanced risk management strategies for proactive privacy. This includes conducting thorough privacy impact assessments (PIAs) to identify potential privacy risks associated with new products or services. It also emphasizes the importance of implementing privacy-enhancing technologies, such as encryption and anonymization, to protect consumer data. Furthermore, the review discusses the importance of establishing a culture of privacy within tech companies, where privacy is viewed as a fundamental value and employees are educated about privacy best practices. It also highlights the benefits of engaging with privacy experts and regulators to stay informed about evolving privacy regulations and industry standards. In conclusion, the review emphasizes the importance of proactive privacy in product development and highlights key strategies for integrating privacy considerations into the development process. By adopting advanced risk management strategies and prioritizing privacy throughout the product lifecycle, U.S. technology companies can enhance consumer trust, ensure compliance with regulations, and mitigate privacy risks. Keywords: Proactive Privacy, Risk Management, Strategies, Product Development, Advanced

Excel G Chukwurah,Samuel Aderemi

DOI: https://doi.org/10.51594/csitrj.v5i4.1044

2024-04-17

Computer Science & IT Research Journal

Abstract:Data protection compliance is a critical issue for U.S. technology companies, especially in light of increasingly stringent regulations such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). Achieving compliance requires a harmonized approach that aligns internal teams and processes with regulatory requirements. This review explores strategies for U.S. technology companies to harmonize teams and regulations to ensure data protection compliance. The first key strategy is to establish a cross-functional team dedicated to data protection compliance. This team should include representatives from legal, IT, security, and other relevant departments. By bringing together experts from different areas, companies can ensure a comprehensive approach to compliance that takes into account legal requirements, technical capabilities, and organizational policies. Secondly, companies should invest in training and education for all employees on data protection principles and compliance requirements. This includes raising awareness about the importance of data protection, as well as providing specific training on how to handle personal data in accordance with regulations. By ensuring that all employees are informed and knowledgeable about data protection, companies can reduce the risk of non-compliance. Another important strategy is to implement privacy by design and by default principles in product development and business processes. This means building privacy considerations into products and services from the outset, rather than trying to retrofit them later. By incorporating privacy into the design process, companies can ensure that their products and services are compliant with regulations and protect user data. Finally, companies should establish a culture of continuous improvement and accountability when it comes to data protection compliance. This includes regularly reviewing and updating data protection policies and procedures, as well as conducting regular audits and assessments to identify and address compliance gaps. By making data protection a priority at all levels of the organization, companies can reduce the risk of data breaches and non-compliance with regulations. Keywords: Data Protection, Compliance, Strategies, Technology, Regulations.

Suvineetha Herath,Dakota State University,Haywood Gelman,Lisa McKee,

DOI: https://doi.org/10.32727/8.2023.18

2023-10-12

Abstract:In today's data-sharing paradigm, personal data has become a valuable resource that intensifies the risk of unauthorized access and data breach. Increased data mining techniques used to analyze big data have posed significant risks to data security and privacy. Consequently, data breaches are a significant threat to individual privacy. Privacy is a multifaceted concept covering many areas, including the right to access, erasure, and rectify personal data. This paper explores the legal aspects of privacy harm and how they transform into legal action. Privacy harm is the negative impact to an individual as a result of the unauthorized release, gathering, distillation, or expropriation of personal information. Privacy Enhancing Technologies (PETs) emerged as a solution to address data privacy issues and minimize the risk of privacy harm. It is essential to implement privacy enhancement mechanisms to protect Personally Identifiable Information (PII) from unlawful use or access. FIPPs (Fair Information Practice Principles), based on the 1973 Code of Fair Information Practice (CFIP), and the Organization for Economic Cooperation and Development (OECD), are a collection of widely accepted, influential US codes that agencies use when evaluating information systems, processes, programs, and activities affecting individual privacy. Regulatory compliance places a responsibility on organizations to follow best practices to ensure the protection of individual data privacy rights. This paper will focus on FIPPs, relevance to US state privacy laws, their influence on OECD, and reference to the EU General Data Processing Regulation. (GDPR).

T. Tony Ke,K. Sudhir

DOI: https://doi.org/10.1287/mnsc.2022.4614

IF: 5.4

2022-12-04

Management Science

Abstract:General Data Protection Regulation (GDPR)—the European Union’s data protection regulation—has two key principles. It recognizes that individuals own and control their personal (but not contractual) data in perpetuity, leading to three critical privacy rights, namely, the rights to (i) explicit consent (data opt-in), (ii) to be forgotten (data erasure), and (iii) portability (data transfer). It also includes data security mandates against privacy breaches through unauthorized access. We study GDPR’s equilibrium impact by including these features in a dynamic two-period model of forward-looking firms and consumers. Firms collect consumer data for personalization and price discrimination. Consumers trade off gains from personalization relative to potential losses from privacy breaches and price discrimination in their purchase, data opt-in, erasure, and transfer decisions. Though data security mandates impose fines on firms for privacy breaches, firms can benefit from higher opt-in given lower breach risk. Surprisingly, data security mandates can hurt consumers. The effect of privacy rights is nuanced. Since the right to opt in separates goods exchange from the provision of personal data, it prevents market failure under high breach risk. But it also reduces consumer opt-in and personal data availability. Erasure and portability rights reduce consumers’ hold-up concerns by disciplining firms to provide ongoing value by limiting price discrimination and not slacking off on data security; but they also reduce the incentive to offer lower initial prices that encourages opt-in. Overall, privacy rights always benefit consumers in competitive markets, but they can surprisingly hurt consumers under monopoly, as monopolists have less incentives to subsidize consumer opt-in. They raise (reduce) firm profit and social welfare when breach risk is high (low). Finally, privacy rights increase firm profit most at moderate levels of data transferability. This paper was accepted by Dmitri Kuksov, marketing. Funding: T. T. Ke acknowledges financial support from the General Research Fund of the Hong Kong Research Grants Council [Grant 14500421]. Supplemental Material: The e-companion is available at https://doi.org/10.1287/mnsc.2022.4614 .

management,operations research & management science

Ian Thomas

DOI: https://doi.org/10.69554/olhs2696

2020-05-01

Abstract:Following the introduction of the EU General Data Protection Regulation (GDPR) in 2018, several US states are introducing similar privacy laws. Of these, the California Consumer Privacy Act (CCPA) will be the most far-reaching. The CCPA builds on various consumer privacy principles established with the GDPR, albeit with some important differences, and is likely to act as the template for any forthcoming federal legislation in the USA. This paper examines some of the ways that the CCPA is similar to and differs from the GDPR, and how this affects the way that businesses should prepare for the implementation of the law in 2020. It then considers the level of GDPR preparedness among US businesses as an indication of their readiness to comply with the CCPA, before presenting a set of privacy best practices that businesses should adopt in order to remain compliant with the increasingly wide range of privacy laws being passed around the world.

Pranith Shetty,

DOI: https://doi.org/10.47363/jaicc/2023(2)224

2023-12-31

Abstract:Data Privacy is relevant for majority of the firms conducting businesses in the international market today. Better privacy safeguards and implementations are one of the key contributors in driving business output, companies are reporting direct and indirect benefits as a result of privacy project related investments. To be compliant with the Privacy regulation landscape globally is the need of the hour, there have been significant business impacts in terms of both financial and reputational, as a result of noncompliance to privacy regulations. To manage these risks, it is imperative for the Privacy assessment teams, Legal teams and Risk management teams to work together and tackle these challenges. This paper firstly aims at giving a perspective on global risk landscape and how the privacy regulations are gaining more traction every passing day, bringing in more states and countries into the fold. This article also narrates the approach or solution explaining how Risk management teams can partner with the relevant stakeholders in legal and privacy teams and guide the data privacy risks across firms, across business sectors. Through the risk management lifecycle thus remediating these risks, helping businesses prosper and at the same time safeguard individual interests.

Alex Bowyer,Jack Holt,Josephine Go Jefferies,Rob Wilson,David Kirk,Jan David Smeddinck

DOI: https://doi.org/10.1145/3491102.3501947

2022-03-10

Abstract:In our data-centric world, most services rely on collecting and using personal data. The EU's General Data Protection Regulation (GDPR) aims to enhance individuals' control over their data, but its practical impact is not well understood. We present a 10-participant study, where each participant filed 4-5 data access requests. Through interviews accompanying these requests and discussions scrutinising returned data, it appears that GDPR falls short of its goals due to non-compliance and low-quality responses. Participants found their hopes to understand providers' data practices or harness their own data unmet. This causes increased distrust without any subjective improvement in power, although more transparent providers do earn greater trust. We propose designing more effective, data-inclusive and open policies and data access systems to improve both customer relations and individual agency, and also that wider public use of GDPR rights could help with delivering accountability and motivating providers to improve data practices.

Human-Computer Interaction

Eleanor Birrell,Jay Rodolitz,Angel Ding,Jenna Lee,Emily McReynolds,Jevan Hutson,Ada Lerner

DOI: https://doi.org/10.48550/arXiv.2312.15383

2023-12-24

Abstract:Growing recognition of the potential for exploitation of personal data and of the shortcomings of prior privacy regimes has led to the passage of a multitude of new online privacy regulations. Some of these laws -- notably the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) -- have been the focus of large bodies of research by the computer science community, while others have received less attention. In this work, we analyze a set of Internet privacy and data protection regulations drawn from around the world -- both those that have frequently been studied by computer scientists and those that have not -- and develop a taxonomy of rights granted and obligations imposed by these laws. We then leverage this taxonomy to systematize 270 technical research papers published in computer science venues that investigate the impact of these laws and explore how technical solutions can complement legal protections. Finally, we analyze the results in this space through an interdisciplinary lens and make recommendations for future work at the intersection of computer science and legal privacy.

Computers and Society

Atheer Aljeraisy,Masoud Barati,Omer Rana,Charith Perera

DOI: https://doi.org/10.48550/arXiv.2210.03520

2022-10-06

Cryptography and Security

Abstract:Internet of Things (IoT) applications have the potential to derive sensitive information about individuals. Therefore, developers must exercise due diligence to make sure that data are managed according to the privacy regulations and data protection laws. However, doing so can be a difficult and challenging task. Recent research has revealed that developers typically face difficulties when complying with regulations. One key reason is that, at times, regulations are vague, and could be challenging to extract and enact such legal requirements. In our research paper, we have conducted a systematic analysis of the data protection laws that are used across different continents, namely: (i) General Data Protection Regulations (GDPR), (ii) the Personal Information Protection and Electronic Documents Act (PIPEDA), (iii) the California Consumer Privacy Act (CCPA), (iv) Australian Privacy Principles (APPs), and (v) New Zealand's Privacy Act 1993. In this technical report, we presented the detailed results of the conducted framework analysis method to attain a comprehensive view of different data protection laws and highlighted the disparities, in order to assist developers in adhering to the regulations across different regions, along with creating a Combined Privacy Law Framework (CPLF). After that, we gave an overview of various Privacy by Design (PbD) schemes developed previously by different researchers. Then, the key principles and individuals' rights of the CPLF were mapped with the privacy principles, strategies, guidelines, and patterns of the Privacy by Design (PbD) schemes in order to investigate the gaps in existing schemes.

Yibo Zhang,Tawei Wang,Carol Hsu

DOI: https://doi.org/10.1108/jic-05-2019-0113

2019-11-20

Journal of Intellectual Capital

Abstract:Purpose The purpose of this paper is to examine the impacts of companies’ voluntary adoption of the General Data Protection Regulation (GDPR) as well as the readability of privacy statements on US customers’ intention to disclose information and their trust in a company. Design/methodology/approach Building on the construal level theory and psychological distance, the authors conduct a 2 × 2 + 2 between-participants experiment with 255 participants. Findings The findings show that a company’s voluntary adoption of the GDPR has positive effects on customers’ intention to disclose information to and their trust in that company. In addition, the effects of GDPR adoption are stronger when the adopting company’s privacy statements possess a higher level of readability. Originality/value The authors believe this study poses policy implications for the outcomes of GDPR adoption and the recent debate on both a stricter data breach and privacy regulation.

management,business

Martha Davis

DOI: https://doi.org/10.4018/978-1-7998-3817-3.ch010

2020-01-01

Abstract:Big data and analytics have not only changed how businesses interact with consumers, but also how consumers interact with the larger world. Smart cities, IoT, cloud, and edge computing technologies are all enabled by data and can provide significant societal benefits via efficiencies and reduction of waste. However, data breaches have also caused serious harm to customers by exposing personal information. Consumers often are unable to make informed decisions about their digital privacy because they are in a position of asymmetric information. There are an increasing number of privacy regulations to give consumers more control over their data. This chapter provides an overview of data privacy regulations, including GDPR. In today's globalized economy, the patchwork of international privacy regulations is difficult to navigate, and, in many instances, fails to provide adequate business certainty or consumer protection. This chapter also discusses current research and implications for costs, data-driven innovation, and consumer trust.

Jayashree Mohan,Melissa Wasserman,Vijay Chidambaram

DOI: https://doi.org/10.1007/978-3-030-33752-0_6

2019-01-01

Abstract:AbstractWith the arrival of the European Union’s General Data Protection Regulation (GDPR), several companies are making significant changes to their systems to achieve compliance. The changes range from modifying privacy policies to redesigning systems which process personal data. Privacy policy is the main medium of information dissemination between the data controller and the users. This work analyzes the privacy policies of large-scaled cloud services which seek to be GDPR compliant. We show that many services that claim compliance today do not have clear and concise privacy policies. We identify several points in the privacy policies which potentially indicate non-compliance; we term these GDPR dark patterns. We identify GDPR dark patterns in ten large-scale cloud services. Based on our analysis, we propose seven best practices for crafting GDPR privacy policies.

Juniper Lovato,Philip Mueller,Parisa Suchdev,Peter S. Dodds

DOI: https://doi.org/10.48550/arXiv.2302.08936

2023-02-17

Computation and Language

Abstract:Collecting personally identifiable information (PII) on data subjects has become big business. Data brokers and data processors are part of a multi-billion-dollar industry that profits from collecting, buying, and selling consumer data. Yet there is little transparency in the data collection industry which makes it difficult to understand what types of data are being collected, used, and sold, and thus the risk to individual data subjects. In this study, we examine a large textual dataset of privacy policies from 1997-2019 in order to investigate the data collection activities of data brokers and data processors. We also develop an original lexicon of PII-related terms representing PII data types curated from legislative texts. This mesoscale analysis looks at privacy policies overtime on the word, topic, and network levels to understand the stability, complexity, and sensitivity of privacy policies over time. We find that (1) privacy legislation correlates with changes in stability and turbulence of PII data types in privacy policies; (2) the complexity of privacy policies decreases over time and becomes more regularized; (3) sensitivity rises over time and shows spikes that are correlated with events when new privacy legislation is introduced.

Yabing Jiang,Thant Syn

DOI: https://doi.org/10.1080/08874417.2022.2095542

2022-07-15

Journal of Computer Information Systems

Abstract:While companies' privacy policies inform consumers about their privacy practices, their adherence to regulations and Fair Information Practices (FIP) may vary widely. We develop and apply an extended checklist to examine the privacy practices of companies with a higher privacy and data security risk. We find that industry sector has a significant effect on companies' privacy practice. Specifically, companies in the non-regulated communication services sector complied to FIP better than those in the regulated financial sector, indicating that the FTC' self-regulation approach works, at least for the examined sector. While 67% of companies fully complied to the Security principle, they were not doing enough in full specification of Enforcement in their privacy policies, indicating that regulators need to strengthen enforcement provision in regulations and develop and enlist various enforcement mechanisms. Overall, this research informs legislation and the public on the effectiveness of self-regulation and government regulation.

computer science, information systems

Seun Solomon Bakare,Adekunle Oyeyemi Adeniyi,Chidiogo Uzoamaka Akpuokwe,Nkechi Emmanuella Eneh

DOI: https://doi.org/10.51594/csitrj.v5i3.859

2024-03-09

Computer Science & IT Research Journal

Abstract:This Review provides an overview of the comparative review of data privacy laws and compliance, focusing on the European Union's General Data Protection Regulation (EU GDPR) and data protection regulations in the United States. The analysis explores key similarities and differences, emphasizing their implications for businesses and individuals. The EU GDPR, implemented in 2018, stands as a landmark regulation governing data protection and privacy for individuals within the European Union and the European Economic Area. In contrast, the United States lacks a comprehensive federal data privacy law. Instead, it relies on a patchwork of sector-specific laws and state regulations, such as the California Consumer Privacy Act (CCPA) and the Health Insurance Portability and Accountability Act (HIPAA). One major distinction lies in the overarching principles of these regulations. The EU GDPR adopts a comprehensive and rights-based approach, emphasizing individual rights to privacy, data portability, and the "right to be forgotten." In contrast, the U.S. system often focuses on specific industries or types of data, leading to a more fragmented regulatory landscape. Both regulatory frameworks incorporate principles of transparency, consent, and data breach notification. However, differences in enforcement mechanisms and penalties exist. The EU GDPR imposes significant fines for non-compliance, reaching up to 4% of a company's global annual revenue. In the U.S., penalties vary by state, and enforcement is often reactive, triggered by data breaches. Businesses operating globally must navigate these distinct regulatory landscapes, necessitating a nuanced approach to data privacy compliance. Multinational corporations must adhere to the more stringent requirements when handling EU citizens' data while also considering the diverse regulations within the U.S. This review underscores the ongoing evolution of data privacy laws worldwide and the critical importance for organizations to stay abreast of these developments. It emphasizes the need for a proactive and adaptive approach to data privacy compliance, taking into account the unique requirements and expectations of both the EU GDPR and U.S. regulations. Keywords: Data Privacy, Laws, Compliance, EU GDPR, Regulations.

Carl Benedikt Frey,Giorgio Presidente

DOI: https://doi.org/10.1111/ecin.13213

2024-03-06

Economic Inquiry

Abstract:This paper examines how privacy regulation shaped firm performance. Controlling for firm and country‐industry‐year unobserved characteristics, we compare the outcomes of firms at different levels of exposure to EU markets, before and after the enforcement of the General Data Protection Regulation (GDPR) in 2018. We find that the GDPR had the unintended consequence of harming the profitability of companies targeting European consumers through the cost channel. Technology firms experienced a 2.1% decline in profits, but not in sales. The GDPR increased extra expenses, added to firms wage bills, and accelerated patenting in GDPR‐related technology fields. The main burdens have been borne by smaller companies.

economics