Ali Alibeigi,Abu Bakar Munir

DOI: https://doi.org/10.69554/yqug8122

2022-08-01

Abstract:The massive and implausible advancements in the fields of information and communications technology, and especially the internet, have increased both the value and threats to the information privacy of individuals. The Malaysian Personal Data Protection Act 2010 (PDPA) was a governmental endeavour to protect the information privacy of the citizens. However, the Act's output and the level of compliance by the data users are in a halo of ambiguity. This qualitative study using the document analysis aimed to find out to what extent the communications companies comply with the Act. Hence, the privacy policies of these companies were evaluated in line with the requirements of the Act. The results indicated that more or less all samples failed to satisfy the PDPA requirements. The solutions provided by this research can be used as practical guidelines to draft a Standard Privacy Policy. The suggestions also would benefit the Personal Data Protection Commissioner in performing his duties and functions.

Ali Alibeigi,Abu Bakar Munir,Adeleh Asemi

DOI: https://doi.org/10.1080/13600869.2021.1970936

2021-08-23

International Review of Law, Computers and Technology

Abstract:The sensitivity and value of personal information, especially financial data concerning the increasing threats, particularly in the online domain, make it urgent to assess how far financial companies are serious about respecting and protecting individuals' information privacy. The recent incidents and cases in Malaysia indicate this necessity. To date, there is not any official report or study concerning this issue in Malaysia. The purpose of the research was to assess the out-put of the Malaysian Personal Data Protection Act 2010 through evaluating the privacy policies of the Banks and Financial Institutions. In this qualitative research, the compliance assessment is delimited to compliance with specific requirements, especially the Notice and Choice Principle and individuals' rights through document study. We proposed an evaluation model based on the standards of the PDPA. The qualitative analysis of the results showed a non-compliance with the requirements of the Act by the financial sector. Hence, suggestions and solutions are provided in line with a standard privacy policy for these types of companies.

Dian Purwaningrum Soemitro,Muhammad Arvin Wicaksono,Nur Aini Putri

DOI: https://doi.org/10.37276/sjh.v5i1.272

2023-07-31

SIGn Jurnal Hukum

Abstract:This study aims to compare the penal provisions between the PDPA and Law Number 27 of 2022. This study uses normative legal research with the statute and comparative approaches. The collected legal material is then qualitatively analyzed to describe the problem and answer study purposes. The results show a striking difference between the PDPA and Law Number 27 of 2022 concerning penal provisions related to offenses of personal data protection. The PDPA portrays a more moderate approach by establishing relatively lighter imprisonment and fines. In contrast, Law Number 27 of 2022 illustrates a stricter approach with more severe imprisonment, fines, and additional punishments. Singapore leans towards prevention and education, while Indonesia places a high priority on law enforcement. Nonetheless, both approaches ultimately aim to protect their citizens’ personal data. Therefore, it recommended that the relevant authorities in both Singapore and Indonesia continually evaluate and adapt their legal frameworks to safeguard personal data effectively. Singapore could consider stricter penalties to discourage offenses while maintaining its focus on education and prevention. On the other hand, while Indonesia’s commitment to law enforcement is commendable, it could also benefit from incorporating preventive measures and public education to promote understanding and voluntary compliance. Collaborative efforts between the two countries can facilitate continual enhancements in personal data protection within their respective jurisdictions.

Yibo Zhang,Tawei Wang,Carol Hsu

DOI: https://doi.org/10.1108/jic-05-2019-0113

2019-11-20

Journal of Intellectual Capital

Abstract:Purpose The purpose of this paper is to examine the impacts of companies’ voluntary adoption of the General Data Protection Regulation (GDPR) as well as the readability of privacy statements on US customers’ intention to disclose information and their trust in a company. Design/methodology/approach Building on the construal level theory and psychological distance, the authors conduct a 2 × 2 + 2 between-participants experiment with 255 participants. Findings The findings show that a company’s voluntary adoption of the GDPR has positive effects on customers’ intention to disclose information to and their trust in that company. In addition, the effects of GDPR adoption are stronger when the adopting company’s privacy statements possess a higher level of readability. Originality/value The authors believe this study poses policy implications for the outcomes of GDPR adoption and the recent debate on both a stricter data breach and privacy regulation.

management,business

Wan-Tzu Su,Pei-Yu Lee,Hung-San Kuo,Chien-Lin Kuo

DOI: https://doi.org/10.6224/JN.202110_68(5).07

Abstract:Background: The aim of the Personal Data Protection Act (PDPA) is to regulate the collection, processing, and use of personal information; to avoid the infringement of personal rights; and to promote the reasonable use of personal information. Clinical nurses are frontline patient caregivers, and they are the most likely to have access to patients' personal information. If these nurses do not clearly understand the PDPA, they may violate the law and affect patients' rights. Purpose: The purpose of this study was to investigate the knowledge level of clinical nurses regarding the PDPA and related factors, with the findings intended to serve as a reference for continuing education. Methods: A cross-sectional research design was adopted. A purposive sample of nurses working at a regional hospital in southern Taiwan was selected. A self-administered survey incorporating the self-developed Nurses Knowledge Scale for Patient Personal Data Protection Act (NKSPPDPA) was used to collect data from May to June 2017. Results: A total of 269 valid responses were received (return rate: 89.67%). The mean score on the NKSPPDPA was 68.80 out of a total-possible 100 points. Knowledge related to patient privacy and penalties was relatively low. Moreover, working department, job title, and participation in PDPA-related on-the-job education were found to be significant predictors of NKSPPDPA score, while years of experience was found to have a low correlation only. Conclusions: The results suggest that clinical nurses have knowledge gaps regarding PDPA, especially in terms of privacy and penalties. Nurses should participate in continuing education to address these knowledge gaps.

Hamoud Alhazmi,Ahmed Imran,Mohammad Abu Alsheikh

2024-11-19

Abstract:Perception of privacy is a contested concept, which is also evolving along with the rapid proliferation and expansion of technological advancements. Information systems (IS) applications incorporate various sensing infrastructures, high-speed networks, and computing components that enable pervasive data collection about people. Any digital privacy breach within such systems can result in harmful and far-reaching impacts on individuals and societies. Accordingly, IS organisations have a legal and ethical responsibility to respect and protect individuals digital privacy rights. This study investigates people perception of digital privacy protection of government data using the General Data Protection Regulation (GDPR) framework. Findings suggest a dichotomy of perception in protecting people privacy rights. For example, people perceive the right to be informed as the most respected and protected in Information Technology (IT) systems. On the contrary, the right to object by granting and with-drawing consent is perceived as the least protected. Second, the study shows evidence of a social dilemma in people perception of digital privacy based on their context and culture.

Cryptography and Security

Ayesha Qamar,Tehreem Javed,Mirza Omer Beg

DOI: https://doi.org/10.48550/arXiv.2102.12362

2021-02-21

Abstract:Privacy Policies are the legal documents that describe the practices that an organization or company has adopted in the handling of the personal data of its users. But as policies are a legal document, they are often written in extensive legal jargon that is difficult to understand. Though work has been done on privacy policies but none that caters to the problem of verifying if a given privacy policy adheres to the data protection laws of a given country or state. We aim to bridge that gap by providing a framework that analyzes privacy policies in light of various data protection laws, such as the General Data Protection Regulation (GDPR). To achieve that, firstly we labeled both the privacy policies and laws. Then a correlation scheme is developed to map the contents of a privacy policy to the appropriate segments of law that a policy must conform to. Then we check the compliance of privacy policy's text with the corresponding text of the law using NLP techniques. By using such a tool, users would be better equipped to understand how their personal data is managed. For now, we have provided a mapping for the GDPR and PDPA, but other laws can easily be incorporated in the already built pipeline.

Cryptography and Security,Computation and Language

Yabing Jiang,Thant Syn

DOI: https://doi.org/10.1080/08874417.2022.2095542

2022-07-15

Journal of Computer Information Systems

Abstract:While companies' privacy policies inform consumers about their privacy practices, their adherence to regulations and Fair Information Practices (FIP) may vary widely. We develop and apply an extended checklist to examine the privacy practices of companies with a higher privacy and data security risk. We find that industry sector has a significant effect on companies' privacy practice. Specifically, companies in the non-regulated communication services sector complied to FIP better than those in the regulated financial sector, indicating that the FTC' self-regulation approach works, at least for the examined sector. While 67% of companies fully complied to the Security principle, they were not doing enough in full specification of Enforcement in their privacy policies, indicating that regulators need to strengthen enforcement provision in regulations and develop and enlist various enforcement mechanisms. Overall, this research informs legislation and the public on the effectiveness of self-regulation and government regulation.

computer science, information systems

Atheer Aljeraisy,Masoud Barati,Omer Rana,Charith Perera

DOI: https://doi.org/10.48550/arXiv.2210.03520

2022-10-06

Cryptography and Security

Abstract:Internet of Things (IoT) applications have the potential to derive sensitive information about individuals. Therefore, developers must exercise due diligence to make sure that data are managed according to the privacy regulations and data protection laws. However, doing so can be a difficult and challenging task. Recent research has revealed that developers typically face difficulties when complying with regulations. One key reason is that, at times, regulations are vague, and could be challenging to extract and enact such legal requirements. In our research paper, we have conducted a systematic analysis of the data protection laws that are used across different continents, namely: (i) General Data Protection Regulations (GDPR), (ii) the Personal Information Protection and Electronic Documents Act (PIPEDA), (iii) the California Consumer Privacy Act (CCPA), (iv) Australian Privacy Principles (APPs), and (v) New Zealand's Privacy Act 1993. In this technical report, we presented the detailed results of the conducted framework analysis method to attain a comprehensive view of different data protection laws and highlighted the disparities, in order to assist developers in adhering to the regulations across different regions, along with creating a Combined Privacy Law Framework (CPLF). After that, we gave an overview of various Privacy by Design (PbD) schemes developed previously by different researchers. Then, the key principles and individuals' rights of the CPLF were mapped with the privacy principles, strategies, guidelines, and patterns of the Privacy by Design (PbD) schemes in order to investigate the gaps in existing schemes.

Lau Keng Yew,Meng Ma,Mak Wai Hong,Nor Azazi Zakaria

2011-01-01

Abstract:The rise in popularity of social networking sites (SNS) has led to various social and ethical issues such as privacy. The freedom to share and post information, pictures and to network with each other have raised privacy concerns among SNS members. We carried out a survey of 100 students at one of Malaysian universities to analyze their behavior on the SNSs in terms of awareness of privacy protection and what actions they have been taken. The survey results show that most of the students are aware of the customizable privacy settings but less than half of them change or modify them. This survey is important for understanding the user' approach to privacy protection, which in turn is important for our proposed privacy protection systems in future research.

Lu Zhang,Nabil Moukafih,Hamad Alamri,Gregory Epiphaniou,Carsten Maple

2024-07-09

Abstract:Since its implementation in May 2018, the General Data Protection Regulation (GDPR) has prompted businesses to revisit and revise their data handling practices to ensure compliance. The privacy policy, which serves as the primary means of informing users about their privacy rights and the data practices of companies, has been significantly updated by numerous businesses post-GDPR implementation. However, many privacy policies remain packed with technical jargon, lengthy explanations, and vague descriptions of data practices and user rights. This makes it a challenging task for users and regulatory authorities to manually verify the GDPR compliance of these privacy policies. In this study, we aim to address the challenge of compliance analysis between GDPR (Article 13) and privacy policies for 5G networks. We manually collected privacy policies from almost 70 different 5G MNOs, and we utilized an automated BERT-based model for classification. We show that an encouraging 51$\%$ of companies demonstrate a strong adherence to GDPR. In addition, we present the first study that provides current empirical evidence on the readability of privacy policies for 5G network. we adopted readability analysis toolset that incorporates various established readability metrics. The findings empirically show that the readability of the majority of current privacy policies remains a significant challenge. Hence, 5G providers need to invest considerable effort into revising these documents to enhance both their utility and the overall user experience.

Cryptography and Security,Artificial Intelligence

Ananda Dwitha Yuniar

DOI: https://doi.org/10.1108/ijse-11-2022-0740

2024-01-10

International Journal of Social Economics

Abstract:Purpose Privacy is a sensitive issue in business because it involves how a platform uses consumer personal data. In terms of consumer rights, personal information needs to be protected in the privacy policy (PP). This study describes several aspects of the PP that consumers need to pay attention to, especially points prone to misuse of personal information. Design/methodology/approach This research used a taxonomy of consumer privacy concerns in e-commerce to reveal general and specific privacy concerns. The privacy calculus theory was also applied to explore consumer rationalization using (1) consumer knowledge about PP, (2) subjective perception, and (3) proximity to the PP features. Furthermore, the netnographic approach was used to combine the interrelation between technology and social construction. A sample of 378 young consumers in several major cities in Indonesia participated online and offline. Semi-structured interviews were also conducted to gain more in-depth comprehension. Findings The results showed that most young consumers have sufficient basic knowledge of the important points of PP. Furthermore, they tend not to read the PP because it is long and cumbersome, and therefore do not wish to expend much cognitive effort on it. Originality/value This study provides several results that can be utilized by policymakers or e-commerce companies to pay more attention to PPs for young groups. In addition, e-commerce companies can increase the knowledge of the privacy situation of Internet users in general. Peer review The peer review history for this article is available at: https://publons.com/publon/10.1108/IJSE-11-2022-0740

English Else

Awatef Issaoui,Jenny Örtensjö,M. Sirajul Islam

DOI: https://doi.org/10.1186/s43093-023-00285-2

2023-12-15

Future Business Journal

Abstract:Abstract The adoption of cloud services offers manifold advantages to public organizations; however, ensuring data privacy during data transfers has become increasingly complex since the inception of the General Data Protection Regulation (GDPR). This study investigates privacy concerns experienced by public organizations in Sweden, focusing on GDPR compliance. A qualitative interpretative approach was adopted, involving semi-structured interviews with seven employees from five public organizations in Sweden. Additionally, secondary data were gathered through an extensive literature review. The collected data were analyzed and classified using the seven privacy threat categories outlined in the LINDDUN framework. The key findings reveal several significant privacy issues when utilizing public cloud services, including unauthorized access, loss of confidentiality, lack of awareness, lack of trust, legal uncertainties, regulatory challenges, and loss of control. The study underscores the importance of implementing measures such as anonymization, pseudonymization, encryption, contractual agreements, and well-defined routines to ensure GDPR compliance. The findings emphasize the importance of implementing measures such as anonymization, pseudonymization, encryption, contractual agreements, and well-defined routines to ensure GDPR compliance. Furthermore, this research highlights the critical aspect of digital sovereignty in addressing privacy challenges associated with public cloud service adoption by public organizations in Sweden.

Awanthika Rasanjalee Senarath,Nalin Asanka Gamagedara Arachchilage

DOI: https://doi.org/10.48550/arXiv.1710.03890

2017-10-11

Abstract:End user privacy is a critical concern for all organizations that collect, process and store user data as a part of their business. Privacy concerned users, regulatory bodies and privacy experts continuously demand organizations provide users with privacy protection. Current research lacks an understanding of organizational characteristics that affect an organization's motivation towards user privacy. This has resulted in a "one solution fits all" approach, which is incapable of providing sustainable solutions for organizational issues related to user privacy. In this work, we have empirically investigated 40 diverse organizations on their motivations and approaches towards user privacy. Resources such as newspaper articles, privacy policies and internal privacy reports that display information about organizational motivations and approaches towards user privacy were used in the study. We could observe organizations to have two primary motivations to provide end users with privacy as voluntary driven inherent motivation, and risk driven compliance motivation. Building up on these findings we developed a taxonomy of organizational privacy approaches and further explored the taxonomy through limited exclusive interviews. With his work, we encourage authorities and scholars to understand organizational characteristics that define an organization's approach towards privacy, in order to effectively communicate regulations that enforce and encourage organizations to consider privacy within their business practices.

Cryptography and Security,Computers and Society

Keng Yew Lau,Meng Ma,Wai Hong Mak,Nor Azazi Zakaria

2011-01-01

Abstract:The rise in popularity of social networking sites (SNS) has led to various social and ethical issues such as privacy.The freedom to share and post information, pictures and to network with each other have raised privacy concerns among SNS members.We carried out a survey of 100 students at one of Malaysian universities to analyze their behavior on the SNSs in terms of awareness of privacy protection and what actions they have been taken.The survey results show that most of the students are aware of the customizable privacy settings but less than half of them change or modify them.This survey is important for understanding the user’ approach to privacy protection, which in turn is important for our proposed privacy protection systems in future research.

Jana Korunovska,Bernadette Kamleitner,Sarah Spiekermann

DOI: https://doi.org/10.48550/arXiv.2005.08967

2020-05-18

Abstract:The new information and communication technology providers collect increasing amounts of personal data, a lot of which is user generated. Unless use policies are privacy-friendly, this leaves users vulnerable to privacy risks such as exposure through public data visibility or intrusive commercialisation of their data through secondary data use. Due to complex privacy policies, many users of online services unwillingly agree to privacy-intruding practices. To give users more control over their privacy, scholars and regulators have pushed for short, simple, and prominent privacy policies. The premise has been that users will see and comprehend such policies, and then rationally adjust their disclosure behaviour. In this paper, on a use case of social network service site, we show that this premise does not hold. We invited 214 regular Facebook users to join a new fictitious social network. We experimentally manipulated the privacy-friendliness of an unavoidable and simple privacy policy. Half of our participants miscomprehended even this transparent privacy policy. When privacy threats of secondary data use were present, users remembered the policies as more privacy-friendly than they actually were and unwittingly uploaded more data. To mitigate such behavioural pitfalls we present design recommendations to improve the quality of informed consent.

Computers and Society

Jayashree Mohan,Melissa Wasserman,Vijay Chidambaram

DOI: https://doi.org/10.1007/978-3-030-33752-0_6

2019-01-01

Abstract:AbstractWith the arrival of the European Union’s General Data Protection Regulation (GDPR), several companies are making significant changes to their systems to achieve compliance. The changes range from modifying privacy policies to redesigning systems which process personal data. Privacy policy is the main medium of information dissemination between the data controller and the users. This work analyzes the privacy policies of large-scaled cloud services which seek to be GDPR compliant. We show that many services that claim compliance today do not have clear and concise privacy policies. We identify several points in the privacy policies which potentially indicate non-compliance; we term these GDPR dark patterns. We identify GDPR dark patterns in ten large-scale cloud services. Based on our analysis, we propose seven best practices for crafting GDPR privacy policies.

Yannic Meier,Johanna Schäwel,Nicole C. Krämer

DOI: https://doi.org/10.17645/mac.v8i2.2846

IF: 3.043

2020-06-23

Media and Communication

Abstract:Privacy policies provide Internet users with the possibility to inform themselves about websites’ usage of their disclosed personal data. Strikingly, however, most people tend not to read privacy policies because they are long and cumbersome, indicating that people do not wish to expend much (cognitive) effort on reading such policies. The present study aimed to examine whether shorter privacy policies can be beneficial in informing users about a social networking site’s (SNS) privacy practices, and to investigate associations between variables relevant for privacy decision-making using one theory-based integrative model. In an online experiment, participants ( N = 305) were asked to create a personal account on an SNS after being given the option to read the privacy policy. Privacy policy length and the SNS’s level of privacy were varied, creating a 2 (policy length) x 2 (level of privacy) between-subjects design. The results revealed that participants who saw short policies spent less time on reading but gained higher knowledge about the SNS’s privacy practices—due to the fact that they spent more reading time per word. Factual privacy policy knowledge was found to be an indicator for participants’ subjective privacy perception. The perception and evaluation of the specific SNS ́s privacy level influenced the assessment of privacy costs and benefits. Particularly when benefits were perceived as high, self-disclosure was increased.

communication

Shara Monteleone

Abstract:Information notice and data subject's consent are the current main legal safeguards of data protection and privacy rights: they reflect individuals' instances, such as self-determination and control over one's own private sphere, that have been acknowledged in many jurisdictions. However, the theoretic strength of these safeguards appears frustrated by current online practices that seem suggesting to give-up with their most common form of implementation: privacy notices and request for consent. These measures are proving to be unsuccessful in increasing users' awareness and in fostering a privacy protective-behaviour. As recent studies have shown, although people declare privacy concerns, their actual behaviour diverges from their statements (the "privacy paradox"), as they seem to increasingly disclose personal data and to not even read privacy notices available online; eventually, the current privacy notices are not effective in regulating user's data disclosure. Behaviourally informed approaches to regulatory problems, already applied to different areas of information provision and public policy, helped to clarify the reasons of similar peoples' behaviour that cannot be reduced to a simplistic "users do not care about privacy." Highlighting the regulatory weakness of traditional information notices, applied behavioural science has also demonstrated to be particularly effective in improving users' decision-making and attaining concrete policy objectives if accompanied by ad hoc design interventions to display the relevant, salient information. As users do not read privacy policies or act in contradiction with them, other strategies might be more successful in promoting, "nudging," privacy-protective behaviour. The use of innovative information notices, like salient alerts and nudges, seems to be a promising means of behavioural change also in the area of digital privacy, a possible new area of application of behavioural insights. Building on recent studies in the field ( conducted mainly in the U.S.), this paper considers new forms of privacy notices (like "visceral" 2 Syracuse Journal of International Law and Commerce, Vol. 43, No. 1 [2015], Art. 4 https://surface.syr.edu/jilc/vol43/iss1/4 2015] Addressing the 'Failure' of Informed Consent 71 notices), as alternative or complement to current legal (technical) measures for data protection. For the informed consent approach (or "notice and choice" approach) to work, it needs to be improved with welldesigned, transparent and regulated nudging system, capable to help citizens in their decision-making as regards their privacy. Without disregarding the challenges and limitations of nudging strategies in public policy in general and in the privacy area in particular, and examining their legal grounds, the paper aims also to integrate that branch of legal-policy research that see "nudging" methods as an effective way to gently encourage safer behaviours in the citizens.

Computer Science,Economics,Law

Tao Fu

DOI: https://doi.org/10.1177/1742766519846644

2019-05-27

Global Media and Communication

Abstract:By examining the privacy policies of leading Chinese Internet and information service providers (IISPs), this study found their privacy policies to be generally compliant with China’s personal information protection provisions. These IISPs use proper mechanisms showing their commitment, measures and enforcement to data security, but their Fair Information Practices need improvement. Personal information protection in China is severe. Privacy policies offer more ‘notice’ than they do ‘choice’. Chinese IISPs collect and use information extensively in the guise of providing value to users, but have given insufficient consideration to transborder data flows and change of ownership. Societal and technological mechanisms have not been widely sought.