Data protection authorities and information technology

01 Aug 2017 - Computer Law & Security Review (Elsevier Advanced Technology) - Vol. 33, Iss: 4, pp 421-433
TL;DR: The findings of a recent survey of EU DPAs are reported that explore the problems they have in comprehending new technologies and how they are dealing with them.
About: This article is published in Computer Law & Security Review. The article was published on 2017-08-01 and is currently open access. It has received 23 citations till now. The article focuses on the topics: General Data Protection Regulation & National data protection authority.

Summary

1. Introduction

  • In the field of information privacy, the overwhelming focus of scholarship for several decades has been on the legal and – increasingly – the technological dimensions of data protection; far less attention has been devoted to understanding the work of regulatory organisations, of which data protection authorities (DPAs) are the most prominent.
  • Thus the styles and strategies of DPAs in their regulatory roles are not uniform across the landscape of European or global data protection.

2. The survey and its methodology

  • This article attempts to cast light on this subject by reporting the findings of an empirical survey of all EU DPAs that was conducted in late 2015 and early 2016.
  • Participants – all of whom had significant expertise in this topic – were faced with the results of the survey analysis: their on-site evaluation and comments added important aspects to the findings of the survey.
  • This survey aimed to find out the extent to which DPAs were abreast of changes in ICTs with which personal data are processed and which powerfully shape the terrain on which DPAs’ regulatory and supervisory activities take place.
  • The authors are grateful to the panellists for their participation in the panel, and for their agreement to allow us to use some of the remarks they made in the CPDP panel session.

2.1. DPAs’ expertise in information technologies

  • The survey included a question about how the data protection authorities evaluate the expertise of DPAs in general in the area of information and communication technologies.
  • When asking the respondents to evaluate the level of expertise in ICT in their own organisation, the figures were somewhat higher: DPAs tended to evaluate their own expertise higher than that of the community of DPAs (Fig. 1).
  • The data protection authorities of the federal states of Germany, or those of the cantons of Switzerland.
  • The biggest organisation had 379 employees, while the smallest one had a staff of a single person.
  • Those who were not satisfied with the existing level of ICT expertise among the members of their non-technical staff were asked about the causes of the shortfall.

2.2. The necessary ICT expertise in investigations

  • The survey included a question about the percentage of the respondent organisation’s investigations (responding to data subjects’ complaints or initiated by the DPA itself) that involve general ICT-related aspects (such as the use of computerised databases or the Internet).
  • In the next question the authors asked the respondents about the percentage of investigations that require specific ICT expertise.
  • The vertical lines connecting the round and the triangle dots show the distance between the two, that is, the difference between the two types of investigations belonging to the same DPA.
  • A panellist added that data controllers can mislead DPAs in such matters whenever they want but they do this only infrequently, because they are afraid of the risks.

2.3. DPAs’ strategies in ICT-related decision-making

  • Experience shows that DPAs, partly owing to the administrative and legal traditions of their respective countries, and partly to the traditions of the working methods they had developed over the years, lay different emphasis on the various tasks and roles the authors referred to in the Introduction of this article.
  • This is also reflected in the way DPAs take part in ICT-related decision-making, including legislation, regulation, or giving opinions on certain data processing operations.
  • The survey offered two options to the respondents: whether they prefer (a) participating proactively in strategic decision-making in privacy-related ICT matters, or (b) waiting until the real implications will be clear, and responding accordingly.
  • Almost all DPAs preferred the proactive strategy, and only a few organisations preferred the reactive approach (Fig. 7).
  • The few DPAs that preferred reactive actions mentioned their limited resources, or the fact that their organisation is not involved in the legislative process; however, one DPA clearly stated that the proper strategy is to act only when the challenge is clear.

2.4. DPAs’ preferred ways to keep up with new developments

  • The authors did ask a question about the methods DPAs prefer in acquiring this knowledge, with special regard to understanding FETs.
  • As can be seen in Fig. 8, respondents indicated a range of options, attending conferences and learning sessions being the most popular.
  • The second most popular method was ‘bringing in expertise from outside when necessary’: more than twenty DPAs preferred this option.
  • This seems to be somewhat contradictory to the opinions expressed in the issue of developing expertise in-house v. importing expertise from external sources, when only five responding authorities were in favour of the latter alternative.

2.5. The most important technologies: everything?

  • The authors asked DPAs to say which technologies or applications they thought will have the most significant impact on privacy in general, and on DPAs’ activities and responsibilities in particular.
  • The authors expected the frequent mentioning of well publicised technologies/applications such as big data analysis or the internet of things, along with a few country-specific ones.
  • Respondents could mention any number of technologies they found important.
  • There were 152 mentions altogether; this means that one technology was mentioned only 2.2 times on average.

3. Conclusion

  • The survey findings and the public discussion shed light on the fact that European data protection authorities regard the importance of this area differently, due to the different nature of their investigations, their different approaches to influencing developments in data processing technologies, and the differences in their available resources.
  • Another panellist replied to the moderator’s question and noted the absence of a benchmark: it is difficult to evaluate even one’s own expertise without such a benchmark, and this makes the comparison between DPAs debatable.
  • A member of the audience, during the discussion of the survey findings, publicly offered to help in clarifying the impact of new and emerging technologies, if invited by a DPA.
  • Therefore developing such expertise, and keeping up with new developments, is a core necessity for DPAs.


Citations
01 Jan 2018
TL;DR: This new study elaborates on the risks of discrimination caused by algorithmic decision-making and other types of artificial intelligence (AI).
Abstract: Artificial intelligence (AI) has a huge impact on our personal lives and also on our democratic society as a whole. While AI offers vast opportunities for the benefit of people, its potential to embed and perpetuate bias and discrimination remains one of the most pressing challenges deriving from its increasing use. This new study, which was prepared by Prof. Frederik Zuiderveen Borgesius for the Anti-discrimination Department of the Council of Europe, elaborates on the risks of discrimination caused by algorithmic decision-making and other types of artificial intelligence (AI).

72 citations


Cites background from "Data protection authorities and inf..."

  • ...200 See, on the importance of technical expertise for Data Protection Authorities: Raab and Szekely 2017. 201 Rieke, Bogen and Robinson 2018, p. 2. 202 Rieke, Bogen and Robinson 2018, p. 8. They also give examples of scrutiny of AI systems (p. 31-34). 203 See ECRI Statute Resolution 2002, Article 12; ECRI general policy recommendation no. 2 (2018), para....


Journal ArticleDOI
TL;DR: The Governance of Privacy: Policy Instruments in Global Perspective as mentioned in this paper explores how those instruments have changed as a result of 15 years of fundamental transformations in information technologies, and the new digital economy that they have brought in their wake.
Abstract: In the early 2000s, we surveyed and analyzed the global repertoire of policy instruments deployed to protect personal data in “The Governance of Privacy: Policy Instruments in Global Perspective”. In this article, we explore how those instruments have changed as a result of 15 years of fundamental transformations in information technologies, and the new digital economy that they have brought in their wake. We review the contemporary range of transnational, regulatory, self-regulatory and technical instruments according to the same framework, and conclude that the types of policy instrument have remained relatively stable, even though they are now deployed on a global scale, rather than in association with particular national legal and administrative traditions. While the labels remain the same, however, the conceptual foundations for their legitimation and justification are shifting as a greater emphasis on accountability, risk, ethics and the social/political value of privacy have gained purchase in the policy community. Our exercise in self-reflection demonstrates both continuity and change within the governance of privacy, and displays how we would have tackled the same research project today. As a broader case study of regulation, it also highlights the importance of going beyond the technical and instrumental labels. The change or stability of policy instruments do not take place in isolation from the wider conceptualizations that shape their meaning, purpose and effect.

38 citations

01 Jan 2018
TL;DR: In this article, the authors focused on identification of current role of social media in public marketing and analyzed the Facebook pages of 13 regions of the Czech Republic and analyzed five blocks of Kietzmann's honeycomb framework: identity, conversation, sharing, presence, and reputation.
Abstract: Social media has become a new phenomenon of the society, which significantly affects not individuals only, but also organizations, including public institutions. An article aims on identification of current role of social media in public marketing. Specifically, it focuses on the sample of 13 regions of the Czech Republic and analyzes Facebook pages of its regional authorities. The content analysis concentrates on five blocks (out of seven original ones) of Kietzmann's honeycomb framework: identity, conversation, sharing, presence, and reputation. Findings confirmed that all the regions have their Facebook page set up, one third of regions react on citizen's request up to few minutes, the other one third up to one day. Regional authorities regularly publish its posts (11 posts per week in average) and share their own content, mainly.

31 citations

Journal ArticleDOI
TL;DR: This work suggests a novel architecture for recommender systems that allows the recommender system to utilize rich data collected about the user to produce more accurate recommendations, while allowing its users to manage and gain control over their own data.
Abstract: Recommender systems have become extremely common in recent years, and are applied in a variety of domains. Existing recommender systems exhibit two major limitations: (1) Privacy - each service provider holds a database that contains information about all of its users; and (2) Partial view - when recommending to users, each such service can rely only on data that were collected by the service itself. The Open Personal Data Store (openPDS) architecture was recently suggested for storing personal data in a privacy preserving way. Inspired by openPDS, we suggest a novel architecture for recommender systems that overcomes the two limitations mentioned above. The suggested architecture allows the recommender system to utilize rich data collected about the user (possibly through other services) to produce more accurate recommendations, while allowing its users to manage and gain control over their own data. We evaluate the suggested architecture on two different use cases: movies and web browsing, and compare its performance with that of a popular non-privacy-aware collaborative-filtering algorithm. We find that in comparison to the alternative approach, our approach is able to enhance privacy significantly without sacrificing the accuracy level of the recommendations (and in some cases providing even higher level of accuracy).

20 citations

References
Book
18 Sep 1995
TL;DR: In this paper, the dynamics of congressional policy formulation on privacy issues and why legislation has lagged so far behind technological development are explored, and the authors explain why privacy issues have lagged behind technological developments.
Abstract: From the Publisher: This book explores the dynamics of congressional policy formulation on privacy issues and explains why legislation has lagged so far behind technological development.

308 citations


"Data protection authorities and inf..." refers background in this paper

  • ...…given, it characterises the world that powerfully shapes the performance – and the degree of success – of the multiple roles played by DPAs as among the official guardians of our personal data and our privacy, and of the wider societal interest in privacy as a public good (Raab, 2012; Regan, 1995)....


Book
01 Jan 1989
TL;DR: In this article, the authors examine the passage, revision, and implementation of privacy and data protection laws at the national and state levels in Sweden, Canada, France, Germany, and the United States.
Abstract: Flaherty examines the passage, revision, and implementation of privacy and data protection laws at the national and state levels in Sweden, Canada, France, Germany, and the United States. He offers a comparative and critical analysis of the challenges data protectors face in their attempt to preserve individual rights.

104 citations


"Data protection authorities and inf..." refers background in this paper

  • ...The survey was organised to coincide with a public panel discussion on DPAs’ understanding of ICT that was chaired and moderated by the authors in the Computers, Privacy and Data Protection (CPDP) 1 http://www.aki.ee/en/inspectorate/typology-dpa-s 2 Quoted in Flaherty (1989): 383, note 33....


  • ...Each agency has specialists in various types of information systems and data flows who can speak intelligently about data protection and security with the operators of government information systems’ (Flaherty, 1989, p. 383)....


Posted Content
TL;DR: Privacy on the Ground: Driving Corporate Behavior in the US and Europe as mentioned in this paper, an intensive five-nation study that goes inside corporations to examine how the people charged with protecting privacy actually do their work, and what kinds of regulation effectively shape their behavior.
Abstract: Barely a week goes by without a new privacy revelation or scandal. Whether by hackers or spy agencies or social networks, violations of our personal information have shaken entire industries, corroded relations among nations, and bred distrust between democratic governments and their citizens. Polls reflect this concern, and show majorities for more, broader, and stricter regulation—to put more laws “on the books.” But there was scant evidence of how well tighter regulation actually worked “on the ground” in changing corporate (or government) behavior—until now. This paper is the Introduction from the book, Privacy on the Ground: Driving Corporate Behavior in the US and Europe, an intensive five-nation study that goes inside corporations to examine how the people charged with protecting privacy actually do their work, and what kinds of regulation effectively shape their behavior. The research yields a surprising result. The countries with more ambiguous regulation—Germany and the United States—had the strongest corporate privacy management practices, despite very different cultural and legal environments. The more rule-bound countries—like France and Spain—trended instead toward compliance processes, not embedded privacy practices. At a crucial time, when Big Data and the Internet of Things are snowballing, Privacy on the Ground helpfully searches out the best practices by corporations, provides guidance to policymakers, and offers important lessons for everyone concerned with privacy, now and in the future.

45 citations


"Data protection authorities and inf..." refers background in this paper

  • ...Privacy law ‘on the ground’ rather than ‘on the books’, in the terms used by Bamberger and Mulligan (2015) in their study of corporate privacy behaviour, involves not only the work of chief privacy officers (CPOs) but of DPAs, with whom those non-state actors frequently engage in relationships that…...


Frequently Asked Questions (8)
Q1. What are the contributions in this paper?

The ability of data protection authorities (DPAs) to gain and deploy sufficient knowledge of new technological developments in their regulation of personal-information practices is an important consideration now and for the future. This article reports the findings of a recent survey of EU DPAs that explore the problems they have in comprehending new technologies and how they are dealing with them.

Countries are frequently criticised for only passing laws to protect privacy without also creating implementation machinery that gives the law force through the institutional machinery by means of which compliance, good practice, and other requisites can be encouraged or required; the US is the most prominent case-in-point. 

Formal training was also among the popular options, and the respondents mentioned a range of other methods as well; for example:

  • individual self-development, such as reading professional literature or taking courses;
  • learning while doing, i.e., acquiring the necessary knowledge on the job;
  • organising in-house informal training sessions;
  • asking or accepting assistance from the business or the academic community;
  • exchange of experience and expertise with other DPAs;
  • participation in research projects at the intersection of data protection and technology.

The survey found that the predominant opinion among DPAs was in favour of developing the necessary information technology expertise in the framework of their organisations and only a few DPAs thought that relying on the expertise of external ICT professionals was a better solution (Fig. 6). 

In the 11-25% category about the same number of organisations evaluated this proportion as satisfactory and unsatisfactory, evenly distributed on the scale of the DPAs’ size. 

Among those that preferred in-house developing of expertise and explained their choice, the following reasons deserve noting:

  • in the field of privacy and data protection, IT professionals need special knowledge, not only in legal terms but also in the technologies of processing personal data, and such a knowledge can be developed to the required level within DPAs and more easily in the course of practical audits of data controllers;
  • ICT expertise has to be continuously available in-house, not only when a specific case makes it necessary;
  • DPAs have to be proactive, conducting preliminary audits and evaluating privacy and data protection impact assessments of new data controlling operations, and since such operations are based almost entirely on new data processing technologies, these investigations also need the participation of ICT experts (one organisation noted that independence and impartiality can only be ensured if the experts represent the DPA itself;

(1) frequently, (2) sometimes, (3) almost never, the majority of the audience voted for option 2.

The survey was organised to coincide with a public panel discussion on DPAs’ understanding of ICT that was chaired and moderated by the authors in the Computers, Privacy and Data Protection (CPDP) conference held in Brussels in January 2016.

In the opinion of two of the panellists, this was due to a psychological characteristic of the institutions: they see themselves in a better position than that of ‘the others’.