An Economic Approach towards Privacy Enforcement

Jimmy C. Tseng, Assistant Professor, Rotterdam School of Management, jtseng@fbk.eur.nl




I. Information at the centre of debate

  • Information technology is reducing the cost of collecting, storing, manipulating, and exchanging large amounts of information.

  • Trend towards transparency and accountability in business using IT

  • Information transparency can lead to economic efficiency and increased control at the same time.

  • Data ownership and property rights are hard to define, agree upon and enforce

ERIM/PRIME Privacy for Business Workshop - The Airlines Sector



Debunking some myths

  • There are economic incentives for businesses to maximize the commercial value of personal data.

  • Privacy, or protection of personal data in business data processing, is often regarded as a constraint on business efficiency and hence counter-productive to business.

  • Decision makers can find an appropriate balance between the threat to privacy and the needs of business organisation alone (“private costs”)


Fact of the matter: compliance is poor

  • In spite of EU Data Protection Directive, national legislation, and self-regulation, compliance with legislation and privacy policies is poor...

  • Difficulty in checking for compliance

  • Difficulty in enforcing privacy rules

  • Difficulty in setting software standards


The need for stronger enforcement

  • Compliance with privacy policies and seals not easily enforceable

  • Compliance with data protection rules is not easily enforceable

  • Both the US FTC and EU call for stronger enforcement of privacy rules


II. The research agenda

  • Need for more theoretical foundations

    • Economics of information

    • Economics of privacy

    • Institutional economics

  • Need for empirical research

    • Costs of compliance

    • Costs of enforcement

    • Institutional arrangements to align economic incentives with privacy laws


Economics of information

  • The role of information in markets

  • Information Asymmetry

    • Individuals are able to differentiate between good and poor data protection practices in a costless manner

  • Transaction costs

    • ICT reducing search and managerial costs, but increasing compliance and enforcement costs


Economics of privacy

  • Posner (1981) argues that reducing the availability of information leads to less efficient markets and higher prices.

  • Privacy as public good

  • Role of technology in shifting enforcement costs

  • Role of institutions in aligning economic incentives


Why is enforcement weak?

  • Compliance is not rewarding

  • Enforcement is costly

  • Lack of awareness

  • Lack of market incentives


Compliance is not rewarding

  • “Compliance with privacy under existing laws does not reward those that comply, nor does it deter those that do not. Fines are often below the cost of dealing with complaints and investigations. The costs organisations incur for non-compliance with existing data protection legislation are often not commensurate with cost of dealing with complaints and investigations.”


Balancing risk

Source: Miyoshi and Ho


Enforcement is costly

  • “Data protection authorities require significant resources to deal with complaints, inspections, audits, administrative decisions, and court actions, all of which are costly. When the burden of proof is on the regulators under public law, data protection authorities can only afford to react to the most serious complaints, resulting in lax enforcement of data protection legislation.”


Lack of awareness

  • “Second, the risks the organisations incur for non-compliance with data protection legislation can be justified by the lack of awareness of data protection practices, or the state of the art. Organisations can often plead innocence, and not take action until data protection authorities instigate an investigation. The burden is on the data protection authorities to educate the users and recommend changes in business practices for compliance with data protection legislation, hence the lax compliance with data protection legislation.”


Lack of market incentives

  • “In the absence of an effective privacy-seal programme or other effective ways of signalling compliance (or quality in general) in a market, organisations are rarely punished in the marketplace when they are not in compliance with data protection legislation or industry best practices. It is costly for individuals to verify whether businesses are complying with the information practices they disclose to customers. When consumers are unable to tell the difference, they are unwilling to pay higher prices with merchants that merely state that they invest in privacy-enhancing technologies and practices, but do not do so. When it is difficult to signal product quality within markets, the result is inferior products and services.”


Private and Social Costs of Privacy

  • Market and Regulation failure

  • Privacy as public good

  • Social cost of privacy


Market failure

  • “When it is difficult to signal product quality within markets, the result is inferior products, and possibly market failure. It is costly for individuals to verify whether businesses are complying with the information practices disclosed. When consumers are unable to tell the difference, they are unwilling to pay higher prices with merchants that merely state that they invest in privacy-enhancing technologies and practices. Markets operate efficiently under clear rules that guide practice.”


Regulation failure

  • “If there is asymmetry of information and a market failure, government intervention may be justified. But the key questions are where the market fails, in what way it fails, and what intervention could correct the failure without causing other adverse effects.” (Bergkamp, p.41, 2002)


Privacy as public good

  • “Similar to other basic human rights, the right to privacy is a public good because it is non-excludable and non-rival… The more widely accepted the principle and practice of privacy, the more confidence all parties will have on benefits of the public good, and hence contribute to its production. The less the right to privacy is practiced, the less incentive there is for any party to provide the public good for others to enjoy. If the right to privacy has the characteristic of a public good, private actors are inclined to behave opportunistically by trying to free-ride on the public good without contributing to its production.”


Public goods and collective action

  • “This is, indeed, a dilemma, that public goods face. Without some sort of collective-action mechanism they risk being under-provided. Conversely, without collective action public bads – such as pollution, noise, risky bank lending, and so on – would be overprovided.” (Kaul, 2002, p.302)


Social cost of privacy

  • “The detrimental effects of erosion of privacy (e.g. surveillance, unwanted marketing, spam mail, identity theft) is a social cost that is often not qualified. Maintaining the status quo erodes social capital both online and offline.”


Network externalities and social cost

  • “Economically, privacy can be understood as a problem of social cost, where the actions of one agent (e.g., a mailing list broker) impart a negative externality on another agent (e.g., an end consumer). Problems in social cost can be understood by modelling the liabilities, transaction costs and property rights assigned to various economic agents within the system, and can be resolved by reallocating property rights and liability to different agents as needed to achieve economic equilibrium.” (Paul Sholtz, 2001)


III. Privacy Enforcement

  • PETs have the potential to reduce the cost of compliance for businesses intent on complying, but they are not sufficient to signal quality to the consumer, nor do they actually ensure compliance.

  • Technology and regulations can work together to reduce compliance, monitoring, and enforcement costs.

  • Reduction in enforcement costs may be an objective criterion for evaluating the success of PETs and the PRIME project.


Automating enforcement of privacy

  • Platform for Privacy Preferences (P3P) is a simple, automated way for users to gain more control over the use of personal information on Web sites they visit

  • P3P-enabled Web sites make this information available in a standard, machine-readable format. P3P-enabled browsers can "read" this snapshot automatically and compare it to the consumer's own set of privacy preferences

  • http://www.w3.org/P3P/
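
A sketch of the comparison a P3P user agent performs, as an added example that is not part of the original slides: it parses a site's P3P compact policy (the `CP="..."` value of the P3P HTTP response header) and checks it against a user's preferences. The preference structure, function names and sample values are constructed for illustration, and only the purpose, recipient and retention tokens of P3P 1.0 are handled.

```python
import re

# P3P 1.0 compact-policy tokens for three of the policy elements.
PURPOSE = set("CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP".split())
RECIPIENT = set("OUR DEL SAM UNR PUB OTR".split())
RETENTION = set("NOR STP LEG BUS IND".split())
# Consent suffix: a = always, o = opt-out, i = opt-in (no suffix means "a").
CONSENT_RANK = {"a": 0, "o": 1, "i": 2}

def parse_compact_policy(header):
    """Parse a P3P header value like 'CP="NOI CURa OUR STP"'; None if absent."""
    match = re.search(r'CP\s*=\s*"([^"]*)"', header or "")
    if not match:
        return None
    policy = {"purpose": {}, "recipient": {}, "retention": set()}
    for token in match.group(1).split():
        base, flag = token[:3].upper(), token[3:].lower() or "a"
        if flag not in CONSENT_RANK:
            flag = "a"  # unreadable suffix: assume the least protective case
        if base in PURPOSE:
            policy["purpose"][base] = flag
        elif base in RECIPIENT:
            policy["recipient"][base] = flag
        elif base in RETENTION:
            policy["retention"].add(base)
    return policy

def violations(header, prefs):
    """List the ways a declared policy conflicts with the user's preferences."""
    policy = parse_compact_policy(header)
    if policy is None:
        return ["no compact policy declared"]  # fail closed
    found = []
    for kind in ("purpose", "recipient"):
        for token, flag in sorted(policy[kind].items()):
            required = prefs[kind].get(token)
            if required == "never":
                found.append(f"{kind} {token} refused")
            elif required and CONSENT_RANK[flag] < CONSENT_RANK[required]:
                found.append(f"{kind} {token} needs '{required}', site offers '{flag}'")
    for token in sorted(policy["retention"] & prefs["retention_refused"]):
        found.append(f"retention {token} refused")
    return found

# Constructed preferences: telemarketing only with opt-in, contact at least
# opt-out, no unrelated or public recipients, no indefinite retention.
PREFS = {"purpose": {"TEL": "i", "CON": "o"},
         "recipient": {"UNR": "never", "PUB": "never"},
         "retention_refused": {"IND"}}
```

The compact policy is the site's own declaration, so an empty result shows only that the stated practices match the preferences, not that the site follows them.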


Privacy Enhancing Identity Management from the Research labs

[Diagram labels: Disclosure; Software agent; Client roles (Anonymous, Pseudonym, Fully detailed); Business; Data tracking]


Service level negotiation

[Diagram labels: Disclosure of personal data; Software agent; Business; Conditions, e.g.: Delete all personal data after transaction is complete]


Customization of client preferences

  • Software enabling businesses to customize client preferences

    • Example: Negotiate the deletion of personal data after a certain period of time

    • Provide a larger variety of service levels


Monitoring for compliance

  • Transaction cost as residual value. Instead of absolute figures, much of the discussion in transaction cost is based on relative cost.

  • How to measure compliance cost?

  • How to measure enforcement cost?

  • How to show reduction in compliance and enforcement costs?


IV. Making the business case

  • Business case for Identity Management

  • Business case for Privacy

  • Business case for Privacy enhancing identity management


Business case for identity management

  • Administrative efficiencies through user provisioning

  • Fine grained security controls across systems and organisations

  • Reduction in compliance costs


Business case for privacy

  • Compliance with data protection rules

  • Godin’s “permission marketing”

  • Data minimisation

  • Other business drivers


Business case for privacy enhancing identity management

  • Criteria for investment decisions

  • Input and output variables

  • Business model to show the relationship between the variables

  • Hypothesis: Reduction in compliance and enforcement costs


PRIME Economics work package

- Examines the private and social costs of adopting privacy-enhancing technologies and practices.

- Identifies the economic and commercial obstacles that hinder the adoption of privacy-enhancing identity management technologies.

- Explores and recommends strategies to stimulate the adoption of PIM by commercial players and consumers.


Big Brother and his Seven Little Sisters

  • Threat to individuals

    • Government surveillance

    • Big corporations' control over consumer behaviour

  • Enforcement of privacy

    • Weak enforcement of data protection legislation

    • Weak incentives for compliance with policy


Privacy for Business

  • Threat to businesses

    • Accountability in publicly listed companies, conflicts of interest, good governance

    • Commercial confidentiality, trade secrets, operational costs, pricing

  • Enforcement of privacy

    • What are the economic mechanisms for compliance and enforcement in financial regulations and environmental protection?


References

  • Varian, Hal R. (1996) “Economic Aspects of Personal Privacy”, UC Berkeley, December 6, 1996

  • Sholtz, Paul (2001) “Transaction Costs and the Social Cost of Online Privacy”, First Monday, Volume 6, Number 5, May 7th 2001
