Post on 14-Dec-2015
An Economic Approach towards Privacy Enforcement
Jimmy C. Tseng
Assistant Professor
Rotterdam School of Management
jtseng@fbk.eur.nl
Dec. 17, 2004 ERIM/PRIME Privacy for Business Workshop - The Airlines Sector
I. Information at the centre of debate
• Information technology is reducing the cost of collecting, storing, manipulating, and exchanging large amounts of information.
• Trend towards transparency and accountability in business using IT
• Information transparency can lead to economic efficiency and increased control at the same time.
• Data ownership and property rights are hard to define, agree upon and enforce
Debunking some myths
• There are economic incentives for businesses to maximize the commercial value of personal data.
• Privacy, or protection of personal data in business data processing, is often regarded as a constraint on business efficiency and hence counter-productive to business.
• Decision makers can find an appropriate balance between the threat to privacy and the needs of business organisation alone (“private costs”)
Fact of the matter: compliance is poor
• In spite of EU Data Protection Directive, national legislation, and self-regulation, compliance with legislation and privacy policies is poor...
• Difficulty in checking for compliance
• Difficulty in enforcing privacy rules
• Difficulty in setting software standards
The need for stronger enforcement
• Compliance with privacy policies and seals not easily enforceable
• Compliance with data protection rules is not easily enforceable
• Both the US FTC and EU call for stronger enforcement of privacy rules
II. The research agenda
• Need for more theoretical foundations
– Economics of information
– Economics of privacy
– Institutional economics
• Need for empirical research
– Costs of compliance
– Costs of enforcement
– Institutional arrangements to align economic incentives with privacy laws
Economics of information
• The role of information in markets
• Information Asymmetry
– Individuals are able to differentiate between good and poor data protection practices in a costless manner
• Transaction costs
– ICT reducing search and managerial costs, but increasing compliance and enforcement costs
Economics of privacy
• Posner (1981) argues that reducing the availability of information leads to less efficient markets and higher prices.
• Privacy as public good
• Role of technology in shifting enforcement costs
• Role of institutions in aligning economic incentives
Why is enforcement weak?
• Compliance is not rewarding
• Enforcement is costly
• Lack of awareness
• Lack of market incentives
Compliance is not rewarding
• “Compliance with privacy under existing laws does not reward those that comply, nor does it deter those that do not. Fines are often below the cost of dealing with complaints and investigations. The costs organisations incur for non-compliance with existing data protection legislation are often not commensurate with cost of dealing with complaints and investigations.”
Balancing risk
Source: Miyoshi and Ho
Enforcement is costly
• “Data protection authorities require significant resources to deal with complaints, inspections, audits, administrative decisions, and court actions, all of which are costly. When the burden of proof is on the regulators under public law, data protection authorities can only afford to react to the most serious complaints, resulting in lax enforcement of data protection legislation.”
Lack of awareness
• “Second, the risks the organisations incur for non-compliance with data protection legislation can be justified by the lack of awareness of data protection practices, or the state of the art. Organisations can often plead innocence, and not take action until data protection authorities instigate an investigation. The burden is on the data protection authorities to educate the users and recommend changes in business practices for compliance with data protection legislation, hence the lax compliance with data protection legislation.”
Lack of market incentives
• “In the absence of an effective privacy-seal programme or other effective ways of signalling compliance (or quality in general) in a market, organisations are rarely punished in the marketplace when they are not in compliance with data protection legislation or industry best practices. It is costly for individuals to verify whether businesses are complying with the information practices they disclose to customers. When consumers are unable to tell the difference, they are unwilling to pay higher prices with merchants that merely state that they invest in privacy-enhancing technologies and practices, but do not do so. When it is difficult to signal product quality within markets, the result is inferior products and services.”
Private and Social Costs of Privacy
• Market and Regulation failure
• Privacy as public good
• Social cost of privacy
Market failure
• “When it is difficult to signal product quality within markets, the result is inferior products, and possibly market failure. It is costly for individuals to verify whether businesses are complying with the information practices disclosed. When consumers are unable to tell the difference, they are unwilling to pay higher prices with merchants that merely state that they invest in privacy-enhancing technologies and practices. Markets operate efficiently under clear rules that guide practice.”
Regulation failure
• “If there is asymmetry of information and a market failure, government intervention may be justified. But the key questions are where the market fails, in what way it fails, and what intervention could correct the failure without causing other adverse effects.” (Bergkamp, p.41, 2002)
Privacy as public good
• “Similar to other basic human rights, the right to privacy is a public good because it is non-excludable and non-rival… The more widely accepted the principle and practice of privacy, the more confidence all parties will have on benefits of the public good, and hence contribute to its production. The less the right to privacy is practiced, the less incentive there is for any party to provide the public good for others to enjoy. If the right to privacy has the characteristic of a public good, private actors are inclined to behave opportunistically by trying to free-ride on the public good without contributing to its production.”
Public goods and collective action
• “This is, indeed, a dilemma, that public goods face. Without some sort of collective-action mechanism they risk being under-provided. Conversely, without collective action public bads – such as pollution, noise, risky bank lending, and so on – would be overprovided.” (Kaul, 2002, p.302)
Social cost of privacy
• “The detrimental effects of erosion of privacy (e.g. surveillance, unwanted marketing, spam mail, identity theft) are a social cost that is often not qualified. Maintaining the status quo erodes social capital both online and offline.”
Network externalities and social cost
• “Economically, privacy can be understood as a problem of social cost, where the actions of one agent (e.g., a mailing list broker) impart a negative externality on another agent (e.g., an end consumer). Problems in social cost can be understood by modelling the liabilities, transaction costs and property rights assigned to various economic agents within the system, and can be resolved by reallocating property rights and liability to different agents as needed to achieve economic equilibrium.” (Paul Sholtz, 2001)
III. Privacy Enforcement
– PETs have the potential to reduce the cost of compliance for businesses intent on complying, but they are not sufficient to signal quality to the consumer, nor do they actually ensure compliance.
– Technology and regulations can work together to reduce compliance, monitoring, and enforcement costs.
– Reduction in enforcement costs may be an objective criterion for evaluating the success of PETs and the PRIME project.
Automating enforcement of privacy
• Platform for Privacy Preferences (P3P) is a simple, automated way for users to gain more control over the use of personal information on Web sites they visit
• P3P-enabled Web sites make this information available in a standard, machine-readable format. P3P enabled browsers can "read" this snapshot automatically and compare it to the consumer's own set of privacy preferences
• http://www.w3.org/P3P/
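The comparison this slide describes, as an added example that is not part of the original presentation: a constructed policy written in the P3P 1.0 vocabulary is checked statement by statement against a user's refusal list, the way a P3P-enabled user agent would. The sample policy, the `USER_PREFS` structure and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed sample policy using P3P 1.0 vocabulary (not a real site's policy).
SAMPLE_POLICY = """
<POLICY xmlns="http://www.w3.org/2002/01/P3Pv1" name="booking">
  <STATEMENT>
    <PURPOSE><current/><admin/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP><DATA ref="#user.name"/><DATA ref="#user.home-info.postal"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
    <PURPOSE><telemarketing/></PURPOSE>
    <RECIPIENT><ours/><unrelated/></RECIPIENT>
    <RETENTION><indefinitely/></RETENTION>
    <DATA-GROUP><DATA ref="#user.home-info.telecom.telephone"/></DATA-GROUP>
  </STATEMENT>
</POLICY>
"""

# Hypothetical user preferences: values the user refuses, per policy element.
USER_PREFS = {
    "PURPOSE": {"telemarketing", "individual-analysis"},
    "RECIPIENT": {"unrelated", "public"},
    "RETENTION": {"indefinitely"},
}

def values(statement, element):
    """Return the set of child tag names under e.g. <PURPOSE> in one statement."""
    node = statement.find(NS + element)
    return set() if node is None else {c.tag.replace(NS, "") for c in node}

def evaluate(policy_xml, prefs):
    """Compare each STATEMENT with the preferences; return (decision, conflicts)."""
    conflicts = []
    for i, st in enumerate(ET.fromstring(policy_xml).iter(NS + "STATEMENT"), 1):
        data = sorted(d.get("ref") for d in st.iter(NS + "DATA"))
        for element, refused in prefs.items():
            declared = values(st, element)
            # Fail closed: a statement that omits an element cannot be checked.
            if not declared:
                conflicts.append((i, element, "missing", data))
            for v in sorted(declared & refused):
                conflicts.append((i, element, v, data))
    return ("block" if conflicts else "accept"), conflicts

if __name__ == "__main__":
    decision, conflicts = evaluate(SAMPLE_POLICY, USER_PREFS)
    print(decision)
    for c in conflicts:
        print(c)
```

The check only reads what the site declares about its practices; it gives the user agent no way to verify that the site's data handling matches the declaration.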
Privacy Enhancing Identity Management from the Research labs
[Diagram labels: Anonymous; Pseudonym; Fully detailed; Business; Disclosure; Data tracking; Client; Roles; Software agent]
Service level negotiation
[Diagram labels: Business; Software agent; Disclosure of personal data]
Conditions, e.g.: Delete all personal data after transaction is complete
Customization of client preferences
• Software enabling businesses to customize client preferences
– Example: Negotiate the deletion of personal data after a certain period of time
– Provide a larger variety of service levels
Monitoring for compliance
• Transaction cost as residual value. Instead of absolute figures, much of the discussion in transaction cost is based on relative cost.
• How to measure compliance cost?
• How to measure enforcement cost?
• How to show reduction in compliance and enforcement costs?
IV. Making the business case
• Business case for Identity Management
• Business case for Privacy
• Business case for Privacy enhancing identity management
Business case for identity management
• Administrative efficiencies through user provisioning
• Fine grained security controls across systems and organisations
• Reduction in compliance costs
Business case for privacy
• Compliance with data protection rules
• Godin’s “permission marketing”
• Data minimalization
• Other business drivers
Business case for privacy enhancing identity management
• Criteria for investment decisions
• Input and output variables
• Business model to show the relationship between the variables
• Hypothesis: Reduction in compliance and enforcement costs
PRIME Economics work package
- Examines the private and social costs of adopting privacy-enhancing technologies and practices.
- Identifies the economic and commercial obstacles that hinder the adoption of privacy-enhancing identity management technologies.
- Explores and recommends strategies to stimulate the adoption of PIM by commercial players and consumers.
Big Brother and his Seven Little Sisters
• Threat to individuals
– Government surveillance
– Big corporations' control over consumer behaviour
• Enforcement of privacy
– Weak enforcement of data protection legislation
– Weak incentives for compliance with policy
Privacy for Business
• Threat to businesses
– Accountability in publicly listed companies, conflicts of interest, good governance
– Commercial confidentiality, trade secrets, operational costs, pricing
• Enforcement of privacy
– What are the economic mechanisms for compliance and enforcement in financial regulations and environmental protection?
References
• Varian, Hal R, (1996) “Economic Aspects of Personal Privacy”, UC Berkeley, December 6, 1996
• Sholtz, Paul (2001) “Transaction Costs and the Social Cost of Online Privacy” First Monday Volume 6, Number 5 - May 7th 2001