
1 An Economic Approach towards Privacy Enforcement
Jimmy C. Tseng, Assistant Professor, Rotterdam School of Management

2 I. Information at the centre of debate
Dec. 17, 2004, ERIM/PRIME Privacy for Business Workshop - The Airlines Sector
- Information technology is reducing the cost of collecting, storing, manipulating, and exchanging large amounts of information.
- Trend towards transparency and accountability in business using IT
- Information transparency can lead to economic efficiency and increased control at the same time.
- Data ownership and property rights are hard to define, agree upon and enforce

3 Debunking some myths
- There are economic incentives for businesses to maximize the commercial value of personal data.
- Privacy, or protection of personal data in business data processing, is often regarded as a constraint on business efficiency and hence counter-productive to business.
- Decision makers can find an appropriate balance between the threat to privacy and the needs of business organisation alone (“private costs”)

4 Fact of the matter: compliance is poor
In spite of the EU Data Protection Directive, national legislation, and self-regulation, compliance with legislation and privacy policies is poor...
- Difficulty in checking for compliance
- Difficulty in enforcing privacy rules
- Difficulty in setting software standards

5 The need for stronger enforcement
- Compliance with privacy policies and seals is not easily enforceable
- Compliance with data protection rules is not easily enforceable
- Both the US FTC and EU call for stronger enforcement of privacy rules

6 II. The research agenda
- Need for more theoretical foundations
  – Economics of information
  – Economics of privacy
  – Institutional economics
- Need for empirical research
  – Costs of compliance
  – Costs of enforcement
  – Institutional arrangements to align economic incentives with privacy laws

7 Economics of information
- The role of information in markets
- Information Asymmetry
  – Individuals are able to differentiate between good and poor data protection practices in a costless manner
- Transaction costs
  – ICT reducing search and managerial costs, but increasing compliance and enforcement costs

8 Economics of privacy
- Posner (1981) argues that reducing the availability of information leads to less efficient markets and higher prices.
- Privacy as public good
- Role of technology in shifting enforcement costs
- Role of institutions in aligning economic incentives

9 Why is enforcement weak?
- Compliance is not rewarding
- Enforcement is costly
- Lack of awareness
- Lack of market incentives

10 Compliance is not rewarding
“Compliance with privacy under existing laws does not reward those that comply, nor does it deter those that do not. Fines are often below the cost of dealing with complaints and investigations. The costs organisations incur for non-compliance with existing data protection legislation are often not commensurate with cost of dealing with complaints and investigations.”

11 Balancing risk
(Figure. Source: Miyoshi and Ho)

12 Enforcement is costly
“Data protection authorities require significant resources to deal with complaints, inspections, audits, administrative decisions, and court actions, all of which are costly. When the burden of proof is on the regulators under public law, data protection authorities can only afford to react to the most serious complaints, resulting in lax enforcement of data protection legislation.”

13 Lack of awareness
“Second, the risks the organisations incur for non-compliance with data protection legislation can be justified by the lack of awareness of data protection practices, or the state of the art. Organisations can often plead innocence, and not take action until data protection authorities instigate an investigation. The burden is on the data protection authorities to educate the users and recommend changes in business practices for compliance with data protection legislation, hence the lax compliance with data protection legislation.”

14 Lack of market incentives
“In the absence of an effective privacy-seal programme or other effective ways of signalling compliance (or quality in general) in a market, organisations are rarely punished in the marketplace when they are not in compliance with data protection legislation or industry best practices. It is costly for individuals to verify whether businesses are complying with the information practices they disclose to customers. When consumers are unable to tell the difference, they are unwilling to pay higher prices with merchants that merely state that they invest in privacy-enhancing technologies and practices, but do not do so. When it is difficult to signal product quality within markets, the result is inferior products and services.”

15 Private and Social Costs of Privacy
- Market and Regulation failure
- Privacy as public good
- Social cost of privacy

16 Market failure
“When it is difficult to signal product quality within markets, the result is inferior products, and possibly market failure. It is costly for individuals to verify whether businesses are complying with the information practices disclosed. When consumers are unable to tell the difference, they are unwilling to pay higher prices with merchants that merely state that they invest in privacy-enhancing technologies and practices. Markets operate efficiently under clear rules that guide practice.”

17 Regulation failure
“If there is asymmetry of information and a market failure, government intervention may be justified. But the key questions are where the market fails, in what way it fails, and what intervention could correct the failure without causing other adverse effects.” (Bergkamp, p.41, 2002)

18 Privacy as public good
“Similar to other basic human rights, the right to privacy is a public good because it is non-excludable and non-rival… The more widely accepted the principle and practice of privacy, the more confidence all parties will have on benefits of the public good, and hence contribute to its production. The less the right to privacy is practiced, the less incentive there is for any party to provide the public good for others to enjoy. If the right to privacy has the characteristic of a public good, private actors are inclined to behave opportunistically by trying to free-ride on the public good without contributing to its production.”

19 Public goods and collective action
“This is, indeed, a dilemma, that public goods face. Without some sort of collective-action mechanism they risk being under-provided. Conversely, without collective action public bads – such as pollution, noise, risky bank lending, and so on – would be overprovided.” (Kaul, 2002, p.302)

20 Social cost of privacy
“The detrimental effects of erosion of privacy (e.g. surveillance, unwanted marketing, spam mail, identity theft) is a social cost that is often not qualified. Maintaining the status quo erodes social capital both online and offline.”

21 Network externalities and social cost
“Economically, privacy can be understood as a problem of social cost, where the actions of one agent (e.g., a mailing list broker) impart a negative externality on another agent (e.g., an end consumer). Problems in social cost can be understood by modelling the liabilities, transaction costs and property rights assigned to various economic agents within the system, and can be resolved by reallocating property rights and liability to different agents as needed to achieve economic equilibrium.” (Paul Sholtz, 2001)

22 III. Privacy Enforcement
– PETs have the potential to reduce the cost of compliance for businesses intent on complying, but they are not sufficient to signal quality to the consumer, nor do they actually ensure compliance.
– Technology and regulations can work together to reduce compliance, monitoring, and enforcement costs.
– Reduction in enforcement costs may be an objective criterion for evaluating the success of PETs and the PRIME project.

23 Automating enforcement of privacy
- Platform for Privacy Preferences (P3P) is a simple, automated way for users to gain more control over the use of personal information on Web sites they visit
- P3P-enabled Web sites make this information available in a standard, machine-readable format.
- P3P-enabled browsers can "read" this snapshot automatically and compare it to the consumer's own set of privacy preferences
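
The comparison a P3P-enabled browser performs, sketched as an added example (not part of the original presentation): it parses a site's compact policy from the `P3P` response header and checks it against a user's preferences. The preference keys and the sample headers are constructed for illustration, and the check covers only what the site declares, not what it actually does.

```python
import re

# Subset of P3P 1.0 compact-policy tokens, grouped by category.
KNOWN = {
    "purpose": {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"},
    "recipient": {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
}

def parse_compact_policy(header):
    """Return {category: {token: consent}}, or None if there is no CP="..." part.
    consent: 'a' always (default), 'i' opt-in, 'o' opt-out."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', header or "")
    if m is None:
        return None
    policy = {cat: {} for cat in (*KNOWN, "other")}
    for raw in m.group(1).split():
        t = re.fullmatch(r"([A-Z]{3})([aio])?", raw)
        name, consent = (t.group(1), t.group(2) or "a") if t else (raw, None)
        cat = next((c for c, toks in KNOWN.items() if name in toks), "other")
        policy[cat][name] = consent
    return policy

def evaluate(header, prefs):
    """List mismatches between a site's declared policy and the user's preferences."""
    policy = parse_compact_policy(header)
    if policy is None:
        return ["no compact policy declared"]
    problems = []
    for cat in ("purpose", "recipient"):
        for name, consent in policy[cat].items():
            # Opt-in ('i') means the practice applies only if the user asks for it.
            if name in prefs["refuse_" + cat] and consent != "i":
                problems.append(f"{cat} {name} declared without opt-in")
    if not policy["retention"]:
        problems.append("no retention declared")
    for name in policy["retention"]:
        if name not in prefs["accept_retention"]:
            problems.append(f"retention {name} not accepted")
    return problems

# Hypothetical user preferences and constructed sample headers (not from the slides).
PREFS = {"refuse_purpose": {"TEL", "CON"}, "refuse_recipient": {"UNR", "PUB"},
         "accept_retention": {"NOR", "STP"}}
GOOD = 'policyref="/w3c/p3p.xml", CP="NOI DSP CUR ADM TELi OUR STP"'
BAD = 'CP="CUR TEL CONo OUR UNR IND"'

if __name__ == "__main__":
    for h in (GOOD, BAD, ""):
        print(evaluate(h, PREFS))
```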

24 Privacy Enhancing Identity Management from the Research labs
(Diagram labels: Anonymous; Pseudonym; Fully detailed; Business; Disclosure; Data tracking; Client; Roles; Software agent)

25 Service level negotiation
(Diagram labels: Business; Disclosure of personal data; Software agent)
Conditions, ex: Delete all personal data after transaction is complete

26 Customization of client preferences
- Software enabling businesses to customize client preferences
  – Example: Negotiate the deletion of personal data after certain period of time
  – Provide a larger variety of service levels

27 Monitoring for compliance
- Transaction cost as residual value.
- Instead of absolute figures, much of the discussion in transaction cost is based on relative cost.
- How to measure compliance cost?
- How to measure enforcement cost?
- How to show reduction in compliance and enforcement costs?

28 IV. Making the business case
- Business case for Identity Management
- Business case for Privacy
- Business case for Privacy enhancing identity management

29 Business case for identity management
- Administrative efficiencies through user provisioning
- Fine grained security controls across systems and organisations
- Reduction in compliance costs

30 Business case for privacy
- Compliance with data protection rules
- Godin’s “permission marketing”
- Data minimalization
- Other business drivers

31 Business case for privacy enhancing identity management
- Criteria for investment decisions
- Input and output variables
- Business model to show the relationship between the variables
- Hypothesis: Reduction in compliance and enforcement costs

32 PRIME Economics work package
- Examines the private and social costs of adopting privacy-enhancing technologies and practices.
- Identifies the economic and commercial obstacles that hinder the adoption of privacy-enhancing identity management technologies.
- Explores and recommends strategies to stimulate the adoption of PIM by commercial players and consumers.

33 Big Brother and his Seven Little Sisters
- Threat to individuals
  – Government surveillance
  – Big corporations' control over consumer behaviour
- Enforcement of privacy
  – Weak enforcement of data protection legislation
  – Weak incentives for compliance with policy

34 Privacy for Business
- Threat to businesses
  – Accountability in publicly listed companies, conflicts of interest, good governance
  – Commercial confidentiality, trade secrets, operational costs, pricing
- Enforcement of privacy
  – What are the economic mechanisms for compliance and enforcement in financial regulations and environmental protection?

35 References
- Varian, Hal R. (1996) “Economic Aspects of Personal Privacy”, UC Berkeley, December 6, 1996.
- Sholtz, Paul (2001) “Transaction Costs and the Social Cost of Online Privacy”, First Monday, Volume 6, Number 5, May 7th 2001.

