This paper assesses to what degree new European online privacy regulation addresses official European Union government research on best practices for online privacy. Specifically it investigates the European Commission’s General Data Protection Regulation (GDPR) and to what degree it coheres with the official EU government report “Privacy, Accountability and Trust - Challenges and Opportunities” by the European Union Agency for Network and Information Security (ENISA). The paper maps the provisions of the GDPR to the model proposed by ENISA and finds that the GDPR appears to overemphasize some inputs while under-emphasizing or even ignoring others. We propose a behavioral model to explain the discrepancy. We assume that the ENISA inputs represent the best official approximation of how to achieve long-term welfare outcomes, while the GDPR is optimized to maximize short-run outputs for political support.
The paper presents the provisions of the GDPR as a function of the four inputs for privacy as defined by ENISA: (1) the user’s knowledge of online privacy, (2) the technology design, (3) the practices of providers, and (4) the institutions governing the system. With regard to institutions, the GDPR applies to any entity, regardless of location, that processes the data of EU residents; it requires a data protection authority in each member state; and, if GDPR provisions are violated, it allows fines of up to 4 percent of annual worldwide turnover or €20 million, whichever is greater. For practices of providers, the GDPR has provisions for consent, breach notification, right to access, right to be forgotten, data portability, and data protection officers. The GDPR has some privacy-by-design requirements, which map to ENISA’s technology design input. Finally, there are no specific GDPR provisions, such as an education campaign, that would remedy users’ lack of knowledge. From the preliminary analysis, we find that the GDPR tends to overemphasize compliance and punishment while underemphasizing technology design and user education.
The GDPR is perhaps the most monumental pan-European regulation of the last decade. It has the potential to impose significant penalties, add significant bureaucracy through the creation of national data protection authorities, and require the appointment of data protection officers in enterprises, a requirement that many medium-sized organizations find onerous. As the European Commission did not provide empirical justification for its rules beyond a factsheet, this research attempts to quantify the choice of instruments and to model political behavior and expectations based upon a selection of policy options.
The model is reviewed with e-privacy panel data for the 28 EU member states based on Eurostat and Eurobarometer. It investigates whether there are any relationships between the ENISA inputs and the GDPR provisions by measuring the level of privacy awareness and skills, the degree of deployment of privacy by design technologies, the presence of a data protection authority in the member state, and other variables. In addition to general online privacy research, the findings may shed light on the assumptions of the policy making process and to what degree evidence informs regulation.
Keywords: GDPR, online privacy, regulation, data protection, European Union, privacy by design, regulatory behavior and performance
Should there be different regulators and approaches for broadband companies versus other Internet companies? The Congressional Review Act (CRA) resolution enacted earlier this year repealed the FCC's broadband privacy rule and barred similar rules in the future, but does it affect the FCC's ability to enforce Title II directly? What options will the CRA leave the FCC in the future? And what will happen if/when the FCC cedes jurisdiction over broadband privacy back to the FTC? Will the FTC have adequate authority? An appellate panel decision called the FTC's jurisdiction into question, but the full Ninth Circuit has since vacated that decision and will rehear the case in September. Does Congress need to address the common carrier exception? What other changes should be made to the FTC's or FCC's authority or approaches? What authority will the states and private parties have?
The network neutrality debate has proceeded on two levels: 1) the typical dynamic of public interest regulation versus the private industry preference for regulatory restraint and 2) the battle between two media industry segments – the ISP platforms versus the heavy commercial users. Panelists will review how these dynamics are likely to play out in a new political context.
This international panel will focus on the impact of the widespread penetration and use of intelligent mobile devices, in both developing and developed countries. The panelists, whose expertise covers various countries and regions, will discuss and compare strategies being used in developed countries like the US, Australia and the EU, and in developing countries like Mexico, Brazil and India, among others. We wish to find out what has worked, what did not, the problems encountered, and whether there are lessons to be learned that are of general applicability, as well as for particular countries.
Debates about Internet policy frequently proceed from the premise that the Internet owes its success to the presence of key platform technologies. Unfortunately, the concept of platforms remains badly undertheorized and understudied empirically. The result is that policymakers and enforcement authorities must often make key decisions without a clear idea of which aspects of platform design are essential and which practices are potentially problematic. The panel would include a discussion of the theoretical and empirical literature surrounding platforms. Key topics would include the EU antitrust case against Google, the role of standard setting organizations, and the decisions not to include mobility and identity verification in IPv6.
Key personnel from the NTIA, NSF and the Office of Educational Technology, Department of Education who led the development of the National Broadband Research Agenda (NBRA) will brief the TPRC community about the NBRA, and discuss potential areas of cooperation between government stakeholders and the academic community to further research and policy-making on broadband access. Speakers will discuss the research, data collection and funding priorities for their respective agencies.
Across Sub-Saharan Africa (SSA), Internet penetration has lagged behind developed countries. Within countries in SSA, this divide exists between urban and rural areas, with the offline population largely in rural areas. Mobile technologies have been identified as a means of leapfrogging the relatively expensive fixed Internet access and bridging the gap between the connected and unconnected populations. Furthermore, over-the-top services – which allow users to make calls and send messages over the Internet – and social networks have been a driver of Internet traffic in SSA. Using panel data from January 2016 to July 2017 of the billing records of 2 million unique customers retrieved from a mobile carrier in Nigeria, this study seeks to understand the urban-rural digital divide and how the relationship between cellular voice and mobile Internet varies across this divide. The results show that the increase over time in total minutes of voice calls and total volume of data used by the sample is largely driven by an increase in the average volume used per person. Urban users have significantly higher use of mobile Internet than rural users. The results also show that mobile Internet is both a substitute for and a complement to voice calls. The substitution was weaker for males, older users, those living in the South West region, and those with a longer tenure on the network. Urban users also had weaker substitution than rural users, while urban female users had higher substitution than rural females.
Estimates of the costs incurred by a data breach can vary enormously. For instance, a 2015 Congressional Research Service report titled “The Target and Other Financial Data Breaches: Frequently Asked Questions” compiled seven different sources’ estimates of the total losses resulting from the 2013 Target breach, ranging from $11 million to $4.9 billion. The high degree of uncertainty and variability surrounding cost estimates for cybersecurity incidents has serious policy consequences, including making it more difficult to foster robust insurance markets for these risks and to make decisions about the appropriate level of investment in security controls and defensive interventions. Multiple factors contribute to the poor data quality: cybercrime is continuously evolving, cybercriminals succeed by covering their tracks, and victims often see more risk than benefit in sharing information. Moreover, the data that does exist is often criticized for an over-reliance on self-reported surveys and for the tendency of many security firms to overestimate the costs associated with security breaches in an effort to promote their own products and services.
While the general lack of good cost data presents a significant impediment to informed decision-making, ignorance of the economic impacts of data breaches varies across categories of costs, events, and stakeholders. Moreover, the need for precision, accuracy, or concurrence in data estimates varies depending on the specific decisions the data is intended to inform. Our overarching goals in this paper are to clarify which types of cybersecurity cost data are more easily collected than others; how policymakers might improve data access and why previous policy-based efforts to do so have largely failed; and what differential ignorance implies for cybersecurity policy and investment in cyber defenses and mitigation.
To address these questions, we examine several common presumptions about the relative magnitudes of cybercrime cost effects for which generally accepted and reasonably precise quantitative estimates are lacking. For example, we review the evidence supporting the commonly accepted and often cited claims that the aggregate investments in defending against and remediating cybercrimes significantly exceed the aggregate investments by attackers; and that the aggregate harm suffered by victims of cybercrimes exceeds the benefits realized by attackers. There are other such statements that are more contentious. For example, it is unclear whether the aggregate expenditures on cyber defense and remediation exceed the aggregate harms from cybercrimes; or whether a significant change in expenditures on cyber defense and remediation would result in proportionately larger changes in the harms resulting from cybercrimes. For each of these presumptions, we consider the existing evidence, what additional evidence might be needed to develop more precise quantitative estimates, and what better estimates might imply for cyber policy and investment.
We argue that the persistent inability to accurately estimate certain types of costs associated with data breaches—especially reputational and loss-of-future-business costs—has played an outsize and detrimental role in dissuading policy-makers from pursuing the collection of cost data related to other, much less fundamentally uncertain costs, including legal fees, ex-ante defense investments, and credit monitoring and notification. Finally, we propose steps for policy-makers to take towards aggregating more reliable, consistently collected cost data associated with data breaches for the categories of costs that are most susceptible to rigorous measurement, without getting too bogged down in discussions of the costs that are most difficult to measure, and which are therefore, by necessity, likely to remain most uncertain. We argue that the high degree of ignorance and uncertainty surrounding this subset of data breach costs should not be used as a reason to abandon measurement of other types of losses incurred by these incidents, and that explicit consideration of our differential ignorance of breach cost elements can help us better understand which questions about the economic impacts of data breaches can and cannot be meaningfully answered.