An official website of the United States government
In recent years, well-known cyber breaches have placed growing pressure on organizations to implement proper privacy and data protection standards. Attacks involving the theft of employee and customer personal information have damaged the reputations of well-known brands, resulting in significant financial costs. As a result, governments across the globe are actively examining and strengthening laws to better protect the personal data of its citizens. The General Data Protection Regulation (GDPR) updates European privacy law with an array of provisions that better protect consumers and require organizations to focus on accounting for privacy in their business processes through “privacy-by-design” and “privacy by default” principles. In the US, the National Privacy Research Strategy (NPRS), makes several recommendations that reinforce the need for organizations to better protect data. In response to these rapid developments in privacy compliance, data flow mapping has emerged as a valuable tool. Data flow mapping depicts the flow of data through a system or process, enumerating specific data elements handled, while identifying the risks at different stages of the data lifecycle. This Article explains the critical features of a data flow map and discusses how mapping may improve the transparency of the data lifecycle, while recognizing the limitations in building out data flow maps and the difficulties of maintaining updated maps. The Article then explores how data flow mapping may support data collection, transfer, storage, and destruction practices pursuant to various privacy regulations. Finally, a hypothetical case study is presented to show how data flow mapping was used by an organization to stay compliant with privacy rules and to improve the transparency of information flows
more »
« less
Data Market Discipline: From Financial Regulation to Data Governance
Privacy regulation has traditionally been the remit of consumer protection, and privacy harm is cast as a contractual harm arising from the interpersonal exchanges between data subjects and data collectors. This frames surveillance of people by companies as primarily a consumer harm. In this article, we argue that the modern economy of personal data is better understood as an extension of the financial system. The data economy intersects with capital markets in ways that may increase systemic and systematic financial risks. We contribute a new regulatory approach to privacy harms: as a source of risk correlated across households, firms and the economy as a whole. We consider adapting tools from macroprudential regulations designed to mitigate financial crises to the market for personal data. We identify both promises and pitfalls to viewing individual privacy through the lens of the financial system.
more »
« less
- Award ID(s):
- 2105301
- PAR ID:
- 10327398
- Editor(s):
- Johnson, Kristin N.; Reyes, Carla L.
- Date Published:
- Journal Name:
- Journal of international and comparative law
- Volume:
- 8
- Issue:
- 2
- ISSN:
- 2313-3775
- Page Range / eLocation ID:
- 459-486
- Format(s):
- Medium: X
- Sponsoring Org:
- National Science Foundation
More Like this
-
-
We compare the notice and consent requirements of the three recent privacy regulations that are most likely to serve as the starting points for the creation of a comprehensive consumer privacy bill in the United States: the European General Data Protection Regulation, the California Consumer Privacy Act/California Privacy Rights Act, and the Federal Communications Commission’s Broadband Privacy Order. We compare the scope of personal information under each regulation, including the test for identifiability and exclusions for de-identified information, and identify problems with their treatment of de-identified information and of pseudonymous information. We compare notice requirements, including the level of required detail and the resulting ability of consumers to understand the use and flow of their personal information, and identify deficiencies with consumers’ ability to track the flow of their personal information. Finally, we compare consumer choices under each regulation, including when a consumer must agree to the use of their personal information in order to utilize a service or application, and find that none of the regulations take full advantage of the range of options, and thereby fail to disincentive tracking.more » « less
-
This article is an exploratory analysis of the impact of the California Consumer Privacy Act (CCPA) on data breaches that result in exposing sensitive private data of consumers. The CCPA applies to large for-profit businesses that collect and disseminate personal information of Californian consumers. It provides for consumer rights and imposes notification and security requirements on businesses that collect private information. We analyzed how CCPA affects data breach notifications that are required by the state's Office of Auditor General, for the period 2012 to 2023. The analysis provides interesting insights into the impact of CCPA on the pattern of data breaches. Our principal finding is that privacy breaches reduced to some extent after CCPA. Importantly, CCPA has helped in the overall improvement in reporting privacy breaches. We surmise that the CCPA brought more data breaches into light.more » « less
-
Around the world, people increasingly generate data through their everyday activities. Much of this happens unwittingly through sensors, cameras, and other surveillance tools on roads, in cities, and at the workplace. However, how individuals and governments think about privacy varies significantly around the world. In this article, we explore differences between people’s attitudes toward privacy and data collection practices in the United States and the Netherlands, two countries with very different regulatory approaches to governing consumer privacy. Through a factorial vignette survey deployed in the two countries, we identify specific contextual factors associated with concerns regarding how personal data are being used. Using Nissenbaum’s framework of privacy as contextual integrity to guide our analysis, we consider the role that five factors play in this assessment: actors (those using data), data type, amount of data collected, reported purpose of data use, and inferences drawn from the data. Findings indicate nationally bound differences as well as shared concerns and indicate future directions for cross-cultural privacy research.more » « less
-
The trouble with data is that it frequently provides only an imperfect representation of a phenomenon of interest. Experts who are familiar with their datasets will often make implicit, mental corrections when analyzing a dataset, or will be cautious not to be overly confident about their findings if caveats are present. However, personal knowledge about the caveats of a dataset is typically not incorporated in a structured way, which is problematic if others who lack that knowledge interpret the data. In this work, we define such analysts' knowledge about datasets as data hunches. We differentiate data hunches from uncertainty and discuss types of hunches. We then explore ways of recording data hunches, and, based on a prototypical design, develop recommendations for designing visualizations that support data hunches. We conclude by discussing various challenges associated with data hunches, including the potential for harm and challenges for trust and privacy. We envision that data hunches will empower analysts to externalize their knowledge, facilitate collaboration and communication, and support the ability to learn from others' data hunches.more » « less
- Free Publicly Accessible Full Text
-
Accepted Manuscript1.0
- Journal Article:
- The DOI is not currently available.
