Privacy and Regulatory Compliance
Introduction
Privacy is a concept that people have struggled to understand for at least the past decade. Since the first notable mention by US Supreme Court Justices Warren and Brandeis [1] as "the right to be let alone" in 1890, definitions and perceptions have evolved. Another popular definition by Alan Westin [2] outlines privacy as "the claim of individuals, groups or institutions to determine for themselves, […] is communicated to others", whereas more recently legal scholars acknowledge that privacy serves best as an umbrella term for a "web of related things" [3], which have to be specified and addressed individually.
The rapid development of internet and communication techniques has contributed to the difficulty of defining and maintaining privacy. Social media and Web 2.0 technologies have changed the way we interact with each other and added more options for information sharing and gathering. The private sphere, rather simple in a physical setting, dissolved into a multifaceted and complex concept in the interconnected environment.
Interestingly, work on privacy in Information Systems was not triggered by user concerns about the control of one's identity. Instead, as the US Federal Trade Commission writes in its "Report to Congress" 1998, "electronic commerce will not reach its full potential" if consumer concerns about online privacy are not addressed [4].
Studies on the economics of privacy show that people have difficulty defining the value of their personal data and, if they do, their stated beliefs usually do not match their actions [5], [6]. People say they value privacy, but give up personal data, sometimes for marginal benefits. Ultimately, these mechanisms have facilitated the development of centralized platforms like Facebook or Amazon. As the authors of a popular book put it provocatively, "sociology is how the world should work, economics is how it actually works" [7].
Starting in 2012, the European Union has negotiated and established new rules for data processing in our information society. The resulting General Data Protection Regulation (GDPR), which was passed in 2016, finally became effective in May 2018 [8]. Compared to the previous European Data Protection Directive, the major changes include a new territorial scope and responsibilities in an international context [9]. Perhaps most importantly, the GDPR introduced dramatic fines of up to 4% of annual revenue, and thus created a business case for data protection.
Overview of the project
The project aims at developing a configurable method for attaining GDPR compliance. It follows the "Pattern-based design research approach" [10], which has its roots in situational method engineering [11], and describes a cycle of
- Developing a collection of reusable solution fragments from both theoretical work and practical observations
- Using these solutions for theory building
- Designing and applying an overall solution
- Gaining new insights from the instantiation and adjusting the collection of solution fragments
