An economic analysis of appropriateness under article 32 GDPR

Annika Selzer; Daniel Woods; Rainer Böhme

doi:10.21552/edpl/2021/3/15

An economic analysis of appropriateness under article 32 GDPR

Annika Selzer, Daniel Woods, Rainer Böhme

Research output: Contribution to journal › Comment/debate › peer-review

Abstract / Description of output

I. Introduction
While privacy laws establish obligations on organisations to protect the fundamental rights of individuals, they rarely provide explicit prescriptions about how to do so.1 This forces organisations to balance the risk to privacy of data subjects against the costs of implementation options, such as technical and organisational measures (hereinafter ‘privacy measures’ or simply ‘measures’) or stopping processing personal data. Therefore, privacy laws often occupy a middle ground between prescribing appropriate privacy measures and allowing organisations to self-define what is appropriate. This approach creates uncertainty over which privacy measures to implement while also threatening penalties if the appropriate measures are not in place.2 Uncertainty looms over aspects like which privacy measures to choose (see II. 1.), how much measures will cost directly and indirectly (see II. 2.), and what the likelihood and impact of a violation on the individual and the organisation is (see II. 3.). In addition, organizations may have to defend such decisions to regulators, which necessitates a structured approach with documented evidence.

Original language	English
Pages (from-to)	456-470
Number of pages	15
Journal	European Data Protection Law Review
Volume	7
Issue number	3
DOIs	https://doi.org/10.21552/edpl/2021/3/15
Publication status	Published - 1 Sept 2021

Access to Document

10.21552/edpl/2021/3/15Licence: All Rights Reserved

https://edpl.lexxion.eu/article/edpl/2021/3/15/display/htmlLicence: All Rights Reserved

Cite this

@article{afc55c7ede1f404e976de7983561bdf0,

title = "An economic analysis of appropriateness under article 32 GDPR",

abstract = "I. IntroductionWhile privacy laws establish obligations on organisations to protect the fundamental rights of individuals, they rarely provide explicit prescriptions about how to do so.1 This forces organisations to balance the risk to privacy of data subjects against the costs of implementation options, such as technical and organisational measures (hereinafter {\textquoteleft}privacy measures{\textquoteright} or simply {\textquoteleft}measures{\textquoteright}) or stopping processing personal data. Therefore, privacy laws often occupy a middle ground between prescribing appropriate privacy measures and allowing organisations to self-define what is appropriate. This approach creates uncertainty over which privacy measures to implement while also threatening penalties if the appropriate measures are not in place.2 Uncertainty looms over aspects like which privacy measures to choose (see II. 1.), how much measures will cost directly and indirectly (see II. 2.), and what the likelihood and impact of a violation on the individual and the organisation is (see II. 3.). In addition, organizations may have to defend such decisions to regulators, which necessitates a structured approach with documented evidence.",

author = "Annika Selzer and Daniel Woods and Rainer B{\"o}hme",

note = "Funding Information: This research work has been funded by the German Federal Ministry of Education and Research and the Hessian Ministry of Higher Education, Research, Science and the Arts within their joint support of the National Research Center for Applied Cybersecurity ATHENE and by the German Federal Ministry of Education and Research within the project Edumida (16KIS1361K & 16KIS1363). Daniel Woods is funded by the European Commission{\textquoteright}s call H2020-MSCAIF-2019 under grant number 894700. This paper was written during a two-month research stay at the Security and Privacy Lab of the University of Innsbruck in 2020. The author Annika Selzer thanks Rainer B{\"o}hme and the entire team of the Security and Privacy Lab for making this research stay possible.",

year = "2021",

month = sep,

day = "1",

doi = "10.21552/edpl/2021/3/15",

language = "English",

volume = "7",

pages = "456--470",

journal = "European Data Protection Law Review",

issn = "2364-2831",

publisher = "Lexxion Verlagsgesellschaft mbH",

number = "3",

}

TY - JOUR

T1 - An economic analysis of appropriateness under article 32 GDPR

AU - Selzer, Annika

AU - Woods, Daniel

AU - Böhme, Rainer

N1 - Funding Information: This research work has been funded by the German Federal Ministry of Education and Research and the Hessian Ministry of Higher Education, Research, Science and the Arts within their joint support of the National Research Center for Applied Cybersecurity ATHENE and by the German Federal Ministry of Education and Research within the project Edumida (16KIS1361K & 16KIS1363). Daniel Woods is funded by the European Commission’s call H2020-MSCAIF-2019 under grant number 894700. This paper was written during a two-month research stay at the Security and Privacy Lab of the University of Innsbruck in 2020. The author Annika Selzer thanks Rainer Böhme and the entire team of the Security and Privacy Lab for making this research stay possible.

PY - 2021/9/1

Y1 - 2021/9/1

N2 - I. IntroductionWhile privacy laws establish obligations on organisations to protect the fundamental rights of individuals, they rarely provide explicit prescriptions about how to do so.1 This forces organisations to balance the risk to privacy of data subjects against the costs of implementation options, such as technical and organisational measures (hereinafter ‘privacy measures’ or simply ‘measures’) or stopping processing personal data. Therefore, privacy laws often occupy a middle ground between prescribing appropriate privacy measures and allowing organisations to self-define what is appropriate. This approach creates uncertainty over which privacy measures to implement while also threatening penalties if the appropriate measures are not in place.2 Uncertainty looms over aspects like which privacy measures to choose (see II. 1.), how much measures will cost directly and indirectly (see II. 2.), and what the likelihood and impact of a violation on the individual and the organisation is (see II. 3.). In addition, organizations may have to defend such decisions to regulators, which necessitates a structured approach with documented evidence.

AB - I. IntroductionWhile privacy laws establish obligations on organisations to protect the fundamental rights of individuals, they rarely provide explicit prescriptions about how to do so.1 This forces organisations to balance the risk to privacy of data subjects against the costs of implementation options, such as technical and organisational measures (hereinafter ‘privacy measures’ or simply ‘measures’) or stopping processing personal data. Therefore, privacy laws often occupy a middle ground between prescribing appropriate privacy measures and allowing organisations to self-define what is appropriate. This approach creates uncertainty over which privacy measures to implement while also threatening penalties if the appropriate measures are not in place.2 Uncertainty looms over aspects like which privacy measures to choose (see II. 1.), how much measures will cost directly and indirectly (see II. 2.), and what the likelihood and impact of a violation on the individual and the organisation is (see II. 3.). In addition, organizations may have to defend such decisions to regulators, which necessitates a structured approach with documented evidence.

UR - http://www.scopus.com/inward/record.url?scp=85118208915&partnerID=8YFLogxK

U2 - 10.21552/edpl/2021/3/15

DO - 10.21552/edpl/2021/3/15

M3 - Comment/debate

AN - SCOPUS:85118208915

SN - 2364-2831

VL - 7

SP - 456

EP - 470

JO - European Data Protection Law Review

JF - European Data Protection Law Review

IS - 3

ER -

An economic analysis of appropriateness under article 32 GDPR

Abstract / Description of output

Access to Document

Other files and links

Fingerprint

Cite this