An economic analysis of appropriateness under article 32 GDPR

Annika Selzer, Daniel Woods, Rainer Böhme

Research output: Contribution to journalComment/debatepeer-review

Abstract / Description of output

I. Introduction
While privacy laws establish obligations on organisations to protect the fundamental rights of individuals, they rarely provide explicit prescriptions about how to do so.1 This forces organisations to balance the risk to privacy of data subjects against the costs of implementation options, such as technical and organisational measures (hereinafter ‘privacy measures’ or simply ‘measures’) or stopping processing personal data. Therefore, privacy laws often occupy a middle ground between prescribing appropriate privacy measures and allowing organisations to self-define what is appropriate. This approach creates uncertainty over which privacy measures to implement while also threatening penalties if the appropriate measures are not in place.2 Uncertainty looms over aspects like which privacy measures to choose (see II. 1.), how much measures will cost directly and indirectly (see II. 2.), and what the likelihood and impact of a violation on the individual and the organisation is (see II. 3.). In addition, organizations may have to defend such decisions to regulators, which necessitates a structured approach with documented evidence.
Original languageEnglish
Pages (from-to)456-470
Number of pages15
JournalEuropean Data Protection Law Review
Issue number3
Publication statusPublished - 1 Sept 2021


Dive into the research topics of 'An economic analysis of appropriateness under article 32 GDPR'. Together they form a unique fingerprint.

Cite this