We value your privacy: The organisational protection of personal data

Abstract

‘We value your privacy’, is what organisations tell us when we first connect with them online, but more often than not, this statement is followed by an instant grab of information about us. Knowing that organisations are well aware that they need to protect that information, the question is how they interpret their task to protect personal data in practical reality. Organisations face many challenges related to their handling of personal data, from dominant technological infrastructures to regulatory interventions and societal expectations. Against the background of Media and Communication Studies, with their focus on how ‘media’ (as the plural of ‘medium’) influence communication, the main research question I pose in this thesis is: In our technology-mediated society, which kinds of influences shape organisational practices of personal data protection? Answering this question requires a deep dive into actual organisational practices, which can only be approached through qualitative research methods aimed at discovering relevant actors’ own interpretations of the situation. Although the disciplinary lens of Media and Communication Studies guided the research, it was conducted in acknowledgment of the interdisciplinary nature of privacy studies. Before embarking on the empirical stage of the research, I developed an analytical framework integrating insights from Media and Communication Studies, Law and Compliance Studies, Science and Technology Studies, Philosophy of Technology, Organisation and Institutional Studies, and wider sociological research. The framework consisted of six different perspectives to scope the analysis of case study results: Goals and Values, Knowledge and Understandings, Regulatory Tools and Techniques, Behaviour and Interactions, Data and Technology, and Trust and Legitimacy. The perspectives were applied at three levels: the micro level (of the work floor), the meso level (of organisations and sectors), and the macro level (of society), in line with the (legalphilosophical) Theory of Contextual Integrity. This theory posits that flows of information are appropriate when they adhere to contextual norms, which requires an analysis of norms at the levels of individuals, organisations, and society. By analysing all study results from these six perspectives and on the three levels, coherent and comprehensive findings were obtained for empirical studies of organisational practices in different sectors. Choosing different sectors for the comparison of organisational practices was another operationalisation of the element of ‘context’. Four personal data-intensive sectors were selected for the comparison – the (retail) banking sector, the media sector, smart cities, and the health sector – and empirical studies were conducted in the first three. The hugely disruptive nature of the COVID-19 pandemic, during which all of society arguably turned into ‘the health sector’, meant that conducting comparison-focused research for this sector was out of scope for the time being. The findings showed important influences on organisational data protection practices at three levels were: (at the macro level:) crises, hard and soft law, and digital infrastructures; (at the meso level:) sector-specific goals, values, purposes and expectations, dominant privacy paradigms and managerialised risk perceptions, and markets; (at the micro level:) data governance, and professionalisation of privacy and data protection actors. These influences should be regarded in coherence, interacting with each other. While this is by no means a complete list of all possible influences, it shows the promise of the analytical framework in discovering a wide set of influences that are sensitive to the specific contexts in which organisations operate. The framework can thus motivate a research agenda that can spawn iterative framework revisions and innovative empirical research designs, aimed at understanding and improving the protection of personal data on the ground. Furthermore, the findings of this research expand the Theory of Contextual Integrity to include the technologies used to process personal data as actors that also shape practices. In addition, by studying actual practices, this empirical research shows why it is so complicated for organisations to maintain the appropriateness of information flows in an environment saturated with personal data-processing technologies. In conclusion, the contribution of this research to society entails that the influences found may be deployed or adjusted to protect people whose personal data are processed by improving organisational practices.