Regulating Data in the European Union and United States: Privacy, Access, Portability & APIs

Woodall, Angela

January 2023

This dissertation examines the way that demands for more control over the collection, processing, and sharing of personal data are being managed by both government and industry leaders with strategies that appear to comply with regulations, but that fail to do so. These are “by-design” strategies used by individuals to unilaterally manage their data with automated tools. I take a multimethod approach that combines autoethnography, reverse engineering techniques, and data analysis to assess the implementation of by-design services implemented by Facebook, Twitter, and Instagram in compliance with current European Union regulations for access and portability. I also employ archival research, discourse analysis, interviews, and participant observation. I argue that self-led, by-design approaches do not answer the demands for more control over personal data. The regulatory and technical resources put in place for individuals to control their data are not effective because they turn over decisions about execution to an industry with no interest in sharing that data or being regulated. If policymakers continue to pursue by-design approaches, they will need to learn how to test the techniques, and the execution of the techniques, provided by industry. They will need to assess the impact on data that is made available. So that results can be evaluated, by-design tools like the ones I assessed must be accompanied by clear and detailed details about design choices and procedures. In this vein, I offer directions for critical scrutiny, including standards and measuring the impact of APIs. I conclude that self-managed, by-design approaches are not the source of the problem. But they are a symptom of the need for critical scrutiny over the execution of tools like the ones offered by Facebook, Twitter, and Instagram. Ultimately, I found that portability and access are legally and technically fraught. However, despite the shortcomings of by-design approaches, personal data can be more effectively regulated in Europe than in the United States as the result of current regulations.

Communication

Data protection--Government policy

Personal information management

Privacy

Facebook (Firm)

Twitter (Firm)

Awareness and training: the influence on end-user' attitude towards information security policy compliance

Snyman, Mmabatho Charity

02 1900

Research accentuates that end-users‘ noncompliance with information security policy (ISP) is a key concern for government just as it is for the private sector. Although awareness and training programmes are important factors impacting employees‘ intentions to comply with an organisation‘s ISP, it can be argued that there is insufficient empirical evidence to support this assertion. To address this gap, this study seeks to expand research on ISP compliance by focusing on attitudes as targets of change. A research model based on the Theory of Planned Behaviour was proposed to illustrate the influence of ISP awareness training on end-users‘ attitudes towards complying with their organisation‘s ISP. Relevant hypotheses were developed to test the research conceptualisation. A survey and an experiment was undertaken to collect the data from a sample of 173 end-users of a single government organisation in one province. The data was captured and analysed using a Statistical Package for Social Sciences (SPSS). Furthermore, Structural Equation Modelling (SEM) was used to test whether the overall model appears to be a good fit to support the hypotheses. The reliability, validity, and model fit were found to be statistically significant, and three out of five research hypotheses were supported. Overall this study contributes to the existing body of knowledge by providing an understanding of the methods that can be used to encourage end-users‘ ISP compliance behaviour through an attitudinal shift, thereby targeting end-users‘ attitude as a means to improve information security policy compliance. Implications of the findings are further discussed in the paper. / Information Technology / M. Tech. (Information Technology)

Attitudes

Information security

Information security policy

Awareness training

Intentions to comply

Information security compliance

Self-efficacy

005.8

Computer security -- Government policy

Data protection -- Government policy

Computer networks -- Security measures

Compliance auditing

Information technology -- Management