Recent years have seen the adoption of several data privacy protection laws, most notably the General Data Protection Regulation (GDPR) in the EU, the California Consumer Privacy Act (CCPA) in the United States, and the lesser-known Bundesdatenschutzgesetz in Germany. Legislation like the GDPR and CCPA reflects an increasing worldwide awareness of the potential dangers and complications brought about by the ever-growing popularity of data collection, processing, and analysis. Furthermore, these laws represent an attempt to enforce the responsible handling of data through legal means, ultimately protecting the consumer, or rather the individual. From these laws stems the concept of data privacy compliance, meaning how a corporation or other organization must comply with the requirements defined in such laws. At the same time, and in most cases actually predating these recent privacy laws, the research and development of Privacy-Enhancing Technologies (PETs) has also sharply risen, yielding many novel and effective methods for processing sensitive data in a private manner. Some notable PETs, among many others, are Differential Privacy, Homomorphic Encryption, and Multi-Party Computation.
With two distinct sectors approaching the issue of data privacy in inherently different ways, there is potential for a gap in understanding over how exactly to achieve the end goal of privacy preservation. On one hand, the legal approach sets the foundation on which privacy compliance rests, most notably through definitions and general requirements relating to data processing. As a result, privacy in the legal sense is by nature more of a guideline than a specification. Advances in the technical realm, on the other hand, work towards developing processes that do preserve privacy in some concrete manner, yet this may or may not translate directly to given legislation. In other words, one can read the entire text of the GDPR and still be unsure how exactly it could be implemented in a PET. By the same token, the developers of a PET might face challenges when evaluating how their framework conforms to GDPR requirements. Ultimately, the question becomes how privacy is approached in both the legal and the technical sense, and furthermore how these potentially disparate ideas can be unified into one common notion of data privacy. Thus, the goal of this thesis is not only to explore the dynamic between privacy compliance in the legal and technical sectors, but also to begin working towards a solution that unifies them. This goal will be accomplished by first exploring the challenges existing within privacy compliance programs today, and subsequently analyzing the findings to develop useful solutions.
With these goals in mind, the following research questions have been defined:
In order to best answer these questions, this thesis will follow a methodology consisting of semi-structured interviews, drawing on participants working with privacy in either the legal or the technical sector, or ideally ones who traverse both fields. The interview participants will be presented with a pre-defined set of questions, with the goal of learning about each participant's role, identified challenges, and future goals regarding privacy compliance within their organization and/or field. From these insights, the main challenge and goal of the thesis will be to synthesize the knowledge gained into a holistic view of the state of privacy compliance. These insights, in turn, will point to potential future avenues for bridging possible gaps in the understanding and implementation of privacy compliance.
Name | Type | Size | Last Modification | Last Editor
---|---|---|---|---
210920 Meisenbacher Master Thesis Kick-Off.pdf | | 947 KB | 20.09.2021 |