| News | Interview | Click and Collect – When is data disclosed?

Click and Collect – When is data disclosed?

Data is the basis for government action and a multitude of business models. But when do we willingly disclose it and when should we never do so? What role do cultural influences or legal frameworks play in this? We talked about this with Moritz Hennemann, head of the project "Vectors of Data Disclosure".

© Valentin Brandes/ Universität Passau

These are some of the questions that the bidt-funded research project “Vectors of Data Disclosure” has been investigating since the beginning of 2021. We talked about this with the project leader Professor Moritz Hennemann. He holds the Chair of European and International Information and Data Law at the University of Passau.

You talk about data as a driver of innovation. What do you mean by that?

Data is coded information. Depending on the context, they have always had a value. By means of modern technologies, data can be analysed in large quantities and at a high speed, which is also commonly known as Big Data. Patterns can be recognised from these data sets, correlations derived and new insights gained, which in turn form the basis for business models and for government action. The use of data sets can also be welfare-enhancing, for example by evaluating mobility data for an optimised traffic flow to avoid traffic jams or health data to treat diseases.

What social challenges are associated with this?

The question arises within the respective societies of how we deal with our data, at national, supranational and international levels. In order to “obtain” personal data, the individual usually has to make a decision to disclose it. This is also connected to the question of under which aspects someone is willing to disclose his or her data at all. However, it is still an open question whether and to what extent the willingness to disclose one’s own data depends on cultural conditioning as well as the existing legal framework and how the decision is made in detail. This is where our research project comes in.

What kind of data are you investigating in the research project?

Our focus is on personal data. With regard to the General Data Protection Regulation (GDPR), this refers to data with which a person can be identified or is identifiable. This includes a person’s own name, address or date of birth, but also data that, in turn, indicates a person in combination with other data, such as location data transmitted via smartphone. There are also special categories of personal data, such as political opinions, religious beliefs or health characteristics.

In what situations is this data disclosed?

We make a number of decisions every day about whether and how we disclose our data. This can be data in the course of using an app, by setting cookies on websites, when shopping online or generally in e-commerce – especially where contracts are concluded and data is entered for processing. There are also a large number of business models where no monetary payment is made, but data is a consideration for the use of a service. Furthermore, data is also disclosed for altruistic purposes, for example in the form of a data donation – the donation of health data to the Robert Koch Institute for research purposes during the corona pandemic would be an example of this.

Why is the project called “Vectors of Data Disclosure”?

The concept of vectors underlines the multidimensionality of the process of data disclosure.

Prof. Dr. Moritz Hennemann, Project manager

We are investigating the decision-making process as well as cultural and regulatory frameworks. They are all, we suspect, intrinsically related to each other.

How does the project team approach this interaction?

We follow a comparative, interdisciplinary approach and combine cultural studies and business informatics with the legal perspective at the University of Passau. The project team also focuses on data disclosure in an international context, especially on the cross-border character of data disclosure between legal areas and cultural groups.

Which cultural areas, states and regions does the project focus on?

We have selected the countries in such a way that we can look at different cultural dimensions and legal areas. For example, we contrast the European Union with Germany and Switzerland as a non-EU country with the USA with a decidedly different regulatory model. We also look at the cultural setting and the forms of regulation in Brazil, China, Ghana, Japan and Russia – and of course the political parameters in the various countries are by no means uniform.

Can you give an example of the different regulation of data in the countries?

In the European Union, according to the GDPR, any data processing is generally prohibited unless the use is subject to a separate authorisation, such as a legal permission or the consent of the data subject. The regulatory models of other countries such as the USA deviate from this, because data processing is generally permitted here. However, sensitive areas have also been defined – risk-consciously – where sectoral regulation exists (for example, in the education or health sectors).

In addition, there are of course also different specifications as to what information a data subject must receive before a decision is made. Likewise, different regulations are conceivable on the question of whether consent must be given in advance or the possibility of an opt-out exists.

How are cultural and regulatory frameworks linked?

Cultural framework conditions often influence the regulatory setting. For example, if there is a strong awareness of privacy and data protection in a country, this has often been reflected in regulation in the past, for example in Germany. But this does not necessarily happen. We look at these entanglements, these different dimensions, and investigate the question of which framework conditions have which effects on the disclosure of data.

And of course there are other levels: Even if something is written on paper, it does not necessarily mean that it is lived practice. Lawyers distinguish here between the “law in the books” and the “law in action”. Just because there is a data protection regulation does not mean that it is implemented and lived in everyday life, for example, if there is a lack of acceptance or enforcement.

What role do cognitive and affective factors play in the respective decision?

Behavioural economics teaches that decisions can be affective or cognitive. An example: clicking on the cookie banner on a website. Do I spontaneously and without conscious thought agree to the cookie selection or do I first read through the cookie instructions and ask myself, for example, whether I trust this provider?

You mention trust. What role does it play in the decision-making process?

Trust is a central concept, especially for the cultural studies dimension, but also for our investigations in general. The basic questions are to what extent there is trust in the processing activities of a data recipient in societies and whether this trust or mistrust has an influence on the disclosure process. We look at different scenarios of disclosure decisions: from e-commerce to state actors to data donation.

In addition, there is the dimension of global networking: data is processed across borders in a variety of situations. We want to explore to what extent the decision-making process differs when the sender knows that data will be processed across borders.

What are the goals of the research team?

We want to build models and develop concrete recommendations for action on this basis. These can be impulses for further regulation or deregulation at national, supranational or international level, but also recommendations for stakeholders such as companies, associations and NGOs that are active in the countries under consideration or in comparable countries.

We also strive to classify which regulatory models are particularly appropriate (and possibly innovative). This would also provide impulses for possible harmonisation at the international level. Incidentally, one result could also be that the different cultural and legal framework conditions in the respective countries have no influence at all on the pricing process because it is the same everywhere – that would also be an insight!