We value your privacy: The organisational protection of personal data

‘We value your privacy’, is what organisations tell us when we first connect with them online, but more often than not, this statement is followed by an instant grab of information about us. Knowing that organisations are well aware that they need to protect that information, the question is how they interpret their task to protect personal data in practical reality.
Organisations face many challenges related to their handling of personal data, from dominant technological infrastructures to regulatory interventions and societal expectations. Against the background of Media and Communication Studies, with their focus on how ‘media’ (as the plural of ‘medium’) influence communication, the main research question I pose in this thesis is: In our technology-mediated society, which kinds of influences shape organisational practices of personal data protection? Answering this question requires a deep
dive into actual organisational practices, which can only be approached through qualitative research methods aimed at discovering relevant actors’ own interpretations of the situation.
Although the disciplinary lens of Media and Communication Studies guided the
research, it was conducted in acknowledgment of the interdisciplinary nature of privacy
studies. Before embarking on the empirical stage of the research, I developed an analytical
framework integrating insights from Media and Communication Studies, Law and Compliance
Studies, Science and Technology Studies, Philosophy of Technology, Organisation and
Institutional Studies, and wider sociological research.
The framework consisted of six different perspectives to scope the analysis of case
study results: Goals and Values, Knowledge and Understandings, Regulatory Tools and
Techniques, Behaviour and Interactions, Data and Technology, and Trust and Legitimacy. The
perspectives were applied at three levels: the micro level (of the work floor), the meso level
(of organisations and sectors), and the macro level (of society), in line with the (legal-
philosophical) Theory of Contextual Integrity. This theory posits that flows of information are
appropriate when they adhere to contextual norms, which requires an analysis of norms at
the levels of individuals, organisations, and society. By analysing all study results from these
six perspectives and on the three levels, coherent and comprehensive findings were obtained
for empirical studies of organisational practices in different sectors.
Choosing different sectors for the comparison of organisational practices was another
operationalisation of the element of ‘context’. Four personal data-intensive sectors were
selected for the comparison – the (retail) banking sector, the media sector, smart cities, and
the health sector – and empirical studies were conducted in the first three. The hugely
disruptive nature of the COVID-19 pandemic, during which all of society arguably turned into
‘the health sector’, meant that conducting comparison-focused research for this sector was
out of scope for the time being.
The findings showed important influences on organisational data protection practices
at three levels were: (at the macro level:) crises, hard and soft law, and digital infrastructures;
(at the meso level:) sector-specific goals, values, purposes and expectations, dominant privacy
paradigms and managerialised risk perceptions, and markets; (at the micro level:) data
governance, and professionalisation of privacy and data protection actors. These influences
should be regarded in coherence, interacting with each other. While this is by no means a
complete list of all possible influences, it shows the promise of the analytical framework in
discovering a wide set of influences that are sensitive to the specific contexts in which
organisations operate. The framework can thus motivate a research agenda that can spawn
iterative framework revisions and innovative empirical research designs, aimed at
understanding and improving the protection of personal data on the ground.
Furthermore, the findings of this research expand the Theory of Contextual Integrity
to include the technologies used to process personal data as actors that also shape practices.
In addition, by studying actual practices, this empirical research shows why it is so complicated
for organisations to maintain the appropriateness of information flows in an environment
saturated with personal data-processing technologies. In conclusion, the contribution of this
research to society entails that the influences found may be deployed or adjusted to protect
people whose personal data are processed by improving organisational practices.