Modern privacy regulations, such as the General Data Protection Regulation (GDPR), address privacy in software systems in a technologically agnostic way by mentioning general "technical measures" for data privacy compliance rather than dictating how these should be implemented. An understanding of the concept of technical measures and how exactly these can be handled in practice, however, is not trivial due to its interdisciplinary nature and the necessary technical-legal interactions. We aim to investigate how the concept of technical measures for data privacy compliance is understood in practice as well as the technical-legal interaction intrinsic to the process of implementing those technical measures. We follow a research design that is 1) exploratory in nature, 2) qualitative, and 3) interview-based, with 16 selected privacy professionals in the technical and legal domains. Our results suggest that there is no clear mutual understanding and commonly accepted approach to handling technical measures. Both technical and legal roles are involved in the implementation of such measures. While they still often operate in separate spheres, a predominant opinion amongst the interviewees is to promote more interdisciplinary collaboration. Our empirical findings confirm the need for better interaction between legal and engineering teams when implementing technical measures for data privacy. We posit that interdisciplinary collaboration is paramount to a more complete understanding of technical measures, which currently lacks a mutually accepted notion. Yet, as strongly suggested by our results, there is still a lack of systematic approaches to such interaction. Therefore, the results strengthen our confidence in the need for further investigations into the technical-legal dynamic of data privacy compliance.