
Assessing regulatory impact

The GDPR and consent from an informational perspective

Frans Huigen

Student ID: 11623810

University of Amsterdam, Faculty of Science

Thesis for the Master Information Studies – Business Information Systems

Final version: 13 June 2018
Defense date: 9 July 2018

Thesis Supervisor: Professor Dr. T.M. van Engers
Second examiner: Drs. A.W. Abcouwer

Abstract

Since May 25th, 2018, the General Data Protection Regulation (GDPR) has been in effect. In the run-up to this European law, organizations indicated they were unable to prepare themselves in time to comply with it. It is interesting to investigate how certain regulations are constructed, and how their regulatory impact on business processes can be assessed. In this thesis, a qualitative case study of giving and withdrawing consent has been executed. The basic assumption was that there is a gap between policy- and law-makers, and businesses across The Netherlands. Literature analysis, document analysis, unstructured interviews, and semi-structured phone interviews reveal this gap is indeed observable. From an informational perspective, this thesis argues that an instrument is never a perfect fit and will need to be tailor-made. A synthesis is proposed of the Selective Organizational Information Privacy and Security Violations Model and the Societal Cost-Benefit Analysis. The practical relevance of this approach lies in mitigating the non-compliance risk of organizations. The scientific relevance of the proposed approach is embedded in structurally enabling the improvement and ratification of legal construction in our constitutional democracy.

Keywords: General Data Protection Regulation, privacy protection, consent, Regulatory Impact Assessment, SOIPSVM, process impact, non-compliance.

Introduction

Imagine a universe where Aristotle, Goethe and Foucault were to sit next to each other in a bar in Amsterdam. Pondering their daily lives and the state of the world, after a few drinks they decide to exchange business cards. Philosophers will be philosophers, and they come to discuss how they intend to use each other's personal details. Aristotle and Foucault contemplate privacy and the ethical consequences of the use of personal data; Goethe pragmatically constructs consent forms and ensures the righteous use and protection of their personal data, saying “(…) only the law can bring us freedom” (1802).

Now let us go back to our own universe. Rules and regulations pertaining to the ‘physical’ have been in place for a long time; the necessity of legislation for ‘the online’ becomes ever more urgent in the digital era. Although laws for this domain have been in development since the middle of the twentieth century, they were outrun by the rapid development of the internet. The most topical law is the General Data Protection Regulation (GDPR), which came into force on May 25th, 2018. It has consequences for all concerning the use of personal data.

For almost a year before the GDPR came into force, organizations in The Netherlands seemed to be paying little attention to preparing for compliance with it; I wanted to explore and understand what was happening. In light of this phenomenologically interpretivist approach, my basic assumption at the start of my research was that there is a structural mismatch between policy- & law-makers and business organizations in The Netherlands. These stakeholders have several impact assessment instruments at their disposal, for example the ex-ante execution test (in Dutch: the “ex-ante uitvoeringstoets”, Kenniscentrum Wetgeving en Juridische zaken [KCWJ], 2017).

Although these instruments exist, I wondered to what extent they are fit for use by businesses in The Netherlands for an impact assessment of the GDPR, given the phenomenon I observed. I narrowed my research down further to the domain of consent in GDPR articles 6 (section 1, sub a) and 7. I chose this particular part because I felt that in many cases, I myself do not know what I gave consent for at certain websites.

I have conducted a qualitative case study in the course of January-June 2018 with the following central research question: What method can be used to assess the impact on organizations in The Netherlands of GDPR article 6, section 1, sub a, and 7 concerning consent?

To answer this central research question, I sought to answer the following sub-questions:

1. What are existing measurement instruments used for the assessment of regulatory impact?

2. What was the state of affairs at organizations in The Netherlands in anticipation of the GDPR coming into force?

3. What are the implications of GDPR article 6, section 1, sub a and article 7 for organizations in The Netherlands?

4. Are the current measurement instruments fit for a clear-cut impact assessment of articles 6, section 1, sub a and 7 of the GDPR?

Following this introduction, in the methodology section, I explain the design and strategy as well as the rationale behind these questions, and the quality control.

Following the methodology section, I elaborate on the literature in the field of study. Although in the common structuring of theses the literature study precedes the methodology section, I switched these since my literature analysis contains results of the desk research and interview codes forming the foundation of my conceptual and theoretical framework. Subsequently, I present an analysis of my findings. In the section after that, I discuss the findings presented, followed by a concluding section.

1. Methodology

I elaborate on the research questions, research strategy and research design, and why I considered them fitting. Subsequently, I clarify the approach to data collection and how I aimed to control the quality of my research. I have structured these aspects in table 1 below.

The desire to understand something provides handles for a qualitative research strategy and a phenomenological approach (Bryman, 2015, p. 26; Blaikie, 2009, pp. 58-68). Following this qualitative research strategy, the design I used was the “exemplifying case study” (Bryman, 2015, p. 64).

I used two methods of research within the qualitative domain: I conducted interviews with seven experts in the field, and I analyzed documents and literature. In figure 1 on the next page, I have placed these under the concept exploration and saturation sections of the funnel. The interviews contributed to the forming of the conceptual and theoretical framework as well.

Table 1 – Research question framework

Main research question: What method can be used to assess the impact on organizations in The Netherlands of GDPR article 6, section 1, sub a, and 7 concerning consent?
  Method of research: Literature research of scientific and non-scientific literature and unstructured & semi-structured interviews with experts in the field; exemplifying case study of consent in the GDPR.
  Goal: Central research goal: gaining insight into arriving at an acceptable impact assessment methodology for laws and regulations.

Research question 1: What are existing measurement instruments used for the assessment of regulatory impact?
  Method of research: Literature analysis of scientific reading, unstructured interviews with experts in the field.
  Goal: Identifying what has already been investigated within this domain; constructing the conceptual framework.

Research question 2: What was the state of affairs at organizations in The Netherlands in anticipation of the GDPR coming into force?
  Method of research: Literature analysis of scientific and non-scientific reading and semi-structured phone interviews with professionals.
  Goal: Identifying the origin of the problem statement, practical and scientific rationale.

Research question 3: What are the implications of GDPR article 6, section 1, sub a and article 7 for organizations in The Netherlands?
  Method of research: Thorough document analysis of the GDPR and literature research.
  Goal: Constructing a conceptual framework.

Research question 4: Are the current measurement instruments fit for a clear-cut impact assessment of articles 6, section 1, sub a and 7 of the GDPR?
  Method of research: Literature analysis, unstructured interviews with experts and semi-structured interviews with experts in the field.
  Goal: Comparison of possibilities for a methodology of a Regulatory Impact Assessment (RIA).

Figure 1: Methodological funnel for this thesis, derived from http://www.ach2.org.au/about

Respondent selection & interviews

I selected the experts in the field for interviewing through qualitative sampling methods. I selected my respondents using so-called respondent-driven sampling, a variation of snowball sampling (see Heckathorn, 1997; Bryman, 2015).

Since I wanted to gain a better understanding of different perspectives towards laws and regulations and their impact on processes, I interviewed a legislative lawyer and researcher, an expert on legislative processes at the Dutch government, and an expert on politics and governance from a foundation in The Netherlands. I chose these respondents because they were knowledgeable on the subject from various perspectives.

To assess the state of affairs in The Netherlands, I conducted four phone interviews with executive privacy officers at universities, lasting no more than twenty minutes each. I asked two questions: “what is the state of affairs in preparation for the new law?” and “which difficulties do you identify on the road to compliance?”.

All interviews were recorded. This was discussed with the informants beforehand, and they all agreed. I deleted the recordings of the interviews using privacy software after summaries, transcriptions, and coding were finished, to ensure the privacy of my respondents.

I verified the constructed summaries with them: respondent validation (Bryman, 2015, p. 385). The summaries were checked for inconsistencies or inaccuracies and I incorporated those accordingly. This approach helped me improve the transferability of my research (ibid., p. 44).

To further enrich my literature analysis, I used the interview codes. This led to theoretical saturation in combination with the respondent sampling method, making this an iterative process (see Marshall, 1996, p. 522; Bryman, 2015, p. 411). I have appended the coding schemes per interview in appendices A – C. In the last subsection of the literature review, I have constructed a table containing codes and categories which form the foundation for the conceptual and theoretical framework, using an open coding approach (Bryman, 2015, p. 574).

I aimed to interview politicians and Dutch Data Protection Authority experts, reaching out to one Dutch Parliamentarian, two European Parliamentarians, and to the European Data Protection Supervisor. Unfortunately, all replied they were unable to help me because of the challenges posed by the coming of the GDPR.

2. Literature analysis

The GDPR defines consent as given by a subject who has a clear appreciation and understanding of the facts, implications, and consequences of the act of giving consent (European Parliament and European Council, 2016, pp. 36-37).

Furthermore, GDPR article 6, section 1, sub a, concerning the lawfulness of processing, states processing of personal data is lawful only when the data subject has given consent for specific purposes. Article 7, stating the conditions for this consent, lists the following reasons for data processing to be lawful:

1. The consent shall be actively given.

2. The consent shall be informed: it shall be clearly indicated what the data subject is giving his or her consent for.

3. Consent shall be specific: it shall only be for the purpose provided. Processing for other purposes than initially mentioned, must be preceded by consent for this purpose for every single case.

4. A data subject must be able to withdraw consent at any given time, of which he or she must be informed prior to giving consent. Withdrawing consent should be made as easy as giving it, and after consent is withdrawn all further data processing is no longer lawful.

2.1. Assessing regulatory impact

Within the Dutch government, a frequently used method for the assessment of regulatory impact is the ex-ante execution analysis, which provides insight into the consequences of a certain law or regulation. This type of analysis is the Dutch interpretation of what is called the Regulatory Impact Assessment (RIA), widely introduced by the OECD during the second half of the twentieth century (Organisation for Economic Cooperation and Development [OECD], n.d.).

Radaelli & De Francesco elaborate on the nature and purpose of this RIA, considering it a “systematic and mandatory” (2010, p. 2) administrative procedure to be performed before legislation comes into practice. The authors posit that the RIA enables the controlling of bureaucracies: controlling the way laws and legislations are continually monitored.

Zooming in further towards the Dutch governmental system, Schrijvershof, Douma & Aarts (2013) inventoried different methods with which execution analyses were performed. They explain that the execution analysis focuses on the processes of decision-making for executive organizations within the Dutch government. The authors conduct empirical research aiming to find out what types of execution tests have been performed and what their methods of approach were.

They limit the research to the consequences of (alterations of) laws and regulations for the processes within the judicial chain of the Dutch government. They distinguish types of execution tests, all of which have an ex-ante nature, meaning the tests are performed before the implementation of laws and regulations takes place. To a large extent, calculations in these tests are made on the basis of assumptions by several experts of the domain within which the test takes place. The research concludes that the execution tests mentioned are performed for the internal use of governmental departments only, and not for business organizations.

In a more extensive study, Klein Haarhuis & Keulemans (2014) conducted similar research into the number and nature of ex-ante evaluations within the domain of Dutch governmental bodies. The authors distinguish eight types of ex-ante studies of laws and regulations, and a category holding a combination of certain methods (ibid., p. 52):

1. A (Societal) Cost-Benefit analysis, which entails a comparison of policy alternatives and the ‘zero-option’. Different financial consequences are examined.

2. Ex-ante evaluation, measuring potential effects and side results of the implementation of certain laws and regulations, on a general level. The (Societal) Cost-Benefit analysis is not part of this evaluation.

3. Plan or policy evaluation, in which a reconstruction and assessment is constructed, aiming to expose the logic behind the laws and regulations.

4. Exploration or Quickscan, scanning the consequences of certain proposals without going too much into detail.

5. Execution and enforceability test, which is performed internally within departments.

6. Risk analysis or analysis of the ‘bottleneck’, focusing on which aspects of the regulations will pose difficulties in the execution.

7. Specific ex-ante execution test, differing from the second category in this list. Logically, within this category a certain exact aspect is measured.

8. Cost-effectiveness analysis, similar to the first option in this list, but without the ‘zero-option’.

A conclusion the authors formulate is that ex-ante evaluation of laws and regulations is not and never will be perfect, and the results are frequently surrounded by “(…) margins of uncertainty (…)” (p. 161). This uncertainty does not help businesses in their assessment of process impact.

Following the Regulatory Impact Assessment (RIA) study and the two studies concerning ex-ante evaluations, Klein Haarhuis & Parapuf (2016) conducted a study into the ex-post evaluation of regulations. These take place after a regulation has been implemented. The authors state that evaluation of laws and regulations proves valuable to gain insight into the way they are set up and used in governmental bodies. Klein Haarhuis & Parapuf conclude that these ex-post evaluations are conducted in what they call “policy divisions” (2016, p. 124). In their study, the authors find that within the law-making process, combined legal-empirical approaches add value to the quality of the law and its evaluation.

I identify a gap in the literature: the authors of the articles I analyzed focus on public administration; business organizations are left out of scope. Ex-ante evaluations and RIAs pertain to the setting of legislators and law-makers, whether from a national or an international perspective. The studies draw conclusions about the methods of approach towards impact assessment for executive organizations within the domain of governments; businesses and policy implementations are not mentioned. This will be the focus of the next section of this literature analysis.

2.2. Policy and business implementation

Business organizations require a certain rationality in their work and the processes they implement, as for example instigated by Taylor and his Scientific Management (Taylor, 2004). Snellen (2002) explains rationality as “(…) the core of public administration” (p. 323). He defines it within this domain as a graduated concept: the degree to which certain choices appear to be taken “judiciously” (p. 324), i.e. based on argumentation. Argumentation and judicious reasoning are the core of public administration, on which Snellen elaborates using four paradigms (p. 325).

The first is legal-procedural; public administration exists to connect politics and the civil service. The second paradigm elaborates on the public administration as being part of the political system. It assists the political function of the complex system: accurately distributing societal values. The third paradigm is an efficiency and economics perspective, improving the public administration service. The fourth paradigm the author elaborates on is a scientific approach to public administration and the construction and “(…) execution of politics and policies” (p. 325).

In a later paper, Klijn & Snellen (2009) elaborate on the transformation of public administration management towards the management of a complex system. Emerging from complexity theory, complex systems emphasize interactions and the accompanying feedback loops that constantly change, and the processes occurring while constructing laws and legislation.

While complex systems theory proposes systems to be unpredictable, they are also constrained by order-generating rules, e.g. policies and business rules and the regulations established by government bodies. The authors argue for combining the concepts and ideas of complexity theory with public administration theory, and elaborating them further to understand the domain and line of work. Still, they focus on the public administrative services, and business organizations are left aside.

An illustrative study has been conducted by Zwenne & Schmidt in 2016, in which the authors elaborate on the administrative law, the legality principle, and the digitization of the public administration. They use a case study of the Dutch DigiD, a digital passport for citizens. Zwenne & Schmidt illustrate the risks of the digital government using DigiD. What is behind these risks is similar to the paradigms drawn by Snellen (2002, p. 325). The government is digitizing its policies, and is expecting Dutch citizens to do the same.

This is an example of how complexity theory and public administration theory are combined: interactions and feedback loops between government and citizens constantly change. There is a parallel between the works of Snellen (2002), Klijn & Snellen (2009), and Zwenne & Schmidt (2016). Where the former construct their research on theoretical foundations of public administration and policy implementation, the latter take a viable undertaking towards the digitization of government bodies.

The practical method is the formulation of five risks that digitization involves, following directly from the policy choices made (Zwenne & Schmidt, 2016, pp. 323-331):

1. Digitizing the public administration service – aiming to improve efficiency and effectivity – leads to exclusion of (large) groups of citizens.

2. Governments offering the digital services such as DigiD provide one-sided guarantees: using this digital service, citizens cannot be certain of what they are using and what they are up against.

3. Governments are able to withdraw themselves from checks and balances, i.e. the ‘societal equilibrium’, by disclosing only partial information. Citizens cannot control this behavior.

4. There is a great difference between governing bodies in their literacy concerning information security and its societal and economic importance. There is uncertainty about what actions to take when things “go wrong” (p. 330).

5. Policies concerning digitization and the digital society are over the heads of government directors and administrators. They lack knowledge and experience.

The four paradigms and complex systems theory shed light on regulatory impact assessment as not merely a tool or a method of approach. It is fundamental to the construction of laws, legislation and policies, and to taking control. The risks formulated by Zwenne & Schmidt (2016) and the works concerning policy implementation of Snellen (2002) and Klijn & Snellen (2009) form the connection with the next section of this literature analysis. However, the impact on business processes in the private domain would have deserved more attention in my opinion. Zwenne & Schmidt suggest this as well with their fourth point.

2.3. Privacy protection: a consent perspective

I am focusing this section on the main theme of the case study of this thesis: consent, privacy and privacy regulation. Privacy is a fundamental right, finding its foundations in the Dutch Constitutional Law (article 10) and the European Convention on Human Rights (article 8).

The concept itself and its regulation are not new. On the contrary, Aristotle (384-322 BC) distinguished the political sphere and the private sphere associated with family and private life (Aristotle, 1926, p. 489). In 1977, Irwin Altman postulated privacy as “(…) a universal process that involves culturally unique regulatory mechanisms” (p. 66). This is long before the inception of online privacy and the digital use of personal data, and their pervasiveness in our culture. Altman argues privacy is to be considered a “(…) regulation of social interaction” (p. 82). People control when and with whom they interact. The giving of consent is a form of privacy self-control, as regulated in civil law – the GDPR in this case.

Following this line of reasoning, Bell (2010) separates two types of common civil law: contract and tort law. Contract law concerns the enforcing of relationships formed by contract among the persons involved. Tort law must be applied to groups of people, not individuals. In this light, the GDPR is a ‘tort law’. It imposes behavior between parties, justifying social policy. Bell argues that the giving of consent varies by degrees, and consent provides a “(…) standard for evaluating the justification of social institutions” (p. 83). Giving consent is not just saying ‘yes’ or ‘no’.

Altman (1977) and Bell (2010) make note of a behavioral aspect to privacy and its regulation. An interesting concept to consider in this regard is the privacy paradox, relating to whether or not the consent given is ‘informed’. The privacy paradox entails the online behavior of people not reflecting their privacy concerns (Baek, 2014; Smith, Dinev & Xu, 2011; Norberg, D.R. Horne & D.A. Horne, 2007). People tend to be protective of their personal data, but online they are willing to give up (a part of) their privacy in exchange for discounts, for example. For the giving of consent in modern internet times, Hull (2015, p. 96) stipulates that it provides users with choices they cannot “(…) rationally make”. The privacy paradox facilitates a consent paradox: we do not know exactly what we are giving consent for. Building on this further, Hull introduces the idea of the postmodernist philosopher Michel Foucault, arguing notice and the giving of consent to be techniques of “subjectification” (Foucault, 1982, p. 208): humans understand what they do and who they are in a conscious way.

Consent is a handle with which citizens obtain control over their own privacy, as regulated by the GDPR and as argued by Altman (1977). Monteleone (2015) states that online requests for consent appear to frustrate this control. She argues that data protection policies have to be made a priority on the European Union agenda because of the “emergence of new data technologies and the growth of an information-based economy (…)” (p. 71).

Although these policies are made a priority on the agendas, she elaborates that subjects ignore the current privacy notices found online because of the unclear and difficult language they are written in. This results in a “(…) lack of understanding (…)” (p. 75) by the data subject, which cannot lead to the giving of informed consent. Therefore, Monteleone introduces what she calls privacy nudges, as “complementary regulatory tools” (p. 118), in addition to the request for consent. This would change the way organizations ask for consent, and the business processes reliant on it.

In their 2016 article, Wall, Lowry & Barlow state that research within this domain rarely focuses on “(…) organizational environment and organizational-level decisions” concerning privacy regulations (p. 40).

The authors constructed a model which they call the “(…) Selective Organizational Information Privacy and Security Violations Model (SOIPSVM). It explains violations of various organizational (…) rules” (p. 49). The authors state several propositions, of which the first is most relevant for this thesis: the higher the organizational understanding of the risks associated with non-compliance, the lower the probability that organizations will violate the rules (Wall et al., 2016, p. 50, paraphrased).

In conclusion, following Altman (1977), Bell (2010) and Hull (2015), the foundation of the giving of consent is to be found within the social sciences and not within legal theory. Subject control over privacy is ambiguous, considering the privacy paradox. Given the ‘origin of consent’ and the privacy paradox, legislation and regulations seem to be unable to cover the scope entirely (following Monteleone, 2016). As a model helping organizations in their understanding of externally governed privacy regulations, Wall et al. (2016) propose the SOIPSVM. The essence of giving or withdrawing consent is control, and data subjects seem to only partially know how to take this control. Their argument for more organizational attention to being in control within this regulatory context confirms the hiatus I observed in the literature pertaining to legal science.

2.4. Theoretical saturation

In table 2, I have structured major categories and concepts following from the interviews I held. As explained in the methodology section, desk research and interviews took place during the concept exploration and saturation phases as depicted in figure 1 on page 3. This is why I have embedded the scheme of major categories here and not in the results section. It is the result of theoretical saturation from the interviews and it is derived from the coding frameworks as depicted in appendices A, B, and C.

Major category: Regulations and their implementation
  Associated concepts: policy- and law-makers, regulations, mindset, governance, public administration, collaboration.

Major category: Regulatory evaluation and impact assessment
  Associated concepts: governance, politics, policies, regulations, stakeholders.

Major category: The protection of privacy and personal data
  Associated concepts: technological and societal developments, regulations, governance, privacy, consent, data control.

Table 2 – Major interview coding categories and concepts.

The dominant category emerging from the three unstructured interviews was the construction of policies and their implementation. The respondents reflected on the extent to which regulations were translated into policies by the policy- and law-makers, and took the organizational perspective in reflecting on the governance of the rules.

Following the first category, the second and third categories were those of the evaluation of these regulations, and the protection of privacy & personal data. Concepts emerging from the interviews overlap between all three major categories (axial coding; Bryman, 2015, p. 574). The major categories and associated concepts form the foundation of my conceptual and theoretical framework.

2.5. Conceptual and Theoretical framework

The framework in table 3 on the next page is derived from Birkinshaw, Hamel & Mol (2008, p. 827). The major categories, emerging from the coding of the interviews, form the three perspectives of this framework. The final two rows contain sources of literature and queries, for which I have been inspired by Van Helvoort (2016, p. 77).

Perspective: Laws, regulations and regulatory impact
  Seminal literature: Radaelli & De Francesco (2010), Klein Haarhuis & Keulemans (2014), Klein Haarhuis & Parapuf (2016), Schrijvershof, Douma & Aarts (2013).
  Domain theories: Law, legal theory.
  Levels of analysis: European and national governments.
  Primary sources and databases used during desk research: WODC publications; Boom Juridisch Tijdschriften via the University Library “CatalogusPlus” service.
  Queries used: ‘regulatory impact’, ‘regulatory impact assessment’, ‘public administration’, ‘ex-ante uitvoeringstoets’, ‘legislation’.

Perspective: Policy and policy implementation
  Seminal literature: Zwenne & Schmidt (2016), Klijn & Snellen (2009), Snellen (2002).
  Domain theories: Policy theory, public administration theory, complex systems theory.
  Levels of analysis: National government, public administration.
  Primary sources and databases used during desk research: Business Source Premier via “CatalogusPlus”.
  Queries used: ‘public administration’, ‘business rules’, ‘business processes’, ‘process impact’.

Perspective: Privacy and data protection
  Seminal literature: Altman (1977), Bell (2010), Hull (2015), Monteleone (2016), Wall, Lowry & Barlow (2016).
  Domain theories: Privacy regulation theory, consent theory, privacy and consent paradox, SOIPSV-Model.
  Levels of analysis: Governmental, organizational, civil.
  Primary sources and databases used during desk research: ACM Digital Library and IEEE Xplore digital library via “CatalogusPlus”.
  Queries used: ‘privacy’, ‘data protection’, ‘data sovereignty’, ‘GDPR’, ‘consent’, ‘data processing’, ‘privacy paradox’, ‘ethics’, ‘privacy by design’, ‘data retention’.

Table 3 – Conceptual and theoretical framework

3. Analysis of findings

The first subsection is dedicated to the state of affairs at organizations in The Netherlands awaiting the GDPR, i.e. before May 25th, 2018. It consists of the results of a round of phone interviews I held with large research universities, which took place in January 2018. To provide an overview of organizations in The Netherlands stretching beyond universities, documents and quantitative research outputs were analyzed and brought into the perspective of process impact. This document analysis took place in the period April-May 2018.

3.1. State of affairs

In a 2016 global survey of nearly 7,000 respondents, KPMG International concluded that “(…) 56 percent of [the respondents] are (…) concerned about the way companies handle and use their data” (2016, p. 29). Additionally, 84 percent feel they have insufficient control over the use of their personal data (p. 30).

In a smaller survey of 1,000 Dutch respondents, KPMG Advisory NV concluded that 82 percent of the public has no idea what the GDPR is about. In contrast, 85 percent do want governments and organizations fined for violating their privacy (2018, p. 4).

These numbers show that the general public has much to gain in awareness. They make the privacy paradox visible: although everyone wants their privacy protected, people undertake little themselves to achieve it.

I interviewed four executive officers at universities in semi-structured phone interviews. At all four universities, a GDPR implementation project program is in place, with project teams that include the Data Protection Officer (DPO) of the university. Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs) are in place, as well as data stewards or similar personnel. A major challenge for universities is the state of their Research Data Management. For this, all four universities offer some form of workshop aimed at supporting researchers and creating awareness among faculty staff.

In an analysis of professional literature within the domain of information specialists at libraries, archives and museums, Snijders (2018) assesses the state of affairs at these institutions. Writing in the trade journal Informatieprofessional one month before the GDPR took effect, he reported that “a large number” of archives and libraries were still in the phase of awareness creation, itemizing which processes use personal data.

Under the GDPR, data subjects have the right to see which of their data is used, and they have the right to erasure. Yet the majority of institutions do not know exactly which data is being stored or how this process is to be managed. Snijders concludes that it will “take years” for the GDPR to become part of the DNA of these institutions.

The National Privacy Benchmark 2017 concludes that 80 percent of businesses in The Netherlands are not ready for the GDPR. For example, 66 percent of the respondents have no DPO in place yet, 46 percent have no register of processing activities, and 88 percent of the responding organizations have not yet arranged privacy by design within their organization (Verdonck, Klooster & Associates [VKA], 2017, pp. 9-23).

3.2. Regulatory impact

This raises the question behind these numbers: how is it possible that, although the GDPR was adopted two years earlier, the majority of stakeholders were still unsettled by its implementation? The informational impact of implementation on organizational processes has to be considered during law-making, so that the legislation is designed in a way that can be modelled, making it possible to analyze its impact on business processes.

Dialogue and modelling are complicated in the case of EU legislation because the legislative process is an exchange of interests and views between a large number of EU member states and political groups; the GDPR is a clear example. It is a fundamental-rights regulation that takes precedence over other legislation and applies regardless of context, which stakeholders do not always recognize. Consequently, insufficient account is taken of business process impact and related policies in the EU. This explains the worries among businesses in The Netherlands.

The way laws and regulations are created affects the extent to which they can be implemented in an organization from an informational perspective. My respondent indicated, and Klein Haarhuis & Keulemans (2014) acknowledge, that ex-ante execution tests are difficult to make because legislation has to function in a complex, dynamic environment, in line with the work of Klijn and Snellen on complexity theory (2009). In many cases, it proves difficult to establish afterwards whether legislative objectives have been achieved and, if so, whether this was due to the measure taken or to other factors. The legal text is amended during the law construction phase, which complicates the informational processing of the legislation in processes and systems at the organizational level. Business organizations do not seem dynamic enough to cope with these changes in laws and regulations.

Moreover, the Dutch Knowledge Centre for Legislation and Legal Affairs (Kenniscentrum Wetgeving en Juridische Zaken) distinguishes categories of policy instruments and has published an extensive list of more than 60 instruments at the disposal of legal experts (KCWJ, 2017). It is up to the responsible Dutch minister to organize the quality of the legislation and its evaluation.

For the GDPR, this problem is evident: the law has no clear rationale other than privacy protection. Its impact on business processes is therefore hard to measure and is not entirely clear before something has been set in motion. Mitigating measures can be put in place in advance, but their effect will never be 100 percent predictable using an ex-ante execution test. This is confirmed by the gap concerning business process impact that I observed in the literature.

Major government organizations are working on changing the mindset of legislators and executors. While drafting a method for the implementation test, departments and organizations work together in the negotiation process for laws and certain regulations. This is one solution for the gap between policy makers and implementers. For the GDPR, however, these stakeholders were not included in the pre-legislative process.

An interesting case to consider in this regard is the Dutch Public Access Act (Wet openbaarheid van bestuur, WOB), in force since 1991, which guarantees the disclosure of government information. Its intended successor, the Dutch Open Government Act (Wet open overheid, WOO), is not yet in force but awaits approval by the Dutch Senate. Much like the WOB, it requires public institutions to actively release information for the public benefit.

The government does not actively control this disclosure. This case is of interest in light of the execution tests discussed above, and of this thesis, because a quickscan was carried out for the WOO with the goal of assessing the impact of the law. A Dutch foundation, the Open State Foundation, requested the underlying documents on the basis of the WOB. The conclusions it draws from the documents and its analysis are firm. The advice following the quickscan, that the law is “too expensive” to implement, rests on 'inaccurate estimates; differences between the estimates of the organizations involved were enormous, and assumptions were volatile and unclear’ (Open State Foundation [OSF], 2017a). Eventually, parliamentary questions were asked in response to a published document in which one of the professionals involved stated that the aim was to ‘prevent the arrival of the law in the first place’ (OSF, 2017b; Eerste Kamer, 2017).

The essence of this case is the question which kind of evaluation is suitable for assessing regulatory impact. Clearly, this quickscan was not. This illustrates the problem and contributes to answering the sub-questions of this thesis. I consider a comparison between the WOO situation and the GDPR not too far-fetched, because OSF concludes that the quality and state of information management and ICT systems make it impossible to measure the impact of certain laws correctly, a conclusion backed by Zwenne & Schmidt (2016, p. 330, point 4). It is unclear what this means for the GDPR, in force in 28 EU member states, for which evidently not a single impact test has been performed at EU level, let alone in The Netherlands.

3.3. Process impact

The GDPR contains measures and process-oriented provisions that are open to multiple interpretations. An example is article 6 on the lawfulness of processing, which lists six conditions under which processing is lawful. This creates ambiguity about the regulation's impact. In substance, the law does not differ much from the Dutch Data Protection Act (Wet bescherming persoonsgegevens, WBP), which, among other things, already required unambiguous consent for processing certain personal data.

Diving deeper into the impact of laws, and into the main focus of my thesis, two interesting cases emerged during one of my interviews:

1. In the context of government transparency, public decision-making and the disclosure of government information, minutes and council reports are worth considering in the light of giving and withdrawing consent. They record the names of those present. This is personal data, and it creates a difficult dilemma. If someone present at a meeting gave consent but later withdraws it, processing can no longer lawfully take place. The GDPR defines ‘processing’ as including ‘storage’. Ergo, the name of the person concerned has to be removed from all documentation. This has a tremendous impact on public administration processes and on the information management of the government and, on a deeper level, on a functioning democracy.

2. In a context other than personal data, but worth mentioning: the cultural heritage institution Erfgoed Leiden was ordered to pay a penalty totaling almost €15,000 because photos had been published online without permission from the owner. Following this decision, many archival institutions in the Netherlands chose to take photographs offline for fear of similar claims (De Telegraaf, 2018). This case is interesting in the light of the fines of up to €20,000,000 for non-compliance with the GDPR. As a preventative measure, organizations might choose to go offline because of the magnitude of these fines.
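The consent dilemma in case 1, modelled as data. This is an added illustration and not code from the thesis: a small consent register that records consent per data subject and purpose, decides whether processing on the basis of article 6(1)(a) is lawful at a given moment, and lists the names whose continued storage in a document is no longer covered once consent is withdrawn. It goes one step beyond the case in the text: it also shows that withdrawal only forces removal when consent is the sole article 6(1) ground, since an activity that rests on another ground stays lawful. The names, purposes, dates, and the class and function names are constructed assumptions.

```python
"""Consent lifecycle under GDPR art. 6(1)(a) and art. 7, modelled as data.

Added illustration, not code from the thesis. All names, purposes and dates
are constructed sample input.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Consent:
    """One recorded consent of a data subject for one purpose."""
    subject: str
    purpose: str
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def covers(self, at: datetime) -> bool:
        # Art. 7(3): withdrawal does not affect the lawfulness of processing
        # carried out before it, so consent covers [given_at, withdrawn_at).
        if at < self.given_at:
            return False
        return self.withdrawn_at is None or at < self.withdrawn_at


@dataclass(frozen=True)
class ProcessingActivity:
    """One entry of a record of processing activities (art. 30)."""
    name: str
    purpose: str
    legal_bases: FrozenSet[str]  # art. 6(1) grounds relied on, e.g. {"consent"}


class ConsentRegister:
    """Consents keyed by (subject, purpose); withdrawal is a single call."""

    def __init__(self) -> None:
        self._consents: Dict[Tuple[str, str], Consent] = {}

    def give(self, subject: str, purpose: str, at: datetime) -> None:
        # Art. 7(1): the controller must be able to demonstrate that consent
        # was given, so every grant is stored with its timestamp.
        self._consents[(subject, purpose)] = Consent(subject, purpose, at)

    def withdraw(self, subject: str, purpose: str, at: datetime) -> None:
        # Art. 7(3): withdrawing must be as easy as giving; no extra conditions.
        consent = self._consents[(subject, purpose)]
        if consent.withdrawn_at is None:
            consent.withdrawn_at = at

    def is_lawful(self, activity: ProcessingActivity, subject: str,
                  at: datetime) -> bool:
        """Art. 6(1)(a) check at moment `at`.

        An activity that also rests on another art. 6(1) ground is treated
        as lawful regardless of consent; only the consent ground is tracked.
        """
        if activity.legal_bases - {"consent"}:
            return True
        consent = self._consents.get((subject, activity.purpose))
        return consent is not None and consent.covers(at)


def names_to_remove(register: ConsentRegister, activity: ProcessingActivity,
                    names: List[str], now: datetime) -> List[str]:
    """Storage is processing (art. 4(2)): names whose continued storage is
    no longer covered must be removed from the stored document."""
    return [name for name in names
            if not register.is_lawful(activity, name, now)]


def minutes_scenario() -> Dict[str, object]:
    """Constructed case (not from the thesis): council minutes naming attendees."""
    purpose = "public record of council meetings"
    minutes = ProcessingActivity("council minutes", purpose, frozenset({"consent"}))
    # Same document, but an archive that also relies on a legal obligation.
    archive = ProcessingActivity("statutory archive", purpose,
                                 frozenset({"consent", "legal_obligation"}))
    attendees = ["A. Jansen", "B. de Vries"]

    register = ConsentRegister()
    for name in attendees:
        register.give(name, purpose, datetime(2018, 1, 10))
    register.withdraw("A. Jansen", purpose, datetime(2018, 3, 1))

    now = datetime(2018, 6, 1)
    return {
        # publication in February happened while consent was still in force
        "publication_in_feb_lawful": register.is_lawful(minutes, "A. Jansen", datetime(2018, 2, 1)),
        # continued storage after withdrawal is processing without a ground
        "storage_now_lawful": register.is_lawful(minutes, "A. Jansen", now),
        "remove_from_minutes": names_to_remove(register, minutes, attendees, now),
        # where another ground applies, withdrawal of consent changes nothing
        "remove_from_archive": names_to_remove(register, archive, attendees, now),
    }


if __name__ == "__main__":
    for key, value in minutes_scenario().items():
        print(f"{key}: {value}")
```

The point for an organization is that the register, not the document, is the place where lawfulness is decided: once the register records a withdrawal, every stored copy of the minutes that relies on consent alone becomes an item to act on, which is the process impact the case describes.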

The quickscan described above cannot possibly be suitable for a law of the GDPR's magnitude, taking into account the conclusions the Open State Foundation (OSF) drew from the results for the WOO. Another option is the Societal Cost-Benefit Analysis (see page 6, point 1) as an instrument for measuring (expected) impact. Still, this would have to be tailor-made.

The magnitude and impact of the GDPR are unclear because such an analysis would be equally inadequate for producing a reasonable estimate and for the enforcement actions that follow from it. It is therefore important not to lose sight of proportionality regarding this law; communication and interdepartmental collaboration are crucial.

Given this importance, the Data Protection Officer (DPO), as required by the GDPR, plays a vital role in changing the mindset at companies and organizations. At government level, for example, consultations take place between the various officers of executive organizations. The DPO as a person, or as a department (e.g. the CIO office), helps to change attitude and behavior through awareness and knowledge sharing concerning the GDPR.

An execution test carried out before a law is introduced is not the only thing that can be done to make the effect of laws measurable or to mitigate harmful effects.


4. Discussion

Assessing the impact of legislation on business processes is a complex procedure. The perfect regulatory impact assessment does not exist. My findings suggest that a synthesis of the SOIPSV-Model by Wall et al. (2016) and a Societal Cost-Benefit Analysis can function as a regulatory impact assessment instrument for organizations. This is supported by the remark by Wall et al. that there is rarely literature focusing on the “(…) organizational environment (…)” (2016, p. 40).

My findings from the face-to-face interviews and the phone interviews are in line with the conclusion drawn by Klein Haarhuis & Keulemans (2014) and Radaelli & De Francesco (2010): no instrument is a perfect fit.

Alternatively, I have found that there is a reason there are no, or few, definitive measurement instruments: developing them is a time-consuming and costly matter. Perhaps the workload for constructing and evaluating laws is too high to arrive at a meaningful evaluation. That might prove to be a fruitful topic for further research.

The findings described are practically and scientifically relevant. The practical relevance is that businesses become able to assess regulatory impact on their processes, allowing process optimization and improving effectiveness and efficiency, which saves time and money. The scientific relevance for the interdisciplinary study of informational and legal systems is that democratic values such as transparency and proportionality can be continuously safeguarded through a synthesized approach.

Although it was my aim to triangulate the evidence as much as possible, this proved difficult. The limitation of my research here is that, given the timeframe before May 25th, 2018, numerous envisaged respondents were unable to help me.

An additional limitation is the limited domain knowledge I had of legal science, an extra burden to carry during the start-up phase of my research.

5. Conclusions and Further Research

On May 25th, 2018, the General Data Protection Regulation (GDPR) came into force across Europe. This regulation has its impact on organizations in The Netherlands. During the months prior to the regulation, organizations across The Netherlands struggled to prepare themselves for it. I took it as my objective for this master thesis to investigate this phenomenon.

Without consent or another legal basis, processing is not lawful, making organizations non-compliant. The main research question for this thesis was the following: What method can be used to assess the impact on organizations in The Netherlands of GDPR article 6, section 1, sub a, and article 7 concerning consent? To answer this central research question, I sought to answer the following sub-questions:

1. What are existing measurement instruments used for the assessment of regulatory impact?

2. What was the state of affairs at organizations in The Netherlands in anticipation of the GDPR coming into force?

3. What are the implications of GDPR article 6, section 1, sub a and article 7 for organizations in The Netherlands?

4. Are the current measurement instruments fit for a clear-cut impact assessment of articles 6, section 1, sub a and 7 of the GDPR?

Policy- and law-makers construct laws and assess their impact through various tools. Examples of instruments in use are ‘ex-ante execution tests’, which stem from growing attention to, and urgency for, the pragmatic and effective construction of policies (Klein Haarhuis & Keulemans, 2014). There are many different types of tests; none is a perfect fit. Section three contains the findings behind this answer to the first and fourth sub-questions.

Universities, university libraries, archival institutions, small businesses, and governmental and commercial organizations were taken into account in answering sub-question two. In section three, I elaborate specifically on the state of affairs.

Article 7 of the GDPR was examined thoroughly. To assess the impact of a regulation, one must know its contents very well. The results of the literature section provide the answer to the third sub-question. The implications and effects from an information point of view are that organizations have to evaluate the processes in place and consider whether these need to be enhanced to demonstrate compliance with the GDPR.

In this thesis, I examined the consent section of the GDPR in detail. Its impact on business processes is underrated by the constructors of the law and by organizations in The Netherlands. Consent is not the only duty the GDPR imposes on organizations; consider for example the record of processing activities (e.g. article 30), the Data Protection Officer (e.g. articles 37–39), and the right to be forgotten (e.g. articles 6 and 17). These require organizational investments and a great deal of extra work. They are obviously not arguments not to comply with the law, but considering the remark by Zwenne & Schmidt (2016, p. 330, point 4) that there is little certainty about how to act when things “go wrong”, the impact on organizations is to be considered worrisome in the light of the GDPR.

As Van Engers argues, uncollaborative organizations and departments suffer from “inefficiency” and “ineffectiveness” (2004, p. 16). Hence, constant collaboration and communication between stakeholders are imperative for the successful implementation and adoption of a regulation. I propose a synthesized approach to regulatory impact assessment in the domain of privacy and personal data, combining the SOIPSV-Model (Wall et al., 2016) with the Societal Cost-Benefit Analysis. Specifically: not only should costs and benefits for society be considered, but also the extent to which organizations are aware of privacy risks. The higher the awareness, the lower the likelihood of organizational non-compliance. Furthermore, a gap in the literature points towards further research on the regulatory impact analysis of business processes.

The proposed approach makes organizations and law-makers aware of data processing, leading to a better understanding of compliance, enabling business process optimization and consequently improving efficiency and effectiveness. It is of paramount importance that governments and businesses construct laws and regulations with a more collaborative mindset.

The findings I present in this thesis point in the direction of harnessing an approach, a mindset, for assessing privacy regulations. After this study, the bigger question remains how to arrive at an effective measurement instrument for legislation in general. I left the business case and financial impact out of scope, which makes them a topic for further research: framing the actual costs for organizations and government.

My concluding message is that governments and businesses have to collaborate more thoroughly. The structural mismatch between constructors and executors results in the wrong kind of fear: the starting point for organizations should not be to comply with the law “because of the huge fines”. First and foremost, the mindset must be that personal data and privacy must be protected at all cost, within the structure offered by the GDPR. This demands an integrated approach, consistent with both law and policy, to diminish risks, optimize organizational assets, and create service value.

An interesting opportunity for a pilot phase of impact assessment using the SOIPSVM is coming up in the short term: two pieces of European Commission legislation are in their final stages. First, the ePrivacy Regulation, concerning sensor data and the use of artificial intelligence in our daily lives. Second, the European Payment Services Directive, in which a substantial article is also dedicated to consent, within the context of payment transactions.

Business and organizational processes are left out from two perspectives: in the literature and at the table of the law constructors. As one of my respondents aptly stated, none of the Dutch stakeholders were asked for input on the GDPR.


6. Bibliography

Aristotle (1926). Nicomachean Ethics. Translated by H. Rackham. Cambridge, MA, USA: Harvard University Press. Retrieved from https://www-loebclassics-com.proxy.uba.uva.nl:2443/view/LCL073/1926/volume.xml

Baek, Y. M. (2014). Solving the privacy paradox: A counter-argument experimental approach. Computers in Human Behavior, 38, 33-42. Retrieved from https://doi.org/10.1016/j.chb.2014.05.006

Bell, T. W. (2010). Graduated Consent in Contract and Tort Law: Toward a Theory of Justification. Case W. Res. L. Rev., 61, 17. Retrieved from http://heinonline.org/HOL/P?h=hein.journals/cwrlrv61&i=19

Birkinshaw, J., Hamel, G., & Mol, M. J. (2008). Management innovation. Academy of Management Review, 33(4), 825–845. Retrieved from http://www.jstor.org/stable/20159448

Blaikie, N. (2009). Designing social research. Cambridge, UK: Polity.

Bryman, A. (2015). Social research methods. Oxford, UK: Oxford University Press.

De Telegraaf (2018, 26 April). Foto’s archieven massaal offline na vonnis. Retrieved from https://www.telegraaf.nl/nieuws/1966658/foto-s-archieven-massaal-offline-na-vonnis

Eerste Kamer (2017, 26 September). Vragen van het lid Özütok aan de minister van Binnenlandse Zaken en Koninkrijksrelaties over het bericht "De Haagse ziekte om openheid te veinzen en beslotenheid te eisen". Retrieved from https://www.eerstekamer.nl/behandeling/20170926/vragenuur_vragen_van_het_lid/document3/f=/vki8aja4z8rp.pdf

European Parliament and European Council (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and of the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Foucault, M. (1982). The subject and power. In H. L. Dreyfus & P. Rabinow (Eds.), Michel Foucault: Beyond structuralism and hermeneutics (pp. 208–226). Chicago: University of Chicago Press. Retrieved from http://www.jstor.org/stable/1343197

Heckathorn, D.D. (1997). Respondent-driven sampling: a new approach to the study of hidden populations. Social problems, 44(2), 174-199.

Hull, G. (2015). Successful failure: what Foucault can teach us about privacy self-management in a world of Facebook and big data. Ethics and Information Technology, 17(2), 89-101. Retrieved from https://doi-org.proxy.uba.uva.nl:2443/10.1007/s10676-015-9363-z

Kenniscentrum Wetgeving en Juridische Zaken (2017). Categorieën beleidsinstrumenten. Retrieved from https://www.kcwj.nl/kennisbank/integraal-afwegingskader-beleid-en-regelgeving/6-wat-het-beste-instrument/61/categorie%C3%ABn

Klein Haarhuis, C.M. & Keulemans, S.A.C. (2014). Ex ante onderzoek in metaperspectief: Aard, aantallen en gebruik van ex ante analyses door de rijksoverheid (Report No. WODC-2016). Retrieved from Wetenschappelijk Onderzoeks- en Documentatiecentrum website: https://www.wodc.nl/onderzoeksdatabase/evaluatie-van-ex-ante-evaluaties-bij-voorgenomen-wet-en-regelgeving.aspx

Klein Haarhuis, C.M. & Parapuf, A. (2016). Evaluatievermogen bij beleidsdepartementen: praktijken rond uitvoering en gebruik van ex post beleids- en wetsevaluaties (Report No. WODC-2601). Retrieved from Wetenschappelijk Onderzoeks- en Documentatiecentrum website: https://www.wodc.nl/onderzoeksdatabase/2601-procedurele-en-inhoudelijk-criteria-voor-wetsevaluaties.aspx

Klijn, E. H., & Snellen, I. (2009). Complexity theory and public administration: A critical appraisal. In G. Teisman, A. van Buuren, and L. Gerrits (Eds.), Managing complex governance systems (pp. 31-50). New York: Routledge. Retrieved from https://books.google.nl/books?id=StExwiSWNG8C&lpg

KPMG Advisory N.V. (2018). Weten is willen. De kennis en behoeften van Nederlanders ten aanzien van de nieuwe Europese privacywet. Retrieved from

KPMG International (2016). Creepy or cool? Staying on the right side of the consumer privacy line. Retrieved from https://assets.kpmg.com/content/dam/kpmg/xx/pdf/2016/11/creepy-or-cool.pdf

Marshall, M.N. (1996). Sampling for Qualitative Research. Family Practice, 13(6), 522-525.

Monteleone, S. (2015). Addressing the Failure of Informed Consent in Online Data Protection: Learning the Lessons from Behaviour-Aware Regulation. Syracuse J. Int'l L. & Com., 43, 69. Retrieved from https://heinonline.org/HOL/LandingPage?handle=hein.journals/sjilc43&div=5&id=&page=

Open State Foundation (2017a). Quickscan impact Wet open overheid gebaseerd op ‘dun ijs’. Retrieved from https://openstate.eu/nl/2017/09/wob-quickscan-wet-open-overheid-gebaseerd-op-dun-ijs/

Open State Foundation (2017b). J 16 Mailwisseling 31 Mrt 2017 Inz Bijdrage Impactanalyse Geredigeerd. Retrieved from https://www.documentcloud.org/documents/4051656-J-16-Mailwisseling-31-Mrt-2017-Inz-Bijdrage

Organisation for Economic Co-operation and Development (n.d.). Regulatory Impact Analysis. Retrieved from http://www.oecd.org/gov/regulatory-policy/ria.htm

Radaelli, C.M. & De Francesco, F. (2010). Regulatory Impact Assessment. In R. Baldwin, M. Cave, and M. Lodge (Eds.), The Oxford handbook of regulation (chapter 13). Retrieved from http://doi.org/10.1093/oxfordhb/9780199560219.003.0013

Schrijvershof, C., Douma, K., Aarts, L. (2013). Uitvoeringsanalyses in de justitiële keten: Inventarisatie en analyse (Report No. WODC-2235). Retrieved from Wetenschappelijk Onderzoeks- en Documentatiecentrum website: https://www.wodc.nl/onderzoeksdatabase/verdieping-impact-analyse-model-relatie-met-strafrechtketen.aspx

Snellen, I. (2002). Conciliation of rationalities: the essence of public administration. Administrative Theory & Praxis, 24(2), 323-346. Retrieved from https://www.tandfonline.com/doi/abs/10.1080/10841806.2002.11029357

Snijders, R. (2018). Goed voorbereid op weg naar de AVG? Informatieprofessional, 22(4), 16-18.

Taylor, F.W. (2004). Scientific Management. London: Routledge. Retrieved from https://books.google.nl/books?hl=nl&lr=&id=3jXZpwWopf4C

van Engers, T.M. (2004). Goed Geregeld? Het recht als ontwerpvraagstuk (Inaugural Speech for the University of Amsterdam). Retrieved from http://hdl.handle.net/11245/1.426366

van Helvoort, A.A.J. (2016). Beoordelen van informatievaardigheden in het hoger onderwijs (Doctoral dissertation). Retrieved from http://hdl.handle.net/11245/1.539501

Verdonck, Klooster & Associates (2017). Nationale Privacy Benchmark 2017. Retrieved from https://ecp.nl/wp-content/uploads/2017/11/rapport_Privacy_benchmark_2017.pdf

von Goethe, J.W. (1802). Was wir bringen: Vorspiel bey Eröffnung des neuen Schauspielhauses zu Lauchstadt. Tübingen, Germany: Cotta. Retrieved from http://www.mdz-nbn-resolving.de/urn/resolver.pl?urn=urn:nbn:de:bvb:12-bsb10858625-0

Wall, J.D., Lowry, P.B. & Barlow, J.B. (2016). Organizational Violations of Externally Governed Privacy and Security Rules: Explaining and Predicting Selective Violations under Conditions of Strain and Excess. Journal of the Association for Information Systems, 17(1), 39-75. Retrieved from http://aisel.aisnet.org/jais/vol17/iss1/4/

Zwenne, G. J., & Schmidt, A. H. J. (2016). Wordt de homo digitalis bestuursrechtelijk beschermd? In Moerel, E.M.L., Prins, J.E.J., Hildebrandt, M., Tjong Tjin Tai, T.F.E., Zwenne, G.J. & Schmidt, A.H.J. (Eds.), Privacy voor de Homo Digitalis (pp. 307–385). Retrieved from http://hdl.handle.net/1887/46377


Appendix A: Summary & coding scheme interview 1

On the impact of laws and regulations, the ex ante test and the gap mentioned, I interviewed a legislative lawyer and senior researcher.

Autonomous and cooperative vehicles are still under development. Partly for that reason, their legal embedding has not yet been laid down in legislation. Cooperative vehicles communicate with each other via wifi-p, a protocol in which the car transmits unsecured messages at short intervals. This technique is regarded as a supplement to the sensor technology in self-driving vehicles. The unsecured messages, which under the current interpretation of the GDPR (AVG) must be regarded as personal data, are difficult to reconcile with the rules of the GDPR. The question now is whether the goal of communicating cars, namely road safety, weighs heavily enough to accept the infringement of privacy. If so, this will have to be laid down in legislation.

With a new development such as this, legislation usually follows. In the pre-legislative phase it is possible to weigh implementation and informational aspects. Such a dialogue can lead to legislation ultimately being designed, from an informational perspective, in such a way that modelling towards digital data processing becomes possible. With EU legislation this is made more difficult because the legislative process is an exchange of interests and views between a large number of member states and political groups, as for example with the GDPR. The GDPR is moreover a fundamental-rights regulation that takes precedence over other legislation. This is not always recognized, so that insufficient account is taken of data protection when developing new technology and the policy relating to it. The arrival of the GDPR in any case means that data protection is currently top of mind. The way in which legislation comes about affects its quality, for example the extent to which it can be implemented in an organization from an informational perspective. One means of making a statement about the expected impact of laws is the ex ante execution test. My respondent indicates that these are difficult to make because laws and regulations usually have to function in a complex, dynamic environment. It is often difficult to establish afterwards whether an objective has been achieved and, if so, whether this was due to the measure taken or to other factors. The fact that the legal text, after a first coherent phase, is amended during parliamentary treatment and that exceptions are made complicates the informational processability of the legislation in processes and systems.

This creates the risk that the implementability of the legislation decreases, and perhaps its effect with it, which will lead to political discussion. In such cases it is up to the Minister to organize the quality of the legislation and the communication during its creation.


Table 4 - Coding scheme interview 1

First-level; codes Associated concepts Second-level; categories

"If you want … be a public system" "Personal data are … have this information"

"Privacy is crucial … is associated with privacy" Technological and Societal developments "However, one is … used targeted advertising"

"Location data are … retrievable by location" "Personal data protection … in the framework" "The problem is … of the GDPR"

"Who owns the … access to it?"

"On the one … to lose control" Regulations The protection of personal data and privacy "Legislation has been … protection of data"

"Privacy law is … is a given"

"Whether it concerns … to give consent" "Or one can … on individual freedom" "Prove that you … a certain extent"

"It turns out … problems with privacy" Privacy and control "One cannot secure … happening with it"

"On the contrary … in higher sanctions"

"Because that is … turn out alright" Governance "It is complicated … will it cost?"

"Of this I … the same framework" Evaluation Evaluation and Impact Assessment "I do have … at the time"

"In the light … a certain impact" Politics "This is to … and especially there"

"While you are … law being amended" "Resulting in the … the original design"

"Alternatively, policy decisions … within the system" "They will never … understand the matter"

"He told me … construct a policy"

"These are conditional … mind of policymakers" Policy- and law-makers "Laws are being … amending the law"

"In taking such … point of view" "This is why … because of politics" "How will we … it too expensive?"

"They might tell … demanding policy implementation" "With autonomous vehicles … a government task" "The essence of … with legal judgement"

"European and Dutch … looking at evaluations" Regulations Policies and their implementation "All this will … go hand-in-hand"

"One could argue … a data leak"

"It brings order … an informational perspective" "This illustrates the … an integral system" "All this is … a simple solution"

"Who would want … are complex discussions!" Governance "There should be … within policy execution"

"A lot goes … it either way"

"In the meantime … becoming too costly" "To a large … of the execution"

"First reflex is … essence: the law" Mindset "It was about … within certain dimensions"


Appendix B: Summary & coding scheme interview 2

Werkbare specificaties voor ICT-systemen betekent in dit geval een omzetting van de taal uit wetten naar een taal die ondubbelzinnig leesbaar is. Een voorbeeld van zo’n taal is FLINT [Formal Language for the Interpretation of Normative Theories, FH]. Daarmee kunnen wetten geïmplementeerd worden in zakelijke informatiesystemen. Door middel van analyse en interpretatie van de wetten kunnen impliciete relaties op zowel micro- als macroniveau worden blootgelegd. Door specificaties in zo’n taal bovendien herleidbaar te maken naar de wettelijke bron, kan de wetsuitvoering wendbaarder gemaakt worden dan die nu is.

A problem here, however, is that legislative lawyers have a particular frame, and thus a particular native language, when it comes to drafting laws. That frame is laid down in the Aanwijzingen voor de regelgeving, the drafting instructions for legislation. When analysing and interpreting legislation, it is therefore important that lawyers and ICT developers ask themselves whether they are talking about the same thing. In other words: the ambiguity of laws causes a government-wide struggle with agile execution of laws. A question that arises is what is needed, in the process of drafting laws, to bring the worlds of lawyers and ICT developers closer together, so that the "technical rationality" is not forgotten in favour of the political, legal, economic and social-scientific ones. By this is meant that the technical aspects of executing legislation must become a full-fledged factor in the process; technology not only offers possibilities, but sometimes also imposes constraints. That often remains underexposed, and then leads to dissatisfaction about the fact that legislation does not produce the effects that were expected.

There is a connecting role for specialists such as my respondent, which already begins when the law is drafted. She indicates that more multidisciplinary collaboration is needed in the legislative process, that is, between lawyers and ICT developers. In addition, laws should be drafted more in agile teams, in which delineated parts are worked out iteratively and lessons can be learned from experiences in earlier phases. Such a change in working method helps to map matters such as the impact of laws and regulations more accurately.

With regard to the GDPR (AVG), this problem shows up very sharply: a clear rationale for the law is missing, other than that companies are forced to be in control, and to be able to demonstrate that they are. The impact on business processes is therefore very hard to measure and is not entirely clear before something has been set in motion. Mitigating measures can thus be put in place beforehand, but their effect will never be 100% accurately predictable. Another instrument for this is the (ex ante) uitvoeringstoets (implementation test), which the Belastingdienst (Dutch Tax Administration) uses when assessing laws.

Within the framework of the Manifestgroep (the large executive agencies of the Dutch government), work is being done on changing the mindset of both legislators and executive agencies. Already when drawing up a method for the aforementioned uitvoeringstoets, departments and organisations act jointly in the negotiation process for laws and regulations. That is a solution for the gap between policymakers and executors. In the case of the GDPR, the large executive agencies were not included in this process of communication and joint coordination.

The GDPR contains many open and process-oriented norms, which are open to more than one interpretation. This creates unclarity about the impact,
