Skip to main content

How do law and culture influence our data disclosure?

The bidt project "Vectors of Data Disclosure" analyses this question by linking perspectives from cultural studies, business information systems and law. We asked participating scholars to give us a glimpse into their work. 

At the conference “Vectors of Data Disclosure” #VoD22 on 27th and 28th June in Munich, the interdisciplinary research team of the project under the same name has presented and discussed their first findings. The project is funded by the Bavarian Research Institute for Digital Transformation. In this article, participating researchers gave us a glimpse into their research paper series looking into different legal and cultural contexts of data protection, including Ghana, Japan, the European Union, the USA and China.

The Data Act proposal is the central piece of data regulation and part of an increasing legislative complexity in Data Law.”

Professor Moritz Hennemann, legal scholar

“On February 23 2022, the European Commission unveiled its long-awaited proposal for a Data Act. The Data Act is the central piece of the data (economy) regulation efforts of the European Commission. The proposal complements further statutory instruments and proposals (e.g., the Data Governance Act, the Digital Markets Act, and the Digital Services Act). The proposal is thereby part of an increasing legislative complexity in Data Law (not only) emanating from the European Commission.

The proposal is an attempt to (re)design the data economy as well as data markets. Fundamentally, its goal is an increase of data use and data sharing to the benefit of the common good. Data fragmentation shall be overcome and data silos of (especially, but not only) big companies shall be ‘opened’. To this end, the Act especially seeks to promote fairness within contractual relations of the data economy.

In substance, the Act introduces sweeping mandates to grant access to datasets to the benefit of both private and public entities, and accentuates a contractual angle into regulating the exchange and shared use of data in the digital economy. Furthermore, it strives for general accessibility, interoperability, and portability of data with technical safeguards and firm limitations for re-use in the data lifecycle in place. Especially, Chapter II (‘Business to Consumer and Business to Business Data Sharing’, Art. 3-7) is a focal point of discussion (and of critique) of the Data Act proposal. Its rules are intended to increase opportunities for consumers and businesses by accessing data generated by the products or related services they own, rent or lease. Users are not only afforded rights to access said data, but may also request data sharing to third parties. Conversely, limitations are placed on data holders and data recipients when it comes to (secondary) use of the data.

The Data Act has already received enormous attention and – in parts – fierce criticism by the data law community. Many commentators point to the need to adjust and clarify specific rules. Some also challenge the practicability of and the (economic) incentives set by the Act. It is also noteworthy that the Act leaves the GPDR untouched – a fact that raises many questions as to the actual relevant scope of the access rights granted by the Act. The proposal is therefore (only) a point of departure for the on-going legislative process on the EU level."

Prof. Dr. Moritz Hennemann lächelt freundlich in die Kamera.

Professor Moritz Hennemann

researches developments in data law

Which regulatory models for digital interaction should we be following in the 21st century?

Which regulatory models for digital interaction should we be following in the 21st century?

Professor Moritz Hennemann has held the Chair of European and International Information and Data Law and headed the Research Centre for Law and Digitalisation (FREDI) of the Faculty of Law at the University of Passau since 2020. His research revolves around the global development of data and data protection law as well as the legal and regulatory framework of the digital economy.

Hennemann, Moritz and Lienemann, Gregor, The Data Act - Article-by-Article Synopsis of the Commission Proposal (March 2022). UNIVERSITY OF PASSAU IRDG RESEARCH PAPER SERIES NO. 22-07, Available at SSRN: https://ssrn.com/abstract=4079615 or http://dx.doi.org/10.2139/ssrn.4079615 Research funded by the Bavarian Research Institute for Digital Transformation (bidt).

The data protection practices of the European Union influence not only the written law of other countries, but also their law in practice.”

Professor Kai von Lewinski, legal scholar

"A comparative legal analysis requires a starting point. To examine the vectors of data disclosure, our starting point is the EU General Data Protection Regulation (GDPR). This is not (only) because we are Europeans. But it is seen by many as the 'gold standard' of data protection, while others fear the 'Brussels Effect'. In any case, the GDPR is so relevant to comparative studies of data protection and data protection law that we have chosen this act as one of the central regulatory frameworks worldwide for our project.

The data protection practices of the European Union influence not only the written law of other countries, but also their law in practice. To identify these practices, the GDPR must first be thoroughly outlined, and its key features recognised. The GDPR follows an approach focused on a substantive fundamental rights basis: With its approach to generally prohibit the processing of personal data which might then be 'unlocked' by the data subject’s consent or by law and with its comprehensive compliance regulation, which is not only supervised by specifically independent authorities but also enforceable via the threat of heavy sanctions amounting up to 20 million Euros or 4 percent of one’s total annual worldwide turnover, the EU relies on strict adherence to far-reaching data protection regulations.

However, we are also aware that, as Europeans and researchers from Europe, we might easily suffer a 'GDPR bias' if we would only look at the world through the lenses of European data protection law. Therefore, we have developed a 'matrix' for the comparison of data protection law regimes that on the one hand is abstracting from the categories of the GDPR, but on the other hand also maps all its aspects.

One research hypothesis in this context is that the GDPR only forms the 'gold standard' with regard to the material requirements for data processing, but might fall behind the standards of privacy regimes in other parts of the world with regard to effective enforcement. In any case, by taking a comprehensive and holistic look at the GDPR, we also try to be able to achieve an overall "Regimevergleich" ("regime comparison", Teubner/Fischer-Lescano) to other data protection legislations.”

Prof. Dr. Kai von Lewinski

Professor Kai von Lewinski

researches the collision of jurisdictions in information exchange

What does the internet mean for geographically limited legal systems?

What does the internet mean for geographically limited legal systems?

Kai von Lewinski is Professor of Public Law, Media Law and Information Law at the University of Passau and chairs the DFG-funded Research Training Group 1681/2 ‘Privacy and Digitalisation’. Prior to this, he was the Academic Director of the Foundation for Data Protection in Leipzig.

von Lewinski, K. (2021). Informational Gold Standard and Digital Tare Weight – Country Report on Data Disclosure in the European Union. University of Passau Institute for Law of the Digital Society Research Paper Series No. 22-05. https://www.jura.uni-passau.de/irdg/publikationen/researchpaper-series/ Research funded by the Bavarian Research Institute for Digital Transformation (bidt).

Governments and businesses should consider cultural factors when they rely on people’s disclosure of data or need to increase the amount of data people share with them.

Professor Daniela Wawra, head of cultural sub-project

"In our cultural studies sub-project, we focus on the cultural conditions of data disclosure decisions. The countries we are studying include Brazil, China, Germany, Ghana, Japan, Russia, Switzerland and the US.

Initial project results have shown that, in some ways, the cultural context in which data disclosure decisions are taken varies substantially. As regards the basic attitudes to information privacy, for example. The differences also depend on a number of distinct factors, including the degree of trust people have in governments and in the different types of companies, but also on the type of personal data to be processed, that is to say, whether they include highly sensitive data. Familiarity with data protection regulations and knowledge of practical measures, privacy concerns and the potential benefit to be derived from data disclosure also play a role.

What piqued our particular interest as researchers was that the potential benefit of data disclosure was not important for majorities of respondents in most of the countries included in the study. By that we specifically mean the following aspects: improved adaptation of products, information and services to customer needs and quicker identification of what is relevant for the individual and, finally, the savings in time and money. Only respondents from Brazil and China found these aspects to be of particular relevance for their data disclosure decisions. The respondents from the other countries did not. Also, acceptance of surveillance by employers was particularly high in Brazil and the US, whereas it was very low in Japan. In all the countries included in the study, the respondents believed that their personal data was safe with healthcare service providers although medical data are largely considered highly sensitive data.

Cultural factors along with individual, sociodemographic and situational conditions thus affect people's basic willingness to disclose data. Government agencies and private enterprises must bear this in mind and address these factors if they rely on or wish to improve data disclosure. There are also cultural differences when it comes to the trust people have in the various types of data recipients, for example, vis-à-vis their domestic government or the different business sectors. So far, our findings have shown that the following approaches are likely to be the most successful in increasing the willingness to disclose data: guaranteed anonymity, an increase in trust on the part of the data recipient and appropriate, transparent communication."

Professor Daniela Wawra

Professor Daniela Wawra

conducts sociolinguistic and cross-cultural research

How do culture and language shape analogue and digital interactions?

How do culture and language shape analogue and digital interactions?

Professor Daniela Wawra has held the Chair of English Language and Culture of the Faculty of Arts and Humanities since 2010. From 2018 to 2020 she was Vice President for Study, Teaching and Internationalisation at the University of Passau. 

Wawra, Daniela. 2022. "The cultural context of personal data disclosure decisions." University of Passau Institute for Law of the Digital Society Research Paper Series No. 22-02. 1-19. SSRN March 2022. Research funded by the Bavarian Research Institute for Digital Transformation (bidt).

Wawra, Daniela et al. 2022. "Cultural influences on personal data disclosure decisions: Brazilian perspectives." University of Passau Institute for Law of the Digital Society Research Paper Series No. 22-08. 1-23. SSRN March 2022. Research funded by the Bavarian Research Institute for Digital Transformation (bidt).

Wawra, Daniela et al. 2022. "Cultural influences on personal data disclosure decisions: Chinese perspectives." University of Passau Institute for Law of the Digital Society Research Paper Series No. 22-09. 1-24. SSRN March 2022. Research funded by the Bavarian Research Institute for Digital Transformation (bidt).

Wawra, Daniela et al. 2022. "Cultural influences on personal data disclosure decisions: Japanese perspectives." University of Passau Institute for Law of the Digital Society Research Paper Series No. 22-10. 1-24. SSRN March 2022. Research funded by the Bavarian Research Institute for Digital Transformation (bidt).

Wawra, Daniela et al. 2022. "Cultural influences on personal data disclosure decisions: Russian perspectives." University of Passau Institute for Law of the Digital Society Research Paper Series No. 22-11. 1-22. SSRN March 2022. Research funded by the Bavarian Research Institute for Digital Transformation (bidt).

The EU's adequacy decision puts tech companies in the Global South at a disadvantage from the outset.

Timo Hoffmann, legal scholar

"Before we can analyse the implications of differing regulatory measures on individual decision-making, we first need to know how data protection laws work in different countries. That's exactly what our Country Reports are for. We have selected one or two countries per continent in order to have a broad international basis for comparison.

My reports include Ghana and Japan, two very different countries regarding data protection. Ghana has an interesting mix of different legal traditions. As a former British colony, the Republic of Ghana belongs to the common law legal sphere. But the older the historical tradition gets, the more new things come along as well.

Ghana does have modern data protection law on paper, which is also based on EU regulation. At its heart is the Data Protection Act of 2012, which was introduced before the EU’s General Data Protection Regulation. But there is a lack of implementation. There is a national information regulatory authority, but it is poorly resourced and largely concerned with securing its own funding by getting data-processing companies to sign up to a central register for a fee. In addition, there have been legislative developments in recent years giving the government strong surveillance powers.

Japan also has a modern data protection law built upon a long legal tradition, with recent developments driven by European law. The goal was to obtain an adequate level of data protection complying with European standards in order to allow Japanese companies to share data with European ones. Japan is interesting in that law enforcement works quite differently. There is little litigation in Japan, and there are comparatively few  judges and lawyers. Things are settled as amicably and conflict-free as possible, and the relevant supervisory authority has a very cooperative approach. This works in the Japanese context. But Japan will likely have to adjust to a more confrontational approach, because the global internet giants cannot be expected to conform to Japanese corporate traditions.

So, in both countries we have modern data protection law, but it is implemented quite differently. This has consequences: Japan has an EU adequacy agreement, so the data of European citizens may be shared with Japanese companies with relative ease. No such agreement exists with Ghana. While this serves to protect our personal data, it puts tech companies in countries of the Global South at a disadvantage from the outset."

Timo Hoffmann

Data law in Ghana, Japan and Brazil

What legal sources do different countries provide for data protection?

What legal sources do different countries provide for data protection?

Timo Hoffmann is research assistant at the Chair of European and International Information and Data Law at the University of Passau.

Hoffmann, Timo. (2022). Data Protection Act(ion) – Report on the Law of Data Disclosure in Ghana. University of Passau IRDG Research Paper Series No. 22-01.

Hoffmann, Timo. (2022). Data Protection by Definition– Report on the Law of Data Disclosure in Japan. University of Passau IRDG Research Paper Series No. 22-03. 

Project team

Prof. Dr. Moritz Hennemann lächelt freundlich in die Kamera.

Professor Moritz Hennemann

researches developments in data law

Which regulatory models for digital interaction should we be following in the 21st century?

Which regulatory models for digital interaction should we be following in the 21st century?

Professor Moritz Hennemann has held the Chair of European and International Information and Data Law and headed the Research Centre for Law and Digitalisation (FREDI) of the Faculty of Law at the University of Passau since 2020. His research revolves around the global development of data and data protection law as well as the legal and regulatory framework of the digital economy.

Prof. Dr. Kai von Lewinski

Professor Kai von Lewinski

researches the collision of jurisdictions in information exchange

What does the internet mean for geographically limited legal systems?

What does the internet mean for geographically limited legal systems?

Kai von Lewinski is Professor of Public Law, Media Law and Information Law at the University of Passau and chairs the DFG-funded Research Training Group 1681/2 ‘Privacy and Digitalisation’. Prior to this, he was the Academic Director of the Foundation for Data Protection in Leipzig.

Professor Daniela Wawra

Professor Daniela Wawra

conducts sociolinguistic and cross-cultural research

How do culture and language shape analogue and digital interactions?

How do culture and language shape analogue and digital interactions?

Professor Daniela Wawra has held the Chair of English Language and Culture of the Faculty of Arts and Humanities since 2010. From 2018 to 2020 she was Vice President for Study, Teaching and Internationalisation at the University of Passau. 

Prof. Dr. Thomas Widjaja

Professor Thomas Widjaja

researches on IT architecture management, data-based business models, and privacy

What changes when companies develop new services using customer data?

What changes when companies develop new services using customer data?

Professor Thomas Widjaja has held the Chair of Business Information Systems since 2016. He is also one of the principal investigators of the DFG Research Training Group 2720. Previously, he gained his doctoral and postdoctoral degrees at TU Darmstadt.

Doctoral researchers

Timo Hoffmann

Data law in Ghana, Japan and Brazil

What legal sources do different countries provide for data protection?

What legal sources do different countries provide for data protection?

Timo Hoffmann is research assistant at the Chair of European and International Information and Data Law at the University of Passau.

Playing the video will send your IP address to an external server.

Show video