ChapterPDF Available

Abstract and Figures

In this chapter I present an approach of privacy from the perspective of innovation theory. I bring two conceptual approaches together. First, I disentangle privacy in three interconnected concepts: information security, data protection and the private sphere. Each of these concepts has its own dynamics and refers to a specific logic: technology in case of information security, regulation in case of data protection and society in case of the private sphere. By interconnecting them, a more nuanced perspective on the innovative incentives stemming from privacy considerations arises. Second, innovation is considered to be hampered by market and system imperfections. These imperfections reduce the efficiency of the innovation system. Analysing which imperfections exist helps in overcoming them by identifying adequate counter-strategies. I will use a policy study that has been performed for the Dutch Ministry of Economic Affairs to elaborate the relation between privacy and innovation in more detail. The resulting tone is optimistic: during the study several indications for a more privacy respecting approach by firms were found. Still, the challenges to be addressed are huge.
Content may be subject to copyright.
Privacy and Innovation: From Disruption
to Opportunities
Marc van Lieshout
© Springer Science+Business Media Dordrecht 2016
S. Gutwirth et al. (eds.), Data Protection on the Move,
Law, Governance and Technology Series 24, DOI 10.1007/978-94-017-7376-8_8
Abstract In this chapter I present an approach of privacy from the perspective of
innovation theory. I bring two conceptual approaches together. First, I disentan-
gle privacy in three interconnected concepts: information security, data protection
and the private sphere. Each of these concepts has its own dynamics and refers
to a specific logic: technology in case of information security, regulation in case
of data protection and society in case of the private sphere. By interconnecting
them, a more nuanced perspective on the innovative incentives stemming from pri-
vacy considerations arises. Second, innovation is considered to be hampered by
market and system imperfections. These imperfections reduce the efficiency of
the innovation system. Analysing which imperfections exist helps in overcoming
them by identifying adequate counter-strategies. I will use a policy study that has
been performed for the Dutch Ministry of Economic Affairs to elaborate the rela-
tion between privacy and innovation in more detail. The resulting tone is optimis-
tic: during the study several indications for a more privacy respecting approach by
firms were found. Still, the challenges to be addressed are huge.
Keywords Privacy · Innovation theory · Market and systems imperfections ·
Information security · Data protection · Privacy and innovation
1 Introduction
Many organisations perceive privacy as an ‘innovation killer’. Innovative applica-
tions which make use of personal data are constrained because they need to meet
legal obligations. Data mining and data analytics are at the forefront of today’s
M. van Lieshout (*)
TNO Strategy & Policy, Van Mourik Broekmanweg 6, 2628 XE Delft, The Netherlands
196 M. van Lieshout
information and communication technologies (ICTs).1 For data analytics, ‘purpose
specification’—that needs to be articulated before data collection and processing
are to take place—seems to be a relic of past times. In a similar way the ‘Right to
be Forgotten’2 is considered to complicate business processes of organisations that
collect vast amounts of personal data. Google, being brought to court by a Spanish
citizen and convicted in a ruling by the European Court of Justice (May 13, 2014),
faces an on-going stream of requests to remove specific links from the results of a
search query.3 According to the court ruling, justified requests must refer to
removal of data being “inaccurate, inadequate, irrelevant, or excessive”.4 So, not
all personal data will be removed on request from search queries but only data that
are inaccurate, inadequate, irrelevant or excessive, categories that are hard to
define with precision. Google received more than 220,000 requests in the months
following upon the publication of the rulings. As a consequence, Google stated
that it will look to specifics within the legal framework of the European Union in
order to stay ahead of new requirements that need to be met.5 It established an
advisory network that will try to discover common terms and approaches to deal
with the various requests.6
This illustration is interesting: though it seems to show that regulation may
stifle innovation (Larry Page, Google’s CEO, warned that the ruling “could dam-
age the next generation of Internet start-ups and strengthen the hand of repres-
sive governments inclined to restrict online communication”7), the ruling could
force Google to be creative and think of novel ways to deal with the thousands of
requests that flood its offices. Up till now, Google allegedly uses man power to
deal with the requests, and has not introduced other more innovative
1World Economic Forum, Unlocking the value of personal data: from collection to usage (World
Economic Forum 2013).
2European Court of Justice (2014). Factsheet on the ‘Right to be Forgotten’ Ruling (C-131/12), (visited
March 4, 2015).
controversial-ruling-boundary-between (visited March 4, 2015).
4European Court of Justice (2014, p. 2).
right-to-be-forgotten (visited March 4, 2015).
6 (visited March 12, 2015).
be-forgotten-could-stifle-innovation-and-empower-repressive-regimes/ (visited March 4, 2015).
(vistied March 4, 2015).
Privacy and Innovation: From Disruption to Opportunities
A Dutch example shows how organisations may retreat to a combination of
organizational and technical innovations to deal with potential issues of privacy
invasion. The Dutch railway organization, NS, had acquired negative attention
some years ago with the introduction of the ‘OV-chip’card, a contactless RFID-
based public transport card. The Dutch Radboud University showed in 2008 that
the OV-chip could easily be hacked.9 The chip in use was an old and basically out-
dated version of the MiFare Classic chip, with a modest level of protection. While
this vulnerability could only indirectly be attributed to the Dutch railway organiza-
tion (it was NXP10 that sold the relatively unsecure chips to TransLink Systems,
the organisation that introduced the OV-chip into the Dutch public transport sys-
tem), the NS still was publicly held responsible. TransLink Systems had been
warned as early as 2005 by the Dutch Data Protection Authority that it should
refine its procedures and guidelines under which data collected through the OV-
chip would be used for business and client purposes. In 2010, the Dutch DPA
warned TransLink Systems, the Dutch NS and two other public transport providers
(of two major Dutch cities) that they did not provide sufficient detail on how they
would use collected data of students travelling with the student version of the pub-
lic transport card.11 As a result of the negative experiences and the negative public
image, NS appointed a privacy officer who is able to halt projects and activities
that could be invasive to customer privacy, and who has the responsibility to safe-
guard the privacy of travellers in NS activities.12 Since NS has adopted several
policies in which it consciously incorporates privacy considerations. One example
is the monitoring of passenger movements on railway stations, a relevant activity
for both the spatial organisation of railway stations and for determining economic
hotspots within the railway station. NS used a system in which infrared detection
of passengers was combined with using MAC addresses of Bluetooth and WiFi
connections that were used by passengers. To prevent identification by MAC
addresses, these addresses were complemented with information about the day on
which the monitoring took place, and the resulting data were subsequently one-
way hashed. An encompassing information policy that also included procedures
for removal of data that were not needed anymore and campaigns to raise aware-
ness by the employees who had access to the data, complemented the NS
This creative and innovative approach shows that privacy may have interesting
innovation consequences as well. At the same time, NS does not publicly convey
this image of respecting privacy in its activities. In our research we have met with
9 (visited March 4, 2015). The hack took place in 2008.
10The MiFare chip was originally a product produced by Philips, but at the time the hack became
public, the chips were made and sold by NXP, the successor of Philips.
met-de-wet (visited March 4, 2015).
12Arnold Roosendaal et al., Actieplan Privacy (Delft: TNO-report R11603, 2014), 24 ff.
13Roosendaal, 24 ff.
198 M. van Lieshout
a number of organisations that all express the intention to respect consumer pri-
vacy, but which all are hesitant to advertise this fact.14
Privacy and innovation thus do not really seem to merge in an easy and conven-
ient manner. In this chapter I will start with presenting a pragmatic perspective on
privacy, by disentangling it into three intersecting circles: information security,
data protection and the private sphere. Then I will present some studies that
researched the relationship between privacy and innovation. The next section
introduces innovation theory and especially the existence of market and system
imperfections as a conceptual approach to understanding how privacy and innova-
tion practices can be related. This will be followed by a discussion of the results of
a study the PI.lab performed for the Dutch ministry of Economic Affairs on pri-
vacy and innovation. The PI.lab is an expertise centre, formed by the Dutch organ-
isations, Radboud University, SIDN, Tilburg University and TNO.15 The study
was dedicated to studying how Dutch businesses dealt with privacy requirements
in their practices and policies. The concluding section will add some perspectives
on research in this field.
2 The Concept of Privacy
Many authors have presented views on privacy.16 In this paper, I will explore a dif-
ferent kind of approach, one that will start by distinguishing three main pillars.
The European Charter of Fundamental Rights distinguishes between a right to pri-
vacy (article 7) and a right to the protection of personal data (article 8).17 While
the right to privacy relates to fundamental notions of the integrity of the body, the
intimacy of the family, the sacrosanct place of the house and the right to confiden-
tial communications, the right to data protection refers to fundamental principles
to be obeyed when personal data are at stake. These principles are articulated in
the present EU directive on data protection.18 One of these principle is the princi-
ple that data controllers and processors should take appropriate technical and
14We did not publish on this issue, but we encountered this attitude at a number of Dutch organi-
sations. A few of these will be mentioned in this article.
15See (visited March 12, 2015).
16See for instance Rachel Finn, David Wright, and Michael Friedewald, “Seven types of privacy”,
in Serge Gutwirth, Yves Poullet et al. (eds.), European Data Protection: Coming of Age (Dordrecht:
Springer, 2013) who present a challenging sevenfold dimensioning of privacy, based on previous
work by amongst others Roger Clark.
17EC, Charter of Fundamental Rights of the European Union, (Brussels: Official Journal of the
European Communities, C 364/1, 2000).
18For the FIP, see Robert Gellman, Fair Information Practices: A Basic History, http://bobgellman
.com/rg-docs/rg-FIPShistory.pdf (visited March 9, 2015). The title of the EU Data Protection
Directive 95/46/EC states: “[O]n the protection of individuals with regard to the process-
ing of personal data and on the free movement of such data”. See: http://eur-lex.europa.
eu/LexUriServ/ (visited March 9, 2015).
Privacy and Innovation: From Disruption to Opportunities
organisational measures for safeguarding the security of the systems that store and
process personal data. Together with the right to privacy and the right to data pro-
tection this leads to the following scheme (see Fig. 1).
The figure presents three intersecting circles with distinct orientations:
1. Information security focuses on technical requirements stemming from the
treatment of personal data and the basic principles used in information security:
confidentiality of data, integrity of data and availability of data.19
2. Data protection focuses on legal and regulatory issues stemming from laws and
regulations, such as the EU directive on protecting personal data, 95/46/EU20 and
the ePrivacy directive (2002/58/EU), in line with the OECD Fair Information
Principles and Practices.21
3. The Private sphere focuses on issues of individual privacy, the autonomy of the
individual, the safeguarding against interference by others and the ability to
determine one’s life.
Choice, control and consent are the three basic principles that relate to each of the
circles. By subdividing the discourse on privacy in these three domains I try to
overcome the following barriers:
1. The discussion on privacy issues is often obfuscated by the dominance of
technical issues (encryption as the key to all privacy problems) over societal
19Mark Stamp, Information SecurityPrinciples and practice (Hoboken, New Jersey: John
Wiley & Sons, 2006): p. 2.
20With the 95/46/EC directive to be replaced by the General Data Protection Regulation in due time.
21See (visited March 5, 2015).
Fig. 1 Conceptual relations between private sphere, data protection and information security
200 M. van Lieshout
and regulatory ones.22 Information security clearly plays a role, but it is obvi-
ous that good technical solutions cannot fix everything.
2. Gutwirth and Gellert argue that data protection is based on the definition of a
number of procedures on how to deal with personal data, while privacy deals
with social phenomena such as autonomy and the right to self-fulfilment. These
latter issues always need to be assessed in a specific context. No general rules
or procedures are available to decide if and in what sense privacy is infringed.23
When dealing with issues in which personal data and privacy play a role we
need both perspectives (the procedural and the so-called substantive one). In
the scheme I use I address both aspects separately.
3. Data protection is often considered to be the domain of lawyers and legally
trained professionals. However, the legal perspective alone is not at all suffi-
cient to cover relevant DP issues. By separating the DP-approach from the pri-
vate sphere and the security approach I intend to both emphasize the relative
relevance of the legal (procedural) issues which are brought forward by the
data protection legislative frameworks while keeping a strict eye on the techni-
cal and societal dimensions which are explicit parts of these frameworks as
The figure presents and reconciles the various dimensions one has to deal with
when personal data are at stake. Innovation processes play a role in each of the
three domains. Innovation in security processes relates to new encryption tech-
niques, such as homomorphic encryption. These encryption techniques can be part
of the ‘appropriate organisational and technical measures’ which are requested in
the data protection regulations. Data protection impact assessments and data pro-
tection audits are examples of organisational innovations. And new approaches
which combine technical, organisational and user-related dimensions, such as
information processes that use data vaults, are an example of a more complex and
multidimensional innovation process, directed at enhancing autonomy, choice and
control by the data subjects.25
22One telling example is the response of Phil Zimmerman during the panel on privacy innova-
tions who responded to a question on whether privacy was more than securing data, that, indeed,
in the end it all comes down to using encryption for safeguarding data. In my view, which I also
introduced during the panel, this perspective falls short to capture on what privacy is about.
23Raphael Gellert and Serge Gutwirth. “The legal construction of privacy and data protection”
Computer Law and Security Review (CLSR) 29 (2013): 522–530.
24One interesting issue in this respect is the capabilities data protection officers need to have.
In the Directive and the Regulation it is emphasized that DPOs should have sufficient legal ánd
technical knowledge. Given the need for additional DPOs (triggered by the new Regulation) one
would expect multidisciplinary vocational courses to emerge that teach basic and advanced legal
ánd technical insights.
25Examples of these innovations will be provided in the next section. One example relates to the
opportunity to organize one’s CV in a data vault, thereby anticipating on the increasing num-
ber of self-employed professionals who need to convey their professional details to (potential)
Privacy and Innovation: From Disruption to Opportunities
3 Privacy and Innovation—A Conceptual Framework
According to the OECD Manual on innovation, innovation is either ‘something
new to the firm, something new to the market or something new to the world’.26
Over the years, the OECD has expanded its definition of innovation in order to
capture a broader array of activities: in addition to technological innovations,
organisational innovations have become part of the definition. New production
methods, new service distribution models, new ways of organising the collection
and distribution of data within an organisation are all examples of innovation.
Theoretical and conceptual approaches on the differences between the service ori-
ented character of many business practices today and the older industry-led pro-
duction model have led to variations on the traditional ‘innovation-diffusion’
model, but the main elements of this model are still in place.27
Innovation systems face different kind of imperfections. One such imperfection
is, for instance, a regulatory framework that is not up to date and that blocks inno-
vative activities because it forbids specific services that are part of a novel
approach of businesses.28 Modelling imperfections from an innovation systems
perspective has led to the identification of market and system imperfections.29 The
model I use identifies five categories of imperfections that can arise in the innova-
tion system and four categories of imperfections that can arise in the functioning
of the market (Table 1).
3.1 Market Imperfections
Market imperfections refer to imperfections in the functioning of a market. These
imperfections may have consequences for individuals, an example being the exclu-
sion from specific products of services.
26OECD Oslo Manual (1997). The measurement of Scientific and Technological activities—Proposed
guidelines for collecting and interpreting technological innovation data.
inno/2367580.pdf (visited March 4, 2015).
27Richard Barras, “Towards a theory of innovation theory in services”, Research policy 15 (4)
(2000): 161–173. Everett M. Rogers, Diffusion of Innovations (5th edition) (New York: Free
Press, 2003).
28This illustration could be applied to the example I provided before on purpose specification in
data analytics situations. Purpose specification as such may not be sufficient to block an innova-
tion in the field of data analytics, but combined with other regulatory requirements it may hinder
innovative practices.
29Martijn Poel, The impact of the policy mix on service innovationThe formative and
growth phases of the sectoral innovation system for internet video services in the Netherlands,
(Enschede: GildeprintDrukkerijen 2013). Poel discusses these imperfections as market and
systems failures. In a study project I have been part of in recent years, some participants urged
to use the less intrusive vocabulary of ‘imperfections’ instead of ‘failures’. I will follow this
approach in this contribution.
202 M. van Lieshout
Externalities and spill-overs refer to the situation in which the activities of one
party have consequences, or spill over to other parties. These spill-overs can be of
different kinds: knowledge spill-overs, market spill-overs or network spill-overs.30
A well-known example of a positive spill-over relates to the so-called network
externalities: in a service which relies on the exchange between its participants (a
social media app for instance), each participant profits from the addition of a new
Public goods are goods that embody public values, such as knowledge that
could become available to everyone who would like to use it. Non-exclusivity
however could be a barrier for innovation. When no party is able to capture the
competitive advantages of exclusive knowledge no one is willing to invest in real-
ising this knowledge. But exclusive availability of knowledge may hinder innova-
tion as well since only one party may capture the benefits. Open innovation
approaches, in which knowledge is shared in order to enhance the benefits for all,
have been shown to offer advantages, especially in the domain of information and
communication technologies where network effects are important.31
Information asymmetry refers to differences in access to relevant information.
App developers, for instance, are usually small firms32 which cannot afford to
invest in coping with the peculiarities of privacy regulations. They cannot compete
with larger organisations who can afford to hire a privacy officer information
asymmetry may also refer to the relationship between firms and customers, in
which a customer usually lacks detailed insights on what a firm knows and can do
with information collected over the individual.
30James Medhurst et al., An economic analysis of spill overs from programmes of technologi-
cal innovation support, (Report prepared for ICF GHK 2014).
31Eric von Hippel and Georg van Krogt, “Open Source Software and the “Private-Collective”
Innovation Model: Issues for Organization Science.” (MIT Sloan School of Management
Working Paper 4739-09, 2009).
32See for instance the EC Green Paper on Mobile Health (Com(2014) 219 final, that indicates
that 64 % of mobile app have less than 10 employees (p. 7).
Table 1 Categories of market and system imperfections
Poel (2013, pp. 55–56)
Market imperfections Imperfections in the innovation system
Externalities/spill-overs Imperfections in infrastructural provision and investment
Public goods Lock-in or path dependency
Information a-symmetry Institutional imperfections
Market power Interaction failures
Capabilities failures
Privacy and Innovation: From Disruption to Opportunities
Market power refers to market dominance. Facebook is a clear example.
Facebook has captured over one billion users. The mere presence of so many
‘peers’ on Facebook makes Facebook an interesting medium. Privacy-respecting
alternatives to Facebook, such as Diaspora,33 face the problem of not offering the
same level of customer spread as Facebook does. Competing with the market
dominance of Facebook is not an easy challenge.
3.2 Systems Imperfections
Imperfections in the innovation system refer more exclusively to arrangements
between parties (firms, governments and customers) that block the process of
innovation. These imperfections can be of various kinds as well.
Imperfections in infrastructural investments relate to those provisions that cre-
ate opportunities to offer new services and products. The roll-out of broadband
and 4G telecommunications networks is one such provision that is deemed essen-
tial to keep the innovation fabric running. Up till the nineties of the past century
these infrastructures were considered public goods. Since then, market forces
determine the creation of new infrastructures. Public intervention may be neces-
sary to guarantee availability of new infrastructure in locations which are hardly
interesting from a commercial perspective. Another example of such interventions
is the case concerning network neutrality. The US Federal Communications
Commission decided on February 26, 2015 that firms had to obey the principle of
network neutrality.34 No price competition on network bandwidth is allowed. In
the European Union, a similar debate is going on, with the Commission leaning
towards favouring net neutrality but as yet no clear decision has been made.35
Lock-in or path dependencies relate to the restriction of choice once a choice
for a system has been made. The dominance of Microsoft in previous decades with
its Windows Operating System and the dominance of Apple with its closed plat-
form are examples. Lock-in creates fixed avenues of innovation. For customers it
means that switching costs are high (having to replace all Apple related equipment
and services comes at a high price), while new services need to fit in existing paths
to be interesting to these customers.36
Institutional imperfections refer to failure in the institutional domain to enhance
innovative practices. As a ‘rule’, the regulatory framework lags behind business
practices.37 ‘Purpose specification’ for instance, is deemed obsolete, given the
37Technology neutral regulatory frameworks are presented as alternative to this lagging behind,
but—as the example of network neutrality shows—they are difficult to maintain.
204 M. van Lieshout
changes in collecting and processing personal data. However, the regulatory
framework still requires purposes to be defined as legitimate basis for data pro-
cessing. Other imperfections could relate to a failing supervisory authority, for
instance, one that lacks sufficient manpower to exercise all its responsibilities.
Imperfections in the interaction between the dominant players within an inno-
vation network may result in sub-optimal solutions. These could lead to missing
out opportunities because of groupthink among the most dominant actors.38
Capabilities imperfections refer to a sector’s lack of skills and competences to
fully capture the benefits of an innovation. Again, the size of the average app firm
(64 % fewer than 10 employees) may lead to problems in capturing relevant devel-
opments taking place in the app market. Such developments relate to privacy as well.
While this set of market and system imperfections relate to innovation systems
in general, they can also be related to issues concerning privacy as well. One such
issue is Privacy by design. Promoted by the Canadian Information and Privacy
Commissioner Ann Cavoukian39 and adopted by the International data protection
authorities in its 31st international conference in Madrid,40 privacy by design is
one of the placeholders in the new Regulation.41 Considering privacy by design as
an innovative practice enables analysing the impact of potential market and sys-
tems imperfections on the rise and spread of privacy by design.
4 Privacy and Innovation: It Takes Two to Tango?
An oft-heard statement is that privacy has a stifling effect on innovation. In a report
that formed the basis of a statement for the US Government, Lenard and Rubin
concluded that “the ‘familiar solutions’ associated with the Fair Information
Principles and Practices are a potentially serious barrier to much of the innovation
we hope to see from the big data revolution.42 However, empirical evidence on the
relation between privacy and innovation is scarce. One article which empirically
studied the impact of privacy regulations on business processes, concluded that the
overall consequences of having to deal with privacy are negative.43 The authors
38Martijn Poel, The impact of the policy mix on service innovationThe formative and
growth phases of the sectoral innovation system for internet video services in the Netherlands,
(Enschede: Gildeprint Drukkerijen, 2013), 56.
39Ann Cavoukian, Privacy by designTake the challenge, (Ontario 2009).
41Article 23 of the proposed General Data Protection regulation deals with data protection by
design and by default.
42Thomas M. Lenard and Paul H. Rubin, The Big Data revolutionPrivacy Considerations,
(Washington: Technology Policy Institute, 2013), 3.
43Avi Goldfarb, and Catherine Tucker, “Privacy and innovation”, In: Josh Lerner and Scott Stern
(eds.), Innovation Policy and the Economy. (Chicago: University of Chicago Press), 65–89.
Privacy and Innovation: From Disruption to Opportunities
studied the consequences of privacy regulations on the adoption of Electronic
Medical Records (EMRs) in the United States. They were able to show that adopt-
ing privacy regulations had a negative impact (compared to having no regulation)
on the adoption of EMRs, which was subsequently shown to have detrimental
effects on the quality of care delivered. The study focused on neonatal mortality
rates. The research showed a decrease in the number of incidences when a hospital
had access to EMRs, which enabled exchange of patient information in critical sit-
uations. Doctors in hospitals that did not utilize EMRs were not able to consult all
available information on a patient’s health situation (in this case of new-born
babies), which could have detrimental effects on the patients. The authors con-
cluded that privacy regulations explained about 5 % of the variation in EMR adop-
tion.44 The authors also studied on-line advertisements and showed that privacy
considerations have a significant effect on the efficiency of online advertisements
and thus on online advertisement revenues. Targeted advertisements were 65 %
more effective than advertisements that could not use targeting information to
address dedicated groups of customers. The authors conclude that “privacy protec-
tion will likely limit the scope of the advertising-supported internet” and that
“without targeting, it may be the case that publishers and advertisers switch to
more intentionally disruptive, intrusive, and larger adds.45 A final conclusion is
that “ultimately privacy policy is interlinked with innovation policy and conse-
quently has potential consequences for innovation and economic growth.46
In another study, performed for the European Parliament, the relation between
privacy and innovation was split in four different segments (see Fig. 2).47
44Avi Goldfarb, and Catherine Tucker, 81.
45Avi Goldfarb, and Catherine Tucker, p. 77.
46Avi Goldfarb, and Catherine Tucker, p. 85.
47Jonathan Cave et al., Does it help or does it hinder? Promotion of innovation on Internet and
citizen’s right to privacy, (Brussels: European Parliament, 2011).
Fig. 2 Relation between privacy and innovation (Cave et al. 2011, p. 10)
206 M. van Lieshout
The fourfold relationship between privacy and innovation was investigated in a
number of case studies (biometrics, cloud computing, online behavioural advertise-
ment, RFID and location based services). The overall conclusions of the study are
that innovation practices hardly take notice of privacy concerns and that the domi-
nant logic within these practices promotes innovation at the expense of privacy. The
conceptual approach adopted in the study for innovation enabled the study to dif-
ferentiate between various aspects of innovation (technological dimension, organi-
sational dimension, regulatory dimension and user perspective). Emergent new
technologies are based upon opportunities to collect sensitive personal data (gene
technologies, biometrics) and to collect an ever broader array of personal data
(RFID sensor data and location based services). Awareness of these practices and
developments within organisations and user constituencies is low or absent. The
study recommends distinguishing between normative dimensions of privacy and an
economic dimension of privacy.48 Policy interventions should relate to a number of
issues such as clarifying consent, offering more fine-grained privacy rights and
checking for possibilities to reconcile privacy and economic regulations.49
5 Action Plan Privacy—The Dutch Situation
The preceding section explored a number of perspectives related to privacy and
innovation. Some of the studies I presented, show that adherence to privacy
demands blocks innovation, and may have detrimental impacts on relevant societal
practices such as health care. According to these studies, privacy blocks innova-
tion, or stated the other way around, adopting innovation practices means giving
up on privacy. In order to better unravel the processes of innovation that are at
stake I introduced a conceptual approach towards privacy that distinguishes
between the technical (emphasized by information security), legal/regulatory
(emphasized by data protection) and societal (emphasized by the private sphere)
aspects. This conceptualisation enables us to classify between technical innova-
tions, institutionally oriented innovations and societal innovations.50 We used
these distinctions to examine innovative privacy practices in the Netherlands in a
study, commissioned by the Dutch Ministry of Economic Affairs. The study took a
rather optimistic point of departure in presuming that
(a) It is possible to identify innovative practices that promote privacy.
(b) These practices may have a positive economic impact, while safeguarding
privacy as well.
48Jonathan Cave et al., p. 97.
49Jonathan Cave et al., pp. 98–100.
50This does not assume that data protection for instance only deals with regulatory innovations.
As the example in the text indicate what is manifest in the cross cutting of data protection with
information security, and the private sphere, data protection deals with technical and societal inno-
vations as well. The distinctions should help in pinpointing and focusing, reducing complexity.
Privacy and Innovation: From Disruption to Opportunities
We adopted as starting point that one can identify a certain willingness to engage
with privacy as an agent of change. A recent report by Deloitte concisely phrases
this in its title that says: “Having it all—Protecting privacy in the age of analyt-
ics.”51 It is not the only expression of a changing mood. In consultancy projects
we are engaged with, several organisations indicated a willingness to include pri-
vacy and data protection in customer oriented services, but were reluctant to ‘go
public’ with this approach.
The Action Plan Privacy was based on three subsequent steps:
1. Inventorying best practices and best technologies that could support practices to
respect privacy.
2. Identifying organisations that had already implemented privacy respecting
approaches or that offered privacy respecting services.
3. Analysing these practices from an innovation policy point of view, and arriv-
ing at a set of recommendations to the client, the Dutch Ministry of Economic
In the first step, the assumption was that many more privacy tools are available
than is generally presupposed. However, these tools are hardly known and hardly
implemented. The inventory identified the following three categories of privacy
1. Tools and technologies that are directed at safeguarding privacy within a
service; these tools relate to privacy by design approaches (strategies and
patterns), the use of anonymous credentials and anonymisation and pseu-
donymisation techniques, and standards for information security. Many of
these tools relate to the technical pillar of our approach to privacy, which deals
with information security. Organisational tools in this category relate to Privacy
Impact Assessments (PIAs), Privacy Officers, and the use of a Privacy Maturity
Model to identify the level of privacy awareness and privacy actions within an
organisation. These tools relate to the data protection pillar as they take the reg-
ulatory framework as starting point.
2. Tools that are directed towards privacy respecting information architectures and
networks. These are technical (inserting a digital vault for instance) and organi-
sational (sticky policies, development and implementation of context aware pri-
vacy policies).
3. Tools that are directed towards enhancing the position of the data subject.
These tools underscore the private sphere pillar of our approach. Examples of
these tools are privacy dashboards, informed consent, private browsing, Do not
track and the use of TOR networks and encryption are examples. They cover
technological, organisational and regulatory dimensions.
51Deloitte. Having it allProtecting privacy in the age of analytics.
content/dam/Deloitte/ca/Documents/Analytics/ca-en-analytics-ipc-big-data.pdf (visited March 5,
208 M. van Lieshout
The study was not able to identify the use of these tools in practice. It identified
available technologies and tools, some of them still within the academic world,
some of them already available as a commercial product. Trusted third parties for
instance, are well-known as an approach to cope with sensitive data. And privacy
impact assessments (or: data protection impact assessments) are already intro-
duced in a variety of settings.
Within the second step, some anecdotal evidence was collected on organisa-
tions that had embedded privacy tools and techniques in their organisation. I have
already mentioned the NS. Another organisation that based its primary product on
a privacy respecting approach is CV-OK. CV-OK developed a data vault that indi-
viduals can use for storage of accredited documents such as diplomas and other
reference documents. With the rise of flex contracts, in which employees change
jobs more frequently and with a rising number of self-employed individuals
the need for such a data vault is growing. This organisation decided to develop
a secure and privacy respecting data vault that could be used by individuals to
store and forward documents they need when soliciting for a job or a task. Their
approach embodies an attitude that respects privacy, with the user in control, obey-
ing data protection regulation and using security techniques to realise secure stor-
age and handling of personal data.
The Action Plan Privacy also discussed the role of privacy/data protection offic-
ers and the role of branch organisations in promoting awareness and reflection on
business processes and services that respect privacy. Large organisations in which
personal data is processed need awareness campaigns to raise overall awareness
for how to deal with these data and organisational rules concerning access, use and
management of personal data.
Within the study we identified three sort of privacy approaches. Privacy as ser-
vice enabler refers to firms that adopt approaches that respect privacy in the ser-
vices they offer to their clients. The NS is an example of such a firm. These firms
go beyond the mere need for compliance with the data protection regulations and
try to build in user control, choice, and autonomy in their approach. Privacy as a
niche market refers to firms that bring new and innovative systems and products
for respecting or maintaining privacy on the market. Qiy is an example of such an
approach, where the data subject is able to determine which data are released to
which party for which purposes.52 We concluded that an important challenge for
these niche firms is to turn niche products into mainstream products. Finally, pri-
vacy as compliance refers to those firms that adopt a pragmatic approach towards
privacy and seek to comply with the regulatory framework. This could reduce pri-
vacy awareness to a so-called tick box approach, in which minimal effort is
invested in complying with the necessary regulations.
The final part of the Action Plan Privacy was identifying the market and systems
imperfections and the presentation of policy recommendations in order to fix these
imperfections. On the market side, firms do not know what kind of tools and
52See (visited March 9, 2015).
Privacy and Innovation: From Disruption to Opportunities
practices are available (information asymmetry). They may experience triggers to
search for privacy respecting approaches, for instance due to regulatory require-
ments. An example is the EU ‘Recommendation on privacy and data protection
principles when using RFID applications’ that promotes the use of PIA when a firm
develops an RFID application. This Recommendation has however not led to the
widespread adoption of practices to respect privacy when offering RFID applica-
tions.53 Organisations are not (sufficiently) aware of the principles they should obey,
and supervision by supervisory authorities is not strict enough to act as a trigger.
This last aspect is a manifestation of institutional imperfections. Imperfections
in market dominance play a role as well. Most large system integrators are rather
reluctant to position themselves as offering privacy respecting architectures, net-
works and services. They hardly advertise their measures to maintain privacy.
Information and cyber security is a relevant market window, but data protection
and privacy still is treated with caution.
The most prominent system imperfections are the institutional imperfections,
the capability imperfections and the interaction imperfections. Supervisory author-
ities do not have the capacity to exert real pressure on the market to obey data
protection regulations. In the Netherlands, a complaint voiced during a consulta-
tion workshop was that the Dutch DPA is not willing to give advice beforehand.
Firms would appreciate the DPA offering a helping hand on which kind of prac-
tices are allowed but the Dutch DPA refrains from providing that service. The
branch organisations indicated that many firms feel they are missing the capabili-
ties to respond to the regulatory requirements. With the advent of the General Data
Protection Regulation, branch organisations feel that the regulatory requirements
impose larger pressures on data processing organisations without offering suffi-
cient support to cope with these requirements.
A positive outcome of this systems imperfection is the emergence of a maturing
juridical consultancy market that develops new services to help small firms that
deal with personal data (such as app developers). Unfortunately, it is very prob-
lematic to insert truly new approaches to privacy into the market (sophisticated
trusted architecture and key encryption schemes, for instance). Turning the inno-
vations in a commercially interesting proposition is difficult. One such initiative
is Qiy. Qiy set itself the objective to realise a structure of secured exchange of
information between various parties such that these parties can share minimal sets
of information in a trusted environment in a manner that respects privacy. Over the
past five years, Qiy is trying to create a business case for this approach. It needs
consensus with many stakeholders to make the solution it offers attractive (net-
work externalities). At this moment (March 2015) it is not clear whether it will
succeed in its mission to realise such a secured infrastructure with sufficient sup-
port of all relevant stakeholders.
53See EC, DG CONNECT INTERNAL REPORT on the implementation of the Commission
Recommendation on the implementation of privacy and data protection principles in applications
supported by radio-frequency identification, (Brussel 2014).
210 M. van Lieshout
The examples of Qiy and CV-OK demonstrate that market and system
imperfections need to be addressed to realise a functioning market of privacy
respecting technologies and services. In the Action Plan Privacy we presented a
number of recommendations that are meant to solve or to overcome the experi-
enced market and system imperfections. Information asymmetry requires
awareness campaigns. Branch and interest organisations play a role in estab-
lishing awareness and promoting practical approaches to privacy respecting
solutions. The branch and interest organisations that were consulted indicated
willingness to play such a role. They indicated that the implementation of the
General Data Protection Regulation, which is now expected to be realised at the
end of 2015, forms an important trigger for informing their customers on what
needs to be done.54 Institutional imperfections are more difficult to address.
The implementation of the GDPR is a trigger for firms to check whether their
approach is still privacy compliant or needs to be attuned. The requirement to
have a data protection officer appointed will lead to the need for more skilled
and trained data protection officers. From the perspective I sketched in this
chapter such a data protection officer should have capabilities on the technical,
the legal and the organisational domain. This is also the way the capabilities are
phrased in the GDPR (and in the current data protection directive).
6 Conclusions
The awareness for the societal role of privacy is growing. Firms start to realise that
privacy itself can be an innovative agent of change. By inserting privacy principles
in the innovation equation, innovative systems can be implemented that realise pub-
lic and economic value by making use of personal data and that meet privacy expec-
tations. In this chapter I used the approach of market and systems imperfections to
address innovation. Overcoming identified market and system imperfections is a
way to realise innovative capacity. Privacy was addressed in terms of three inter-
connected spheres of influence: the private sphere, data protection and information
security. Each of these spheres is characterised by a dominant logic: technological
principles in the case of information security, regulatory principles in the case of
data protection and societal principles in the case of the private sphere. By having
this split, it is possible to have a separate look at what is needed from a technical
perspective, a regulatory perspective and a societal perspective. Issues dealing with
privacy and innovation should look for innovation in each of the spheres.
The Dutch Action Plan Privacy, commissioned by the Dutch Ministry of
Economic Affairs and performed by the PI.lab (in which TNO participates), was
used to discuss the innovative capacities of privacy. The Action Plan Privacy
54The full implementation period of the GDPR will last for two years. Starting at the end of 2015
thus implies that the GDPR will be fully effective at the end of 2017.
Privacy and Innovation: From Disruption to Opportunities
concluded that three strategies can be utilized by firms to become more respectful
of privacy: a firm could decide to embed privacy in their service activities (privacy
as service enabling), a firm could develop new niche products that help protect pri-
vacy (privacy as a niche market), and a firm could decide to restrict itself to being
compliant (privacy as compliance). Examples of firms using the first strategy are
privacy sensitive firms that deal with personal data as a by-product. Examples of
firms using the second strategy are innovative firms offering privacy respecting ser-
vices and systems. Examples of firms using the third strategy are firms that take the
regulatory framework as starting point and seek the easiest way to be compliant.
Overall, the Action Plan has an optimistic tone with respect to the opportunities
privacy offers as an innovation strategy. The upcoming General Data Protection
Regulation already influences privacy behaviour of firms. Firms realise they might
have to strengthen their privacy profile to keep on track with the requirements of
the new GDPR. A second important motive is that firms realise that negative inci-
dents have a considerable impact on their reputation. In a number of situations, a
direct link can be made between how a firm treats privacy matters and a confronta-
tion with an incident with a severe impact on that firm. Thirdly, emerging technical
and organisational solutions help avoiding the ‘all or nothing’ approach that seems
to hinder privacy innovations. System integrators start to implement privacy solu-
tions that can be tuned to the specific requirements of a firm. Privacy by design
strategies and patterns help in fine-tuning solutions to the specific systems in use.
Internal Data Protection Officers and awareness campaigns promote privacy
respecting attitudes in organisations. Instruments such as PIA become standard-
ised. Consultancy firms help to implement these tools and check for compliance of
existing data processing approaches. These activities help in overcoming identified
market and systems imperfections and in embedding an approach that respects pri-
vacy as part of a competitive firm strategy. Government intervention is necessary
to help organise a business climate that respects privacy.55
However, we need to balance this optimistic tone with the following observa-
tions. Firstly, the emergence of personal data markets will continue to put pressure
on protecting privacy. Secondly, the continuing development of an ‘app-econ-
omy’, in which many small firms whose business model is almost exclusively
based on collecting, processing and disseminating personal data, will pose serious
problems in controlling whether appropriate data protection strategies are imple-
mented and secured.
An active approach by public and private organisations (governmental organisa-
tions included) is prerequisite to have the best of both world: innovative practices,
creating economic and public value, and new services that truly respect the privacy
of its customers.
55The Ministry of Economic Affairs published a policy letter on Big Data and Privacy in which
it underscores the relevance of a privacy respecting approach towards big data and in which it
stated that the recommendations of the Action Plan Privacy should be implemented by a working
group that the Ministry will establish on Big Data and Privacy.
212 M. van Lieshout
Acknowledgments I would like to thank Arnold Roosendaal (TNO, PI.lab) and the anonymous
reviewers for their constructive comments on earlier versions of this chapter.
Barras, Richard. 2000. Towards a theory of innovation theory in services. Research Policy 15(4):
Cave, Jonathan, Marc van Lieshout, Neil Robinson, Rebecca Schindler, Gabriela Bodea, and
Linda Kool. 2011. Does it help or does it hinder? Promotion of innovation on Internet and
citizen’s right to privacy. Brussels: European Parliament.
Cavoukian, Anne. 2009. Privacy by design—Take the challenge. Ontario: Information and
Privacy Commissioners Office.
Edquist, Charles. 1997. Systems of innovation: Technologies. Institutions and Organizations: Pinter.
European Commission. 2000. Charter of fundamental rights of the European Union. Brussels:
Official Journal of the European Communities C 364/1 Brussels.
European Commission. 2014. DG CONNECT internal report on the implementation of the
Commission Recommendation on the implementation of privacy and data protection princi-
ples in applications supported by radio-frequency identification. Brussel.
European Court of Justice. 2014. Factsheet on the ‘right to be forgotten’ ruling (C-131/12).
Finn, Rachel, David Wright, and Michael Friedewald. 2013. Seven types of privacy. In European
data protection: Coming of age, ed. Serge Gutwirth, Yves Poullet, et al. Dordrecht: Springer.
Gellert, Raphael, and Serge Gutwirth. 2013. The legal construction of privacy and data protec-
tion. Computer Law and Security Review (CLSR) 29: 522–530.
Goldfarb, Avi, and Catherine Tucker. 2012. Privacy and innovation. In Innovation policy and the
economy, ed. Josh Lerner, and Scott Stern, 65–89. Chicago: University of Chicago Press.
Hippel, Eric von, Georg van Krogt. 2009. Open source software and the “Private-Collective”
innovation model: Issues for organization science. MIT Sloan School of Management
Working Paper 4739-09.
Lenard, Thomas M., and Paul H. Rubin. 2013. The big data revolution: Privacy considerations.
Washington: Technology Policy Institute.
Medhurst James, Joel Marsden, Angina Jugnauth, Mark Peacock, Jonathan Lonsdal. 2014. An
economic analysis of spillovers from programmes of technological innovation support. Report
prepared for ICF GHK.
Nelson, Richard R. 1993. National innovation systems: A comparative analysis. Urbana:
University of Illinois.
Poel, Martijn. 2013. The impact of the policy mix on service innovation—The formative
and growth phases of the sectoral innovation system for internet video services in the
Netherlands. Ph.D thesis, Technical University Delft, Delft.
Rogers, Everett M. 2003. Diffusion of innovations, 5th ed. New York: Free Press.
Roosendaal, Arnold, Marc van Lieshout, Colette Cuijpers, Ronald, Leenes. 2014. Actieplan
Privacy. Delft: TNO-report R11603.
Solove, Daniel. 2002. Conceptualizing privacy. California Law Review 90(4): 1087–1155.
Stamp, Mark. 2006. Information security: Principles and practice. Hoboken, New Jersey: Wiley.
World Economic Forum. 2013. Unlocking the value of personal data: From collection to usage.
World Economic Forum.
ResearchGate has not been able to resolve any citations for this publication.
Full-text available
As technologies to develop, conceptualisations of privacy have developed alongside them, from a “right to be let alone” to attempts to capture the complexity of privacy issues within frameworks that highlight the legal, social-psychological, economic or political concerns that technologies present. However, this reactive highlighting of concerns or intrusions does not provide an adequate framework though which to understand the ways in which privacy should be proactively protected. Rights to privacy, such as those enshrined in the European Charter of Fundamental Rights, require a forward-looking privacy framework that positively outlines the parameters of privacy in order to prevent intrusions, infringements and problems. This paper makes a contribution to a forward-looking privacy framework by examining the privacy impacts of six new and emerging technologies. It analyses the privacy issues that each of these technologies present and argues that there are seven different types of privacy. We also use this case study information to suggest that an imprecise conceptualisation of privacy may be necessary to maintain a fluidity that enables new dimensions of privacy to be identified, understood and addressed in order to effectively respond to rapid technological evolution.
Full-text available
Innovation and technical change play significant roles in both firm and economic growth, resulting in the creation of knowledge and the formation of new products. Due to the competitive aspects of innovation, firms often interact with and share and/or exchange information with other organizations, including other firms and universities, to further their innovative pursuits. Additionally, other factors, such as laws, cultural norms, and social rules, impact a firm's innovative abilities and behaviors. Organizations and institutions, economic infrastructures, sectoral innovation systems, and national imaginations all have a role in innovation systems. This edited work is composed of 17 essays, providing differing perspectives. To better understand the systems of innovation approach to business, this book examines three significant issues: part one dissects conceptual problems related to the theory of the systems of innovation approach; part two discusses the relationship between the systems of innovation approach and other innovation theories; and part three promotes greater understanding of the dynamics of systems of innovation. The various systems of innovation approaches have nine common characteristics: innovations and learning at the center of focus; holistic and interdisciplinary; historical perspective; differences between regional systems (no optimal system); interdependence; encompasses both technological and organizational innovations; institutions are central; conceptual ambiguity; and conceptual frameworks rather than formal theories. The creation and distribution of technological knowledge, including interindustry differences, are also explored. Evolutionary theories of economics and the ways in which they influence the systems of innovation approach are examined. The influence of policy upon technological change is also discussed, as are Technological and institutional change as components in the creation and change of innovation systems. Challenges to the systems approach are examined, including policy-based challenges to firms, paradigmatic shifts in innovation systems, and differences among European systems of innovation. (AKP)
Currently, two models of innovation are prevalent in organization science. The “private investment” model assumes returns to the innovator result from private goods and efficient regimes of intellectual property protection. The “collective action” model assumes that under conditions of market failure, innovators collaborate in order to produce a public good. The phenomenon of open source software development shows that users program to solve their own as well as shared technical problems, and freely reveal their innovations without appropriating private returns from selling the software. In this paper, we propose that open source software development is an exemplar of a compound “private-collective” model of innovation that contains elements of both the private investment and the collective action models and can offer society the “best of both worlds” under many conditions. We describe a new set of research questions this model raises for scholars in organization science. We offer some details regarding the types of data available for open source projects in order to ease access for researchers who are unfamiliar with these, and also offer some advice on conducting empirical studies on open source software development processes.
In this Article, Professor Solove develops a new approach for conceptualizing privacy. He begins by examining the existing discourse about conceptualizing privacy, exploring the conceptions of a wide array of jurists, legal scholars, philosophers, psychologists, and sociologists. Solove contends that the theories are either too narrow or too broad. With a few exceptions, the discourse seeks to conceptualize privacy by isolating one or more common "essential" or "core" characteristics of privacy. Expounding upon Ludwig Wittgenstein's notion of "family resemblances," Solove contends that privacy is better understood as drawing from a common pool of similar characteristics. Rather than search for an overarching concept, Solove advances a pragmatic approach to conceptualizing privacy. According to Solove, when we talk about privacy, we are really talking about related dimensions of particular practices. We should explore what it means for something to be private contextually by looking at privacy problems: instances of particular forms of disruption to particular practices. Solove demonstrates how practices involving privacy have changed throughout history and explains the appropriate way to assess the value of privacy.
In this contribution, the authors explore the differences and interplays between the rights to privacy and data protection. They describe the two rights and come to the conclusion that they differ both formally and substantially, though overlaps are not to be excluded. Given these different yet not mutually exclusive scopes they then apply the rights to three case-studies (body-scanners, human enhancement technologies, genome sequencing), highlighting in each case potential legal differences concerning the scope of the rights, the role of consent, and the meaning of the proportionality test. Finally, and on the basis of these cases, the authors propose paths for articulating the two rights using the qualitative and quantitative thresholds of the two rights, which leads them to rethink the relationship between privacy and data protection, and ultimately, the status of data protection as a fundamental right.
Getting an innovation adopted is difficult; a common problem is increasing the rate of its diffusion. Diffusion is the communication of an innovation through certain channels over time among members of a social system. It is a communication whose messages are concerned with new ideas; it is a process where participants create and share information to achieve a mutual understanding. Initial chapters of the book discuss the history of diffusion research, some major criticisms of diffusion research, and the meta-research procedures used in the book. This text is the third edition of this well-respected work. The first edition was published in 1962, and the fifth edition in 2003. The book's theoretical framework relies on the concepts of information and uncertainty. Uncertainty is the degree to which alternatives are perceived with respect to an event and the relative probabilities of these alternatives; uncertainty implies a lack of predictability and motivates an individual to seek information. A technological innovation embodies information, thus reducing uncertainty. Information affects uncertainty in a situation where a choice exists among alternatives; information about a technological innovation can be software information or innovation-evaluation information. An innovation is an idea, practice, or object that is perceived as new by an individual or an other unit of adoption; innovation presents an individual or organization with a new alternative(s) or new means of solving problems. Whether new alternatives are superior is not precisely known by problem solvers. Thus people seek new information. Information about new ideas is exchanged through a process of convergence involving interpersonal networks. Thus, diffusion of innovations is a social process that communicates perceived information about a new idea; it produces an alteration in the structure and function of a social system, producing social consequences. Diffusion has four elements: (1) an innovation that is perceived as new, (2) communication channels, (3) time, and (4) a social system (members jointly solving to accomplish a common goal). Diffusion systems can be centralized or decentralized. The innovation-development process has five steps passing from recognition of a need, through R&D, commercialization, diffusions and adoption, to consequences. Time enters the diffusion process in three ways: (1) innovation-decision process, (2) innovativeness, and (3) rate of the innovation's adoption. The innovation-decision process is an information-seeking and information-processing activity that motivates an individual to reduce uncertainty about the (dis)advantages of the innovation. There are five steps in the process: (1) knowledge for an adoption/rejection/implementation decision; (2) persuasion to form an attitude, (3) decision, (4) implementation, and (5) confirmation (reinforcement or rejection). Innovations can also be re-invented (changed or modified) by the user. The innovation-decision period is the time required to pass through the innovation-decision process. Rates of adoption of an innovation depend on (and can be predicted by) how its characteristics are perceived in terms of relative advantage, compatibility, complexity, trialability, and observability. The diffusion effect is the increasing, cumulative pressure from interpersonal networks to adopt (or reject) an innovation. Overadoption is an innovation's adoption when experts suggest its rejection. Diffusion networks convey innovation-evaluation information to decrease uncertainty about an idea's use. The heart of the diffusion process is the modeling and imitation by potential adopters of their network partners who have adopted already. Change agents influence innovation decisions in a direction deemed desirable. Opinion leadership is the degree individuals influence others' attitudes
This anthology examines national systems of technical innovation. An introductory chapter provides an overview of the principal topics in current discussion of industrial and technology policy. Innovation is defined as the processes by which firms master and put into practice product designs and manufacturing processes that are new to them. A wide range of factors, organizations, and policies influence the capabilities of a nation's firms to innovate. Technology and pure science are distinguished, and the social institutions that play a role in innovation are examined. These include industrial and government research laboratories, research universities, and industrial policy agencies. These institutions provide the core for the analyses of national innovation systems. Individual chapters are devoted to six large high-income countries (France, Italy, Japan, the U.S., the U.K., and West Germany), four smaller high-income countries (Australia, Canada, Denmark, and Sweden), and five lower income countries (Argentina, Brazil, Israel, Korea, and Taiwan). Each chapter is a detailed description of each country's structure and behavior in the development of product and process technologies, and catalogues the innovation strategies of each country, covering topics including historical analysis of technological development, breakdown of industries, and investigation of these institutions in terms of R&D expenditures and their influence. Differences in the innovative patterns include size and resource endowments, national security considerations, and historical and social beliefs. Factors leading to effective innovative performance include strong core competencies, high-quality education and training, and stable and facilitative economic and trade policies. A final retrospective chapter compares and contrasts the various innovation systems. It assesses whether identifying an innovation system is useful, considers whether national institutions matter when commerce and technology are becoming transnational, and reflects on the future of national systems in such a world. (TNM)
Information and communication technology now enables firms to collect detailed and potentially intrusive data about their customers both easily and cheaply. This means that privacy concerns are no longer limited to government surveillance and public figures' private lives. The empirical literature on privacy regulation shows that privacy regulation may affect the extent and direction of data-based innovation. We also show that the impact of privacy regulation can be extremely heterogeneous. Therefore, we argue that digitization means that privacy policy is now a part of innovation policy.Institutional subscribers to the NBER working paper series, and residents of developing countries may download this paper without additional charge at