Privacy and Innovation: From Disruption to Opportunities
Marc van Lieshout
© Springer Science+Business Media Dordrecht 2016
S. Gutwirth et al. (eds.), Data Protection on the Move,
Law, Governance and Technology Series 24, DOI 10.1007/978-94-017-7376-8_8
Abstract In this chapter I present an approach to privacy from the perspective of
innovation theory. I bring two conceptual approaches together. First, I disentangle
privacy into three interconnected concepts: information security, data protection
and the private sphere. Each of these concepts has its own dynamics and refers
to a specific logic: technology in the case of information security, regulation in the case
of data protection and society in the case of the private sphere. By interconnecting
them, a more nuanced perspective on the innovative incentives stemming from privacy
considerations arises. Second, innovation is considered to be hampered by
market and system imperfections. These imperfections reduce the efficiency of
the innovation system. Analysing which imperfections exist helps in overcoming
them by identifying adequate counter-strategies. I will use a policy study that has
been performed for the Dutch Ministry of Economic Affairs to elaborate the relation
between privacy and innovation in more detail. The resulting tone is optimistic:
during the study several indications for a more privacy-respecting approach by
firms were found. Still, the challenges to be addressed are huge.
Keywords Privacy · Innovation theory · Market and systems imperfections ·
Information security · Data protection · Privacy and innovation
M. van Lieshout (*)
TNO Strategy & Policy, Van Mourik Broekmanweg 6, 2628 XE Delft, The Netherlands

Many organisations perceive privacy as an ‘innovation killer’. Innovative applications
which make use of personal data are constrained because they need to meet
legal obligations. Data mining and data analytics are at the forefront of today’s
information and communication technologies (ICTs).1 For data analytics, ‘purpose
speciﬁcation’—that needs to be articulated before data collection and processing
are to take place—seems to be a relic of past times. In a similar way the ‘Right to
be Forgotten’2 is considered to complicate business processes of organisations that
collect vast amounts of personal data. Google, being brought to court by a Spanish
citizen and convicted in a ruling by the European Court of Justice (May 13, 2014),
faces an on-going stream of requests to remove speciﬁc links from the results of a
search query.3 According to the court ruling, justiﬁed requests must refer to
removal of data being “inaccurate, inadequate, irrelevant, or excessive”.4 So, not
all personal data will be removed on request from search queries but only data that
are inaccurate, inadequate, irrelevant or excessive, categories that are hard to
deﬁne with precision. Google received more than 220,000 requests in the months
following upon the publication of the rulings. As a consequence, Google stated
that it will look to speciﬁcs within the legal framework of the European Union in
order to stay ahead of new requirements that need to be met.5 It established an
advisory network that will try to discover common terms and approaches to deal
with the various requests.6
This illustration is interesting: though it seems to show that regulation may
stiﬂe innovation (Larry Page, Google’s CEO, warned that the ruling “could dam-
age the next generation of Internet start-ups and strengthen the hand of repres-
sive governments inclined to restrict online communication”7), the ruling could
force Google to be creative and think of novel ways to deal with the thousands of
requests that ﬂood its ofﬁces. Up till now, Google allegedly uses man power to
deal with the requests, and has not introduced other more innovative
1World Economic Forum, Unlocking the value of personal data: from collection to usage (World
Economic Forum 2013).
2European Court of Justice (2014). Factsheet on the ‘Right to be Forgotten’ Ruling (C-131/12),
March 4, 2015).
controversial-ruling-boundary-between (visited March 4, 2015).
4European Court of Justice (2014, p. 2).
right-to-be-forgotten (visited March 4, 2015).
6https://www.google.com/advisorycouncil/ (visited March 12, 2015).
be-forgotten-could-stiﬂe-innovation-and-empower-repressive-regimes/ (visited March 4, 2015).
(visited March 4, 2015).
A Dutch example shows how organisations may retreat to a combination of
organizational and technical innovations to deal with potential issues of privacy
invasion. The Dutch railway organization, NS, had acquired negative attention
some years ago with the introduction of the ‘OV-chip’ card, a contactless RFID-based
public transport card. The Dutch Radboud University showed in 2008 that
the OV-chip could easily be hacked.9 The chip in use was an old and basically out-
dated version of the MiFare Classic chip, with a modest level of protection. While
this vulnerability could only indirectly be attributed to the Dutch railway organiza-
tion (it was NXP10 that sold the relatively unsecure chips to TransLink Systems,
the organisation that introduced the OV-chip into the Dutch public transport sys-
tem), the NS still was publicly held responsible. TransLink Systems had been
warned as early as 2005 by the Dutch Data Protection Authority that it should
reﬁne its procedures and guidelines under which data collected through the OV-
chip would be used for business and client purposes. In 2010, the Dutch DPA
warned TransLink Systems, the Dutch NS and two other public transport providers
(of two major Dutch cities) that they did not provide sufﬁcient detail on how they
would use collected data of students travelling with the student version of the pub-
lic transport card.11 As a result of the negative experiences and the negative public
image, NS appointed a privacy ofﬁcer who is able to halt projects and activities
that could be invasive to customer privacy, and who has the responsibility to safeguard
the privacy of travellers in NS activities.12 Since then, NS has adopted several
policies in which it consciously incorporates privacy considerations. One example
is the monitoring of passenger movements on railway stations, a relevant activity
for both the spatial organisation of railway stations and for determining economic
hotspots within the railway station. NS used a system in which infrared detection
of passengers was combined with using MAC addresses of Bluetooth and WiFi
connections that were used by passengers. To prevent identiﬁcation by MAC
addresses, these addresses were complemented with information about the day on
which the monitoring took place, and the resulting data were subsequently one-
way hashed. An encompassing information policy that also included procedures
for removal of data that were not needed anymore and campaigns to raise aware-
ness by the employees who had access to the data, complemented the NS
This creative and innovative approach shows that privacy may have interesting
innovation consequences as well. At the same time, NS does not publicly convey
this image of respecting privacy in its activities. In our research we have met with
9https://ovchip.cs.ru.nl/Main_Page (visited March 4, 2015). The hack took place in 2008.
10The MiFare chip was originally a product produced by Philips, but at the time the hack became
public, the chips were made and sold by NXP, the successor of Philips.
met-de-wet (visited March 4, 2015).
12Arnold Roosendaal et al., Actieplan Privacy (Delft: TNO-report R11603, 2014), 24 ff.
13Roosendaal, 24 ff.
a number of organisations that all express the intention to respect consumer pri-
vacy, but which all are hesitant to advertise this fact.14
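The NS passenger-monitoring scheme described above (MAC address complemented with the day, then one-way hashed), as an added example that is not part of the original chapter and is not NS's own code. SHA-256, the ISO date encoding, the sample sightings and the keyed `DailyKeyedPseudonymiser` variant are assumptions introduced here; the variant goes beyond the text to show the same day-scoped design with a secret that is discarded daily.

```python
"""Added example: day-scoped pseudonymisation of MAC addresses for footfall counting."""
import hashlib
import hmac
import secrets
from collections import defaultdict
from datetime import date


def normalise_mac(mac: str) -> bytes:
    """Return the 6 raw bytes of a MAC written with ':', '-' or '.' separators."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def day_hash(mac: str, day: date) -> str:
    """Scheme as the text describes it: MAC complemented with the day, then hashed.

    SHA-256 and the ISO date encoding are assumptions; the page names neither.
    """
    return hashlib.sha256(normalise_mac(mac) + day.isoformat().encode()).hexdigest()


class DailyKeyedPseudonymiser:
    """Assumed hardened variant: HMAC under a random key that lives for one day.

    An unkeyed hash of a 48-bit identifier plus a known date can be recomputed by
    anyone able to enumerate candidate addresses. A key that is never stored and
    is overwritten at the day boundary removes that option once the day is over.
    """

    def __init__(self) -> None:
        self._day = None
        self._key = b""

    def __call__(self, mac: str, day: date) -> str:
        if self._day is None or day > self._day:
            self._key = secrets.token_bytes(32)  # the previous day's key is dropped
            self._day = day
        elif day < self._day:
            raise ValueError("key for an earlier day has already been discarded")
        return hmac.new(self._key, normalise_mac(mac), hashlib.sha256).hexdigest()


def zones_per_pseudonym(observations, pseudonymise):
    """Group sightings into {day: {pseudonym: [zones in the order seen]}}."""
    result = defaultdict(lambda: defaultdict(list))
    for day, zone, mac in observations:
        result[day][pseudonymise(mac, day)].append(zone)
    return {day: dict(per_day) for day, per_day in result.items()}


def pseudonyms_seen_on_multiple_days(observations, pseudonymise) -> int:
    """Count pseudonyms that recur across days; 0 means days cannot be linked."""
    days_seen = defaultdict(set)
    for day, _zone, mac in observations:
        days_seen[pseudonymise(mac, day)].add(day)
    return sum(1 for days in days_seen.values() if len(days) > 1)


# Constructed sample sightings (day, station zone, MAC). The MACs are made up and
# have the locally administered bit set, so they belong to no vendor.
D1, D2 = date(2015, 3, 4), date(2015, 3, 5)
SAMPLE = [
    (D1, "entrance", "02:00:00:aa:bb:01"),
    (D1, "shops", "02-00-00-AA-BB-01"),      # same device, different notation
    (D1, "platform", "02:00:00:aa:bb:01"),
    (D1, "entrance", "02:00:00:aa:bb:02"),
    (D2, "entrance", "02:00:00:aa:bb:01"),   # same traveller, next day
    (D2, "platform", "02:00:00:aa:bb:01"),
]

if __name__ == "__main__":
    # A fresh pseudonymiser per pass: the keyed variant refuses to go back a day.
    schemes = {"day_hash": lambda: day_hash, "daily HMAC": DailyKeyedPseudonymiser}
    for name, make in schemes.items():
        print(name)
        for day, routes in zones_per_pseudonym(SAMPLE, make()).items():
            print(" ", day, "visitors:", len(routes), "routes:", sorted(routes.values()))
        print("  pseudonyms linkable across days:",
              pseudonyms_seen_on_multiple_days(SAMPLE, make()))
```

Both schemes keep within-day routes intact for station planning while giving a traveller a different pseudonym each day; only the keyed variant also prevents recomputing a pseudonym from a known address and date.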
Privacy and innovation thus do not really seem to merge in an easy and conven-
ient manner. In this chapter I will start with presenting a pragmatic perspective on
privacy, by disentangling it into three intersecting circles: information security,
data protection and the private sphere. Then I will present some studies that
researched the relationship between privacy and innovation. The next section
introduces innovation theory and especially the existence of market and system
imperfections as a conceptual approach to understanding how privacy and innova-
tion practices can be related. This will be followed by a discussion of the results of
a study the PI.lab performed for the Dutch ministry of Economic Affairs on pri-
vacy and innovation. The PI.lab is an expertise centre, formed by the Dutch organ-
isations, Radboud University, SIDN, Tilburg University and TNO.15 The study
was dedicated to studying how Dutch businesses dealt with privacy requirements
in their practices and policies. The concluding section will add some perspectives
on research in this ﬁeld.
2 The Concept of Privacy
Many authors have presented views on privacy.16 In this paper, I will explore a dif-
ferent kind of approach, one that will start by distinguishing three main pillars.
The European Charter of Fundamental Rights distinguishes between a right to pri-
vacy (article 7) and a right to the protection of personal data (article 8).17 While
the right to privacy relates to fundamental notions of the integrity of the body, the
intimacy of the family, the sacrosanct place of the house and the right to conﬁden-
tial communications, the right to data protection refers to fundamental principles
to be obeyed when personal data are at stake. These principles are articulated in
the present EU directive on data protection.18 One of these principles is the principle
that data controllers and processors should take appropriate technical and
14We did not publish on this issue, but we encountered this attitude at a number of Dutch organi-
sations. A few of these will be mentioned in this article.
15See http://pilab.nl/ (visited March 12, 2015).
16See for instance Rachel Finn, David Wright, and Michael Friedewald, “Seven types of privacy”,
in Serge Gutwirth, Yves Poullet et al. (eds.), European Data Protection: Coming of Age (Dordrecht:
Springer, 2013) who present a challenging sevenfold dimensioning of privacy, based on previous
work by amongst others Roger Clarke.
17EC, Charter of Fundamental Rights of the European Union, (Brussels: Ofﬁcial Journal of the
European Communities, C 364/1, 2000).
18For the FIP, see Robert Gellman, Fair Information Practices: A Basic History, http://bobgellman.com/rg-docs/rg-FIPShistory.pdf (visited March 9, 2015). The title of the EU Data Protection
Directive 95/46/EC states: “[O]n the protection of individuals with regard to the processing
of personal data and on the free movement of such data”. See: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML (visited March 9, 2015).
organisational measures for safeguarding the security of the systems that store and
process personal data. Together with the right to privacy and the right to data pro-
tection this leads to the following scheme (see Fig. 1).
The ﬁgure presents three intersecting circles with distinct orientations:
1. Information security focuses on technical requirements stemming from the
treatment of personal data and the basic principles used in information security:
conﬁdentiality of data, integrity of data and availability of data.19
2. Data protection focuses on legal and regulatory issues stemming from laws and
regulations, such as the EU directive on protecting personal data, 95/46/EU20 and
the ePrivacy directive (2002/58/EU), in line with the OECD Fair Information
Principles and Practices.21
3. The Private sphere focuses on issues of individual privacy, the autonomy of the
individual, the safeguarding against interference by others and the ability to
determine one’s life.
Choice, control and consent are the three basic principles that relate to each of the
circles. By subdividing the discourse on privacy in these three domains I try to
overcome the following barriers:
1. The discussion on privacy issues is often obfuscated by the dominance of
technical issues (encryption as the key to all privacy problems) over societal
19Mark Stamp, Information Security—Principles and practice (Hoboken, New Jersey: John
Wiley & Sons, 2006): p. 2.
20With the 95/46/EC directive to be replaced by the General Data Protection Regulation in due time.
21See http://oecdprivacy.org/ (visited March 5, 2015).
Fig. 1 Conceptual relations between private sphere, data protection and information security
and regulatory ones.22 Information security clearly plays a role, but it is obvi-
ous that good technical solutions cannot ﬁx everything.
2. Gutwirth and Gellert argue that data protection is based on the deﬁnition of a
number of procedures on how to deal with personal data, while privacy deals
with social phenomena such as autonomy and the right to self-fulﬁlment. These
latter issues always need to be assessed in a speciﬁc context. No general rules
or procedures are available to decide if and in what sense privacy is infringed.23
When dealing with issues in which personal data and privacy play a role we
need both perspectives (the procedural and the so-called substantive one). In
the scheme I use I address both aspects separately.
3. Data protection is often considered to be the domain of lawyers and legally
trained professionals. However, the legal perspective alone is not at all sufﬁ-
cient to cover relevant DP issues. By separating the DP-approach from the pri-
vate sphere and the security approach I intend to both emphasize the relative
relevance of the legal (procedural) issues which are brought forward by the
data protection legislative frameworks while keeping a strict eye on the techni-
cal and societal dimensions which are explicit parts of these frameworks as
The ﬁgure presents and reconciles the various dimensions one has to deal with
when personal data are at stake. Innovation processes play a role in each of the
three domains. Innovation in security processes relates to new encryption tech-
niques, such as homomorphic encryption. These encryption techniques can be part
of the ‘appropriate organisational and technical measures’ which are requested in
the data protection regulations. Data protection impact assessments and data pro-
tection audits are examples of organisational innovations. And new approaches
which combine technical, organisational and user-related dimensions, such as
information processes that use data vaults, are an example of a more complex and
multidimensional innovation process, directed at enhancing autonomy, choice and
control by the data subjects.25
22One telling example is the response of Phil Zimmermann during the panel on privacy innovations,
who responded to a question on whether privacy was more than securing data, that, indeed,
in the end it all comes down to using encryption for safeguarding data. In my view, which I also
introduced during the panel, this perspective falls short of capturing what privacy is about.
23Raphael Gellert and Serge Gutwirth. “The legal construction of privacy and data protection”
Computer Law and Security Review (CLSR) 29 (2013): 522–530.
24One interesting issue in this respect is the capabilities data protection ofﬁcers need to have.
In the Directive and the Regulation it is emphasized that DPOs should have sufﬁcient legal ánd
technical knowledge. Given the need for additional DPOs (triggered by the new Regulation) one
would expect multidisciplinary vocational courses to emerge that teach basic and advanced legal
ánd technical insights.
25Examples of these innovations will be provided in the next section. One example relates to the
opportunity to organize one’s CV in a data vault, thereby anticipating on the increasing num-
ber of self-employed professionals who need to convey their professional details to (potential)
3 Privacy and Innovation—A Conceptual Framework
According to the OECD Manual on innovation, innovation is either ‘something
new to the ﬁrm, something new to the market or something new to the world’.26
Over the years, the OECD has expanded its deﬁnition of innovation in order to
capture a broader array of activities: in addition to technological innovations,
organisational innovations have become part of the deﬁnition. New production
methods, new service distribution models, new ways of organising the collection
and distribution of data within an organisation are all examples of innovation.
Theoretical and conceptual approaches on the differences between the service ori-
ented character of many business practices today and the older industry-led pro-
duction model have led to variations on the traditional ‘innovation-diffusion’
model, but the main elements of this model are still in place.27
Innovation systems face different kinds of imperfections. One such imperfection
is, for instance, a regulatory framework that is not up to date and that blocks inno-
vative activities because it forbids speciﬁc services that are part of a novel
approach of businesses.28 Modelling imperfections from an innovation systems
perspective has led to the identiﬁcation of market and system imperfections.29 The
model I use identiﬁes ﬁve categories of imperfections that can arise in the innova-
tion system and four categories of imperfections that can arise in the functioning
of the market (Table 1).
3.1 Market Imperfections
Market imperfections refer to imperfections in the functioning of a market. These
imperfections may have consequences for individuals, an example being the exclusion
from specific products or services.
26OECD Oslo Manual (1997). The measurement of Scientiﬁc and Technological activities—Proposed
guidelines for collecting and interpreting technological innovation data. http://www.oecd.org/science/
inno/2367580.pdf (visited March 4, 2015).
27Richard Barras, “Towards a theory of innovation theory in services”, Research policy 15 (4)
(2000): 161–173. Everett M. Rogers, Diffusion of Innovations (5th edition) (New York: Free
28This illustration could be applied to the example I provided before on purpose speciﬁcation in
data analytics situations. Purpose speciﬁcation as such may not be sufﬁcient to block an innova-
tion in the ﬁeld of data analytics, but combined with other regulatory requirements it may hinder
29Martijn Poel, The impact of the policy mix on service innovation—The formative and
growth phases of the sectoral innovation system for internet video services in the Netherlands,
(Enschede: GildeprintDrukkerijen 2013). Poel discusses these imperfections as market and
systems failures. In a study project I have been part of in recent years, some participants urged
to use the less intrusive vocabulary of ‘imperfections’ instead of ‘failures’. I will follow this
approach in this contribution.
Externalities and spill-overs refer to the situation in which the activities of one
party have consequences, or spill over to other parties. These spill-overs can be of
different kinds: knowledge spill-overs, market spill-overs or network spill-overs.30
A well-known example of a positive spill-over relates to the so-called network
externalities: in a service which relies on the exchange between its participants (a
social media app for instance), each participant proﬁts from the addition of a new
Public goods are goods that embody public values, such as knowledge that
could become available to everyone who would like to use it. Non-exclusivity
however could be a barrier for innovation. When no party is able to capture the
competitive advantages of exclusive knowledge no one is willing to invest in real-
ising this knowledge. But exclusive availability of knowledge may hinder innova-
tion as well since only one party may capture the beneﬁts. Open innovation
approaches, in which knowledge is shared in order to enhance the beneﬁts for all,
have been shown to offer advantages, especially in the domain of information and
communication technologies where network effects are important.31
Information asymmetry refers to differences in access to relevant information.
App developers, for instance, are usually small firms32 which cannot afford to
invest in coping with the peculiarities of privacy regulations. They cannot compete
with larger organisations who can afford to hire a privacy officer. Information
asymmetry may also refer to the relationship between firms and customers, in
which a customer usually lacks detailed insights on what a firm knows and can do
with information collected about the individual.
30James Medhurst et al., An economic analysis of spill overs from programmes of technologi-
cal innovation support, (Report prepared for ICF GHK 2014). https://www.gov.uk/government/
31Eric von Hippel and Georg von Krogh, “Open Source Software and the “Private-Collective”
Innovation Model: Issues for Organization Science.” (MIT Sloan School of Management
Working Paper 4739-09, 2009).
32See for instance the EC Green Paper on Mobile Health (COM(2014) 219 final), which indicates
that 64 % of mobile app firms have fewer than 10 employees (p. 7).
Table 1 Categories of market and system imperfections
Poel (2013, pp. 55–56)

Market imperfections       | Imperfections in the innovation system
Externalities/spill-overs  | Imperfections in infrastructural provision and investment
Public goods               | Lock-in or path dependency
Information a-symmetry     | Institutional imperfections
Market power               | Interaction failures
Market power refers to market dominance. Facebook is a clear example.
Facebook has captured over one billion users. The mere presence of so many
‘peers’ on Facebook makes Facebook an interesting medium. Privacy-respecting
alternatives to Facebook, such as Diaspora,33 face the problem of not offering the
same level of customer spread as Facebook does. Competing with the market
dominance of Facebook is not an easy challenge.
3.2 Systems Imperfections
Imperfections in the innovation system refer more exclusively to arrangements
between parties (ﬁrms, governments and customers) that block the process of
innovation. These imperfections can be of various kinds as well.
Imperfections in infrastructural investments relate to those provisions that cre-
ate opportunities to offer new services and products. The roll-out of broadband
and 4G telecommunications networks is one such provision that is deemed essen-
tial to keep the innovation fabric running. Up till the nineties of the past century
these infrastructures were considered public goods. Since then, market forces
determine the creation of new infrastructures. Public intervention may be neces-
sary to guarantee availability of new infrastructure in locations which are hardly
interesting from a commercial perspective. Another example of such interventions
is the case concerning network neutrality. The US Federal Communications
Commission decided on February 26, 2015 that ﬁrms had to obey the principle of
network neutrality.34 No price competition on network bandwidth is allowed. In
the European Union, a similar debate is going on, with the Commission leaning
towards favouring net neutrality but as yet no clear decision has been made.35
Lock-in or path dependencies relate to the restriction of choice once a choice
for a system has been made. The dominance of Microsoft in previous decades with
its Windows Operating System and the dominance of Apple with its closed plat-
form are examples. Lock-in creates ﬁxed avenues of innovation. For customers it
means that switching costs are high (having to replace all Apple related equipment
and services comes at a high price), while new services need to ﬁt in existing paths
to be interesting to these customers.36
Institutional imperfections refer to failure in the institutional domain to enhance
innovative practices. As a ‘rule’, the regulatory framework lags behind business
practices.37 ‘Purpose speciﬁcation’ for instance, is deemed obsolete, given the
37Technology neutral regulatory frameworks are presented as alternative to this lagging behind,
but—as the example of network neutrality shows—they are difﬁcult to maintain.
changes in collecting and processing personal data. However, the regulatory
framework still requires purposes to be deﬁned as legitimate basis for data pro-
cessing. Other imperfections could relate to a failing supervisory authority, for
instance, one that lacks sufﬁcient manpower to exercise all its responsibilities.
Imperfections in the interaction between the dominant players within an inno-
vation network may result in sub-optimal solutions. These could lead to missing
out opportunities because of groupthink among the most dominant actors.38
Capabilities imperfections refer to a sector’s lack of skills and competences to
fully capture the beneﬁts of an innovation. Again, the size of the average app ﬁrm
(64 % fewer than 10 employees) may lead to problems in capturing relevant devel-
opments taking place in the app market. Such developments relate to privacy as well.
While this set of market and system imperfections relates to innovation systems
in general, the imperfections can also be related to issues concerning privacy. One such
issue is privacy by design. Promoted by the Canadian Information and Privacy
Commissioner Ann Cavoukian39 and adopted by the international data protection
authorities at their 31st international conference in Madrid,40 privacy by design is
one of the placeholders in the new Regulation.41 Considering privacy by design as
an innovative practice enables analysing the impact of potential market and systems
imperfections on the rise and spread of privacy by design.
4 Privacy and Innovation: It Takes Two to Tango?
An oft-heard statement is that privacy has a stiﬂing effect on innovation. In a report
that formed the basis of a statement for the US Government, Lenard and Rubin
concluded that “the ‘familiar solutions’ associated with the Fair Information
Principles and Practices are a potentially serious barrier to much of the innovation
we hope to see from the big data revolution.”42 However, empirical evidence on the
relation between privacy and innovation is scarce. One article which empirically
studied the impact of privacy regulations on business processes, concluded that the
overall consequences of having to deal with privacy are negative.43 The authors
38Martijn Poel, The impact of the policy mix on service innovation—The formative and
growth phases of the sectoral innovation system for internet video services in the Netherlands,
(Enschede: Gildeprint Drukkerijen, 2013), 56.
39Ann Cavoukian, Privacy by design—Take the challenge, (Ontario 2009).
41Article 23 of the proposed General Data Protection regulation deals with data protection by
design and by default.
42Thomas M. Lenard and Paul H. Rubin, The Big Data revolution—Privacy Considerations,
(Washington: Technology Policy Institute, 2013), 3.
43Avi Goldfarb, and Catherine Tucker, “Privacy and innovation”, In: Josh Lerner and Scott Stern
(eds.), Innovation Policy and the Economy. (Chicago: University of Chicago Press), 65–89.
studied the consequences of privacy regulations on the adoption of Electronic
Medical Records (EMRs) in the United States. They were able to show that adopt-
ing privacy regulations had a negative impact (compared to having no regulation)
on the adoption of EMRs, which was subsequently shown to have detrimental
effects on the quality of care delivered. The study focused on neonatal mortality
rates. The research showed a decrease in the number of incidences when a hospital
had access to EMRs, which enabled exchange of patient information in critical sit-
uations. Doctors in hospitals that did not utilize EMRs were not able to consult all
available information on a patient’s health situation (in this case of new-born
babies), which could have detrimental effects on the patients. The authors con-
cluded that privacy regulations explained about 5 % of the variation in EMR adop-
tion.44 The authors also studied on-line advertisements and showed that privacy
considerations have a signiﬁcant effect on the efﬁciency of online advertisements
and thus on online advertisement revenues. Targeted advertisements were 65 %
more effective than advertisements that could not use targeting information to
address dedicated groups of customers. The authors conclude that “privacy protec-
tion will likely limit the scope of the advertising-supported internet” and that
“without targeting, it may be the case that publishers and advertisers switch to
more intentionally disruptive, intrusive, and larger ads.”45 A final conclusion is
quently has potential consequences for innovation and economic growth.”46
In another study, performed for the European Parliament, the relation between
privacy and innovation was split in four different segments (see Fig. 2).47
44Avi Goldfarb, and Catherine Tucker, 81.
45Avi Goldfarb, and Catherine Tucker, p. 77.
46Avi Goldfarb, and Catherine Tucker, p. 85.
47Jonathan Cave et al., Does it help or does it hinder? Promotion of innovation on Internet and
citizen’s right to privacy, (Brussels: European Parliament, 2011).
Fig. 2 Relation between privacy and innovation (Cave et al. 2011, p. 10)
The fourfold relationship between privacy and innovation was investigated in a
number of case studies (biometrics, cloud computing, online behavioural advertise-
ment, RFID and location based services). The overall conclusions of the study are
that innovation practices hardly take notice of privacy concerns and that the domi-
nant logic within these practices promotes innovation at the expense of privacy. The
conceptual approach adopted in the study for innovation enabled the study to dif-
ferentiate between various aspects of innovation (technological dimension, organi-
sational dimension, regulatory dimension and user perspective). Emergent new
technologies are based upon opportunities to collect sensitive personal data (gene
technologies, biometrics) and to collect an ever broader array of personal data
(RFID sensor data and location based services). Awareness of these practices and
developments within organisations and user constituencies is low or absent. The
study recommends distinguishing between normative dimensions of privacy and an
economic dimension of privacy.48 Policy interventions should relate to a number of
issues such as clarifying consent, offering more ﬁne-grained privacy rights and
checking for possibilities to reconcile privacy and economic regulations.49
5 Action Plan Privacy—The Dutch Situation
The preceding section explored a number of perspectives related to privacy and
innovation. Some of the studies I presented show that adherence to privacy
demands blocks innovation, and may have detrimental impacts on relevant societal
practices such as health care. According to these studies, privacy blocks innova-
tion, or stated the other way around, adopting innovation practices means giving
up on privacy. In order to better unravel the processes of innovation that are at
stake I introduced a conceptual approach towards privacy that distinguishes
between the technical (emphasized by information security), legal/regulatory
(emphasized by data protection) and societal (emphasized by the private sphere)
aspects. This conceptualisation enables us to classify between technical innova-
tions, institutionally oriented innovations and societal innovations.50 We used
these distinctions to examine innovative privacy practices in the Netherlands in a
study, commissioned by the Dutch Ministry of Economic Affairs. The study took a
rather optimistic point of departure in presuming that
(a) It is possible to identify innovative practices that promote privacy.
(b) These practices may have a positive economic impact, while safeguarding
privacy as well.
48 Jonathan Cave et al., p. 97.
49 Jonathan Cave et al., pp. 98–100.
50 This does not assume that data protection, for instance, only deals with regulatory innovations.
As the examples in the text indicate, and as is manifest in the cross-cutting of data protection with
information security and the private sphere, data protection deals with technical and societal
innovations as well. The distinctions should help in pinpointing and focusing, reducing complexity.
We adopted as starting point that one can identify a certain willingness to engage
with privacy as an agent of change. A recent report by Deloitte concisely phrases
this in its title that says: “Having it all—Protecting privacy in the age of analyt-
ics.”51 It is not the only expression of a changing mood. In consultancy projects
we are engaged with, several organisations indicated a willingness to include pri-
vacy and data protection in customer oriented services, but were reluctant to ‘go
public’ with this approach.
The Action Plan Privacy was based on three subsequent steps:
1. Inventorying best practices and best technologies that could support practices to
2. Identifying organisations that had already implemented privacy respecting
approaches or that offered privacy respecting services.
3. Analysing these practices from an innovation policy point of view, and arriv-
ing at a set of recommendations to the client, the Dutch Ministry of Economic
In the ﬁrst step, the assumption was that many more privacy tools are available
than is generally presupposed. However, these tools are hardly known and hardly
implemented. The inventory identiﬁed the following three categories of privacy
1. Tools and technologies that are directed at safeguarding privacy within a
service; these tools relate to privacy by design approaches (strategies and
patterns), the use of anonymous credentials and anonymisation and pseu-
donymisation techniques, and standards for information security. Many of
these tools relate to the technical pillar of our approach to privacy, which deals
with information security. Organisational tools in this category relate to Privacy
Impact Assessments (PIAs), Privacy Ofﬁcers, and the use of a Privacy Maturity
Model to identify the level of privacy awareness and privacy actions within an
organisation. These tools relate to the data protection pillar as they take the reg-
ulatory framework as starting point.
2. Tools that are directed towards privacy respecting information architectures and
networks. These are technical (inserting a digital vault for instance) and organi-
sational (sticky policies, development and implementation of context aware pri-
3. Tools that are directed towards enhancing the position of the data subject.
These tools underscore the private sphere pillar of our approach. Examples of
these tools are privacy dashboards, informed consent, private browsing, Do not
track, and the use of TOR networks and encryption. They cover
technological, organisational and regulatory dimensions.
51 Deloitte. Having it all—Protecting privacy in the age of analytics. http://www2.deloitte.com/
content/dam/Deloitte/ca/Documents/Analytics/ca-en-analytics-ipc-big-data.pdf (visited March 5,
The study was not able to identify the use of these tools in practice. It identiﬁed
available technologies and tools, some of them still within the academic world,
some of them already available as a commercial product. Trusted third parties for
instance, are well-known as an approach to cope with sensitive data. And privacy
impact assessments (or: data protection impact assessments) are already intro-
duced in a variety of settings.
Within the second step, some anecdotal evidence was collected on organisa-
tions that had embedded privacy tools and techniques in their organisation. I have
already mentioned the NS. Another organisation that based its primary product on
a privacy respecting approach is CV-OK. CV-OK developed a data vault that indi-
viduals can use for storage of accredited documents such as diplomas and other
reference documents. With the rise of flex contracts, in which employees change
jobs more frequently, and with a rising number of self-employed individuals,
the need for such a data vault is growing. This organisation decided to develop
a secure and privacy respecting data vault that could be used by individuals to
store and forward documents they need when applying for a job or a task. Their
approach embodies an attitude that respects privacy, with the user in control, obey-
ing data protection regulation and using security techniques to realise secure stor-
age and handling of personal data.
The Action Plan Privacy also discussed the role of privacy/data protection ofﬁc-
ers and the role of branch organisations in promoting awareness and reﬂection on
business processes and services that respect privacy. Large organisations in which
personal data is processed need awareness campaigns to raise overall awareness
for how to deal with these data and organisational rules concerning access, use and
management of personal data.
Within the study we identified three sorts of privacy approaches. Privacy as service
enabler refers to firms that adopt approaches that respect privacy in the services
they offer to their clients. The NS is an example of such a firm. These firms
go beyond the mere need for compliance with the data protection regulations and
try to build in user control, choice, and autonomy in their approach. Privacy as a
niche market refers to ﬁrms that bring new and innovative systems and products
for respecting or maintaining privacy on the market. Qiy is an example of such an
approach, where the data subject is able to determine which data are released to
which party for which purposes.52 We concluded that an important challenge for
these niche ﬁrms is to turn niche products into mainstream products. Finally, pri-
vacy as compliance refers to those ﬁrms that adopt a pragmatic approach towards
privacy and seek to comply with the regulatory framework. This could reduce pri-
vacy awareness to a so-called tick box approach, in which minimal effort is
invested in complying with the necessary regulations.
The ﬁnal part of the Action Plan Privacy was identifying the market and systems
imperfections and the presentation of policy recommendations in order to ﬁx these
imperfections. On the market side, ﬁrms do not know what kind of tools and
52 See https://www.qiy.nl/en/ (visited March 9, 2015).
practices are available (information asymmetry). They may experience triggers to
search for privacy respecting approaches, for instance due to regulatory require-
ments. An example is the EU ‘Recommendation on privacy and data protection
principles when using RFID applications’ that promotes the use of PIA when a ﬁrm
develops an RFID application. This Recommendation has however not led to the
widespread adoption of practices to respect privacy when offering RFID applica-
tions.53 Organisations are not (sufﬁciently) aware of the principles they should obey,
and supervision by supervisory authorities is not strict enough to act as a trigger.
This last aspect is a manifestation of institutional imperfections. Imperfections
in market dominance play a role as well. Most large system integrators are rather
reluctant to position themselves as offering privacy respecting architectures, net-
works and services. They hardly advertise their measures to maintain privacy.
Information and cyber security is a relevant market window, but data protection
and privacy are still treated with caution.
The most prominent system imperfections are the institutional imperfections,
the capability imperfections and the interaction imperfections. Supervisory author-
ities do not have the capacity to exert real pressure on the market to obey data
protection regulations. In the Netherlands, a complaint voiced during a consulta-
tion workshop was that the Dutch DPA is not willing to give advice beforehand.
Firms would appreciate the DPA offering a helping hand on which kind of prac-
tices are allowed but the Dutch DPA refrains from providing that service. The
branch organisations indicated that many ﬁrms feel they are missing the capabili-
ties to respond to the regulatory requirements. With the advent of the General Data
Protection Regulation, branch organisations feel that the regulatory requirements
impose larger pressures on data processing organisations without offering sufﬁ-
cient support to cope with these requirements.
A positive outcome of this systems imperfection is the emergence of a maturing
juridical consultancy market that develops new services to help small ﬁrms that
deal with personal data (such as app developers). Unfortunately, it is very prob-
lematic to insert truly new approaches to privacy into the market (sophisticated
trusted architecture and key encryption schemes, for instance). Turning the innovations
into a commercially interesting proposition is difficult. One such initiative
is Qiy. Qiy set itself the objective to realise a structure of secured exchange of
information between various parties such that these parties can share minimal sets
of information in a trusted environment in a manner that respects privacy. Over the
past five years, Qiy has been trying to create a business case for this approach. It needs
consensus with many stakeholders to make the solution it offers attractive (net-
work externalities). At this moment (March 2015) it is not clear whether it will
succeed in its mission to realise such a secured infrastructure with sufﬁcient sup-
port of all relevant stakeholders.
53 See EC, DG CONNECT INTERNAL REPORT on the implementation of the Commission
Recommendation on the implementation of privacy and data protection principles in applications
supported by radio-frequency identiﬁcation, (Brussel 2014).
The examples of Qiy and CV-OK demonstrate that market and system
imperfections need to be addressed to realise a functioning market of privacy
respecting technologies and services. In the Action Plan Privacy we presented a
number of recommendations that are meant to solve or to overcome the experi-
enced market and system imperfections. Information asymmetry requires
awareness campaigns. Branch and interest organisations play a role in estab-
lishing awareness and promoting practical approaches to privacy respecting
solutions. The branch and interest organisations that were consulted indicated
willingness to play such a role. They indicated that the implementation of the
General Data Protection Regulation, which is now expected to be realised at the
end of 2015, forms an important trigger for informing their customers on what
needs to be done.54 Institutional imperfections are more difﬁcult to address.
The implementation of the GDPR is a trigger for ﬁrms to check whether their
approach is still privacy compliant or needs to be attuned. The requirement to
have a data protection ofﬁcer appointed will lead to the need for more skilled
and trained data protection ofﬁcers. From the perspective I sketched in this
chapter such a data protection ofﬁcer should have capabilities on the technical,
the legal and the organisational domain. This is also the way the capabilities are
phrased in the GDPR (and in the current data protection directive).
Awareness of the societal role of privacy is growing. Firms are starting to realise that
privacy itself can be an innovative agent of change. By inserting privacy principles
in the innovation equation, innovative systems can be implemented that realise pub-
lic and economic value by making use of personal data and that meet privacy expec-
tations. In this chapter I used the approach of market and systems imperfections to
address innovation. Overcoming identiﬁed market and system imperfections is a
way to realise innovative capacity. Privacy was addressed in terms of three inter-
connected spheres of inﬂuence: the private sphere, data protection and information
security. Each of these spheres is characterised by a dominant logic: technological
principles in the case of information security, regulatory principles in the case of
data protection and societal principles in the case of the private sphere. By having
this split, it is possible to have a separate look at what is needed from a technical
perspective, a regulatory perspective and a societal perspective. Issues dealing with
privacy and innovation should look for innovation in each of the spheres.
The Dutch Action Plan Privacy, commissioned by the Dutch Ministry of
Economic Affairs and performed by the PI.lab (in which TNO participates), was
used to discuss the innovative capacities of privacy. The Action Plan Privacy
54 The full implementation period of the GDPR will last for two years. Starting at the end of 2015
thus implies that the GDPR will be fully effective at the end of 2017.
concluded that three strategies can be utilized by ﬁrms to become more respectful
of privacy: a ﬁrm could decide to embed privacy in their service activities (privacy
as service enabling), a ﬁrm could develop new niche products that help protect pri-
vacy (privacy as a niche market), and a ﬁrm could decide to restrict itself to being
compliant (privacy as compliance). Examples of ﬁrms using the ﬁrst strategy are
privacy sensitive ﬁrms that deal with personal data as a by-product. Examples of
ﬁrms using the second strategy are innovative ﬁrms offering privacy respecting ser-
vices and systems. Examples of ﬁrms using the third strategy are ﬁrms that take the
regulatory framework as starting point and seek the easiest way to be compliant.
Overall, the Action Plan has an optimistic tone with respect to the opportunities
privacy offers as an innovation strategy. The upcoming General Data Protection
Regulation already inﬂuences privacy behaviour of ﬁrms. Firms realise they might
have to strengthen their privacy proﬁle to keep on track with the requirements of
the new GDPR. A second important motive is that ﬁrms realise that negative inci-
dents have a considerable impact on their reputation. In a number of situations, a
direct link can be made between how a ﬁrm treats privacy matters and a confronta-
tion with an incident with a severe impact on that ﬁrm. Thirdly, emerging technical
and organisational solutions help to avoid the ‘all or nothing’ approach that seems
to hinder privacy innovations. System integrators start to implement privacy solu-
tions that can be tuned to the speciﬁc requirements of a ﬁrm. Privacy by design
strategies and patterns help in ﬁne-tuning solutions to the speciﬁc systems in use.
Internal Data Protection Ofﬁcers and awareness campaigns promote privacy
respecting attitudes in organisations. Instruments such as PIA become standard-
ised. Consultancy ﬁrms help to implement these tools and check for compliance of
existing data processing approaches. These activities help in overcoming identiﬁed
market and systems imperfections and in embedding an approach that respects pri-
vacy as part of a competitive ﬁrm strategy. Government intervention is necessary
to help organise a business climate that respects privacy.55
However, we need to balance this optimistic tone with the following observa-
tions. Firstly, the emergence of personal data markets will continue to put pressure
on protecting privacy. Secondly, the continuing development of an ‘app-econ-
omy’, in which many small ﬁrms whose business model is almost exclusively
based on collecting, processing and disseminating personal data, will pose serious
problems in controlling whether appropriate data protection strategies are imple-
mented and secured.
An active approach by public and private organisations (governmental organisations
included) is a prerequisite for having the best of both worlds: innovative practices,
creating economic and public value, and new services that truly respect the privacy
of their customers.
55 The Ministry of Economic Affairs published a policy letter on Big Data and Privacy in which
it underscores the relevance of a privacy respecting approach towards big data and in which it
stated that the recommendations of the Action Plan Privacy should be implemented by a working
group that the Ministry will establish on Big Data and Privacy.
Acknowledgments I would like to thank Arnold Roosendaal (TNO, PI.lab) and the anonymous
reviewers for their constructive comments on earlier versions of this chapter.
Barras, Richard. 2000. Towards a theory of innovation theory in services. Research Policy 15(4):
Cave, Jonathan, Marc van Lieshout, Neil Robinson, Rebecca Schindler, Gabriela Bodea, and
Linda Kool. 2011. Does it help or does it hinder? Promotion of innovation on Internet and
citizen’s right to privacy. Brussels: European Parliament.
Cavoukian, Anne. 2009. Privacy by design—Take the challenge. Ontario: Information and
Privacy Commissioners Ofﬁce.
Edquist, Charles. 1997. Systems of innovation: Technologies, institutions and organizations. Pinter.
European Commission. 2000. Charter of fundamental rights of the European Union. Brussels:
Ofﬁcial Journal of the European Communities C 364/1 Brussels.
European Commission. 2014. DG CONNECT internal report on the implementation of the
Commission Recommendation on the implementation of privacy and data protection princi-
ples in applications supported by radio-frequency identiﬁcation. Brussel.
European Court of Justice. 2014. Factsheet on the ‘right to be forgotten’ ruling (C-131/12).
Finn, Rachel, David Wright, and Michael Friedewald. 2013. Seven types of privacy. In European
data protection: Coming of age, ed. Serge Gutwirth, Yves Poullet, et al. Dordrecht: Springer.
Gellert, Raphael, and Serge Gutwirth. 2013. The legal construction of privacy and data protec-
tion. Computer Law and Security Review (CLSR) 29: 522–530.
Goldfarb, Avi, and Catherine Tucker. 2012. Privacy and innovation. In Innovation policy and the
economy, ed. Josh Lerner, and Scott Stern, 65–89. Chicago: University of Chicago Press.
Hippel, Eric von, and Georg von Krogh. 2009. Open source software and the “Private-Collective”
innovation model: Issues for organization science. MIT Sloan School of Management
Working Paper 4739-09.
Lenard, Thomas M., and Paul H. Rubin. 2013. The big data revolution: Privacy considerations.
Washington: Technology Policy Institute.
Medhurst James, Joel Marsden, Angina Jugnauth, Mark Peacock, Jonathan Lonsdal. 2014. An
economic analysis of spillovers from programmes of technological innovation support. Report
prepared for ICF GHK.
Nelson, Richard R. 1993. National innovation systems: A comparative analysis. Urbana:
University of Illinois.
Poel, Martijn. 2013. The impact of the policy mix on service innovation—The formative
and growth phases of the sectoral innovation system for internet video services in the
Netherlands. Ph.D thesis, Technical University Delft, Delft.
Rogers, Everett M. 2003. Diffusion of innovations, 5th ed. New York: Free Press.
Roosendaal, Arnold, Marc van Lieshout, Colette Cuijpers, and Ronald Leenes. 2014. Actieplan
Privacy. Delft: TNO-report R11603.
Solove, Daniel. 2002. Conceptualizing privacy. California Law Review 90(4): 1087–1155.
Stamp, Mark. 2006. Information security: Principles and practice. Hoboken, New Jersey: Wiley.
World Economic Forum. 2013. Unlocking the value of personal data: From collection to usage.
World Economic Forum.