Computers & Security

Volume 99, December 2020, 102065
Assessing country-level privacy risk for digital payment systems

https://doi.org/10.1016/j.cose.2020.102065

Abstract

As we evolve in the digital age, new risks have emerged and are increasing the complexity of existing global digital ecosystems. These include privacy risks from cyberattacks and the threat of data misuse. Such privacy risks negatively affect consumer confidence, the reputation of an entity, and international consumerism. Prior studies have examined country-level risks, including economic, political, and financial risks; however, very little research has paid attention to country-level privacy risk. In this study, we focus on a key aspect of digital ecosystems, i.e., Digital Payment Systems (DPS). More specifically, we analyze the privacy policies of Mobile Wallets and Remittance (MWR) apps, a component of DPS that contributes to privacy debates, to assess their compliance with the General Data Protection Regulation (GDPR) in order to create a country-level privacy risk index for DPS. We create a framework to help convey country-level risks concerning DPS and inform comprehensive policy recommendations. The study reveals country-level data privacy and protection practices and provides recommendations for country-level risk assessment exercises. The research contributes to the digital payment ecosystem, privacy risks, privacy policy and regulatory compliance literature.

Introduction

The unprecedented change in the digital ecosystem has ushered in new risks and added complexity to existing country-level risks (Deloitte, 2019). Countries around the world are now facing emerging risks such as threats to privacy and cybersecurity and are seeing a changing global landscape.1 According to a Global Risks report, privacy risk is among the top 10 country-level risks with grave impact (WEF, 2019). Privacy risk adversely affects the reputation of the country and hinders cross-border consumerism (Sen and Borle, 2015). To that end, conducting a risk assessment can enhance business and allow countries to focus on the risks that impact them the most (EY, 2018). In this context, such an assessment involves a comprehensive evaluation of privacy risks alongside other existing risk indicators.

Prior research has examined country-level risks, including credit rating, economic, political, and financial risks (Erb et al., 1996), government debt ratio (Somerville and Taffler, 1995), stock markets (Dumas, 1994), etc. However, very little research has paid attention to country-level privacy risk. Against this backdrop, we assess country-level privacy risk concerning data privacy and protection practices with the primary objective of designing a framework to guide the dialog on privacy risks involving a component of the global digital ecosystem. We concentrate on Digital Payment Systems (DPS), whose design and functionality have been a cause of privacy and security debates (Johnson et al., 2018). Within the context of DPS, this paper focuses on Mobile Wallets and Remittance (MWR) apps, which are digital or virtual wallets designed to store credit/debit card information on a mobile device to make payments.2

We conduct an analysis of the privacy policies of MWR apps to assess their compliance with comprehensive data protection and privacy laws in order to create a country-level privacy risk index. Such compliance assessment with respect to privacy laws can help unmask deficient data privacy and protection practices (Voigt and Von dem Bussche, 2017), and help create policies for mitigating country-level privacy risks.

General Data Protection Regulation (GDPR) is one such regulation with compliance regulations for data privacy and protection, such as data security, security breach notification, and privacy by design, that can mitigate privacy risks and ensure individual rights to data privacy and protection (Kaminski and Malgieri, 2019). Thus, we argue that the GDPR requirements serve as a robust reference for privacy compliance assessment (Voigt and Von dem Bussche, 2017).

To that end, we adopt the ten dimensions of the GDPR from the work of Voigt and Von dem Bussche (2017). The ten dimensions classify the GDPR's core data protection and privacy requirements that a business entity must fulfill to be compliant. Following Wilson et al. (2016), we use a vocabulary to code the presence of the ten GDPR dimensions within MWR privacy policies. Subsequently, we compute a hit ratio to assess a compliance score for each dimension in the GDPR. Finally, we complement the compliance score to derive a score of non-compliance with the GDPR and aggregate it at the country level to create a country-level privacy risk index. In this way, we derive the country-level privacy risk from a proxy: the non-compliance of MWR privacy policies with the GDPR dimensions. It is important to note that since non-compliance is difficult to compute directly, we use the complement of the compliance score to represent it.
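The pipeline described above (vocabulary coding of dimensions, a per-dimension hit ratio as the compliance score, its complement as non-compliance, and a country-level aggregate) can be made concrete in a few lines. The following is an added example, not the authors' code, and it does not reproduce the paper's ten GDPR dimensions or its coding vocabulary: the dimension names, vocabulary terms, sample policies and country labels are all constructed for illustration, and the hit ratio is assumed here to be the fraction of a dimension's vocabulary terms that occur in the policy text, since the page does not state the exact formula.

```python
"""Constructed example: a country-level privacy risk index built from
privacy-policy text by vocabulary coding. Dimension names, terms, policies
and country codes are made up; they are not the paper's own."""
from collections import defaultdict

# Hypothetical vocabulary: a handful of GDPR-style dimensions, each mapped to
# substrings whose presence in a policy counts as a hit for that dimension.
VOCABULARY = {
    "data_security": ["encrypt", "secure", "safeguard"],
    "breach_notification": ["breach", "notify", "72 hours"],
    "privacy_by_design": ["by design", "by default", "minimi"],
    "data_subject_rights": ["access", "erasure", "rectif", "portab"],
}

# Constructed sample corpus: (country code, privacy policy excerpt).
SAMPLE_POLICIES = [
    ("XA", "We encrypt your card data and apply technical safeguards to keep it "
           "secure. In the event of a data breach we will notify you within "
           "72 hours. You may request access to, rectification or erasure of "
           "your data and data portability."),
    ("XA", "We collect your phone number and wallet balance to provide the "
           "service."),
    ("XB", "Privacy by design and by default guides our product; we minimise "
           "the data we collect and encrypt it in transit."),
]


def dimension_hit_ratio(policy_text, terms):
    """Assumed hit-ratio definition: share of the dimension's vocabulary terms
    found (case-insensitively) in the policy text, in [0, 1]."""
    text = policy_text.lower()
    hits = sum(1 for term in terms if term in text)
    return hits / len(terms)


def compliance_scores(policy_text, vocab=VOCABULARY):
    """Per-dimension compliance score for one policy."""
    return {dim: dimension_hit_ratio(policy_text, terms)
            for dim, terms in vocab.items()}


def noncompliance_score(policy_text, vocab=VOCABULARY):
    """Non-compliance as the complement of the mean compliance score,
    mirroring the paper's use of the complement as a proxy."""
    scores = compliance_scores(policy_text, vocab)
    return 1.0 - sum(scores.values()) / len(scores)


def country_privacy_risk_index(policies, vocab=VOCABULARY):
    """Aggregate per-policy non-compliance to a country-level index
    (mean over the country's apps, rounded to three decimals)."""
    per_country = defaultdict(list)
    for country, text in policies:
        per_country[country].append(noncompliance_score(text, vocab))
    return {c: round(sum(v) / len(v), 3) for c, v in sorted(per_country.items())}


if __name__ == "__main__":
    for country, text in SAMPLE_POLICIES:
        print(country, compliance_scores(text))
    print(country_privacy_risk_index(SAMPLE_POLICIES))
```

On the constructed corpus the first XA policy covers three of the four dimensions fully (non-compliance 0.25), the second XA policy covers none (1.0), and the XB policy covers privacy-by-design fully and data security partially (about 0.667), so XA ranks as higher risk than XB. Substring coding is deliberately crude: a real run would use the paper's full vocabulary and a tokenizer, and a policy that merely names a concept without committing to it would still register as a hit.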

The contributions of this work are as follows: We examine the compliance of privacy policies of MWR apps based on the GDPR as a reference and use it to assess risk concerning data privacy and protection practices of the apps. We then develop a methodology for privacy policy text classification in order to assess privacy regulatory compliance practices for computing country-level privacy risks. Then, in conjunction with a general risk index drawn from the literature, we suggest a framework that can serve to benchmark country-level risk assessment and privacy risk together.

The research contributes to the DPS, privacy risks, privacy policy, and regulatory compliance literature. The study can help policymakers and digital business entities in making informed privacy-related DPS decisions. The rest of the study is organized as follows: the next section reviews the literature on DPS, MWR services and privacy incidents, GDPR compliance, and country-level risk assessments. The subsequent section explains the research methodology, data collection, measurement approach, and data analysis, while the last part discusses the results of the analysis and provides policy implications.

Section snippets

Literature review

In this section, we review relevant literature to provide conceptual definitions and reveal existing gaps surrounding country-level risks assessment.

Data collection

We collected distinct datasets for both country-level privacy risk analysis (textual data) and general risk analysis (numerical data). The first dataset consisted of the corpus of privacy policies of MWR apps retrieved from the Google Play Store. We focused on the MWR apps (the component of DPS with the highest adoption rate7) because it is at the center of research debates on data privacy vulnerabilities (e.g. Johnson et al., 2018;

Discussion and implications

In line with the report of OECD (2016), governments, regulators, and policy advocates need to enhance their countries' data privacy and protection practices to reduce risks of data misuse and ultimately regain both the trust of their citizens and that of other international communities.

Considering that the GDPR coverage also affects companies outside of the EU that collect, process data, and whose international activities may impact the privacy rights of the EU residents, this study suggests that it is

Conclusion

This paper performs an analysis of the MWR apps’ privacy policies to evaluate their compliance with the requirements of the GDPR in order to assess the country-level privacy risks. It assesses the country-level risks and the GDPR impacts on DPS. It theoretically and practically contributes to the methodology of policy text classification and provides a quick-view assessment for digital business entities on privacy regulatory compliance practices and country-level risks. The study can help

CRediT authorship contribution statement

Oluwafemi Akanfe: Writing - original draft, Data curation, Methodology, Software. Rohit Valecha: Writing - review & editing, Visualization, Investigation. H. Raghav Rao: Conceptualization, Supervision, Validation.

Declaration of Competing Interest

None.

Acknowledgement

We would like to thank the attendees of the 2019 Dewald Roode Workshop on Information Systems Security research held at Bossier City, Louisiana, for their valuable comments and suggestions. We thank the guest editor and the review team for their critical comments that have greatly improved the paper.

References (46)

  • S. Agarwal et al. Legislative compliance assessment: framework, model, and GDPR instantiation.
  • O. Akanfe et al. Design of a Compliance Index for Privacy Policies: a Study of Mobile Wallet and Remittance Services. IEEE Transactions on Engineering Management (2020).
  • O. Akanfe et al. Design of an Inclusive Financial Privacy Index (INF-PIE): a Financial Privacy and Digital Financial Inclusion Perspective.
  • S.J. Barnes et al. Mobile ubiquity: understanding the relationship between cognitive absorption, smartphone addiction, and social network services. Comput. Human Behav. (2019).
  • İ. Daştan et al. Factors affecting the adoption of mobile payment systems: an empirical analysis. EMAJ: Emerg. Mark. J. (2016).
  • Future of Risk in the Digital Era: Transformative Change and Disruptive Risk (2019).
  • E.H. Diniz et al. Taxonomy for understanding digital community currencies: digital payment platforms and virtual community feelings.
  • B. Dumas. A test of the international CAPM using business cycles indicators as instrumental variables.
  • L. Elluri et al. An integrated knowledge graph to automate GDPR and PCI DSS compliance.
  • C.B. Erb et al. Political risk, economic risk, and financial risk. Financ. Anal. J. (1996).
  • Ernst and Young [EY] (2018). In a Digital World, Do You Know Where Your Risks Are? Retrieved from: ...
  • R.F. Fefer. Data Flows, Online Privacy, and Trade Policy. CRS Report (2019).
  • J. Garber. GDPR: compliance nightmare or business opportunity? Computer Fraud & Secur. (2018).
Author biographies

Oluwafemi Akanfe (UTSA) is a Ph.D. student in the Department of Information Systems and Cyber Security. His research interests include the area of digital payment systems, privacy and security issues, information assurance, privacy regulations and compliance, natural language processing, among other domains. His research is available online or forthcoming in journal avenues, including IEEE Transactions on Engineering Management and ACM Transactions on Management Information Systems, and has appeared in proceedings of Americas Conference on Information Systems (AMCIS) and International Federation for Information Processing (IFIP). He is currently involved in multiple projects that include leveraging digital technologies to enhance privacy compliance, policy regulations, digital payment security, digital financial inclusion, among others.

Rohit Valecha (UTSA) is an assistant professor in the Department of Information Systems and Cyber Security. He has prior work experience in the digital ecosystem and value chain and mobile payment systems. He is involved in designing a certificate program in Digital Pathogens for undergraduate students in biology, information systems, and cyber security, computer science, and computer engineering disciplines to apply digital threat identification, propagation prediction, and mitigation to biological threats. His research interests include social media, information technology, and system design, crisis response management systems, security, and privacy. His research has been published in the ACM Transactions on Management Information Systems, Information Systems Frontiers, and Journal of the Association for Information Systems. He has also taught courses in informatics, digital systems, data analytics, and network security.

H. Raghav Rao (UTSA) is an AT&T Distinguished Chair in infrastructure assurance and Security and Professor in the Department of Information Systems and Cybersecurity. He also has a courtesy appointment as a full professor in the Computer Science department, UTSA. His research interests include information assurance, emergency response, computer security issues (e.g. insider threats, phishing, and data breaches), and digital payment systems privacy. His research has been published in the Journal of Management Information Systems, Information Systems Research, MIS Quarterly, Journal of the Association of Information Systems, among others. In addition, as part of the GIAN expert program hosted by the government of India, he has contributed to an educational initiative in digital payment systems that touches on financial inclusion as well as important information assurance issues. In 2016, he received the prestigious Information Systems Society Distinguished Fellow Award for outstanding intellectual contributions to the information systems discipline.