The Center for Long-Term Cybersecurity at UC Berkeley is hosting an interdisciplinary workshop on July 30, 2021 to examine and compare how firms and consumers have responded to the E.U.’s General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA). This RFP seeks proposals to conduct scholarly inquiry into these topics to inform the workshop and, more broadly, to build the body of scientific knowledge foundational to these issues. Selected proposals will be invited to present and discuss their research-in-progress at the workshop.
This call for papers seeks grounded arguments that examine the effects of, and responses to, the GDPR and CCPA. At a high level, the general principles of the GDPR and CCPA share some similarities in giving consumers expanded rights to accessing, deleting, and porting data, and having rights to know about data collectors’ practices. However the laws have significant differences. For example: the GDPR is rooted in a human rights framework, while the CCPA is rooted in a consumer protection framework; the GDPR has more restrictive lawful purposes of processing and promotes data minimization while the CCPA does not; the CCPA relies on some market-based solutions to improve privacy; the GDPR allows for larger financial penalties to be levied against violators.
We now have 2 years of experience with the two laws in practice (GDPR since 2018, and CCPA since 2020). To build on mostly legal and business analyses which have sought to understand the motivations and likely consequences and implications of these laws, we seek now to focus attention on the empirical evidence of how firms, customers, citizens, and other relevant agents impacted by these laws have acted and reacted — in practice.
We are particularly interested in papers that help shed light on comparative effects: In what areas are the effects of and responses to the GDPR and CCPA converging, and in what areas are they diverging? What aspects of these directional comparisons can be attributed to differences in the laws (as causes) and what aspects can be attributed to differences in how actors respond in California versus the E.U. (as effects). Such analyses might focus on one or more of the following areas:
- Changes in organizational structure and process. How is responsibility for privacy distributed within and/or between organizations in response to GDPR and CCPA? Where are there gaps within organizational responses and operational understandings of privacy? What are the work practices and backgrounds of Data Protection Officers (DPOs) and how does this relate to other similar roles? (e.g., chief privacy officers, security officers). Does DPOs’ independence lead them to be effective privacy advocates?
- Changes in technical design and development processes. How have GDPR and CCPA concretely changed the work that technical practitioners (e.g., engineers, developers, designers, researchers) do in relation to privacy & data protection?
- Changes in business models and practices. How has value & risk been re-distributed within the data ecosystem in response to GDPR and CCPA (such as through new vendors, services, or authorized agents)? Are there new emerging business models in response to GDPR or CCPA that change how organizations view & use personal data?
- Changes in political engagement and contestation. How are a broad range of stakeholders engaging with GDPR and CCPA, or using these measures to advance their goals? What are the strategies and ‘discourses of contestation’ among those opposing or critiquing these measures
- Changes in social norms and behavior. How have consumers and users exercised their rights under GDPR and CCPA, and what factors challenge or empower their ability to do so? Are there inequalities in who has been able to or who is willing to exercise their rights? How do GDPR and CCPA regulatory goals and conceptions of privacy align (or not) with growing concerns the public has about technology?
- Documenting limits of GDPR and CCPA. What are empirical cases where GDPR or CCPA regulations were followed, but data-related harms occurred in spite of (or due to) GDPR or CCPA? Are there inequalities in where these harms occur?
We equally welcome proposals that question our assumptions that the changes in the areas listed above have indeed occurred, or that these changes have helped improve privacy protection. We also welcome proposals that present evidence showing that our assumptions that differences in the laws or in how actors respond to them are not the best or most productive bases for comparing GDPR and CCPA.
We are interested in analyses that focus on the behaviors and practices of firms, of consumers, or on the interactions between firms and consumers. We are also interested in analyses of these behaviors and practices that are either in response to GDPR, CCPA, or a comparison of both. (Should California Proposition 24/California Privacy Rights Act pass in 2020, this may provide an additional point of relevant comparison).
This call is intentionally open to multiple disciplines and interdisciplinary perspectives. We welcome submissions from researchers at all stages of their careers, including graduate students, post-docs, faculty members, and practitioners from research labs in industry and civil society.
The workshop will take place on July 30, 2021, and will most likely be a virtual event. Selected proposals will be invited to present and discuss their research-in-progress at the workshop, and will receive feedback from other workshop participants.
Proposals will be evaluated on the basis of scientific promise, potential impact on theory and practice, and potential for wide dissemination and use of knowledge, including specific plans for scholarly publications.
Proposals will be evaluated by an academic panel and selection is at the discretion of CLTC. Upon participation in the workshop, selected proposals will be awarded an honorarium of $7500 and, if needed, travel reimbursement in accordance with UC Berkeley travel policy.
- Proposal abstract and outline (maximum two pages total). Because this is an interdisciplinary call for a broad range of papers, it is important that proposals situate their argument in the most relevant literature.
- Researcher’s CV
- To submit a proposal, please email the required materials to email@example.com by December 15, 2020.
- Proposal submission deadline: December 15, 2020
- Notification of results: January 22, 2021
- Draft papers due: July 16, 2021
- Workshop and draft paper discussion: July 30, 2021
This project is made possible by a grant from the William and Flora Hewlett Foundation with additional funding from Facebook in support of independent academic research.