One of the objectives of MUSES is to provide policy recommendations to remedy potential gaps and conflicts arising from the existing legal framework on privacy and data protection, and to incentivise end-users towards more responsibility in their interaction with Organisational Security Policies.
Policy Recommendations for the Existing Legal Framework
Technology is continuously changing reality, and law often limps behind to get in line with the shifting conditions of time.
In addition, the harmonisation of general data protection law at EU level is forthcoming, while the protection of employees is typically a national legal competence strongly influenced by local culture and tradition.
The tension between law and technology on the one hand, and the tension between general data protection law and employment law specifications on the other hand, lead to several implementation issues in practice. Both tensions have a negative impact on the legal certainty of employees with regard to the processing of their personal data and on the employers’ need to secure company data assets. When law seems to be difficult to apply to new technologies, and/or when specifications of employment law are inconsistent with the general provisions of privacy and data protection law, employees might experience those inconsistencies very negatively.
The results of the MUSES research conducted in this regard are reported in D7.2 ‘Policy Recommendations for the Existing Legal Framework’.
Policy Recommendations for end-user responsibility in interaction with Organisational Security Policies
Under the current regulatory framework, end-users are solely addressed as potential victims of security incidents, such as hacking. However, it became clear that the very same end-users are often also the cause of these security incidents, for instance by their lack of knowledge or careless behaviour.
The legal researchers in MUSES are currently analysing which regulatory mechanisms could be used to encourage end-users of networked environments to take more responsibility in dealing with company data assets, and whether regulatory actions can be taken to provide the end-user with more incentives towards compliance with Organisational Security Policies.
The results of this research will be reported in M30 of the project.