week 3
arnita
readingforweek3.pdf
RESEARCH PAPER
The relationship between culture and information privacy policy
Sophie Cockcroft1 & Saphira Rekker1
Received: 13 January 2015 /Accepted: 23 June 2015 /Published online: 5 July 2015 # Institute of Information Management, University of St. Gallen 2015
Abstract Operating in a global market provides challenges for managers concerned with information privacy. This work builds on a branch of research that has evolved to examine the relationship between culture and attitudes to information pri- vacy. Our approach is unique in that our dependent variable is a count variable designed to measure the rate of uptake of privacy laws. It is a departure from studying cultural variables at the individual level. We also identify the cultural impact of legislation at the national level. Previous models generally use a relatively crude division of legislative codes. By contrast, this work examines the impact of culture on baskets of privacy elements drawn from the EU directive. These attributes are candidates for codification in law, but are taken up at varying rates. A key originality and challenge of the work is the use of the GLOBE variables for culture. Results suggest that group collectivism, power distance, assertiveness and uncertainty avoidance are the most powerful cultural predictors of the level of privacy legislation provision.
Keywords National culture . Information privacy .
GLOBE Variables
JEL classification M15 . M38
Introduction
The nature of customer data as a marketing asset and the explosive growth of the use of information systems (IS) within organizations has led many researchers to suggest that issues of consumer privacy may limit future growth of the digital economy (Dinev and Hart 2006; Dinev et al. 2008). Increasing digitization of commerce, and the capacity to store and mine vast amounts of consumer data for competitive ad- vantage, poses a threat to consumer privacy. The role of leg- islation in free trade is well established (Kobrin 2004), but the role of national culture in the development of legislation is less clear. It is worth exploring the relationship between culture and privacy at the national level because globalization has exacerbated the vulnerability of personal and organizational data. In today’s globally connected world it is no longer suf- ficient to examine privacy solely at the individual level (Mennecke et al. 2014).
Currently the influence of national culture on privacy leg- islation is unknown. Most research to date has used the broader Bregulatory approach^ as a dependent variable. That is, how does culture affect the level of governmental involve- ment in corporate privacy management? These levels of reg- ulatory approach are described, from low to high, as self-help, voluntary control, data commissioner, registration and licens- ing (Milberg et al. 2000; Reay et al. 2013). We identify the role of culture in the level of adoption of legislation in more detail than prior studies.
We explore the relationship between national culture and the extent of privacy legislation enacted at the national level. The research question is: BWhat are the cultural factors that deter- mine the extent of information privacy policy? It is an interesting question because most research to date has focused on individ- ual attitudes to information privacy regardless of the legislative regime under which the subjects live (Dinev et al. 2006;
Responsible Editor: Stefan Klein
* Sophie Cockcroft [email protected]
Saphira Rekker [email protected]
1 UQ Business School, University of Queensland, Blair Drive, St Lucia 4072, Australia
Electron Markets (2016) 26:55–72 DOI 10.1007/s12525-015-0195-9
Malhotra et al. 2004; Milberg et al. 2000; Smith et al. 1996; Van Slyke et al. 2006). In some cases, national culture, via the Hofstede variables (1991), is included as an antecedent of pri- vacy concern (see Milberg et al. 1995, 2000). The aim of this work is to isolate national culture as an antecedent of societies’ national governance of information privacy. Another contribu- tion of this work is the use of a novel measure of culture in the form of the Global Leadership and Organizational Behavior Effectiveness (GLOBE) variables.
Privacy defined
Numerous studies have examined the concept of privacy across legal jurisdictions and cultures. For example, Ess (2005) outlines the similarities and differences between the conceptions of privacy, in particular in relation to data privacy protection laws, across Eastern and Western cultures. Although similarities are present, there is no universal consen- sus on the definition of privacy (Cannataci 2009). In fact, Newell (1995) suggests that several languages do not even have a definition for privacy, e.g. Dutch, Arabic, Japanese, Russian and the languages of many tribal societies.
A respected review by Belanger and Crossler (2011) of privacy studies in IS uses Clarke’s (1999) definition of infor- mation privacy, namely Bthe interest an individual has in con- trolling, or at least significantly influencing, the handling of data about themselves.^ For the purpose of our study, we rely on this definition of information privacy.
A number of authors have argued for cultural antecedents of differences in privacy law. In particular, Whitman (2004) explores transatlantic approaches via case law and historical differences. In our study we make a quantitative study of the relationship between culture and privacy law. Through a de- tailed examination of the laws in 35 countries and/or legal jurisdictions across Europe, Asia, North and South America, and via a well-accepted measure of national culture, we pro- vide evidence for this association. (For a full list of countries see Table 1) The major finding is that the relationship between national culture and regulation is strongly negative where the GLOBE variable Bin-group collectivism^ is high, meaning that individuals take pride in membership of small groups such as family and work organizations. This supports previous findings by Milberg et al. (2000). Another outcome of our
analysis suggests that Power Distance, Assertiveness and Uncertainty Avoidance are other powerful cultural predictors of the level of privacy legislation provision.
When examining the evolution of e-commerce it is inter- esting to consider the role played by national culture in the establishment of laws, treaties and trade agreements. National culture, and its influence on information privacy laws, has the power to influence decisions at many levels, particularly the corporate level (Bennett and Raab 2003, 2006). Such deci- sions might include those concerning the location of a firm, strategies for the release of new software, marketing strate- gies, and other business decisions that involve cultural sensi- tivities. Recently, this issue has come to the fore in controver- sy of the use of Google Glass (Marshall 2013) that divided Germany and the US. Location of data centers for cloud com- puting in Europe, to provide assurance of strong privacy, is another example of a potential cultural impact on privacy (Dlodlo 2011). While information privacy is valued in the public conscience (Clarke 1999), it is worth examining wheth- er strong information privacy laws are a cultural artefact that organizations embrace as a form of competitive advantage, or resist in the interests of free trade. The traditional paradigm of privacy is that a citizen can exercise privacy rights against a corporation in the same country. Although the information age has created a blurring of many international boundaries through practices such as trans-global marketplaces, legisla- tion still exists at the national level. It is not yet clear how to measure the effectiveness of such laws in protecting informa- tion privacy, but through culture we can get a measure of how well information privacy laws match information privacy concerns.
Privacy and information systems
Before considering previous research in this area, it is neces- sary to define which aspects of privacy we seek to address.
Privacy is notoriously hard to define, and definitions vary as explained previously. It is often defined following the United States’ Fourth Amendment as the Bright to be left alone.^ Most IS research on privacy explores information or data privacy as opposed to privacy of the person, personal behavior or personal communication (Clarke 1999). A taxon- omy developed by Solove (2006) defines four general
Table 1 List of countries examined Argentina Australia Austria Bolivia Brazil
Canada (English-speaking) China Colombia Costa Rica Denmark
Ecuador Egypt England Finland France
Georgia Germany (former West) Greece India Ireland
Italy Japan Kazakhstan Malaysia Netherlands
New Zealand Poland Portugal Singapore Slovenia
Spain Sweden Switzerland Thailand US
56 S. Cockcroft, S. Rekker
categories of privacy problems: information collection, infor- mation processing (aggregation, (in)security, secondary use and exclusion), information dissemination, and invasion. Those categories around processing form the basis for the legislative elements included in the current study.
In the following sections we present the theoretical back- ground to our study, including a review of previous literature. The variables we have used are then described, followed by hypotheses concerning culture and legislation, the methodol- ogy for our work, and finally the results.
Theoretical background
What causes different countries to legislate differently on aspects of information privacy?
Assuming a focus on data/information privacy, we explore the role of national culture in the establishment of privacy laws. There are clear differences in how societies approach national regulation of information privacy. To account for these differ- ences there are two possible viewpoints: (1) that all people/ societies are equal and that differences in law are accounted for by efficiency of the legal process; and (2) that legal pro- cesses are equivalent and national culture accounts for the differences in take up. Bennett and Raab (2006) assert that the latter is the case, and that culture is indeed an antecedent of societies’ national governance of information privacy. Furthermore, this governance should be closely aligned with the attitudes of that country’s citizens to information privacy, where information privacy is described as the rights that indi- viduals have over how their personal data is collected, proc- essed and used (Bennett and Raab 2006). Government inter- vention in privacy often follows a pattern whereby the first aim of governments in legislating on new issues is to cover government information and powers. Legislation is then ex- tended to private sector commercial and non-government en- terprises and later to other sectors so that, finally, Bpolicy convergence^ occurs as nations identify similarities in their legislation (Galpottage and Norris 2005; Lowry et al. 2010; Shah et al. 2007). Progress is often slow, as governments are unenthusiastic to constrain their actions. This cycle is also described formally by Turner and Dasgupta (2003). Bennett and Raab (2006) characterize the two possible dynamics of privacy regulation as Ba race to the bottom^ with competitive deregulation by countries eager to attract global investment in IT versus Ba race to the top^ with progressive establishment of global privacy standards. Clearly privacy has complex ante- cedents which impact on incorporation in national regulation. We suggest that the underlying tenet for this incorporation is as follows: assuming relatively efficient legal processes and mature levels of democracy, a legal jurisdiction’s laws on pri- vacy will reflect its citizens’ privacy concerns. This is
important in introducing prior research in the area, as it has been concern on the part of the individual that has dominated previous studies.
Prior work on culture and privacy
Culture as a demographic indicator is used in a number of information privacy studies e.g. (Bellman et al. 2001, 2004; Dinev et al. 2009; Earp et al. 2005; Milberg et al. 2000; Rose 2006). Most of these studies relate to individuals’ attitudes to information privacy, with only a small subset exploring the relationship between national regulation and citizens’ concern for information privacy. Table 2 shows a summary of prior work. In IS privacy research hypotheses are most commonly tested using attitudinal surveys (for example, Rose 2006). Typically the dependent variable relates to an individual’s lev- el of concern about information privacy, which is operation- alized using various constructs including Bconcern for infor- mation privacy^ (CFIP) (Smith et al. 1996) and Binternet users information privacy concern^ (IUIPC) (Malhotra et al. 2004). Calls have been made for more research at the group or soci- etal level (Belanger and Crossler 2011).
Researchers frequently focus on differences in attitude cross-culturally. A number of studies compare two cultures; often one of these cultures is the United States e.g. (Dinev et al. 2006; Rose 2006; Park 2008). The US and Europe have dramatically different approaches to ensuring information pri- vacy and thus provide a ready contrast to one another. European countries view privacy as a human right, whereas in the US it is viewed more as a matter for contractual nego- tiation (Reidenberg 2005). A few studies imply that Europeans reserve their deepest distrust for corporations, whilst Americans are far more concerned about their govern- ment invading their privacy (Castaneda and Montoro 2007; Sullivan 2006). One feature of the differences in regulatory approach between the US and Europe is that Europeans are more concerned that the internet has made personally identi- fiable information (PII) a tradable commodity (Castaneda and Montoro 2007).
A recent trend in IS research is to capture this dimension by imputing an economic value for privacy (Dinev and Hart, 2004; Hui et al. 2007; Hann et al. 2007; Poindexter et al. 2006). Many studies make use of the Hofstede (2001) cultural variables to compare opinion in different nation states. Results of these studies are widely accepted, but there is a movement to rethink the concept of culture in the global environment. How up to date these variables are has also been questioned. A study by Wu (2006) illustrates that cultural values are not static and, given that Hofstede’s cultural dimensions were col- lected about 30 years ago, are likely to be outdated. We there- fore use the more recent GLOBE model for measuring cultural dimensions, which adds to the originality of this study. GLOBE distinguishes between values (Bshould be^) and
Privacy and national culture 57
practices (Bas is^) data. We use the practices data as these are more related to what is actually going on in society. Table 3 gives an overview of the GLOBE dimensions.
The authors of the GLOBE model state that even though six out of nine GLOBE have their foundations in Hofstede’s cultural measures (uncertainty avoidance, power distance, in- stitutional collectivism, in-group collectivism, gender egalitar- ianism and assertiveness) only three variables are Bdirect de- scendants of the culture dimension identified by Hofstede^ (House et al. (2004), p.138). These three are power distance, uncertainty avoidance and individualism.
Note also that the original Hofstede Dimensions of individ- ualism and Masculinity are manifested in GLOBE as follows (IND → IC, GC) and (MAS → GE, AS).
Further, of the three antecedent Hofstede variables; power distance, uncertainty avoidance and individualism, only one is argued to be correlated with GLOBE’s practices data, namely power distance.
As discussed previously, the distinction between values and practices presents another difficulty in com- paring GLOBE with Hofstede. Given that we are using
practices data this leaves us with only one variable in our cultural measure that is a direct descendant of Hofstede that is, power distance. Nevertheless, the previous litera- ture on culture and legislation, which often use the Hofstede variables, is still useful in exploring underlying relationships.
There is some evidence for a direct relationship between culture and information privacy legislation. Milberg et al. (2000) describe correlations both between national culture and privacy regulation and CFIP and privacy regulation. In particular, masculinity and individuality are negatively asso- ciated with high levels of government involvement and uncer- tainty avoidance is positively associated with it. There are mixed findings for the effects of power distance (See Table 2).
Bellman et al. (2004) consider national regulation as a means of revealing CFIP, finding it insignificant as a predictor of CFIP when compared to internet experience and national culture, i.e., it is nature and experience rather than government intervention that determines an individual’s attitude to infor- mation privacy. In some studies regulatory approach is con- sidered as the dependent variable. In these studies it is
Table 2 Summary of attitudinal survey research in information privacy
Research question Citation Dependent variables Independent variables Key finding
Does Legislative approach affect concern for information privacy?
Bellman et al. (1999, 2004) CFIP Culture, internet experience, political desires
Culture and Internet Experience predict concern
Milberg et al. (2000) CFIP Regulatory approach (none, self-help, voluntary, data commissioner registration, licencing)
The stronger the regulation the greater the concern.
Dinev et al. (2006) Privacy concern Misuse, secondary use, lack of control, unauthorized access
Individuals in Italy had lower privacy concerns than individuals in the U.S.
Which elements are of concern to a countries’ citizens?
Rose (2006) CFIP Collection, errors, access, secondary use
Access and secondary use are of greater concern
Earp et al. (2005) Privacy dimensions Content of privacy policies, user concerns
Users are concerned in order by transfer, notice/awareness/ storage – User privacy values do not align with website privacy statements
Does National Culture affect the level of government involvement
Milberg et al. (2000) Regulatory approach National culture A country’s cultural values are associated positively but marginally with its regulatory approach
Does national culture affect concern for information privacy
Milberg et al. (2000) CFIP National culture A country’s cultural values are associated strongly with the privacy concerns that are exhibited by its populace,
Does concern for information privacy affect regulatory approach
Milberg et al. (2000) Regulatory approach CFIP Management of privacy issues increases as concerns heighten
Does a CFIP affect regulatory preferences
Milberg et al. (2000) Regulatory preference
CFIP There is a marginal positive association between the level of governmental involvement and respondents preference for strong laws
58 S. Cockcroft, S. Rekker
frequently suggested that cultural values influence a society’s responses to the environment through development and main- tenance of social institution (Hofstede 2001; Milberg et al. 1995; Milberg et al. 2000). Such institutions include political systems and legislation. For example, Milberg et al. (1995) show that countries high in uncertainty avoidance vigorously embrace legislative solutions, and that countries strong in the traits of individualism are more likely to reject organizational and governmental rules. Milberg et al. (2000) find that a country’s cultural values are associated only marginally with regulatory approach.
Two insightful reviews, one of interdisciplinary privacy research (Smith et al. 2011) and one of IS research (Belanger and Crossler 2011), fully explore the literature. In particular, Smith et al. (2011) seek to bring together diverse streams of research via two classification approaches: whether the research is normative, purely descriptive, and empirically descriptive, as well as based on their level of analysis (indi- vidual, group, organizational, and societal). On the other hand, Belanger and Crossler (2011) use Gregor’s critique of IS the- ories (2006) to classify existing privacy research by theoretical contribution and by level of analysis according to the structural view of information privacy proposed by Skinner et al. (2006).
Research model and hypothesis development
This study builds on existing work by exploring in more detail the relationship between culture and regulatory approach de- veloped in prior studies on CFIP. If legislative approach is not culturally determined, the fact that governments act indepen- dently of the attitudes of their citizens in the field of informa- tion privacy will be confirmed.
It is a descriptive, empirical study, situated at the national level. This classification as descriptive and empirical builds on the work of Martinsons and Davison (2003). It is descriptive because it describes a situation in the real world as it is as opposed to prescribing solutions, and it is empirical as it is based on testing theory using positivist, scientific methods. This distinction is elaborated in Smith et al. (2011).
Our study has two key originalities: first, it uses a contem- porary measure of national culture arising from the GLOBE study (House et al. 2002a, b) and second, it looks cross- culturally at regulatory approach in finer detail than previous studies. We examine laws at the level of Blegislative elements^ analogous to policies (See Table 4).
The central hypothesis of this work is that the extent of inclusion of elements in legislation is culturally deter- mined. It is of interest to the IS community because
Table 3 The GLOBE dimensions of culture (House et al. 2002a, b)
GLOBE dimensions Variable name Definition
Power distance PD Degree to which members of an organization or society expect and agree that power should be stratified and concentrated at higher levels of an organization or government.
Uncertainty avoidance UA Extent to which members of an organization or society strive to avoid uncertainty by reliance on social norms, rituals, and bureaucratic practices to alleviate the unpredictability of future events.
Institutional collectivism IC Degree to which organizational and societal institutional practices encourage and reward collective distribution of resources and collective action.
In-group collectivism GC Reflects the degree to which individuals express pride, loyalty and cohesiveness in their organizations or families.
Humane orientation HO Degree to which individuals in organizations or societies encourage and reward individuals for being fair, altruistic, friendly, generous, caring, and kind to others.
Performance orientation PO Extent to which an organization or society encourages and rewards group members for performance improvement and excellence.
Future orientation FO Degree to which individuals in organizations or societies engage in future-oriented behaviors such as planning, investing in the future, and delaying gratification.
Gender egalitarianism GE Extent to which an organization or a society minimizes gender role differences while promoting gender equality.
Assertiveness AS Degree to which individuals in organizations or societies are assertive, confrontational, and aggressive in social relationships.
Privacy and national culture 59
legislative regime impacts the way e-commerce is con- ducted globally (Dinev and Hart 2006). It is also of inter- est to IT policy makers because it enables them to plan beyond the confines of their legislative framework E.g. in such decisions as where to locate data centers as described earlier.
Empirical variables
This study is not based on survey data, but uses published measures of national culture (House et al. 2002a, b) and legislative elements derived from published privacy legis- lation. The use of secondary data is justified as the level
of analysis (legal jurisdiction) is at the same level as the cultural constructs. This is in contrast to previous work where national level constructs of culture are used to mea- sure individual levels of opinion. This very research prac- tice has been the subject of criticism by well-known au- thors and Scholars of GLOBE (Brewer and Venaik 2012). By using secondary data, situated at the national level, we avoid this pitfall.
We first describe the meaning of national culture, our inde- pendent variable. Second, we describe the dependent variable in this research—the number of legislative elements adopted by a legal jurisdiction in respect to information privacy policy. Finally, we outline the independent variables that aim to cap- ture national culture and construct hypotheses.
Table 4 Summary of EU directive
Part 1: Chapter II - General rules on the lawfulness of the processing of personal data
Section II Criteria for making data processing
legitimate
Article 7 Includes issues such as unambiguous consent, legal obligations,
the data subject’s vital interests, and that public interest is over-ridden by the rights/freedoms of the individual
Section III Special categories of processing
Article 8 The processing of special categories of data these include racial or ethnic origin, health, trade union membership, political opinion or sex life
Article 9 Processing of personal data and freedom of expression
Section IV Information to be given to the data subject
Article 10 Information in cases of collection of data from the data subject. Identity of the controller, existence of right of access existence of right to rectify recipients of data from the data subject
Article 11 Information where the data have not been obtained from the data subject
Section V The data subject’s right of access to data
Article 12 Right of access The right to know, if data about the subject is being processed,
what this data is and the logic involved.
Section VI Exemptions and restrictions
Article 13 National security, defense, public security
Section VII The data subject’s right to object
Article 14 The data subject’s right to object
Article 15 Automated individual decisions e.g. creditworthiness, reliability
Section VIII Confidentiality and security of processing
Article 16 Confidentiality of processing
Article 17 Security of processing
Section IX - Notification Article 18 obligation to notify the supervisory authority
Article 19 Contents of notification name and address of the controller
Article 20 Prior checking
Article 21 Publicizing of processing operations
Part 2: Chapter III Judicial remedies, liability and sanctions
Article 22 Remedies
Article 23 Liability
Article 24 Sanctions
Part 3: Chapter IV Transfer of personal data to third countries
Article 25 Principles Does the third country provide adequate levels
of protection?
Article 26 Derogations Exceptions for unambiguous consent, contract, legal
rights and vital interests
60 S. Cockcroft, S. Rekker
National culture
Hofstede undertook seminal work in the area of national culture and the results of his work have had profound effects on the study of IS within organizations. Hofstede (1980) de- fines national culture as Bthe collective programming of the mind which distinguishes the inhabitants of one country from another.^ Education and socialization cause individuals to acquire basic values and beliefs that permeate throughout a given society or nation state. Inhabitants of a country come to share certain basic beliefs and assumptions. The Hofstede (1980) cultural dimensions are widely accepted and used in IS research (for example, Robbins and Stylianou 2003; Steinwachs 1999), however, their applicability has been questioned (Fernandez et al. 1997). We recognize the concerns of Myers and Tan (2003) who argue for a departure from the practice of associating culture with a nation state in acknowl- edgement that the relationship between culture and work prac- tices is more complex. Significant developments in the study of society and culture have been made under the umbrella of the GLOBE (Global Leadership and Organizational Behavior Effectiveness) project. The GLOBE model satisfies some of the problems seen with Hofstede’s model, particularly those linking a culture to a nation state.
Table 3 details the GLOBE cultural dimensions and vari- ables (House et al. 2002a, b). Since the current study is not at the individual level (e.g. survey data), but at the level of na- tional regulation, we avoid the pitfall of applying dimensions of national culture to the individual level (Brewer and Venaik 2012; Venaik and Brewer 2013). Thus when we refer to the attributes of a culture or society we are implicitly referring to the culture at the national level.
Legislative elements
Information privacy legislation normally draws on the princi- ples of notice/awareness, access/participation, integrity/secu- rity, enforcement/redress and choice/consent. These principles broadly relate to Solove’s processing dimensions (Solove 2006). In addition people often exhibit concern about the pro- cessing of sensitive information, information monitoring, and transfer of information (Earp et al. 2005). When identifying which elements to include in the study, it has emerged that the EU directive is the most comprehensive. A little history em- phasizes this point. In 1980, the Organization for Economic Cooperation and Development (OECD) issued the Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data. These are seen as the current best-practice global standard for privacy protection (Earp et al. 2005). Before this in 1973 the Fair Information Practice (FIP) prin- ciples (US Dept of Health Welfare 1973) formed the basis for establishing and evaluating US privacy laws and practices in the US. These guidelines are not legally binding, but are
recognized by all OECD members including the EU. The most comprehensive directive is the EU directive (EU 1995), which is a superset of the OECD guidelines. The US’s FIPs on the other hand are a subset of the OECD guide- lines. For the purposes of this study therefore the EU directive is taken as a benchmark against which the data processing laws of each nation in the study are measured. Twenty ele- ments corresponding to Articles 7 through 26 of the directive are selected for study because they focus specifically on the IS issue of data processing.
Table 4 shows a summary of the EU directive Legislative elements in this study represent the presence of these, or di- rectly corresponding codified legal elements, in a country’s legislation (EU 1995). We have divided this into three parts to elucidate the relationship between National Culture and Privacy Legislation. These three parts are processing, reme- dies and transfer to third countries. It should be noted that an amendment to this legislation has been drafted which came into place in late 2014 (De Hert 2012).
Hypotheses
In this section we develop hypotheses with reference to the existing literature and the inherent challenges therein. Note that the limited literature, that explored the relationship be- tween culture and legislative approach previously, used Hofstede’s scales to measure culture. The debatable connec- tion between these Btwo giants^—Hofstede and GLOBE— makes our hypotheses mainly explorative in nature. We try to capture the fundamental underlying constructs that these variables represent by developing hypotheses in cognizance of the previous literature.
Individualism - collectivism
The GLOBE variables measure individualism via its opposite, namely collectivism. H1 and H2 below are stated in terms of collectivism although there is some debate about whether the individualism and collectivism constructs are the opposite of one another.
Almost all prior research explores individualism via survey research. There is an interesting dichotomy revealed in the results reported in Milberg et al. (1995). These results suggest that countries with higher levels of Bindividualism^ will ex- hibit less government involvement and more individualistic approaches to regulating information privacy. However, this is distinct from the effect of individualism on attitudes to information privacy. Generally, the individualists believe in the right to private life. While cultures with high individualism prefer less government intervention, they are more concerned about the privacy of their personal information than more collective cultures. In turn, higher privacy concern is
Privacy and national culture 61
suggested to lead to higher privacy regulation; we call this the BMilberg Paradox^ and it is depicted in Fig. 1.
In-group collectivism (GC), as captured by the GLOBE variables, is the degree to which individuals express pride, loyalty, and cohesiveness in their organizations or families. People emphasize relatedness with groups. If these forms of collectivism are the opposite of individualism, one could predict that these societies would embrace stronger regulation based on the arguments above. Bellman et al. (2004) developed an alternative theory suggesting that such societies will exhibit less concern for information privacy and feel less need for government intervention. The reason they suggest is that low individualism (IND) and high collectivist societies have a greater acceptance that groups, including the government, can intrude on the private life of the individual. In support of this intrusion theory they cite Milberg et al. (1995, 2000).
In formulating our hypotheses we also have to be aware of the statistical and conceptual relationship between the Hofstede variables used in prior studies and the GLOBE var- iable. Hofstede’s IND is strongly negatively correlated with the GLOBE practices IC and GC (Brewer and Venaik 2011), so stating the converse of the existing findings relating to individualism is acceptable. We hereby also test Milberg’s finding.
H1: Cultures with a high GC will be more likely to include legislative elements relating to all aspects of informa- tion privacy
Institutional collectivism (IC) is the degree to which orga- nizational and societal institutional practices encourage and reward collective distribution of resources and collective ac- tion. In such societies group loyalty is encouraged, even if this undermines the pursuit of individual goals. There are no stud- ies to our knowledge in the IS discipline that look at GLOBE Institutional collectivism in isolation but taking it as a closely related construct to GC we propose:
H2: Cultures with a high IC will be more likely to include legislative elements relating to all aspects of informa- tion privacy
Masculinity/femininity
Masculinity/Femininity in the original Hofstede study is sug- gested to have some similarities with gender egalitarianism (GE) and assertiveness (AS) in the GLOBE variables. However, statistically there are no significant correlations with any of Hofstede’s cultural scales, making it complex to draw hypothesis based on Milberg’s study.
Gender egalitarianism is the degree to which a society min- imizes gender inequality. Women generally have more privacy concerns than do men (Kuo et al. 2007), and secondary use of personal data is often cited as a dimension of concern. In societies with high GE, women are afforded a greater decision-making role in community affairs (Yao et al. 2007). Gender influences the extent to which privacy and security impact satisfaction in e-commerce transactions (San Martin and Jimenez 2011). Countries in such societies are likely to have well developed privacy laws. This leads us to:
H3: Cultures with a high GE will be more likely to include legislative elements relating to all aspects of informa- tion privacy
Assertiveness is the degree to which individuals are asser- tive, confrontational and aggressive in their relationships with others. Societies with high assertiveness will communicate directly and unambiguously, try to have control over the en- vironment, and expect subordinates to take initiative. The con- ceptual antecedent of this dimension, masculinity, is found to be negatively associated with comprehensive privacy regula- tion (Milberg et al. 2000). Following this we propose:
H4: Cultures with a high AS will be less likely to include legislative elements relating to all aspects of informa- tion privacy
Uncertainty avoidance
GLOBE’s uncertainty avoidance (UA) measures the extent to which a society, organization, or group relies on social norms, rules and procedures to alleviate the unpredictability of future events. Culturally, a high UA indicates a tendency to rely on formalized policies and procedures (Milberg et al. 1995). Individuals in such societies are also thought to be more con- cerned about information privacy (Cao and Everard 2007). Bellman et al. (2004) also found that in countries with high UA, concerns about the security of online transactions were higher. Societies with high UA might be expected to incorpo- rate laws that reduce risk. The confounding factor in this hy- pothesis is that all prior research has used Hofstede’s measure uncertainty avoidance, which is positively correlated with GLOBE’s UA values data, but negatively with practices data,
Individualism -ve
Regulation Privacy
Concern
+ve
+ve
Fig. 1 The Milberg paradox
62 S. Cockcroft, S. Rekker
which is what is used for our analysis. Key researchers in GLOBE, Javidan et al. (2006), state that Badditional research is clearly needed to determine why there is such a complex relationship between values and practices.^ Of more relevance here is the fact that the Hofstede values, on which most prior research is based, is negatively correlated with the GLOBE practices values. Venaik and Brewer (2010) propose that Hofstede and GLOBE capture different and opposite, compo- nents of the UA construct. Despite the ambiguity surrounding the Hofstede and GLOBE variable measuring uncertainty avoidance, we would conceptually expect uncertainty avoid- ance to have a positive impact on the extent of privacy regulations.
H5: Cultures with a high UA will be more likely to include legislative elements relating to all aspects of informa- tion privacy
Power distance
Power distance (PD) is the extent to which a community ac- cepts and endorses authority, power differences, and status privileges. Upward social mobility is limited. Resources are available to only a few. Information is localized and hoarded. Individuals in high power distance societies have come to expect their information may be accessed by those in authority (Cao and Everard 2007). The two Milberg studies (1995, 2000) have contrary findings on this dimension. The first hy- pothesizing a positive relationship based on trust being lower in high PD societies leading to first, a tendency seek protec- tion from a higher power, and second, a striving to reduce this distance through legislation. While this hypothesis was ac- cepted, the later study puts forward a more general hypothesis about the relationship between power distance and regulatory approach and finds a negative relationship. The GLOBE variable PD is significantly positively correlated with Hofstede’s measure of power distance. For the purposes of this study we suggest that the high power distance will have the former effect of making it more likely that laws will be included as citizens seek the protection of their governments:
H6: Cultures with a high PD will be more likely to include legislative elements relating to all aspects of informa- tion privacy
Performance orientation
Performance Orientation (PO) reflects the extent to which a community encourages and rewards innovation, high stan- dards, excellence, and performance improvement. One aspect
of this is that such communities view formal feedback as nec- essary for performance improvement and expect direct explic- it communication. This being the case we might expect cul- tures with a high performance orientation to incorporate rules relating to notice and awareness and enforcement and redress to be paramount because these things represent standards that can be measured for improvement. There is little current evi- dence in the literature and thus this hypothesis is mainly explorative.
H7: Cultures with a high PO will be more likely to include legislative elements relating to all aspects of informa- tion privacy
Humane orientation
Humane orientation (HO) is the degree to which an orga- nization or society encourages and rewards individuals for being fair, altruistic, friendly, generous, caring, and kind to others. Members of society are responsible for promot- ing the well-being of others. People are urged to be sen- sitive to all forms of racial discrimination. In such socie- ties one would expect aspects of processing relating to sensitive data to be incorporated thus exceptions that pro- tect human rights and fundamental freedoms would be supported. They would be likely to support sanctions for infringements. Again there is little literature discussing HO specifically with respect to information privacy although Bansal et al. (2010) claimed people in high HO cultures would be less concerned about information pri- vacy in general due to being Bmore forthcoming^ about private life. Their hypothesis is not supported by their data. We seek to explore this relationship, and propose:
H8: Cultures with a high HO will be less likely to include legislative elements relating to all aspects of informa- tion privacy
Future orientation
Future orientation (FO) is the degree to which a societal group encourages and rewards future oriented behaviors such as planning and delaying gratification. Individuals in such soci- eties have a propensity to save now for the future and to emphasize working for long-term success. Kluckhohn and Strodtbeck (1961) first identified this phenomenon that repre- sents a culture’s focus on the past, present or future. A past- oriented culture might evaluate plans in terms of customs, traditions, or history, while a future-oriented culture would evaluate plans in terms of future benefits. We suggest that
Privacy and national culture 63
People with high FO scores would be more concerned about privacy issues. Thus we propose:
H9: Cultures with a high FO will be more likely to include legislative elements relating to all aspects of informa- tion privacy
Data analysis
Methodology
Our study involves the use of a negative binomial regression analysis to provide evidence of cultural predicates for legisla- tive approach in information privacy. The model tested is il- lustrated in Fig. 2 and described in further detail later in this section.
Articles 7 to 26 of the EU directive concerning data pro- cessing are studied. A country is judged to incorporate a leg- islative element only if it can be found in the written law or constitution of the country. Country legislative summaries are presented at www.privacyinternational.org and www. privacyexchange.com. There are 59 countries in the globe study, and 100 countries have detailed descriptions of their legislative regime on the above mentioned websites. Where a country appeared in both data sets it was included in the current study, this resulted in a total of 53 countries under review. Of those, on further inspection, only 37 countries had a full report in the 2008 version of the privacy international reports. In addition the GLOBE study distinguishes between, for example, black and white South Africa, whereas privacy international does not. This reduced the data points available for the current study to 35.
Two researchers coded the country reports that were avail- able in 2008, by reading the full reports on privacy interna- tional and manually noting the presence or otherwise of an element. GLOBE’s cultural measures were published in 2004,
which gives us an appropriate time lag for our analysis. The inter-coder reliability index for the coding of the legislative elements was 1.0. This was carried out using SPSS Cohen’s Kappa. This result is due to the fact that very little coding is involved. All the countries in our study publish an English translation of their core privacy laws laid out in a straightfor- ward manner, there is little controversy or debate about wheth- er a law exists or not, and there is no coding into different classes required. It is therefore relatively simple to identify the presence or absence of a given variable. The procedure is as follows: Find the country of interest on privacy international and search the full report for privacy law, search for key words within the report or follow links to determine the presence or otherwise of a legislative element, then, where possible, check for the presence or otherwise of a particular legislative element with reference to comparative literature e.g. (Bennett and Raab 2006; Poullet 2006). The results are entered into a spreadsheet each row representing a country. There is a col- umn for each GLOBE variable followed by 20 columns representing the 20 legislative elements. Each country was given a 1 for the presence or 0 for the absence of the element. For the purposes of this study a further column indicating the total laws was computed. In addition to the data used from privacyinternational.org and privacyexchange.com, we cross- checked our data for presence of privacy laws with the global tables of data privacy laws and Bills by Greenleaf (2012, 2013).
The countries included in the study are illustrated in Table 1. There are some potential anomalies in this table such as why HK and China are both included but the UK and England are not. The reason for this is twofold. First, to be included in our dataset a country needs to exist in both the GLOBE variables and the privacy sources described above. The UK does not. The second reason is historical. Due to its colonial history, Hong Kong has a different culture and legis- lative landscape than China, illustrated in its presence in both GLOBE and the Privacy legislation sources. The same cannot be said of England and the UK.
Elements of information privacy are distilled from the IS and comparative law literature as described above. Details of the countries and legislative elements under consideration are given in the results section.
We examine the role played by the GLOBE culture vari- ables on the number of legislative elements adopted. We en- code each legislative elements as a binary variable (present or absent) and add them up to create our dependent variable Bnumber of legislative elements^. We seek to identify the impact of each culture variable on the number of legislative elements. The dependent variable is a count variable, so we can use a Poisson regression model if the mean and variance of the dependent variable are equal (Greene 2008). We test for this equality using the delta method (Kolen and Brennan 2014), and find that the mean and variance are not equal. In
Number of Legislative Elements adopted on privacy
in-group collectivism
Institutional collectivism
gender egalitarianism
assertiveness
uncertainty avoidance
power distance
Performance Orientation
Humane Orientation
Future Orientation
Fig. 2 The research model
64 S. Cockcroft, S. Rekker
this case, the negative binomial regression model can be used (Cameron and Trivedi 1998). Since several GLOBE variables are highly correlated (see Table 9), we tested for multi- collinearity by calculating variance inflation factors (VIF). Kennedy’s (2001) rule of thumb says that if the VIF values are less than 10, multi-collinearity does not affect the results of our model. Given our VIF values range between 1.54 (GE) and 5.32(UA), multi-collinearity should not be of major con- cern. However, to control for mild violations of the underlying assumptions, robust standard errors are used as suggested by Cameron and Trivedi (2009).
We first perform a full regression model, with each inde- pendent variable included in the model, to examine the mar- ginal role played by each regressor. Due to the non-zero cor- relation between the independent variables (see Table 9) we also utilize the stepwise model selection criteria to identify the parsimonious subset of independent variables that best explain the number of legislative elements on information privacy. Standard statistical diagnostics are also completed on the final models. By comparing the full model with the parsimonious model, we can identify both the marginal contribution of all regressors to the number of legislative elements, and the most influential regressors.
Descriptive statistics
Table 5 illustrates descriptive statistics of all the countries used in our analysis. There are a number of countries that do not have private sector laws at the federal level. The USA is in- cluded in this group but is distinct from the other countries as the reasons for this non-compliance (lack of legislation) are very different. The USA unlike the other countries in this group (Thailand, China, India and Egypt) does have strong legislation at the state level and specific public sector laws at the federal level. The GLOBE variables do not provide mea- sures at the state level. Egypt, China and India had no laws at this level at the time of data collection, and Thailand and the US only had public laws.
In order to decide whether to exclude the USA based on its specific/unique/distinct nature, we ran a number of tests of robustness. We found that the results are not ro- bust to including or excluding the USA, but are robust for any other country with zero privacy laws, meaning the USA significantly affects our findings. We therefore de- cided to exclude the USA, given that it is significantly different from the other countries in a sense that it does have strong state-level regulation. This is supported by previous literature that states that the average US state- level privacy policy is higher than that of most developing nations (Park 2008), and it is the lack of a unified formal policy that distinguishes the US, not of a lack of policy per se (Langenderfer and Cook 2004; Bygrave 2004).
Results and implications
Our regression results are illustrated in Tables 6 and 7. Table 6 contains the full model and Table 7 uses the stepwise approach to identify the regressors that best explain privacy regulation. Given that our analysis is mostly explorative, and our regres- sors are highly correlated, Table 7 provides the most insightful results. In addition to analyzing the cultural metrics on the total number of privacy laws, we have subdivided the depen- dent variable, the number of privacy laws, into three parts, according to the different Chapters of the European Directive in Table 4. As such, the analysis provides further detail on any possible associations between culture and spe- cific privacy legislation.
The numbers should be interpreted as follows; e.g. if the score on power distance is one point higher in country A than in country B, we expect the log of the expected number of laws on privacy to be 0.867 higher in country A than in coun- try B.
Our results indicate that power distance (PD) (0.867***), uncertainty avoidance (UA) (−0.555***), assertiveness (AS) (0.772***), group collectivism (GC) (−0.958***), and gender egalitarianism (GE) (0.801*) are predictors of total privacy legislation. H3 and H6 are accepted, as GE (although only on a 10 % significance level), and PD are positively associated with privacy regulation. However, the expected effect of GC, AS and UA are in contrast with our hypothesis H1, H4 and H5. Further, we find that both Future Orientation (−0.802***) and Humane Orientation (−0.692***) are negatively associat- ed with remedies, liability and sanctions regarding privacy. These findings are summarized in Table 8 and examined in greater detail in following sections.
Based on the limited evidence available it would seem that nation’s laws do reflect their cultures driven by several cultural attributes.
Group collectivism
With respect to H1 which proposed a positive the relationship between high GC and the number of Privacy elements enacted. There is an association between group collectivism and privacy laws (−0.958***) but it is negative, this likely reflects an overall lack of concern about privacy and, counter to expectations, a disinclination for governments in such so- cieties to vest control of privacy. The GC dimension refers to the extent to which members of a society take pride in mem- bership in small groups such as their family and close circle of friends, and the organizations in which they are employed. In countries with high group collectivism scores, being a mem- ber of a family and of a close group of friends is important and there is an inclination to put friends and family before society’s rules and procedures. This focus and tendency to share may lead people to be less concerned about information
Privacy and national culture 65
privacy and this leads to less rigorous codification of these elements in law. Such countries include the Asian countries Singapore, Malaysia and Japan. One suggestion for this ap- parent anomaly is that the right to a private life is not a fun- damental tenet of such societies. Additionally societies with high GC are less likely to include laws on transfer to third countries of personal data and sanctions are less likely to be present. This overall result is at odds with H1 which suggests
that Collectivist cultures are more likely to include privacy elements in legislation.
Institutional collectivism
Defined as the degree to which organizational or societal in- stitutional practices encourage and reward collective distribu- tion of resources and collective action. This dimension has no
Table 5 Descriptive statistics
Country Total laws (20) in 2008 GLOBE variables (2004)
AS IC GC FO GE HO PO PD UA
Argentina 19 4.18 3.66 5.51 3.1 3.44 3.9 3.63 5.56 3.63
Australia 16 4.29 4.31 4.14 4.1 3.41 4.3 4.37 4.81 4.4
Austria 15 4.59 4.34 4.89 4.5 3.18 3.8 4.47 5 5.1
Bolivia 6 3.78 3.96 5.44 3.6 3.45 4 3.57 4.46 3.32
Brazil 13 4.25 3.94 5.16 3.9 3.44 3.8 4.11 5.24 3.74
Canada (English-speaking) 19 4.09 4.36 4.22 4.4 3.66 4.5 4.46 4.85 4.54
China 0 3.77 4.67 5.86 3.7 3.03 4.3 4.37 5.02 4.81
Colombia 14 4.16 3.84 5.59 3.4 3.64 3.7 3.93 5.37 3.62
Costa Rica 2 3.83 3.95 5.26 3.6 3.56 4.4 4.1 4.7 3.84
Denmark 17 4.04 4.93 3.63 4.6 4.02 4.7 4.4 4.14 5.32
Ecuador 8 3.98 3.82 5.55 3.7 3.09 4.5 4.06 5.29 3.63
Egypt 0 3.91 4.36 5.49 3.8 2.9 4.6 4.15 4.76 3.97
England 12 4.23 4.31 4.08 4.3 3.67 3.7 4.16 5.26 4.7
Finland 18 4.05 4.77 4.23 4.4 3.55 4.2 4.02 5.08 5.11
France 19 4.44 4.2 4.66 3.7 3.81 3.6 4.43 5.68 4.66
Georgia 8 4.15 4.03 6.18 3.5 3.52 4.2 3.85 5.15 3.54
Germany (former West) 17 4.66 3.97 4.16 4.4 3.25 3.3 4.42 5.48 5.35
Greece 19 4.55 3.41 5.28 3.5 3.53 3.4 3.34 5.35 3.52
India 0 3.7 4.25 5.81 4 2.89 4.5 4.11 5.29 4.02
Ireland 16 3.93 4.57 5.12 3.9 3.19 5 4.3 5.13 4.25
Italy 17 4.12 3.75 4.99 3.3 3.3 3.7 3.66 5.45 3.85
Japan 15 3.69 5.23 4.72 4.3 3.17 4.3 4.22 5.23 4.07
Kazakhstan 1 4.51 4.38 5.5 3.7 3.87 4.2 3.72 5.4 3.76
Malaysia 3 3.77 4.45 5.47 4.4 3.31 4.8 4.16 5.09 4.59
Netherlands 17 4.46 4.62 3.79 4.7 3.62 4 4.46 4.32 4.81
New Zealand 16 3.53 4.96 3.58 3.5 3.18 4.4 4.86 5.12 4.86
Poland 20 4.11 4.51 5.55 3.2 3.94 3.7 3.96 5.09 3.71
Portugal 19 3.75 4.02 5.64 3.8 3.69 4 3.65 5.5 3.96
Singapore 2 4.06 4.77 5.66 4.9 3.52 3.3 4.81 4.92 5.16
Slovenia 20 4.01 4.09 5.49 3.6 3.84 3.8 3.62 5.32 3.76
Spain 19 4.39 3.87 5.53 3.5 3.06 3.3 4 5.53 3.95
Sweden 17 3.41 5.26 3.46 4.4 3.72 4.1 3.67 4.94 5.36
Switzerland 20 4.58 4.2 4.04 4.8 3.12 3.7 5.04 5.05 5.42
Thailand 0 3.58 3.88 5.72 3.3 3.26 4.9 3.84 5.62 3.79
USa 0 4.5 4.21 4.22 4.1 3.36 4.2 4.45 4.92 4.15
a Not used in our regression analysis as it is not sufficiently comparable with the other countries
66 S. Cockcroft, S. Rekker
effect in our dataset and thus H2 is rejected. Law making could be defined as such an institution, possibly this dimen- sion would have more impact in other areas of law than pri- vacy such as commercial or criminal law.
Gender egalitarianism
In societies where the differences in gender are high, gender inequality will be apparent. Men tend to focus on hierarchy and independence, while women focus on intimacy and soli- darity, thus women would be more concerned over privacy issues. In the sample data, the influence of GE on elements relating to transfer of personal data to third countries could be due to the very high interest in Scandinavian countries in privacy issues particularly those of trans-border flow. These countries also have a high score for gender egalitarianism. The finding supports Bansal et al. (2010) who found that feminin- ity impacted privacy concern. Regulatory approach was neg- atively associated with Masculinity in the Milberg et al. (2000) study, meaning that higher the masculinity index in society the less government involvement in privacy
regulation. This study supports that finding. H3 is partially accepted (although the influence of this variable is only sig- nificant on a 10 % level).
Assertiveness
Assertiveness in a culture has a positive impact on privacy regulation, though not significantly in regards to remedies and transfer of data to third countries. Contrary to the assertion in H4, it is a positive relationship, the more assertive the culture the more likely these elements are to be in the legislature. Assertiveness is argued to be conceptually, but not statistically, related to Masculinity in the original Hofstede (2001) variables. Earlier studies suggest that Masculinity has a positive effect on the overall level of privacy concern (Milberg et al. 2000), but not government involve- ment. This illustrates the complexity of comparing the GLOBE and Hofstede variables. In the current study this pri- vacy concern appears to have translated to a preference for strong laws. H4 is rejected.
Table 6 Summary of full model of privacy policy vs cultural indicators. Each result displays coefficients of Negative Binomial Regression analysis along with Chi-square test statistics of model fit. Robust standard errors in parentheses, (the subscripts are as follows:*** p < 0.01, ** p < 0.05, * p < 0.1)
Total laws (20) General Rules on the Lawfulness of the processing of personal data (15)
Judicial Remedies, liability and sanctions (3)
Transfer of personal data to third countries (2)
GLOBE cultural variables
Power distance 0.786* 0.738* −0.504 0.919* (0.47) (0.45) (0.49) (0.55)
Uncertainty avoidance −0.648** −0.666** 0.515 −0.166 (0.33) (0.28) (0.51) (0.60)
Institutional collectivism 0.318 0.276 −0.446 0.536 (0.54) (0.50) (0.60) (0.75)
Group collectivism −0.940*** −0.866*** −0.634** −0.488 (0.24) (0.22) (0.27) (0.31)
Gender egalitarianism 0.635 0.517 0.442 1.154
(0.47) (0.44) (0.48) (0.76)
Assertiveness 0.812 0.676 0.320 0.214
(0.85) (0.80) (0.76) (0.86)
Future orientation 0.024 0.070 −1.097* 0.294 (0.34) (0.31) (0.58) (0.69)
Humane orientation −0.260 −0.249 −0.556 −0.447 (0.44) (0.43) (0.37) (0.58)
Performance orientation −0.109 0.020 −0.311 −0.397 (0.30) (0.27) (0.37) (0.56)
Constant 0.365 0.482 10.832** −6.366 (7.53) (7.22) (4.85) (7.82)
Observations 34 34 34 34
Wald Chi2 27.65*** 24.91*** 33.92*** 30.51***
Privacy and national culture 67
Uncertainty avoidance
H5 suggested a positive association between uncertainty avoidance and the number of privacy laws, though the results
of our analysis reflect that cultures that mainly rely on social norms, rules, and procedures to alleviate the unpredictability of future events actually have less privacy regulation. This is interesting, as the GLOBE measure of UA (practices) is in fact
Table 7 Summary of analysis of privacy policy vs cultural indicators. Each result displays coefficients of Negative Binomial Regression analysis selected using a forward selection algorithm (stepwise) along
with Chi-square test statistics of model fit. Robust standard errors in parentheses, (the subscripts are as follows:*** p ≤ 0.01, ** p ≤ 0.05, * p < 0.1)
Total laws (20) General Rules on the Lawfulness of the processing of personal data (15)
Judicial Remedies, liability and sanctions (3)
Transfer of personal data to third countries (2)
GLOBE cultural variables
Power distance 0.867*** 0.659** 0.926***
(0.31) (0.27) (0.31)
Uncertainty avoidance −0.555*** −0.602*** (0.20) (0.20)
Assertiveness 0.772** 0.705**
(0.34) (0.31)
Group collectivism −0.958*** −0.942*** −0.685*** −0.581*** (0.22) (0.22) (0.17) (0.20)
Gender egalitarianism 0.801* 1.402**
(0.43) (0.66)
Humane orientation −0.802*** (0.22)
Future orientation −0.692*** (0.22)
Constant −0.817 3.194* 9.814*** −6.949** (3.20) (1.68) (1.83) (2.96)
Observations 34 34 34 34
Wald Chi2 21.52*** 19.30*** 23.99*** 23.94***
Table 8 Summary of hypotheses and results
Cultural indicator Hypothesis Direction of hypothesis Result Notes
GC H1 +VE Rejected in existing form. Significant in the opposite direction.
IC H2 +VE Rejected. Not a significant predictor
GE H3 +VE Partially accepted. Only on a 10 % significant level. Not significant in the Full Model. Mainly caused by predictor for transfer of personal data to third countries
AS H4 -VE Rejected in its existing form. Significant in the opposite direction.
Not significant in the Full model.
UA H5 +VE Rejected. Significant in the opposite direction
PD H6 +VE Accepted. In Full model only significant on a 10 % level.
PO H7 +VE Rejected in its existing form
HO H8 -VE Partially accepted. Judicial Remedies, liability and sanctions are significantly predicted.
FO H9 +VE Rejected in its existing form. Partly significant in the opposite direction
Judicial Remedies, liability and sanctions are significantly predicted, but in the opposite direction to that hypothesized.
68 S. Cockcroft, S. Rekker
statistically negatively correlated with Hofstede’s measure of uncertainty avoidance, confirming the anomalies and oppor- tunities in this area for future research. The data shows that cultures with relatively low uncertainty avoidance, such as Argentina, Greece, Poland, Portugal and Slovenia, have rela- tively high privacy regulation. H5 is rejected.
Power distance
Our data indicates a positive relationship between PD and the number of legislative elements. In societies where there is a greater tendency to defer to authority, laws are more likely to be included. Our findings indicate that this applies specifically with respect to general rules on the lawfulness [of the process- ing of personal data], and transfer of personal data to third countries. In keeping with H6 these results suggest that soci- eties with high PD do rely on a higher power to protect them. Countries exhibiting a high PD include Latin countries and most Asian countries. H6 is accepted (0.867***).
Performance orientation
Performance orientation describes the degree to which society encourages its members to improve performance and strive for excellence and rewards performance effectiveness and ac- quirements. There was little prior literature on PO and infor- mation privacy concern or legislation, so the results of this section are interesting as there is no significant relationship found. H7 as it stands is rejected.
Humane orientation
Humane orientation describes the degree to which individuals in organizations or societies encourage and reward individuals for being fair, altruistic, friendly, generous, caring, and kind to others. H8 concerning the likelihood of less laws surrounding privacy is only partially accepted. The legal frameworks of societies with a high humane orientation are significantly less likely to include remedies, liabilities or codified sanctions for companies violating rule of lawful processing (−0.802***). Limitations on data collection aside, this could be indicative of the forgiving nature of such societies that they are not likely to enforce sanctions.
Future orientation
Our results show societies with a higher score for FO will be less likely to include laws on one basket of elements: Judicial Remedies, liability and sanctions (−0.692***). The other bas- kets are predicted by FO in line with H9, yet are not significant in the full, nor stepwise, model. H9 is rejected.
Discussion
The cultural dimensions most commonly explored in previous research in privacy, culture and IS are UA, PD and IND. Our results represent a departure from this trend, using new mea- sures of cultural metrics to the prior literature. Individualism is operationalized in the GLOBE study as institutional collectiv- ism (IC) and in-group collectivism (GC). Previous work on the masculinity dimension is partially supported by this work (operationalized as AS and GE). Of more interest however are the specific dimensions of privacy regulation which can be assumed to be culturally determined. For example, previously we could say broadly that societies with a high Masculinity Index would be more likely to take the voluntary control or self-help regulatory approaches or have no formal information privacy regulation. The results of this study find no significant association between AS and inclusion of laws, but societies with high GE are more likely to enact legislation on trans- border flow. The relationship between GE and laws on trans- border flow (1.402**) could reflect the higher values for GE amongst Scandinavian countries which have strong laws in this area. Group collectivism has a negative impact on the inclusion of laws in all three chapters. The source of this negative association is still unclear and is a subject for further research. Three alternative theories are possible. First, members of high GC cultures simply care less about privacy, being content to share aspects of their private lives. Second, as proposed by Park (2008) based on survey research, some collectivist cultures are developing regulatory demands more in line with the US. The final explanation is around the strongly significant positive relationship between Hofstede’s work orientation and GLOBE’s GC (practices), Brewer and Venaik assert that this relationship is likely driven largely by country wealth, in that there is a phenomenon where rich countries score low on in group collectivism and poor coun- tries score high. Likewise rich countries score low on work orientation and poor countries score high. Work orientation is part of the collectivist measure in the Hofstede scales where the notion of cooperation and group work is emphasized, and notably it measures values not practices. So potentially it is the aspirational work orientation of collectivist cultures that make them less likely to include laws on Privacy.
Limitations
The limitations of this study are the small data set, the possi- bility for error in coding presence or otherwise of legislative elements and the possibility of codified laws being absent in the sources we consulted, particularly for non-English speak- ing countries. Despite a diverse and representative sample, worldwide data on privacy regulation and an extended GLOBE database would enhance our analysis substantially.
Privacy and national culture 69
To date there is no database that compares the extent of infor- mation privacy regulation.
Moreover, there is a complex correlation in the sample between the GLOBE variables (Table 9). Even though collin- earity is statistically not a problem, the constructs have been argued to be overlapping. Further research is needed to deal with the use of quantitative analysis using the GLOBE vari- ables. The implicit link of the GLOBE and Hofstede’s scales was found to be complex and dynamic, making our hypothe- ses mainly explorative.
Conclusion
This study reveals what was previously assumed, i.e. that the amount of legislation enacted has a number of antecedents in the cultural values of a nation. The dominant cultural predic- tors in this study are group collectivism, power distance asser- tiveness and uncertainty avoidance—all are significant predic- tors of number of legislative elements. Only power distance is accepted in its current form (Hypothesis H6). The other three (GC, AS and UA) are significant in the opposite direction. Gender egalitarianism, Humane orientation and Future orien- tation are partially significant. Both high FO and HO culture scores make it significantly less likely that laws will be includ- ed on Judicial Remedies, liability and sanctions. GE makes it more likely that there will be laws on trans-border flows. Interestingly Institutional collectivism is not significant here.
Our approach, which builds on established findings using a new measure of culture, has met with some challenges; the major challenge being the existence of some unexpected neg- ative correlations between the GLOBE variables and the Hofstede variables.
The work makes a number of contributions. First, we apply the GLOBE variables at the level of analysis they are intended for, the national level. Secondly, we Bstress test^ the relatively new GLOBE variables themselves. This is a contribution to the growing body of literature in this area which to date has
been confined to the management literature. Venaik and Brewer (2010) discussed at length some of the confounding results produced by researchers using the GLOBE variables in the management field. The current work represents a concert- ed effort to meticulously apply the variables in the IS field.
Beyond the nuances of the variables used, there is a bigger picture of culture and privacy. It is possible that these partic- ular cultural variables are not important in determining laws relating to privacy but may well be significant in other areas of the law. Second there is the notion of policy convergence. Policy convergence occurs when the Brace to the top^ or Brace to the bottom^ motivates national legislation on privacy. It is possible, as implied by Park (2008), that this can outweigh the impact of democracy. Thus what people believe or value is not always reflected in the law. Greenleaf (2012, 2013) suggests that the volume of privacy legislation is increasing globally. There are clearly other factors that will affect how quickly, completely or if at all, a country adopts legislation suggestions would include: GDP, political persuasion, and length of de- mocracy. Use of these variables in a similar study is suggested as an area for further research. There has been little work relating cultural factors to regulatory approach, and less still looking at particular legislative elements within jurisdictions. The findings of this study are a contribution to the emerging theoretical base of information privacy research specifically, elaborating on the complex relationship between culture, pri- vacy concern and regulation.
References
Bansal, G., Zahedi, F., & Gefen, D. (2010). The impact of personal dis- positions on information sensitivity, privacy concern and trust in disclosing health information online. Decision Support Systems, 49(2), 138–150.
Belanger, F., & Crossler, R. E. (2011). Privacy in the digital age: a review of information privacy research in information systems. MIS Quarterly, 35(4), 1017–1041.
Table 9 Summary of correlation analysis of cultural indicators
Cultural indicator AS IC GC FO GE HO PO PD UA
AS 1.000 – – – – – – – –
IC −0.394* 1.000 – – – – – – – GC −0.140 −0.491** 1.000 – – – – – – FO 0.544** 0.495** −0.499** 1.000 – – – – – GE. 0.138 0.94 −0.256 0.042 1.000 – – – – HO. −0.577** 0.330 −0.099 0.033 −0.140 1.000 – – – PO 0.179 0.455* −0.410* 0.590** −0.249 0.097 1.000 – – PD −0.097 −0.584** 0.531** −0.624** −0.281 −0.317 −0.439* 1.000 – UA 0.098 0.586** −0.627** 0.763** 0.029 0.014 0.657** −0.505** 1.000
70 S. Cockcroft, S. Rekker
Bellman, S., Lohse, G. L., & Johnson, E. J. (1999). Predictors of online buying behavior. Communications of the ACM, 42(12), 32–38.
Bellman, S., Johnson, E. J., & Lohse, G. L. (2001). To opt-in or opt-out? It depends on the question. Communications of the ACM, 44(2), 25– 27.
Bellman, S., Johnson, E. J., Kobrin, S. J., & Lohse, G. L. (2004). International differences in information privacy concern: implica- tions for the globalization of electronic commerce. Advances in Consumer Research, 31, 362–363.
Bennett, C. J., & Raab, C. D. (2003). The governance of privacy: Policy instruments in global perspective. Aldershot: Ashgate.
Bennett, C. J., & Raab, C. D. (2006). The governance of privacy: Policy instruments in global perspective (2nd and updated ed.). Cambridge: MIT Press.
Brewer, P., & Venaik, S. (2011). Individualism-collectivism in Hofstede and GLOBE. Journal of International Business Studies, 42(3), 436– 445.
Brewer, P., & Venaik, S. (2012). On the misuse of national culture dimen- sions. International Marketing Review, 29(6), 673–683.
Bygrave, L. A. (2004). Privacy protection in a global context–a compar- ative overview. Scandinavian Studies in Law, 47, 319–348.
Cameron, A., & Trivedi, P. K. (1998). Regression analysis of count data. New York: Cambridge Press.
Cameron, A. C., & Trivedi, P. K. (2009). Microeconometrics using stata. Texas: Stata Press.
Cannataci, J. A. (2009). Privacy, technology law and religions across cultures. Journal of Information Law and Technology, 1(1).
Cao, J., & Everard, A. (2007). Influence of culture on attitude towards instant messaging: Balance between awareness and privacy. In J. Jacko (Ed.), Human-computer interaction. Interaction platforms and techniques, Vol. 4551 (pp. 236–240). Heidelberg: Springer Berlin.
Castaneda, J. A., & Montoro, F. J. (2007). The effect of internet general privacy concern on customer behavior. Electronic Commerce Research, 7(2), 117–141.
Clarke, R. (1999). Introduction to dataveillance and information privacy, and definitions of terms. Retrieved from http://www.anu.edu.au/ people/Roger.Clarke/DV/Intro.html.
De Hert, P. (2012). The proposed data protection regulation replacing Directive 95/46/EC: a sound system for the protection of individ- uals. Computer Law and Security, 28(2), 130–142.
Dinev, T., & Hart, P. (2004). Internet privacy concerns and their anteced- ents - measurement validity and a regression model. Behaviour and Information Technology, 23(6), 413–422.
Dinev, T., & Hart, P. (2006). An extended privacy calculus model for e- Commerce transactions. Information Systems Research, 17(1), 61– 80.
Dinev, T., Bellotto, M., Hart, P., Russo, V., & Serra, I. (2006). Internet users’ privacy concerns and beliefs about government surveillance: an exploratory study of differences between Italy and the United States. Journal of Global Information Management (JGIM), 14(4), 57–93.
Dinev, T., Hart, P., & Mullen, M. R. (2008). Internet privacy concerns and beliefs about government surveillance - an empirical investigation. Journal of Strategic Information Systems, 17(3), 214–233.
Dinev, T., Goo, J., Hu, Q., & Nam, K. (2009). User behaviour towards protective information technologies: the role of national cultural differences. Information Systems Journal, 19(4), 391–412.
Dlodlo, N. (2011, April). Legal, privacy, security, access and regulatory issues in cloud computing. In Proceedings of the European Conference on Information Management & Evaluation (pp. 161– 168).
Earp, J. B., Anton, A. I., Aiman-Smith, L., & Stufflebeam, W. H. (2005). Examining Internet privacy policies within the context of user pri- vacy values. IEEE Transactions on Engineering Management, 52(2), 227–237.
Ess, C. (2005). Lost in translation: intercultural dialogues on privacy and information ethics (Introduction to special issue on privacy and data privacy protection in Asia). Ethics and Information Technology, 7(1), 1–6.
EU. (1995). EU directive on personal data protection enters into effect. EU directive on personal data protection enters into effect, 2014(20/ 02/2014).
Fernandez, D. R., Carlson, D. S., Stepina, L. P., & Nicholson, J. D. (1997). Hofstede’s country classification 25 years later. The Journal of Social Psychology, 137(1), 43–54.
Galpottage, P. A., & Norris, A. C. (2005). Patient consent principles and guidelines for e-Consent: a New Zealand perspective. Health Informatics Journal, 11(1), 5–18.
Greene, W. H. (2008). Econometric analysis. Upper Saddle River: Pearson/Prentice Hall.
Greenleaf, G. (2012). Global data privacy laws: 89 countries, and accel- erating. Privacy Laws & Business International Report, Issue 115, Special Supplement, February 2012 Queen Mary School of Law Legal Studies Research Paper No. 98/2012.
Greenleaf, G. (2013). Global data privacy laws 2013: 99 countries and counting. Privacy Laws & Business International Report, Issue 123, June 2013, 10–13 UNSW Law Research Paper No. 2013–58.
Gregor, S. (2006). The nature of theory in information systems. MIS Quarterly, 30(3), 611–642.
Hann, I.-H., Hui, K.-L., Lee, S.-Y. T., & Png, I. P. (2007). Overcoming online information privacy concerns: an information-processing the- ory approach. Journal of Management Information Systems, 24(2), 13–42.
Hofstede. (1980). Culture’s consequences: International differences in work-related values. Sage Publications, Inc.
Hofstede (1991). Cultures and organizations. Berkshire: McGraw Hill. Hofstede, G. (2001). Culture’s consequences: Comparing values, behav-
iors, institutions, and organizations across nations, 2nd edition. Sage Publications, Inc.
House, R., Javidan, M., & Dorfman, P. (2002a). Understanding cultures and implicit leadership theories across the globe: an introduction to project GLOBE. Journal of World Business, 37(1), 3–10.
House, R., Javidan, M., Hanges, P., & Dorfman, P. (2002b). Understanding cultures and implicit leadership theories across the globe: an introduction to project GLOBE. Journal of World Business, 37(1), 3–10.
House, R. J., Hanges, P. J., Javidan, M., Dorfman, P., & Gupta, V. (2004). Culture, leadership, and organizations: The GLOBE study of 62 societies. Thousand Oaks:Sage.
Hui, K.-L., Teo, H. H., & Lee, S.-Y. T. (2007). The value of privacy assurance: an exploratory field experiment. MIS Quarterly, 31(1), 19–33.
Javidan, M., House, R., Dorfman, P., Hanges, P., & de Luque, S. (2006). Conceptualizing and measuring cultures and their consequences: a comparative review of GLOBE’s and Hofstede’s approaches. Journal of International Business Studies, 37(6).
Kennedy, P. (2001). A guide to econometrics. Cambridge: The MIT Press. Kluckhohn, F.R., & Strodtbeck, F.L. (1961). Variations in value orienta-
tions. Evanston, IL: Row, Peterson. Kobrin, S. J. (2004). Safe harbours are hard to find: the trans-atlantic data
privacy dispute, territorial jurisdiction and global governance. Review of International Studies, 30(1), 111–131.
Kolen, M. J., & Brennan, R. L. (2014). Test equating, scaling, and linking: Methods and practices. New York: Springer.
Kuo, F.-Y., Lin, C. S., & Hsu, M.-H. (2007). Assessing gender differences in computer professionals self-regulatory efficacy concerning infor- mation privacy practices. Journal of Business Ethics, 73(2), 145– 160.
Langenderfer, J., Cook, D. L. (2004). Oh, what a tangled web we weave: the state of privacy protection in the information economy and
Privacy and national culture 71
recommendations for governance, Journal of Business Research, 57(7), 734–747
Lowry, P. B., Zhang, D., Zhou, L., & Fu, X. (2010). Effects of culture, social presence, and group composition on trust in technology sup- ported decision making groups. Information Systems Journal, 20(3), 297–315.
Malhotra, N. K., Kim, S. S., & Agarwal, J. (2004). Internet Users’ Information Privacy Concerns (IUIPC): the construct, the scale, and a causal model. Information Systems Research, 15(4), 336–355.
Marshall, G. (2013). Google Glass: Say goodbye to your privacy. techradar.com. Retrieved April 2015.
Martinsons, M., & Davison, R. (2003). IEEE Transactions on Engineering Management, 50(1), 3–7.
Mennecke, B., Xu, H., Tan, C. H., Smith, J., Shroff, M., Crompton, M., & George, J. (2014). Privacy in the Age of Big Data: The Challenges and Opportunities for Privacy Research. Paper presented at The International Conference on Information Systems: Building a Better World through Information Systems, Auckland December 2014: AIS.
Milberg, S., Burke, S., Smith, J., & Kallman, E. (1995). Values, personal information, privacy and regulatory approaches. Communications of the ACM, 38(12), 65–74.
Milberg, S. J., Smith, H. J., & Burke, S. J. (2000). Information privacy: corporate management and national regulation. Organization Science, 11(1), 35–57.
Myers, M. D., & Tan, F. B. (2003). Beyond models of national culture in information systems research. Advanced Topics in Global Information Management, 2, 14–29.
Newell, P. B. (1995). Perspectives on privacy. Journal of Environmental Psychology, 15(2), 87–104.
Park, Y. J. (2008). Privacy regime, culture and user practices in the cyber- marketplace. Info, 10(2), 57–74.
Poindexter, J. C., Earp, J. B., & Baumer, D. L. (2006). An experimental economics approach toward quantifying online privacy choices. Information Systems Frontiers, 8(5), 363–374.
Poullet, Y. (2006). EU data protection policy. The Directive 95/46/EC: ten years after. Computer Law and Security Review, 22(3), 206–217.
Reay, I., Beatty, P., Dick, S., & Miller, J. (2013). Privacy policies and national culture on the internet. Information Systems Frontiers, 15(2), 279–292.
Reidenberg, J. R. (2005). Technology and internet jurisdiction. University of Pennsylvania Law Review, 1951–1974.
Robbins, S. S., & Stylianou, A. C. (2003). Global corporate web sites: an empirical investigation of content and design. Information and Management, 40(3), 205–212.
Rose, E. A. (2006). An examination of the concern for information pri- vacy in the New Zealand regulatory context. Information and Management, 43(3), 322–335.
San Martin, S., & Jimenez, N. H. (2011). Online buying perceptions in Spain: can gender make a difference? Electronic Markets, 21(4), 267–281.
Shah, J. R., White, G. L., & Cook, J. R. (2007). Privacy protection over- seas as perceived by USA-based IT professionals. Journal of Global Information Management (JGIM), 15(1), 68–81.
Skinner, G., Han, S., & Chang, E. (2006). An information privacy taxon- omy for collaborative environments. Information Management and Computer Security, 14(4), 382–394.
Smith, H. J., Milberg, S. J., & Burke, S. J. (1996). Information privacy: measuring individuals’ concerns about organizational practices. MIS Quarterly, 20(2), 167–196.
Smith, H. J., Dinev, T., & Xu, H. (2011). Information privacy research: an interdisciplinary review. MIS Quarterly, 35(4), 989–1016.
Solove, D. J. (2006). A taxonomy of privacy. University of Pennsylvania Law Review, 477–564.
Steinwachs, K. (1999). Information and culture-the impact of national culture on information processes. Journal of Information Science, 25(3), 193–204.
Sullivan, B. (2006). ‘La difference’ is stark in EU, US privacy laws. Privacy Lost on msnbc. com, 19. http://www.nbcnews.com/id/ 15221111/ns/technology\_and\_science-privacy\_lost/t/la- difference-stark-eu-us-privacy-laws/\#.UwWZMxAzmls.
Turner, E. C., & Dasgupta, S. (2003). Privacy on the web: an examination of user concerns, technology, and implications for business organi- zations and individuals. Information Systems Management, 20(1), 8–18.
US Dept of Health Welfare, U. S. (1973). Records computers and the rights of citizens.
Van Slyke, C., Shim, J. T., Johnson, R., & Jiang, J. (2006). Concern for information privacy and online consumer purchasing. Journal of the Association for Information Systems, 7(6).
Venaik, S., & Brewer, P. (2010). Avoiding uncertainty in Hofstede and GLOBE. Journal of International Business Studies, 41(8), 1294– 1315.
Venaik, S., & Brewer, P. (2013). Critical issues in the Hofstede and GLOBE national culture models. International Marketing Review, 30(5), 469–482.
Whitman, J. Q. (2004). The two western cultures of privacy: dignity versus liberty. Yale Law Journal, 1151-1221.
Wu, M. (2006). Hofstede’s cultural dimensions 30 years later: a study of Taiwan and the United States. Intercultural Communication Studies, 15(1), 33.
Yao, M. Z., Rice, R. E., & Wallis, K. (2007). Predicting user concerns about online privacy. Journal of the American Society for Information Science and Technology, 58(5), 710–722.
72 S. Cockcroft, S. Rekker
Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.
- c.12525_2015_Article_195.pdf
- The relationship between culture and information privacy policy
- Abstract
- Introduction
- Privacy defined
- Privacy and information systems
- Theoretical background
- What causes different countries to legislate differently on aspects of information privacy?
- Prior work on culture and privacy
- Research model and hypothesis development
- Empirical variables
- National culture
- Legislative elements
- Hypotheses
- Individualism - collectivism
- Masculinity/femininity
- Uncertainty avoidance
- Power distance
- Performance orientation
- Humane orientation
- Future orientation
- Data analysis
- Methodology
- Descriptive statistics
- Results and implications
- Group collectivism
- Institutional collectivism
- Gender egalitarianism
- Assertiveness
- Uncertainty avoidance
- Power distance
- Performance orientation
- Humane orientation
- Future orientation
- Discussion
- Limitations
- Conclusion
- References
