Abstract

Background: Internet firms (data fiduciaries) that capture and process personal information (PI) of users for providing services might engage in the trade or misuse of personal information for monetary gain. Though most countries have enacted data protection regulations under which penalties and sanctions are imposed by the regulator on data fiduciaries that violate the stated rules, enforcement is still weak. In this paper, we provide an alternative mechanism, financially incentivized whistleblowing in firms, as a solution to minimize such violations.

Method: We develop an analytical model to describe the interaction between data fiduciaries, whistleblowers and the regulator when data fiduciaries are involved in the sale of users' personal information without their consent. We validate the empirical model with extensive simulations using data from some of the major globally significant data fiduciaries for their India operations for the financial year 2022.

Results: We calculate the minimum amount to be paid to the whistleblowers to make it financially unprofitable for the firms to indulge in such illegal use of PI. At the same time, it will be enough to incentivize the whistleblowers to come forward, especially in large Internet firms.

Conclusion: This work is highly relevant for Boards of Directors, who are responsible for adhering to and enforcing whistleblower policies in firms. Our work also emphasizes the increasing responsibility of Chief Privacy Officers in firms for guiding the ethical use of customers' PI by putting in place enough guardrails, including robust whistleblower policies. This work is also relevant for policy makers, as it provides a supplementary tool through which data protection regulations can be enforced on large Internet firms.
