computers & security 99 (2020) 102065

Available online at www.sciencedirect.com

journal homepage: www.elsevier.com/locate/cose

Assessing country-level privacy risk for digital payment systems

Oluwafemi Akanfe a,∗, Rohit Valecha a, H. Raghav Rao a,b

a Department of Information Systems and Cyber Security, The University of Texas at San Antonio, 1 UTSA Circle, San Antonio, TX 78249, United States
b AT&T Distinguished Chair in Infrastructure Assurance and Security, College of Business, The University of Texas at San Antonio, 1 UTSA Circle, San Antonio, TX 78249, United States

Article info

Article history:
Received 3 April 2020
Revised 30 August 2020
Accepted 15 September 2020
Available online 2 October 2020

Keywords:
Country-level privacy risk
Mobile wallet and remittance (MWR)
Privacy policies
Digital payment systems (DPS)
Privacy compliance
GDPR

Abstract

As we evolve in the digital age, new risks have emerged and are increasing the complexity of existing global digital ecosystems. These include privacy risks from cyberattacks and the threat of data misuse. Such privacy risks negatively affect consumer confidence, the reputation of an entity, and international consumerism. Prior studies have examined country-level risks, including economic, political, and financial risks; however, very little research has paid attention to country-level privacy risk. In this study, we focus on a key aspect of digital ecosystems, i.e., Digital Payment Systems (DPS). More specifically, we analyze the privacy policies of Mobile Wallets and Remittance (MWR) apps – a component of DPS that contributes to privacy debates – to assess their compliance with the General Data Protection Regulation (GDPR) in order to create a country-level privacy risk index for DPS. We create a framework to help convey country-level risks concerning DPS and inform comprehensive policy recommendations. The study reveals country-level data privacy and protection practices and provides recommendations for country-level risk assessment exercises. The research contributes to the digital payment ecosystem, privacy risks, privacy policy and regulatory compliance literature.

© 2020 Published by Elsevier Ltd.

∗ Corresponding author.
E-mail addresses: [email protected] (O. Akanfe), [email protected] (R. Valecha), [email protected] (H.R. Rao).
https://doi.org/10.1016/j.cose.2020.102065
0167-4048/© 2020 Published by Elsevier Ltd.

1. Introduction

The unprecedented change in the digital ecosystem has ushered new risks and added complexity to existing country-level risks (Deloitte, 2019). Countries around the world are now facing emerging risks such as threats to privacy and cybersecurity and are seeing a changing global landscape.1 According to a Global Risks report, privacy risk is among the top 10 country-level risks with grave impact (WEF, 2019). Privacy risk adversely affects the reputation of the country and hinders cross-border consumerism (Sen and Borle, 2015). To that end, conducting a risk assessment can enhance business and allow countries to focus on the risks that impact them the most (EY, 2018). In this context, it involves a comprehensive assessment of privacy risks alongside other existing risk indicators.

Prior research has examined country-level risks, including credit rating, economic, political, and financial risks (Erb et al., 1996), government debt ratio (Somerville and Taffler, 1995), stock markets (Dumas, 1994), etc. However, very little research has paid attention to country-level privacy risk. Along this backdrop, we assess country-level privacy risk concerning data privacy and protection practices with the primary objective of designing a framework to guide the dialog on privacy risks involving a component of the global digital ecosystem. We concentrate on Digital Payment Systems (DPS) - whose design and functionality have been a cause of privacy and security debates (Johnson et al., 2018). Within the context of DPS, this paper focuses on Mobile Wallets and Remittance (MWR) apps that are digital or virtual wallets designed to store credit/debit card information on a mobile device to make payments.2

We conduct an analysis of the privacy policies of MWR apps to assess their compliance with comprehensive data protection and privacy laws in order to create a country-level privacy risk index. Such compliance assessment with respect to privacy laws can help unmask deficient data privacy and protection practices (Voigt and Von dem Bussche, 2017), and help create policies for mitigating country-level privacy risks.

General Data Protection Regulation (GDPR) is one such regulation with compliance regulations for data privacy and protection, such as data security, security breach notification, and privacy by design, that can mitigate privacy risks and ensure individual rights to data privacy and protection (Kaminski and Malgieri, 2019). Thus, we argue that the GDPR requirements serve as a robust reference for privacy compliance assessment (Voigt and Von dem Bussche, 2017).

To that end, we adopt the ten dimensions of the GDPR from the work of Voigt and Von dem Bussche (2017). The ten dimensions are the classification of the GDPR’s core data protection and privacy requirements that a business entity must fulfill to be compliant. Following Wilson et al. (2016), we use a vocabulary to code the presence of the ten GDPR dimensions within MWR privacy policies. Subsequently, we compute a hit ratio to assess a compliance score for each dimension in the GDPR. Finally, we complement the compliance score to derive a score of non-compliance with GDPR and aggregate it at the country level to create a country-level privacy risk index. In this way, we derive the country-level privacy risk based on a proxy of non-compliance of MWR privacy policies with the GDPR dimensions. It is important to note that since non-compliance is difficult to compute directly, we use the complement of the compliance score to represent it.

The contributions of this work are as follows: We examine the compliance of privacy policies of MWR apps based on the GDPR as a reference and use it to assess risk concerning data privacy and protection practices of the apps. We then develop a methodology for privacy policy text classification in order to assess privacy regulatory compliance practices for computing country-level privacy risks. Then, in conjunction with a general risk index drawn from the literature, we suggest a framework that can serve to benchmark country-level risk assessment and privacy risk together.

The research contributes to the DPS, privacy risks, privacy policy, and regulatory compliance literature. The study can help policymakers and digital business entities in making informed privacy-related DPS decisions. The rest of the study is organized as follows: the next section reviews the literature on DPS, MWR services and privacy incidents, GDPR compliance, and country-level risk assessments. The subsequent section explains the research methodology, data collection, and measurement approach and data analysis, while the last part discusses the results of the analysis and provides policy implications.

1 http://www3.weforum.org/docs/WEF_Global_Risks_Report_2019.pdf
2 https://www.investopedia.com/terms/m/mobile-wallet.asp

2. Literature review

In this section, we review relevant literature to provide conceptual definitions and reveal existing gaps surrounding country-level risks assessment.

2.1. Country-level risks

In the modern economy, country-level risk assessment is used to attract foreign investment. Generally, country-level risks are considered a mixture of macroeconomic policy and structural and regional decadence impacting international trades (Oetzel et al., 2001). There has been some prior research that examined country-level credit risk, economic risk, political risk, and financial risk (Erb et al., 1996), government risk (Somerville and Taffler, 1995), stock market risk (Dumas, 1994), etc. to determine the level of country risk factor impacting business or investment with international activity.

Prior studies, especially in the finance and economics domain, have mostly considered country risks in terms of risk characteristics that pertain to doing business internationally. Meldrum (2000) considers country-level risks in relation to doing business across borders by looking at the sources of the risks based on types of investment in an attempt to increase the expected return of internal investment. Murtaza (2003) looked at country-level risks by evaluating economic and political stability in countries in order to make informed decisions in doing business across borders. Besides, given the increasing demands of global investment, Erb et al. (1996) looked at the economic, political, and financial measures in determining future expected stock returns in countries. In a nutshell, the concept of country risk has been examined in relation to international financial, economic, and political wellbeing in the last three decades by various academic research. In addition, several risk agencies such as Economic Intelligence Unit, Standard and Poor’s, etc. and guides such as International Country Risk Guide (ICRG) have derived credit ratings using qualitative and quantitative information across multiple countries to determine the financial, economic and political risks associated with doing business in the corresponding countries (Hoti and McAleer, 2004).

However, an examination of the literature shows that little research has paid attention to country-level privacy risk. Very few studies have considered data privacy and protection compliance as a factor in understanding the country-level risk. As data transfer, especially in the financial and e-commerce services, becomes an integral part of the global economy, privacy risk perception of a country continues to raise serious concerns and might hinder social and economic prosperity (OECD, 2006). In fact, prior research has found that effective and sustainable commerce relies on digital trades that flow through channels that ensure data privacy and security (Fefer, 2019). The implication is that consumers’ trust and confidence may be gained, and they are encouraged to do
business with international countries with sound privacy protection in place.

2.2. Country-level privacy risk

As we evolve in the digital age and technology becomes more advanced, new risks emerge for the individual’s privacy. Thus, individual privacy incidents and protection are now a major concern (Kokolakis, 2017). In this context, individual privacy involves personal data records that, if accessed without authorization, can put an individual at risk. In reality, privacy risk - which signifies the potential exposure, unauthorised access, or loss of control of personal records - further discourages consumers and negatively affects the transaction behavior of individuals (Johnson et al., 2018). Research has shown that the scope and magnitude of privacy risk have substantial effects on consumers’ confidence and negatively impact the global economy in general (Sen and Borle, 2015). While the impacts of privacy risk vary, the significant effect is the loss of customer trust. At the country level, privacy risk negatively affects the reputation of the country and further discourages cross-border consumerism (Sen and Borle, 2015). Particularly, a privacy risk could result from low standards for personal data protection in international data transfer (Wagner, 2018).

Recognizing the adverse effect of privacy risk, some authorities have established the frameworks to assess the privacy risks of the technology devices (both new and current) that collect and utilize personal data. For instance, in the US, the National Institute for Standards and Technology (NIST) has identified privacy to be at the center of risk management assessment (Hiller and Russell, 2017). Besides, digital entities now recognize that effective management of privacy risks needs to be in place to enhance privacy protection and fully appreciate the benefits of the digital economy (OECD, 2016). The risks involved in privacy breach range from severe financial implications, legal risks, reputational risks, operational risks, among others, for the affected company and country, in general.

In the next subsections, we discuss DPS, MWR apps, and then the GDPR privacy compliance.

2.3. Digital payment systems (DPS) and mobile wallet and remittance (MWR) apps

Owing to the rapid proliferation of internet usage and the lower cost of financial transactions, DPS has emerged as an essential part of the digital ecosystem. DPS is a growing trend for executing transactions in many sectors (Akanfe et al., 2020a), and represents an umbrella term for digital payment instruments.3 It consists of a network of technology systems involving three interactive parties (i.e., bank, customer, and business) to make transactions in a secure manner (Diniz et al., 2016).

The DPS market is the cornerstone of innovative technology designed to reduce the bottlenecks in traditional financial institutions.4 Some of the significant factors that contributed to the pervasiveness of the DPS include the proliferation of smartphones, growth in the mobile device market, advances in internet technology, and the need to increase customer service efficiency (Barnes et al., 2019). On the behavioral spectrum, prior research has established that perceived trust, mobility, usefulness, ease of use, social influence, technology knowledge, among others, have been the contributing factors to the ubiquity of DPS (Daştan and Gürler, 2016; Johnson et al., 2018). To that end, traditional payment systems have been revamped to incorporate the DPS framework (Diniz et al., 2016).

Further, considering that consumers are increasingly following the latest digital payment trends, many have reduced the physical usage of their credit card for every transaction.5 This is because DPS has established a more secure, efficient, more convenient transaction processing (Akanfe et al., 2020b; Diniz et al., 2016).

MWR is a growing technology in the digital ecosystem. It is a component of DPS and one of the most used cross-border business-business and customer-customer artifacts (Qin et al., 2017). It is a digital or virtual wallet designed to store credit/debit card information on a mobile device to make payments.6 It charges a consumer’s credit or checking account on the back-end and confirms to the merchant that the transaction has been paid for. As a component of DPS, the MWR is accessible via an app on a mobile device. It allows customers to perform financial transactions through their mobile devices from anywhere at any particular time and provides flexibility to consumers to accomplish transactions at the point of sale (Qin et al., 2017). However, extant research has shown that MWR remains a threat to consumer privacy because it collects and transfers personal data to all payment networks, which may lead to profiling, increased telemarketing, identity theft, etc. (Hoofnagle et al., 2012). The design and functionality of the MWR have been a cause of privacy and security debates.

Nonetheless, each MWR app has a privacy policy that is expected to explain how the customers’ data will be collected, stored, utilized, or shared. It is a pervasive text feature of mobile applications (Wilson et al., 2016). However, such privacy policies may be incomplete or outdated (Paul et al., 2018) with respect to country-level regulations and guidelines, inaccurate, or plain difficult to comprehend (Aïmeur et al., 2016). As a result, many customers fall victim to data misuse unknowingly. So, legislators have sought the adoption of standard privacy and data protection regulations to regulate the processing of personal data involving a person’s contact, demographic, and financial information. Hence, the MWR apps suffice as a relevant case study for privacy risk and regulatory compliance analysis.

3 https://www.betterthancash.org/tools-research/toolkits/payments-measurement/focusing-your-measurement/introduction
4 https://medium.com/iquii/digital-payments-a-growing-trend-with-a-focus-on-customer-experience-d31fa69664bc
5 https://www.bloomberg.com/press-releases/2019-05-08/consumers-forego-cash-for-digitized-payment-solutions
6 https://www.investopedia.com/terms/m/mobile-wallet.asp

2.4. GDPR compliance

From years of debate and concerns regarding data privacy and protection practices, the GDPR was promulgated as a replacement to data protection directives 95/46/EC (Garber, 2018). It tightened up the level of underlying data protection principles, providing key changes to statutory obligations and liabilities, and specifying mandatory data processing requirements for business entities (Pantlin et al., 2018). Particularly in the digital world, where data is an integral part of the business process, the GDPR challenges organizations to revamp their data management approach to provide a right to data privacy and protect citizens from unforeseen data breaches (Agarwal et al., 2018). It requires business entities to conduct a risk assessment for data protection impact assessment (DPIA) and other requirements such as data security, security breach notification, and privacy by design to reflect accountability and ensure individual rights to data privacy and protection (Kaminski and Malgieri, 2019).

The GDPR consists of 99 articles, with defining statements concerning the rights of subjects and processor obligations. However, most of the statements about the essential requirements for data processing entities are complex and not operationalized. Hence, we suggest that classifying the 99 articles of the GDPR will reduce complexity. A few studies have classified the GDPR articles based on requirements to derive privacy policy compliance (Renaud and Shepherd, 2018; Paul et al., 2018). In this study, we adopt the Voigt and Von dem Bussche (2017) guide to classify the GDPR articles into multiple dimensions. We chose the guide because it contains expert opinions of technology law pundits that summarize the essential requirements of the provision on data processing entities and provides a path to how organizations can achieve compliance. Besides, the guide has been referenced in over 360 research publications – out of which many publications have referenced the guide’s categorized provision requirements (e.g. Akanfe et al., 2020a; Truong et al., 2019). The guide helps to develop ten different compliance dimensions upon which the privacy policy of a digital payment entity can be assessed. Table 1 presents the GDPR’s data protection and privacy characteristics that standard privacy policies should have.

Table 1 – GDPR’s Data Privacy and Protection Checklist.

| Dimensions | Descriptions |
| --- | --- |
| Records of Data Processing Activities (DPA) | Indicates details of the “purpose of processing data, classes of data affected description of technical and organizational security measures applied.” |
| Data Protection Impact Assessment (PIA) | Identifies appropriate measures to mitigate the risks of data protection |
| Data Protection by default and Design (PDD) | States the preventive data protection measures in place |
| Technical and Organizational Measures (TOM) | Indicates technical and organizational measures to ensure the protection of data |
| Data Subject Rights (DSR) | Indicates that individuals have comprehensive information and rights against data processing entities |
| Data Breach Notification (DBN) | Documents the time frame within which individuals will be notified in case of a data breach |
| Data Protection Management System (PMS) | Indicates internal compliance monitoring systems used in monitoring data-related and safety-related requirements |
| General requirement for Third-Party Data Transfer (TPD) | Documentation showing that transfer will follow specific protection in order to ensure a proper level of data protection, where data is to be transferred to affiliated parties |
| Codes of Conduct & Certification (CCC) | Self-regulation mechanisms in place to prove compliance of the certified activities |
| Data Protection Contact Information (PCI) | Details on how to contact the company regarding data privacy. Private entities should designate a data protection officer to monitor data subjects systematically. |

The ten GDPR dimensions in Table 1 are requirements that companies need to prioritize to achieve privacy compliance and mitigate risks concerning data processing operations (CIPL, 2016). The requirements provide guidance for business entities in and out of the EU territories on risky data processing activities and privacy risk.

In the next section, we discuss the methodology consisting of data-driven analysis of privacy policies in relation to the prominent GDPR dimensions in order to create a country-level privacy risk index and also discuss a general risk index that captures non-privacy-related country-level risk.

3. Methodology

3.1. Data collection

We collected distinct datasets for both country-level privacy risk analysis (textual data) and general risk analysis (numerical data). The first dataset consisted of the corpus of privacy policies of MWR apps retrieved from the Google Play store. We focused on the MWR apps (a component of DPS with the highest adoption rate7) because it is at the center of research debates on data privacy vulnerabilities (e.g. Johnson et al., 2018; Sen and Borle, 2015) and, hence, relevant for our case study analysis. We explored the Google Play store because it is the default app store for Android phone apps, and there are a high number of MWR apps available on the Google Play platform. For these MWR apps, we retrieved data such as app name, date of release, country of operation, and privacy policy texts. In total, we extracted 353 MWR apps data with release dates from 2010 to 2020, which include the individual app’s privacy policy, country of origin, app age, ratings, and the number of downloads. These include MWR apps with places of operation in and out of the EU territories.

7 https://www.merchantsavvy.co.uk/mobile-payment-stats-trends/
8 Variables definitions - http://www.prsgroup.com/wp-content/uploads/2014/08/icrgmethodology.pdf

The second dataset consisted of country-level risk indicators8 for 154 developed, emerging, and frontier economies
from 2008 to 2016, which were retrieved from an International Country Risk Guide (ICRG) that contained political, economic, and financial ratings. ICRG guides have been considered reputable and have been adopted and validated in several prior studies (e.g., Erb et al., 1996; Howell, 2011). Hence, the ICRG guide is a relevant resource for country-level risks score. We used the 2016 country-level risk indicators, which are the latest country-level risks, as at the time of this research.

3.2. Privacy policy analysis

3.2.1. GDPR dimensions and keywords

For the privacy policy analysis, we chose the GDPR because it is widely considered as the most comprehensive standard (Ingley and Wells, 2018). Besides, the standard recognizes privacy as an essential human right and checks organizations from collecting, using, and processing personal data without the prior consent of the subject (Elluri et al., 2018). Its coverage reaches activities involving the cross-border flow of data. According to article 4 of the provision, the GDPR extends to any organization involved in the processing of “personal data”.9 Such coverage is not restricted to organizations in the EU whose activities directly impact the EU citizens living in the EU territories, it also affects such companies outside of the EU that collect and process data and whose activities may impact the privacy rights of the EU residents. Given the global influence of the GDPR, organizations around the world are effecting changes to their privacy protection practices in order to be compliant with the GDPR and prevent the liability of hefty fines (Li et al., 2019). Hence, prior studies have used the GDPR as a framework for privacy practice compliance reference (e.g. Akanfe et al., 2020a; Elluri et al., 2018; Linden et al., 2020).

Further, knowing that privacy policies of MWR apps are written in natural language with different content and features, we need to extract the essential features and keywords associated with each GDPR dimension (as discussed in Table 1) to examine their compliance with the GDPR. This enables us to determine if the privacy policy contains requirements expressed by the GDPR and identify potential compliance.

For determining compliance of privacy policies with the GDPR dimensions, we adopted an annotated dataset created by Wilson et al. (2016). This dataset utilized 115 diverse online privacy policies (referred to as OPP-115 corpus) and created a vocabulary of approximately 267,000 keywords and 27,000 data practices. Several studies have adopted this OPP-115 dataset for extracting important information from the privacy policies (Zimmeck et al., 2016; Harkous et al., 2018).

We used the annotated OPP-115 dataset for coding the presence of the GDPR dimensions within the privacy policies. Specifically, we adopted the vocabulary of OPP-115 relevant to the ten dimensions of GDPR. For example, one of the articles of the GDPR stipulates that “each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility,” and the record shall contain “the purpose of the processing and data recipient.” This statement specifies how, why, and when subject data should be included in records of processing activities. It corresponds to GDPR’s record data processing activities (DPA) dimension and OPP-115’s collection and use class. This similar process was performed to establish a loose mapping of the GDPR dimensions to the OPP-115 classes (see Table 2).

Table 2 – OPP-115 to GDPR Mapping.

| OPP-115 Dimension | GDPR Dimension | Mapping Reasoning |
| --- | --- | --- |
| Collection/use | Records of Data Processing Activities (DPA) | They both specify how, when and how service providers collect, record, use, and process subject data |
| Third-Party Sharing/Collection | General requirement for Third-party data transfer (TPD) | They specify how information should be shared with and transferred to affiliated parties. |
| Data Security | Data Protection Management System (PMS) | They state how user’s data should be protected or secured. |
| Data Retention Assessment | Data Protection Impact Assessment (PIA) | They stipulate how long users’ information can be stored and the measures to address risks of data loss/misuse |
| User Choice/Control | Data Subject Rights (DSR) | They specify that users have a choice, control, options, and comprehensive right against data processing |
| User Access, Edit & Deletion | Data Protection by default and design (PDD) | They specify user’s right against data processing entities which include how to access, edit or delete their data |
| Policy Change/Notification | Data Breach Notification (DBN) | They specify the time frame users will be informed about changes to the privacy policy and data breach. |
| Do Not Track | Technical and Organizational Measures (TOM) | They both specify the use of technical preference expression or common consent mechanism, which include Do Not Track signal for online tracking and advertising. |
| Introductory/Generic | Codes of Conduct & Certification (CCC) | They both specify the use of generics statements, which include the introduction of the policy, compliance with certified activities, etc. |
| Privacy Contact Information | Data Protection Contact Information (PCI) | They both specify details on how to contact the company which includes the use of contacts of data protection officer |

Table 3 provides a sample of OPP-115’s keywords relevant to the GDPR’s dimensions.

Table 3 – Sample of GDPR Keywords.

| Dimension | Keywords |
| --- | --- |
| DPA | use, service, download, collect, survey, improve, address |
| TPD | share, behalf, party, sell, third, advert, advertiser |
| PMS | secure, safeguard, encrypt, detect, prevent, subcribe, security |
| PDD | store, delete, record, remove, deletion, retain, database |
| DSR | disable, choice, agree, option, opt, edit, consent |
| PIA | signal, request, browser, profile, account, update, change |
| DBN | communicate, post, decide, notice, breach, time, change-privacy |
| TOM | firewall, server, technology, track, settings, signal, respond |
| CCC | disclose, promote, send, overview, conduct, application, explain |
| PCI | contact, feedback, staff, office, file, write, question |

Legend: DPA - Records of Data Processing Activities; TPD - General Requirement for Third Party Data Transfer; PMS - Data Protection Management System; PIA - Data Protection Impact Assessment; DSR - Data Subject Rights; PDD - Data Protection by Default and Design; DBN - Data Breach Notification; TOM - Technical and Organizational Measures; CCC - Codes of Conduct and Certification; PCI - Data Protection Contact Information.

9 https://gdpr-info.eu/art-4-gdpr/

3.2.2. Privacy compliance score using hit ratio

To determine the compliance of MWR privacy policies with standard regulations such as the GDPR, prior studies have determined scores using the presence of keywords (e.g., Harkous et al., 2018). For instance, the ‘hit ratio’ has been used for text retrieval and categorization and has been adopted in prior studies (e.g., Lapata and Keller, 2005; Snow et al., 2008). The hit ratio, in this context, represents the ratio of the number of the GDPR related keywords to the total number of words in each privacy policy for each GDPR dimension.

In this study, we obtain the privacy compliance score based on the presence of the GDPR keywords in each privacy policy of the MWR app. In other words, we used these keywords to create what is termed a ‘hit ratio’ in order to compute a compliance score for each GDPR dimension of the MWR app.

To calculate the hit ratios, we adopted Linguistic Inquiry and Word Count (LIWC) software. Using the keywords, we created separate GDPR dictionaries distinct from the default dictionaries in the LIWC and produced the percentage of hit for each GDPR dimension by MWR apps. Table 4 reports hit ratios associated with the privacy policy of sample MWR apps.

The selected sample in Table 4 includes MWR apps with the highest (nine) and lowest (ten) hit ratios from the corpus of privacy policies. The hit ratios in Table 4 help us to capture the compliance of MWR apps’ privacy policies with the GDPR dimensions. For instance, the hit ratios of PrabhuPAY Mobile Wallet app (in the second row of Table 4) show that 4.14% of its privacy policy focuses on data processing activities (DPA), 0.71% on third party data transfer (TPD), 4.57% on data protection impact assessment (PIA), etc.

In accordance with this, we estimate the mean values of the hit ratios for the GDPR dimensions for the MWR apps according to their countries of operation and provide the privacy compliance scores for each country. The dataset containing 353 MWR privacy policies was categorized into 42 distinct countries. These are the nations the MWR service providers designated as their countries of operation. The hit ratios of the MWR apps’ privacy policies in the respective country were averaged to determine the overall country data privacy compliance. To that end, the hit ratios for the GDPR dimension by MWR privacy policy were categorized into countries and averaged to determine the privacy compliance score for each country.

Table 5 shows the privacy compliance score for each GDPR dimension across sample countries. Among the entire dataset, the USA, UK, and India have the highest number of MWR apps operating from their respective countries. For illustration, we have selected a sample of countries from the entire 42 countries. For comparison and interpretation, countries are arranged according to the highest average values. In this case, the UK, Malaysia, Canada, and the Philippines are the top four countries with the highest average privacy compliance scores across the GDPR dimensions. At the same time, Nigeria, Saudi Arabia, Kenya, and UAE are the lowest four countries with average privacy compliance scores across the GDPR dimensions.

3.2.3. Country-Level privacy risk score

We derive the country-level privacy risk based on non-compliance of MWR privacy policies with the GDPR dimensions. It is important to note that since non-compliance is difficult to compute directly, we use a proxy, i.e., the complement of the compliance score. So, we take the complement of the compliance score to derive a score of non-compliance with the GDPR and aggregate it at the country level to create the country-level privacy risk index. The country-level privacy risk score is reported in Table 6.
We assume the privacy policies of different apps from an
individual country will share similar thematic structure. So, 3.2.4. Country-Level general risk indicators
the MWR apps’ privacy policies will reflect the privacy and In the modern digital economy, economic and social activi-
data protection practices of the countries they operate from. ties are exposed to many risks which usually hinder innova-
This is because companies across the globe have long used tions and create privacy risks (OECD, 2015). In this regard, we
privacy policy as a tool to reflect their data protection activi- obtained 12 country-level risk indicators (political and social
ties and ease the concerns of online users about their online attributes) for each country from the ICRG (see Table 7). We av-
privacy practices (Linden et al., 2020). eraged the risk indicators into a single general risk value for

Table 4 – Hit Ratios associated with Sample MWR Apps.

MWR APPs DPA TPD PMS PIA DSR PDD DBN TOM CCC PCI
WorldRemit money 4.27 0.73 4.44 4.67 5.79 0.34 0.67 1.18 0.96 0.79
PrabhuPAY - Mobile Wallet 4.14 0.71 4.35 4.57 5.72 0.65 0.71 1.31 0.93 0.65
Azimo Money Transfer 3.13 1.18 4.09 4.27 5.66 0.30 0.52 0.91 0.57 0.74
KMBmoney Remittance 3.09 1.12 3.99 4.29 5.58 0.34 0.51 0.86 0.56 0.73
Xe- money transfer 3.97 0.70 3.73 3.89 4.88 0.70 0.50 1.28 0.70 0.58
UK Asia Remit 2.41 1.13 3.68 3.68 4.25 0.64 0.50 1.42 0.71 1.77
Small World 2.38 1.13 4.99 5.33 4.99 0.23 0.23 0.00 0.11 0.34
TransferGo 1.97 0.71 3.69 3.91 4.62 0.30 0.45 2.05 0.56 1.02
Mobile Bitcoin Wallet 6.31 0.00 0.90 0.90 5.41 0.00 1.80 2.70 0.00 0.90
BOA Mobile Wallet 1.54 0.74 0.42 0.53 1.32 0.05 0.16 0.37 0.42 0.16
PNB Kitty 0.91 0.00 1.82 0.00 0.00 0.00 0.00 1.82 0.91 0.00
T Wallet 1.08 0.13 0.00 0.94 0.13 0.27 0.27 0.00 0.00 2.56
SunTrust Mobile App 0.75 0.00 1.26 1.01 1.51 0.00 0.00 0.00 0.00 0.50
EasyWallet 0.93 0.64 0.13 0.40 1.15 0.22 0.29 0.55 0.33 0.33
SunTrust Masterpass 1.06 0.00 0.71 0.71 1.06 0.35 0.35 0.00 0.00 0.71
U.S. Bank 1.37 0.00 1.37 0.00 0.68 0.00 0.00 0.00 0.00 1.37
Bitcoin Wallet 2.22 0.28 0.00 0.56 0.83 0.00 0.00 0.00 0.28 0.28
SnapScan 1.40 0.40 0.27 0.53 0.73 0.00 0.13 0.13 0.20 0.60
Coles Mobile Wallet 0.40 0.80 0.00 0.00 0.80 0.00 0.00 0.40 0.00 1.61

Legend: DPA - Records of Data Processing Activities; TPD - General Requirement for Third Party Data Transfer; PMS - Data Protection Management System; PIA - Data Protection Impact Assessment; DSR - Data Subject Rights; PDD - Data Protection by Default and Design; DBN - Data Breach Notification; TOM - Technical and Organizational Measures; CCC - Codes of Conduct and Certification; PCI - Data Protection Contact Information.
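
The scoring steps of Sections 3.2.2 and 3.2.3, as an added Python example (not the authors' code and not LIWC). The keyword lists, the two policy snippets and the country name are constructed, the stem matcher is a simplified stand-in for LIWC's dictionary lookup, and the complement "5 minus the mean score" is an inference: it reproduces the Table 6 values from the Table 5 rows embedded in the block.

```python
"""Hit-ratio compliance scoring and the country-level privacy risk complement."""
from collections import defaultdict
from statistics import mean
import re

# Constructed keyword lists for three of the ten GDPR dimensions (hypothetical;
# the paper's LIWC dictionaries are not reproduced on this page).
# A trailing "*" marks a word stem, as in LIWC dictionary files.
GDPR_DICT = {
    "DPA": ["collect*", "process*", "record*"],
    "TPD": ["third", "transfer*", "share*"],
    "DBN": ["breach*", "notif*"],
}

TOKEN_RE = re.compile(r"[a-z0-9']+")


def hit_ratios(policy_text, dictionary=GDPR_DICT):
    """Return {dimension: percentage of policy words matching its keywords}."""
    tokens = TOKEN_RE.findall(policy_text.lower())
    if not tokens:  # empty or non-text policy: nothing can match
        return {dim: 0.0 for dim in dictionary}
    ratios = {}
    for dim, keywords in dictionary.items():
        exact = {k for k in keywords if not k.endswith("*")}
        stems = tuple(k[:-1] for k in keywords if k.endswith("*"))
        hits = sum(1 for t in tokens if t in exact or t.startswith(stems))
        ratios[dim] = 100.0 * hits / len(tokens)
    return ratios


def country_scores(app_ratios):
    """Average per-app hit ratios by country of operation.

    app_ratios: iterable of (country, {dimension: hit ratio}) pairs.
    """
    grouped = defaultdict(lambda: defaultdict(list))
    for country, ratios in app_ratios:
        for dim, value in ratios.items():
            grouped[country][dim].append(value)
    return {c: {d: mean(v) for d, v in dims.items()} for c, dims in grouped.items()}


def privacy_risk(dimension_scores, ceiling=5.0):
    """Non-compliance proxy: complement of the mean compliance score.

    The ceiling of 5 is an inference from Tables 5 and 6, not a formula quoted
    from the paper; it only makes sense while every score stays below it.
    """
    if not dimension_scores:
        raise ValueError("no dimension scores supplied")
    if any(not 0.0 <= s <= ceiling for s in dimension_scores.values()):
        raise ValueError("compliance score outside 0..%g" % ceiling)
    return ceiling - mean(dimension_scores.values())


DIMS = ["DPA", "TPD", "PMS", "PIA", "DSR", "PDD", "DBN", "TOM", "CCC", "PCI"]
# Rows copied from Table 5 of the paper.
TABLE5 = {
    "UK":     [2.40, 1.10, 2.12, 2.15, 3.01, 0.46, 0.80, 0.90, 0.70, 0.88],
    "Canada": [2.99, 0.95, 1.33, 1.34, 1.92, 0.49, 0.95, 0.66, 0.79, 0.97],
    "UAE":    [2.01, 0.97, 0.79, 0.72, 1.36, 0.26, 0.44, 0.69, 0.51, 0.83],
}


def table6_from_table5():
    """Recompute the Table 6 privacy risk scores from the Table 5 rows above."""
    return {c: round(privacy_risk(dict(zip(DIMS, row))), 3) for c, row in TABLE5.items()}


# Two constructed policy snippets (ten words each) for a made-up country.
POLICY_A = "We collect and process payment data; breaches are notified promptly."
POLICY_B = "Data is shared with third parties only after transfer checks."

if __name__ == "__main__":
    per_app = [("Exampleland", hit_ratios(p)) for p in (POLICY_A, POLICY_B)]
    print(country_scores(per_app))
    print(table6_from_table5())
```

Short texts inflate hit ratios well past 5, which is why `privacy_risk` rejects out-of-range scores instead of returning a negative risk.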

Table 5 – Country-level Privacy Scores for GDPR Dimensions.

Country No Apps DPA TPD PMS PIA DSR PDD DBN TOM CCC PCI
UK 27 2.40 1.10 2.12 2.15 3.01 0.46 0.80 0.90 0.70 0.88
Malaysia 6 2.74 1.12 1.75 2.03 2.56 0.29 1.00 0.83 0.57 0.46
Canada 6 2.99 0.95 1.33 1.34 1.92 0.49 0.95 0.66 0.79 0.97
Philippines 11 2.00 0.74 1.81 1.60 2.49 0.44 0.55 1.08 0.66 0.93
Australia 8 2.68 0.59 1.69 1.95 2.16 0.38 0.54 0.92 0.56 0.72
USA 89 2.50 1.39 1.07 1.20 2.09 0.48 0.71 1.14 0.60 0.89
Hong Kong 3 2.00 1.04 1.81 1.69 2.26 0.22 0.47 0.28 0.61 0.47
China 4 2.88 1.18 0.68 0.97 1.67 0.25 0.81 0.70 0.60 0.75
India 45 2.51 0.99 0.94 0.91 1.51 0.24 0.85 0.78 0.73 0.48
Nigeria 5 2.01 0.83 0.84 0.92 1.27 0.37 0.55 1.51 0.56 0.92
Saudi Arabia 3 2.32 1.60 0.46 0.63 0.90 0.30 1.03 1.18 0.30 0.55
Kenya 3 1.72 0.77 0.68 0.80 1.55 0.55 0.69 0.81 0.55 1.11
UAE 7 2.01 0.97 0.79 0.72 1.36 0.26 0.44 0.69 0.51 0.83

Legend: DPA – Records of data processing activities; PIA – Data protection impact assessment; PDD – Data protection by default and design; TOM – Technical and organizational measures; DSR – Data subject rights; DBN – Data breach notification; PMS – Data protection management system; TPD – General requirement for third party data transfer; CCC – Codes of conduct and certification; PCI – Data protection contact information.

each country. Since all the privacy scores for the GDPR dimensions are below 5, we rescaled the risks’ values to 1–5, with 1 being the least risky country and 5 being the riskiest country. Table 8 reports country-level general risk scores for sample countries.

Table 6 – Country-level Privacy Risks Scores.

Country          Privacy Risks∗
UK               3.548
Malaysia         3.665
Canada           3.761
Philippines      3.770
Australia        3.781
USA              3.793
Hong Kong        3.915
China            3.951
India            4.006
Nigeria          4.022
Saudi Arabia     4.073
Kenya            4.077
UAE              4.142

∗ Privacy Risks values are rescaled to 1–5.

3.2.5. Country-Level risk framework
To ensure that the security measures and practices in place are appropriate to enhance the socioeconomic activities at stake, risks should be assessed in a comprehensive manner (OECD, 2016). This will aid an informed decision-making process and policy recommendations. Our goal is to examine the country-level privacy risk scores and general risk indicators in order to design a framework that assesses the risk at the country level. The framework will help policymakers in providing guidelines on how countries can take into account their risk scores against benchmarks for planning purposes. We provide graphical illustrations to compare high privacy risk countries with low privacy risk countries at low or high levels of general risk and draw out conclusions that can be used for informed policy recommendations.
As shown in Fig. 1, we have indicated the general risks extracted from the ICRG risk along the x-axis and privacy risk scores on the y-axis. As we see, some countries such as the USA, Canada, Australia, and the UK show relatively low scores in general risks and privacy risk. Whereas some other countries, such as Nigeria, China, and Kenya, with relatively high general risk scores, still show relatively high scores in privacy risks. Countries such as Saudi Arabia, India, Malaysia, and Hong Kong, with relatively low and average scores concerning their general risks, have relatively high scores in their privacy risks. Generally, countries need to conduct multiple risk assessments and also consider the contributing factors to the privacy risks within their regions. Although the countries show relatively high scores in their privacy risks overall, they could be more focused on some aspects of the privacy regulation requirements than the others. Hence, we compare the privacy risks for each GDPR dimension against the general risks (see Fig. 2).

Fig. 1 – Country-level Risk Framework.

As shown in Fig. 2, some countries such as Canada, USA, Australia, and the UK show relatively low general risks and variations in their privacy risks across different GDPR dimensions. These countries show relatively low scores in general risks and also show relatively low privacy risk scores in the data processing activities (DPA) dimension. However, the same countries show relatively high scores in their privacy risks in the technical and organizational measures (TOM) and third-party data transfer (TPD) dimensions. Some other countries, such as Malaysia, Hong Kong, and the Philippines, show variations in their general risks and relatively low privacy risk scores in the data subject rights (DSR) dimension. Yet other countries such as Nigeria, Kenya, China, and India show relatively high scores in both privacy risks and general risks across all the GDPR dimensions. Thus, any country that wishes to benchmark itself against aspirant or other peer countries can do so using the above framework and also consider different dimensions of privacy risk in its risk assessment. In addition, it serves as a framework to guide a dialog on privacy risks concerning DPS and allows countries to put a spotlight on the risks that affect them the most.
The framework can be utilized as a visual and descriptive dashboard for evaluating the preparedness of digital payment corporations and government authorities concerning the impending country-level privacy risks. Thus, it can help in national policies aimed at creating awareness of privacy risk, and guide countries in carrying out plans to prevent any adverse impacts of the risks.

4. Discussion and implications
In line with the report of OECD (2016), governments, regulators, and policy advocates need to enhance their countries’ data privacy and protection practices to reduce risks of data misuse and ultimately regain the trust of both their citizens and other international communities.
Considering that the GDPR coverage also affects companies outside of the EU that collect, process data, and whose international activities may impact the privacy rights of the EU residents, this study suggests that it is incumbent upon the non-EU nations to adopt privacy and protection practices that not only support the GDPR’s requirements but also enhance their privacy risk management activities. This will help prevent hefty fines and compliance investigation concerning data

Fig. 2 – Country-level Risk Framework with various Dimensions of Privacy Risk.



Table 7 – Risk Indicators.

Risk Components              Descriptions
Internal Conflicts           This evaluates the political violence in the country and its impact on governance (both actual and potential).
Government Stability         This assesses the government’s ability to execute its program(s) and remain in office. It evaluates government unity, legislative strength, and popular support.
Socioeconomic Condition      This assesses socioeconomic pressures in the country that limit government activities or create social dissatisfaction. It evaluates unemployment, consumer confidence, and poverty situations.
Investment Profile           This includes the risk of investment in a country that is not covered by other political, economic, and financial risk components. It includes contract viability/expropriation, profits repatriation, and payment delays.
External Conflict            This is the risk to the incumbent government from foreign action, ranging from non-violent external pressure to violent external pressure. It considers war, international conflicts, and foreign pressures.
Corruption                   It evaluates the corruption within the political system, which includes bribes connected with import and export licenses, exchange controls, tax assessments, police protection, or loans.
Military in Politics         It considers the threat of military take-over of an elected government to change policy or cause its replacement by another government.
Religious Tension            This considers the suppression of religious freedom and the desire of a religious group to express its own identity, separate from the country as a whole.
Law and Order                The risk variable considers the strength and impartiality of the legal system and observance of the law within the country.
Ethnic Tension               This assesses the degree of tension within a country that is attributable to racial, nationality, or language divisions.
Democratic Accountability    This measures government responsiveness to its people and the peaceful democratic society.
Bureaucratic Quality         This considers the country’s bureaucratic power and the capability to govern without drastic revision to the institutional policy.

Table 8 – Average of Country-level General Risk Indicators.

Country          Risks∗
Canada           1.98
Australia        2.06
USA              2.07
UK               2.09
Hong Kong        2.32
UAE              2.36
Malaysia         2.58
Saudi Arabia     2.73
Philippines      2.79
India            2.82
Kenya            3.01
China            3.09
Nigeria          3.47

∗ ICRG Risks values are rescaled to 1–5 and reverse coded.

processing activities. We believe that our data-driven analysis in this study will help policymakers to: 1) draw out guidelines that support data privacy and compliance with GDPR provisions and 2) assess the data privacy practices of the MWR service providers to enhance their privacy protection strategies. Besides, the analysis can help enhance awareness, at the national level, of the danger of non-compliance with data privacy regulations and the impacts on the country’s reputation. According to the Global Risks Report by the World Economic Forum, data theft or misuse is ranked the fourth highest in terms of likelihood of occurrence.[10] Countries, especially the developed nations, having recognized the significant impact that incidents of data misuse can have on their citizens and their socioeconomic activities, have started adopting comprehensive regulations. Canada passed the Personal Information Protection and Electronic Documents Act (PIPEDA) to help mitigate risks companies encounter from the data security practices of any third parties they do business with. This step taken by Canada, for instance, is beginning to be reflected in the digital entities operating from the country. From the graphs above, although Canada shows relatively high privacy risks in a GDPR dimension like TPD, its DPA shows low scores in both privacy risks and general risks (i.e., Canada is more compliant with the data processing regulation in this regard).
The data analysis and presentation of the GDPR privacy compliance scores, privacy risk scores, and country-level general risk scores will help consumers understand the risks of conducting transactions in the current digital world and also help financial investors make an informed decision. While our datasets represent only a portion of the online privacy policies of digital business entities across multiple countries, the analysis still allows us to argue that the GDPR can be used as a tool to assess the privacy compliance of a country and ultimately reduce the privacy concerns of consumers.

[10] http://www.rmmagazine.com/2018/12/03/global-regulation-landscape-data-protection-in-2018/

Conclusion
This paper performs an analysis of the MWR apps’ privacy policies to evaluate their compliance with the requirements of the GDPR in order to assess the country-level privacy risks.
It assesses the country-level risks and the GDPR impacts on DPS. It theoretically and practically contributes to the methodology of policy text classification and provides a quick-view assessment for digital business entities on privacy regulatory compliance practices and country-level risks. The study can help policymakers and digital business entities in making informed financial and trade decisions as it assesses the privacy compliance and the privacy risk at the country level.
The theoretical contribution of this study to the literature on DPS, privacy policy, and regulatory compliance is as follows: It contributes to the methodology for analyzing DPS privacy policies by extracting essential text features and conducting text categorization. This study examined the core dimensions of the GDPR, utilized a data vocabulary in deriving relevant dimensions across the corpus of privacy policies, and then provided scores to the MWR and GDPR dimensions. Our approach demonstrates applicable methods for assessing privacy policies that are different from the traditionally used survey inquiry techniques known for assessing such privacy policies.
The study is a data-driven analysis that reflects the content richness or deficiency of the MWR privacy policies against the GDPR. Hence, this study provides practical contributions in two aspects: (1) it provides MWR practitioners the step-by-step basis to evaluate the compliance of their privacy policy with GDPR provisions and (2) the hit-ratio analysis serves as a quick-view assessment for digital business entities on privacy regulatory compliance practices, and consumers on country-level risks assessment when dealing with lengthy privacy policies. The assessment allows for comparison among different countries concerning the provisions of GDPR. This is an objective measurement that companies can adopt to instantly assess their privacy policies.
The limitations of our work can be traced to the scope of the analysis. First, we concentrated on the privacy policies of the MWR service component of the DPS. The DPS represents an umbrella term for many digital payment instruments. Hence, strong research efforts should be exerted on analyzing the data privacy and protection activities of other payment instruments within the DPS context. A further study focusing on the combination of many DPS instruments may help understand the different privacy risks and their contributing factors concerning data processing regulation and privacy protection compliance. Secondly, this study did not consider assessing the technology (i.e. hardware and software) features of the MWR apps. A data privacy and protection-enforcing DPS entity should have a strong privacy-enhancing technology feature embedded in its application. Additional case study research is required to substantiate the MWR apps’ privacy statements with their pragmatic methods of enforcing such data privacy and protection requirements.
Lastly, we acknowledge there may be issues concerning differences in the regulatory environment of the non-EU countries that may impact the design of the country-level privacy risks assessment. Although the GDPR has a global influence, further research is needed to understand the role of each nation’s regulation and its impact on their data privacy and protection practices.

Declaration of Competing Interest
None.

CRediT authorship contribution statement
Oluwafemi Akanfe: Writing - original draft, Data curation, Methodology, Software. Rohit Valecha: Writing - review & editing, Visualization, Investigation. H. Raghav Rao: Conceptualization, Supervision, Validation.

Acknowledgement
We would like to thank the attendees of the 2019 Dewald Roode Workshop on Information Systems Security research held at Bossier City, Louisiana, for their valuable comments and suggestions. We thank the guest editor and the review team for their critical comments that have greatly improved the paper.

References

Agarwal S, Steyskal S, Antunovic F, Kirrane S. Legislative compliance assessment: framework, model, and GDPR instantiation. In: Annual Privacy Forum. Springer; 2018. p. 131–49.
Aïmeur E, Lawani O, Dalkir K. When changing the look of privacy policies affects user trust: an experimental study. Comput Human Behav 2016;58:368–79.
Akanfe O, Valecha R, Rao HR. Design of a Compliance Index for Privacy Policies: a Study of Mobile Wallet and Remittance Services. In: IEEE Transactions on Engineering Management, 2020a. doi: 10.1109/TEM.2020.3015222.
Akanfe O, Valecha R, Rao HR. Design of an Inclusive Financial Privacy Index (INF-PIE): a Financial Privacy and Digital Financial Inclusion Perspective. In: ACM J. Trans. Mgt. Inf. Syst. Special issue on Analytics for Cybersecurity and Privacy; 2020b. p. 20 June 2020, forthcoming.
Barnes SJ, Pressey AD, Scornavacca E. Mobile ubiquity: understanding the relationship between cognitive absorption, smartphone addiction, and social network services. Comput Human Behav 2019;90:246–58.
Center for Information Policy Leadership [CIPL] (2016). Risk, High Risk, Risk Assessments, and Data Protection Impacts Assessments under GDPR: CIPL GDPR Interpretation and Implementation Reports. Retrieved from https://iapp.org/media/pdf/resource_center/cipl_gdpr_risk_21_dec_2016.pdf (Accessed on April 1, 2020)
Daştan İ, Gürler C. Factors affecting the adoption of mobile payment systems: an empirical analysis. EMAJ: Emerg. Mark. J. 2016;6(1):17–24.
Deloitte. Future of Risk in the Digital Era. Transformative Change and Disruptive risk 2019. Retrieved from https://www2.deloitte.com/content/dam/Deloitte/us/Documents/finance/us-rfa-future-of-risk-in-the-digital-era-report.pdf (Accessed on August 29, 2020).
Diniz EH, Siqueira ES, van Heck E. In: Annual Workshop of the AIS SIG for ICT in Global Development. Taxonomy for understanding digital community currencies: digital payment platforms and virtual community feelings; 2016.
Dumas B. A test of the international CAPM using business cycles indicators as instrumental variables. In: The internationalization of equity markets. University of Chicago Press; 1994. p. 23–58.
Elluri L, Nagar A, Joshi KP. An integrated knowledge graph to automate gdpr and pci dss compliance. In: 2018 IEEE International Conference on Big Data (Big Data). IEEE; 2018. p. 1266–71.
Erb CB, Harvey CR, Viskanta TE. Political risk, economic risk, and financial risk. Financ. Anal. J. 1996;52(6):29–46.
Ernst and Young [EY] (2018). In a Digital World, Do You Know Where Your Risks Are? Retrieved from: https://assets.ey.com/content/dam/ey-sites/ey-com/en_gl/topics/digital/EY-In-a-digital-world-do-you-know-where-your-risks-are-sa-final.pdf (Accessed on April 1, 2020)
Fefer RF. Data Flows, Online Privacy, and Trade Policy. CRS Report 2019:45584.
Garber J. GDPR–compliance nightmare or business opportunity? Computer Fraud & Secur. 2018;2018(6):14–15.
Harkous H, Fawaz K, Lebret R, Schaub F, Shin KG, Aberer K. Polisis: automated analysis and presentation of privacy policies using deep learning. In: 27th USENIX Security Symposium (USENIX Security 18); 2018. p. 531–48.
Hoofnagle, C.J., Urban, J.M., and Li, S. (2012). Mobile payments: consumer benefits & new privacy concerns. Available at SSRN 2045580.
Hoti S, McAleer M. An empirical assessment of country risk ratings and associated models. J Econ Surv 2004;18(4):539–88.
Howell LD. International country risk guide methodology. East Syracuse, NY: PRS Group 2011.
Hiller JS, Russell RS. Privacy in crises: the NIST privacy framework. J. Conting. Crisis Management 2017;25(1):31–8.
Ingley C, Wells P. GDPR: governance Implications for Regimes outside the EU. In: Proceedings of the European Conference on Management, Leadership & Governance; 2018. p. 105–13.
Johnson VL, Kiser A, Washington R, Torres R. Limitations to the rapid adoption of M-payment services: understanding the impact of privacy risk on M-Payment services. Comput Human Behav 2018;79:111–22.
Kaminski, M.E., and Malgieri, G. (2019). Algorithmic Impact Assessments under the GDPR: producing Multi-layered Explanations. Available at SSRN 3456224.
Kokolakis S. Privacy attitudes and privacy behaviour: a review of current research on the privacy paradox phenomenon. Computers & security 2017;64:122–34.
Lapata M, Keller F. Web-based models for natural language processing. ACM Transactions on Speech and Language Processing (TSLP) 2005;2(1) 3-es.
Li H, Yu L, He W. The Impact of GDPR on Global Technology Development. J. Global Inf. Technol. Management 2019;22(1):1–6. doi:10.1080/1097198X.2019.1569186.
Linden T, Khandelwal R, Harkous H, Fawaz K. The privacy policy landscape after the GDPR. Proc. on Priv. Enhanc. Technol. 2020;2020(1):47–64.
Meldrum D. Country risk and foreign direct investment. Bus. Econ. 2000;35(1):33–40.
Murtaza MB. Fuzzy-AHP application to country risk assessment. American Business Review 2003;21(2):109.
Oetzel JM, Bettis RA, Zenner M. Country risk measures: how risky are they? J World Bus. 2001;36(2):128–45.
Organization for Economic Co-Operation and Development [OECD] (2006). Report on The Cross-Border Enforcement of Privacy Laws. Retrieved from: http://www.oecd.org/sti/ieconomy/37558845.pdf (Accessed on April 1, 2020)
Organization of Economic Co-operation and Development [OECD] (2015) Digital Economy Outlook, OECD Publishing, Paris. Retrieved from: https://www.oecd-ilibrary.org/science-and-technology/oecd-digital-economy-outlook-2015_9789264232440-en (Accessed on April 1, 2020)
Organization of Economic Co-operation and Development [OECD] (2016). Management of Digital Security and Privacy Risk. Working Party on Security and Privacy in the Digital Economy. Background report for Ministerial Panel 3.2 _ DSTI/ICCP/REG(2016)1/FINAL. Retrieved from: http://www.oecd.org/officialdocuments/publicdisplaydocumentpdf/?cote=DSTI/ICCP/REG(2016)1/FINAL&docLanguage=En (Accessed on August 25, 2020)
Pantlin N, Wiseman C, Everett M. Supply chain arrangements: the ABC to GDPR compliance—A spotlight on emerging market practice in supplier contracts in light of the GDPR. Computer law & Secur. rev. 2018;34(4):881–5.
Paul N, Tesfay WB, Kipker DK, Stelter M, Pape S. Assessing Privacy Policies of Internet of Things Services. In: IFIP International Conference on ICT Systems Security and Privacy Protection. Springer; 2018. p. 156–69.
Qin Z, Sun J, Wahaballa A, Zheng W, Xiong H, Qin Z. A secure and privacy-preserving mobile wallet with outsourced verification in cloud computing. Computer Standards & Interfaces 2017;54:55–60.
Renaud K, Shepherd LA. How to make privacy policies both GDPR-compliant and usable. In: 2018 International Conference On Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA). IEEE; 2018. p. 1–8.
Sen R, Borle S. Estimating the contextual risk of data breach: an empirical approach. J Management Inf. Sys. 2015;32(2):314–41.
Snow R, O’connor B, Jurafsky D, Ng AY. Cheap and fast–but is it good? evaluating non-expert annotations for natural language tasks. In: Proceedings of the 2008 conference on empirical methods in natural language processing; 2008. p. 254–63.
Somerville RA, Taffler RJ. Banker judgement versus formal forecasting models: the case of country risk assessment. J Bank Financ 1995;19(2):281–97.
Truong NB, Sun K, Lee GM, Guo Y. Gdpr-compliant personal data management: a blockchain-based solution. IEEE Trans. on Inf. Forensics and Security 2019;15:1746–61.
Voigt P, Von dem Bussche A. In: A Practical Guide. The eu general data protection regulation (gdpr). 1st Ed. Cham: Springer International Publishing; 2017.
Wagner J. The transfer of personal data to third countries under the GDPR: when does a recipient country provide an adequate level of protection? Int. Data Privacy Law 2018.
Wilson S, Schaub F, Dara AA, Liu F, Cherivirala S, Leon PG, Norton TB. The creation and analysis of a website privacy policy corpus. In: Proceedings of the 54th Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers); 2016. p. 1330–40.
World Economic Forum [WEF] (2019). Global Risks Reports: 14th edition. Retrieved from: http://www3.weforum.org/docs/WEF_Global_Risks_Report_2019.pdf (Accessed on April 1, 2020)
Zimmeck S, Wang Z, Zou L, Iyengar R, Liu B, Schaub F, Reidenberg J. In: 2016 AAAI Fall Symposium Series. Automated analysis of privacy requirements for mobile apps; 2016.

Oluwafemi Akanfe (UTSA) is a Ph.D. student in the Department of Information Systems and Cyber Security. His research interests include the area of digital payment systems, privacy and security issues, information assurance, privacy regulations and compliance, natural language processing, among other domains. His research is available online or forthcoming in journal avenues, including IEEE Transactions on Engineering Management and ACM Transactions on Management Information Systems, and has appeared in proceedings of Americas Conference on Information Systems (AMCIS) and International Federation for Information Processing (IFIP). He is currently involved in multiple projects that include leveraging digital technologies to enhance privacy compliance, policy regulations, digital payment security, digital financial inclusion, among others.

Rohit Valecha (UTSA) is an assistant professor in the Department of Information Systems and Cyber Security. He has prior work experience in the digital ecosystem and value chain and mobile payment systems. He is involved in designing a certificate program in Digital Pathogens for undergraduate students in biology, information systems, and cyber security, computer science, and computer engineering disciplines to apply digital threat identification, propagation prediction, and mitigation to biological threats. His research interests include social media, information technology, and system design, crisis response management systems, security, and privacy. His research has been published in the ACM Transactions on Management Information Systems, Information Systems Frontiers, and Journal of the Association for Information Systems. He has also taught courses in informatics, digital systems, data analytics, and network security.

H. Raghav Rao (UTSA) is an AT&T Distinguished Chair in infrastructure assurance and Security and Professor in the Department of Information Systems and Cybersecurity. He also has a courtesy appointment as a full professor in the Computer Science department, UTSA. His research interests include information assurance, emergency response, computer security issues (e.g. insider threats, phishing, and data breaches), and digital payment systems privacy. His research has been published in the Journal of Management Information Systems, Information Systems Research, MIS Quarterly, Journal of the Association of Information Systems, among others. In addition, as part of the GIAN expert program hosted by the government of India, he has contributed to an educational initiative in digital payment systems that touches on financial inclusion as well as important information assurance issues. In 2016, he received the prestigious Information Systems Society Distinguished Fellow Award for outstanding intellectual contributions to the information systems discipline.
