This article considers the purchasing of hacking technology by governments and the role of government procurement processes in regulating the hacking market and reducing risks to the buyer. While the proliferation of hacking technology for government actors has led to various proposed solutions for accountability, little consideration has been given to public purchasing of this technology. This article explores whether public contracting processes could be used to help minimize the risks that arise from the use of government hacking technology, and, if so, the types of contractual clauses and institutional supports that might be useful to achieve that goal. In exploring this issue, this article considers theories of government by contract and the publicization of the private sector. These theories posit that public contracting can be used as a vehicle to impose public considerations—for example, certain policy goals—on the private sector. It argues that requirements of transparency and accountability that inhere on the public sector could be transferred in part to the private sector through the vehicle of a public contract and explores how public contracts for government hacking technology could be structured in order to reduce risks posed by the use of this technology.
Keywords: Hacking | Law | Surveillance | Technology | Procurement | Contracts

A series of recent developments highlight the increasingly important role of online platforms in impacting data privacy in today’s digital economy. Revelations and parliamentary hearings about privacy violations in Facebook’s app and service partner ecosystem, EU Court of Justice judgments on joint responsibility of platforms and platform users, and the rise of smartphone app ecosystems where app behaviour is governed by app distribution platforms and operating systems, all show that platform policies can make or break the enjoyment of privacy by users. In this article, we examine these developments and explore the question of what can and should be the role of platforms in protecting data privacy of their users. The article first distinguishes the different roles that platforms can have in ensuring respect for data privacy in relevant ecosystems. These roles include governing access to data, design of relevant interfaces and privacy mechanisms, setting of legal and technical standards, policing behaviour of the platform’s (business) users, coordinating responsibility for privacy issues between platform users and the platform, and direct and indirect enforcement of a platform’s data privacy standards on relevant players. At a higher level, platforms can also perform a role by translating different international regulatory requirements into platform policies, thereby facilitating compliance of apps in different regulatory environments. And in all of this, platforms are striking a balance between ensuring the respect for data privacy in data-driven environments on the one hand and optimization of the value and business opportunities connected to the platform and underlying data for users of the platform on the other hand.
After this analysis of platforms’ roles in protecting privacy, the article turns to the question of what should this role be and how to better integrate platforms in the current legal frameworks for data privacy in Europe and the US. The article will argue for a compromise between direct regulation of platforms and mere self-regulation, in arguing that platforms should be required to make official disclosures about their privacy-related policies and practices for their respective ecosystems. These disclosures should include statements about relevant conditions for access to data and the platform, the platform’s standards with respect to privacy and the way in which these standards ensure or facilitate compliance with existing legal frameworks by platform users, and statements with respect to the risks of abuse of different data sources and platform tools and actions taken to prevent or police such abuses. We argue that such integration of platforms in current regulatory frameworks is both feasible and desirable. It would make the role that platforms already have in practice more explicit. This would help to highlight best practices, create more accountability and could save significant regulatory and compliance resources in bringing relevant information together in one place. In addition, it could provide clarity for business users of platforms, who are now sometimes confronted with restrictive decisions by platforms in ways that lack transparency and oversight.
Keywords: Online platforms | Smartphones | Data protection | Privacy | Regulation | Disclosures

By imposing a market like governance and directing entrepreneurs towards professional management, debt, and especially business debt, can serve as a reliable signal for outside equity investors. Such signals of firm accountability can alleviate the stringent information asymmetry at the early stages of the firm, and become stronger for bank business debt, in the presence of personal debt, and in high capital industries. Using the Kauffman Firm Survey, we find evidence consistent with our hypotheses. Outside investors can rely on the governance role of debt and its underpinnings such as the bank-firm relationship. We also corroborate that young firms tend to focus on growth rather than profitability.
Keywords: Governance | Entrepreneurship | Financing | Information asymmetry | Debt | Equity

Even though we have gotten better at meeting the iron triangle of cost, time, and scope, many projects sti l l do not achieve the strategic benefitsdespecially those that are nonmonetaryddesired in most contemporary projects. Given that no one is specifically accountable for delivering these benefits, it should be no surprise that these projects are largely unsuccessful. We consider multiple possible candidates for this role of accountabilitydthe CEO, the project manager, the sponsor, and the program managerdand find none of them acceptable, thereby necessitating the formalization of a new role: a project owner. The project owner would be accountable for delivering the strategic benefits desired from each project. In this article, we describe the responsibilities of the project owner at each phase of the project, the sources for candidates to fulfill this role, and the training needed for project owners to find success. We conclude with a case study of an organization that has taken this route and discuss the advantages and challenges that resulted from its strategic organizational change initiative.
KEYWORDS : Project management | Organizational change | Project manager | Project success | Project owner | Project lifecycle | management

This article examines the two major international data transfer schemes in existence today – the European Union (EU) model which at present is effectively the General Data Protection Regulation (GDPR), and the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules system (CBPR), in the context of the Internet of Things (IoT). While IoT data ostensibly relates to things i.e. products and services, it impacts individ- uals and their data protection and privacy rights, and raises compliance issues for corpora- tions especially in relation to international data flows. The GDPR regulates the processing of personal data of individuals who are EU data subjects including cross border data trans- fers. As an EU Regulation, the GDPR applies directly as law to EU member nations. The GDPR also has extensive extraterritorial provisions that apply to processing of personal data outside the EU regardless of place of incorporation and geographical area of operation of the data controller/ processor. There are a number of ways that the GDPR enables lawful international transfer of personal data including schemes that are broadly similar to APEC CBPR. APEC CBPR is the other major regional framework regulating transfer of personal data between APEC member nations. It is essentially a voluntary accountability scheme that initially requires acceptance at country level, followed by independent certification by an accountability agent of the organization wishing to join the scheme. APEC CBPR is viewed by many in the United States of America (US) as preferable to the EU approach because CBPR is considered more conducive to business than its counterpart schemes under the GDPR, and therefore is regarded as the scheme most likely to prevail. While there are broad areas of similarity between the EU and APEC approaches to data protection in the context of cross border data transfer, there are also substantial differences. This paper considers the similarities and major differences, and the overall suitability of the two models for the era of the Internet of Things (IoT) in which large amounts of personal data are processed on an on-going basis from connected devices around the world. This is the first time the APEC and GDPR cross-border data schemes have been compared in this way. The paper concludes with the author expressing a view as to which scheme is likely to set the global standard
Keywords: IoT data | GDPR | CBPR | transborder data flows | data protection | privacy | global standard