Polish Privacy Media Discourse: Privacy as Imposed Policies

In this article we look at the Polish media discourse on privacy. In the analysis, we draw on theoretical approaches that understand privacy as having four dimensions: relational, participatory, contextual, and technological. Moreover, we seek whether a specific norm of data-related privacy could be defined/redefined within the discourse. Considering the postcommunist past that shapes a specific approach to surveillance and the general polarisation of polish media discourse, one would expect the key role of privacy issues in the public sphere. Thus, applying a critical discourse studies analysis, the aim was to capture the character of the so far under-researched privacy in Polish media discourse. We study what types of institutional agents are mentioned as creating privacy policies and what dimensions of privacy they tackle. Moreover, we also try to capture whether the institutional position offers a specific normative understanding of privacy and whether this norm is citizen/user-oriented. The results of the study indicate that: both the media discourse and the normative content of privacy policies are dominated by legal aspects concerned with the issues resulting from EU regulations (i.e., General Data Protection Regulation); privacy policies are institutionally dispersed and monopolised by journalists and experts instead of state officials or politicians; and there is only limited evidence of a discursive frame of a citizen-oriented norm of how to protect data-related privacy.


Introduction
The implementation of the General Data Protection Regulation (GDPR) in mid-2018 triggered a Polish media discourse on privacy and animated the first Polish discussion on data protection. The Polish case can be considered as intriguing given its unique historical and contemporary political contexts. Post-communist countries have a sole approach to some privacy issues, for example surveillance. They are also more likely to show general anxiety, which corresponds to increased surveillance concerns (Svenonius & Björklund, 2018). Given this, it might be expected that the issue of pri-vacy would be a particularly salient one Poland, but it was mainly neglected for the last three decades. At the same time, Polish society faces the development of privacy-invasive institutional practices and their consequences for the public. Contemporary political changes in Poland after the electoral victory of conservative and anti-European parties lead to introduction of new surveillance (i.e., the Pegasus surveillance system). Moreover, development of political microtargeting based on users' data resulted in advanced usage of disinformation tools in political campaigns in Poland (Gorwa, 2017). Although the development of privacy-invasive politics and technologies in Poland was tackled in terms of surveillance (Centrum Badania Opinii Społecznej, 2016;Sojka, 2013;Szumańska, Klicki, Niklas, Szymielewicz, & Walkowiak, 2016) or online security (Centrum Badania Opinii Społecznej, 2018) there is limited, up-to-date, and rigorous research output that captures these issues.
On the academic level, there is no comprehensive research on the nature of Polish media discourses on privacy. Only partially, privacy and surveillance were analysed by Möller and Nowak (2018b) in terms of privacy-oriented media practices of civil society agents, by Ptaszek (2018) who studied attitudes and knowledge on surveillance and privacy among adolescents, or by Svenonius and Björklund (2018) who comparatively explored the attitudes to surveillance in post-communist societies. However, privacy-related issues are underresearched when it comes to discourse studies. To fill this gap, this article aims to analyse the character of contemporary privacy media discourse in Poland. We study what privacy dimensions are tackled by particular types of institutional agents promoting privacy policies in the media discourse. Moreover, we try to capture whether the discourse reflects a specific normative understanding of privacy and whether this norm is citizen/user-oriented. By that, we expect to see whether a specific privacy dimensions and agents framed in the discourse enhance normatively citizens and users or, on the contrary, reinforces inequality and imbalance where state actors and tech companies build the privacy-invasive norm. To do so, we have designed a research framework that follows Nissenbaum's (2010) idea of contextual integrity that understands privacy as being contextual and having a normative element. Based on this, we attempt to ascertain whether norms of data-related privacy can be (re)defined in the discourse. Moreover, we implement Nowak (2018a, 2018b) take in which theoretical approaches to privacy are considered as four dimensional: Contextual, relational, participatory, and technological.

Theoretical Framework
Our theoretical approach uses the discursive analysis to track the character of Polish media discourse on privacy. We understand discourse as a form of communicative social practice. In other words, "texts, as forms of interaction, are seen as discursive practices, and these discursive practices are also social practices" (Bennett, 2018). It means that the discourse reaches above the level of language. It is rather a "a two-way relationship between a particular discursive event and the situation(s), institution(s) and social structure(s), which frame it: the discursive event is shaped by them, but it also shapes them" (Unger, Wodak, & KhosraviNik, 2016, p. 907). In the context of this article, this means that the social institutions 'think' and 'act' according to how they 'speak' about it. Hence, tracking the privacy dimensions in the media discourse allows for analysis of the understandings of privacy in relation to institutional actors putting them forward available in the Polish public debate.
In general, the Polish political discourse can be captured with three most distinctive features. The first one is polarisation, where the discourse re-creates political divisions and frames the oppositional camps (Balczyńska-Kosman, 2013) and ideological conflicts (Czyżewski, Kowalski, & Piotrowski, 2010). The second concerns negativity and emotionality, where institutional actors frame particular political issues in terms of negative labelling of the opponents (Balczyńska-Kosman, 2013). The third is the media-orientation, where media shape the political discourse due to specific priming and framing (Balczyńska-Kosman, 2013). Thus, the question rises if the discourse on privacy also follows such characteristic? Especially when we compare it to Germany where the issues of privacy are addressed in terms of criticizing the current level of privacy and the need of enhancing it (cf. von Pape, Trepte, & Mothes, 2017) or normalization of surveillance technology (Meissner & von Nordheim, 2018).
As a starting point in seeking traces of privacy in the discourse, we apply the Nissenbaum's idea of contextual integrity (2010) and multi-dimensional composition of privacy proposed by Möller and Nowak (2018a). Thus, we use the approach where privacy is characterised by five dimensions: Contextual, normative, relational, participatory, and technological.
Firstly, privacy is contextual and as such must be situated and researched in specific contexts. Nissenbaum introduces the notion of contextual integrity that: Provides a rigorous, substantive account of factors determining when people will perceive new information technologies and systems as threats to privacy; it not only predicts how people will react to such systems but also formulates an approach to evaluating these systems and prescribing legitimate responses to them. (Nissenbaum, 2010, p. 2) Thus, privacy depends on and constitutes social norms, resources, rules, and cultural arrangements that may substantially differ from one society to another. For example, when considering technology as a threat to privacy, this is contextual and has to be perceived whilst taking multiple variables into account (including cultural, historical, and even geographical). Yet, according to Nissenbaum (2010, p. 11), the framework of contextual integrity fits "to model peoples' reactions to troubling technology-based systems and practices as well as to formulate normative guidelines for policy, action, and design." Thus, concerning Polish historical and contemporary privacy-invasive politics, the way in which discourse on privacy is framed may shed more light on how the particular contexts effect or model the privacy policy addressed by institutions.
Secondly, privacy is normative. Thus, a normative approach to privacy attempts to capture whether a specific norm of data-related privacy is present within the media discourse. Drilling down, a more specific question is whether this norm is citizen-oriented or not. Both Möller and Nowak's (2018a), and Nissenbaum's (2010) frameworks are practice-oriented and dwell on the idea that users are able to respond to the surveillance using media technologies. Or, to fine tune it slightly, how people should take care of their privacy and data protection while they use communication technologies. This is especially germane to the Polish media discourse case, where data protection and privacy are relatively new phenomena. Indeed, the GDPR's introduction launched the first major national discussion on privacy, not only by prescribing some legal norms but also by exposing the category of 'privacy' in the discourse, making it visible and discussed in society. Möller and Nowak (2018a), who draw on Nissenbaum's approach, aside from contextual privacy, list three other dimensions: relational, participatory, and technological. Thus, thirdly, relational privacy concerns the relationship between people, the information they produce and the third parties that manage the information. Understood in such a way, privacy depends on the place of the individual (or institution) in relation to the level of privacy and openness one wants to preserve within communication processes in society (cf. Westin, 2015). Concerning the media discourse, this dimension allows observing how the discourse manifests the relations between society shaped by post-communist experiences and the state that conducts a privacy-invasive politics. The relational dimension regarding privacy in the Polish discourse is also important since Poles believe that data sharing is non-alternative and data protection is becoming a very important issue for citizens (European Commission, 2015). Thus, regarding the state's politics, one would expect the media discourse to refrain citizenoriented relation in order to protect people's privacy.
Fourthly, privacy is participatory, which means that the actual privacy practices presume the active participation of individuals in the process of setting the privacy. This dimension, on the one hand, allows for tracing the media discourse in Poland in terms of privacy as a bottomup perspective when it is actively implemented in the everyday media practices of users (Kubitschko, 2018). As the studies prove, Polish users' privacy practices are following the idea of "acting on media" in terms of surveillance (Möller & Nowak, 2018b). On the other hand, participatory dimension considers also the advocacy of organisations that participate actively in promoting privacy (Bennett, 2008). The search for a manifestation of the participatory dimension in the privacy discourse in Poland can be linked to the activity of privacy advocacy organizations as Panoptykon (a countersurveillance and privacy advocacy NGO) or Zaufana Trzecia Strona (data security and privacy advocacy collective). Thus, traces of the participatory dimension in the discourse will indicate not just the specific privacy practices but also the politics of privacy that such institutions propose.
The last dimension is a technological one. The privacy-oriented practices of individuals and groups strongly rely on communication technologies and data protection. Digital technology and social media companies that offer the unlimited space for interactions are the most powerful data-harvesters. At the same time, users' access to their personal data is efficiently limited. Eventually, a communication market evolves towards an imbalanced struggle between centralized privatelycontrolled data flows and decentralization, i.e., giving it back to users (Möller & von Rimscha, 2017). Thus, to some extent, the technological dimension of privacy can be understood as a common discursive thread that can run through the other dimensions.
Such theoretical framework allows us to state the main research question: What is the character of media discourse on privacy in Poland? To answer it, we state two subordinate research questions: a) Which institutional agents construct the media discourse; and b) how privacy is framed in the media discourse? Firstly, we conceptualise the character of the institutional discourse on privacy in terms of the five aforementioned dimensions. However, the character of the media discourse may also reflect some other specific features that are illustrative for Polish discourse in general. Thus, besides of the dimensions we search for specific issues concerning mediaorientation, publisher's political position and attitude towards the economy or possible discursive polarisation. Secondly, we search for institutional actors that form the media discourse on privacy. Thus, we analyse how certain dimensions are approached by social institutions and their representatives, including politicians, officials, journalists, experts, or ordinary people. Thirdly, we look at how the discursive relationship between institutions and dimensions is framed in linguistic categories.

Research Design and Methodology
To answer the research questions, we apply a critical discourse studies (CDS) approach that follows the methodological framework recommended by Unger et al. (2016Unger et al. ( , pp. 1191Unger et al. ( -1197. A crucial fact to note is that the applied CDS approach is inductive but it requires stateof-art analysis concerning existing theoretical knowledge on the particular case. Thus, the analytical procedure started with the theoretical notions on discourses of privacy and resulted in shaping the theoretical model and particular privacy-related discursive categories (see Figure 1).
Then, we executed a CDS approach in a three-stage data-based inductive analysis (Unger et al., 2016). Firstly, to have a general outlook on the shape of the discourse, we undertook desk research of privacy-oriented publications from two privacy-activist media websites and one privacy-advocacy NGO website. This totalled 133 privacy-oriented cases from January 2018 to September 2019. It allowed us to extract a list of issues related to privacy in the Polish media discourse in that particular time. As desk research indicated, Polish media discourse was dominated by certain events rather than by

Research quesƟons
Character of privacy discourse InsƟtuƟonal agents Privacy narraƟve frame general privacy-related ongoing debates. This timetable was selected because of two case-related purposes. The first was the initiation of the GDPR debate in Poland. However, to capture its development, we started to collect the data from January 2018, a few months before the GDPR peaked. The second issue concerns the final case of FaceApp that saturated the discourse on privacy in September 2019. Secondly, based on this we defined 12 issue-oriented categories. These are described in Table 1.

CriƟcal Discourse Analysis
Thirdly, we conducted a quantitative and qualitative content analysis of media publications covering the 12 selected categories from January 2018 to September 2019. CDS approaches to text analysis and sampling are directed by the research questions (Bennett, 2018;cf. Unger et al., 2016). Thus, in order to capture the general character of the discourse on privacy, especially its dimensions, agents and frames, we used the purposive sampling. As the result, we collected a full sample composed of 169 texts from the websites of two newspapers (Gazeta Wyborcza [GW] and Fakt), two weekly political magazines (Polityka and Wprost), and two online news portals (wp.pl and wPolityce.pl). Media outlets were chosen according to the highest readership and popularity rates, and differences in editorial slant, both political and economic. Then, we used content analysis to extract the specific codes and linguistic categories of the texts (see Supplementary File) to reflect the five concepts of privacy: Relational, participatory, contextual, technological, and normative. Since the dynamic nature of discourse, these concepts are often collocated in particular texts. To complement the discursive construction of privacy dimensions with the institutional component, we distinguished five concepts related to institutional actors that shape the media discourse: Officials, politicians, experts, journalists, and the regular man. These concepts and their intersections are analysed in Section 4. What is important in terms of CDS framework, is that particular text excerpts are analysed to capture certain ways of argumentation and narrative frames (cf. Jäger, 2002;Wodak, 2002).

The Character of Polish Privacy Discourse and Its Dimensions
Both quantitative and qualitative analysis indicates four main issues in terms of the character of Polish media discourse on privacy. The first one concerns the manifestations of privacy dimensions. Due to the historical experience of Poland and the invasive politics of the government, as well as the interest in privacy protection declared by citizens, we expected that the Polish dis- A relatively equal distribution of these dimensions in the sample resulted in a lower representation of the relational dimension (36.3%) and the participatory one (12.5%). The results indicate that the normative dimension was mainly based on EU privacy policy proceedings that form a top-down legal norm rather than a citizen/user-oriented data privacy 'manual.' Crucially, normative and participatory dimensions are only co-present in 10 (from 169) articles. Secondly, data show that the Polish media discourse on privacy is strongly oriented to the legal and formal aspects of privacy. Thus, it addresses the application of EU-level privacy policy in Poland and general legal proceedings. The distribution of particular topics in the examined period indicates that the theme most often discussed in the context of privacy was GDPR (46.5%), followed by Facebook users' data leakage (7.6%), Lex Uber (7%), and the termination of Google's agreement with Huawei (7%) (see Figure 2). Importantly, the subject of GDPR was the most popular issue in the entire analysed period. Surely, the introduction of the GDPR invigorated the debate on privacy in Poland, yet it also strengthened the formal and legal nature of the discourse lim-iting the same time more user-oriented bottom-up approaches to privacy and data protection.
Thirdly, the media discourse on privacy was not polarized as one would expect concerting media divisions. The issue of privacy is mainly discussed in the dailies (GW-22.5%, the tabloid Fakt-21.3%) and online news portals (wpolityce.pl-23.7%, wp.pl-15.4%). Thus, as a consequence, the issues of complex privacy-related legal changes were communicated as news (65.7%). Meanwhile, columns that allow for a more descriptive and analytical form were much less used (21.3%). One would expect that the media discourse in which the participatory dimension of privacy is emphasized requires a more opinionated contribution. This finding is likely to have been an effect of publication frequency, with weeklies having the lowest ratio . Moreover, the relational, participatory and technological dimensions of privacy were observed more frequently in liberal outlets, like GW. It is worth to add that GW, Polityka, and wp.pl present liberal slant both in terms of politics and the economy. Therefore, we expected that through their texts they would call for the protection of the privacy of the individual. On the other hand, the normative and contextual dimensions were more frequent in conservative outlets. Tabloid Fakt, wPolityce.pl and, to a lesser extent, Wprost promote a conservative worldview and statism in the approach to the economy. Therefore, we expected the texts that indicate the important role of the state and its institutions in shaping the privacy policy. The results, however, indicate that the differences in addressing particular privacy dimensions are not significant in relation with political and economic slants of the medium. For instance, the participatory dimension was observed in 7.7% texts in liberal media to 4.8% in conservative (in terms of politics) and respectively 8.3% to 4.2% (in terms of economy). Normative dimension was observed in 21.4% of texts in liberal media to 27.4% in conservative (in terms of politics) and respectively 26.2% to 22.6% (in terms of economy). Thus, as in the case of political discourse in general, the privacy issues depend on editorial policies, although we are not able to conclude on media-related polarization. Finally, privacy discourse was monopolised by news and informational function of the language used (observed in 89.3% of articles). However, a solid part of the texts was filled with expressive functions (in 37.5%) and persuasive (in 26.8%). Considering the saturation by metaphors (observed in 71.2% of the articles) and hyperboles (in 57.7%), the character of discourse on privacy may resemble the nature of political discourse in general in terms of its emotionality (cf. Balczyńska-Kosman, 2013).

Institutional Agents that Shape Privacy in Discourse
Concerning the institutional agents that shape the Polish media discourse on privacy, it follows two main patterns. The first is institutional dispersal. Among the many agents that contribute to the discourse on privacy, government or public agencies and offices were presented by the Research and Academic Computer Network, CERT Poland, the Ministry of Digital Affairs, the Personal Data Protection Office, the Inspector General for the Protection of Personal Data, the Ministry of Infrastructure, and the Ministry of Internal Affairs and Administration. The expert side was presented inter alia by independent digital security experts, data security experts, Facebook, Niebezpiecznik (a data security and privacy advocacy collective and news website), Panoptykon (a countersurveillance and privacy advocacy NGO), lawyers and law firms (i.e., PwC consultancy firm), and Uber. Therefore, various institutions propose a different policy shaping the discourse on privacy in Poland. Journalists and experts contributed the most to the discourse in the period we examined (98.8% and 41.2%). Officials were framed less often, only in 26.1% of materials. The frequency of politicians' statements was only 9.7%. That observations are significant in the context of today state's privacy-invasive privacy politics. On the one hand, lack of commitment in the way of creating the discourse about privacy can be a deliberate action of state institutions that distract the public opinion from the crucial privacy issues. On the other hand, the low presence of politicians may indicate that the issue of privacy is not perceived as a part of a significant political struggle but rather as a specific policy that is the consequence of legal regulations.
Secondly, the intersection of institutional agents and privacy dimensions indicates that politicians, officials, and experts mostly addressed the contextual, technological and normative dimensions of privacy, leaving a participatory on the lowest level (see Table 2). Yet, the contextual dimension triggered by political actors does not refer to the specific political affairs but rather to the legislative context of applying EU law in Poland. The participatory dimension is most common among journalists (12.8%), slightly less among experts (7.3%). However, it mostly reflects legal arrangements and, besides a few excerpts, does not enhance the user participation in terms, for instance, data protection. Officials (3.7%) and politicians (0.6%) almost bypassed participatory issues, hence,

Discursive Narrative Frames of Privacy Policy
This correlation between institutions and dimensions was analysed in terms of narrative frames that particular agents used shaping the discourse. The analysis indicates three main discursive narratives concerning framing privacy policy by institutional actors. Firstly, as previously demonstrated, the media discourse was mostly framed with the formal narrative based on legal procedures bypassing political aspects of privacy. For instance, texts that focus mostly on the normative dimension are dominated by frames of "regulations," "proceedings," "legal frameworks," and "data processing," often using formal language and informational style captured in formal legal-based discursive manner: Later in the autumn of 2017, the assumptions to the amendment to the Act on the provision of electronic services have been prepared, pursuant to which Facebook could no longer make arbitrary decisions on blocking accounts. (Czubkowska, 2018) Personal Data Protection Office…has to check whether GDPR regulations will be respected. Penalties can be severe because companies are threatened with fines of up to 20 million euros. (Kowanda, 2018) Today, the police and the prosecutor's office process our data on the principles set out in the Personal Data Protection Act of 1997, and their operation is subject to the control of the Inspector General for the Protection of Personal Data. (Ivanova, 2018) Other legal topics-for instance, Uber Lex, the establishment of a Polish National Cyberarmy, and the government agreement with Facebook-were mostly news pieces with short excerpts of official statements of the ministries framed in an informative manner to express involvement of particular institutions, for example: "As there is no legal path of appeal against the decision of social network platforms registered outside Poland, we decided to approach the problem from the administrative angle" (Bednarek, 2018).
Since analysis indicate that privacy-related issues are framed not as a field of political struggle and debate but rather as a policy to be implemented as a consequence of legal regulations, there were limited excepts where the politicians contributed to the discourse, for instance, in case of the GDPR: We collected over three thousand signatures, although a thousand fewer was enough. But two weeks of collecting signatures on the streets and in the markets made me realize that in the era of the GDPR, people do not want to provide their data to a person whom they do not know, and to sign the petition supporting the political committee, you need to provide your name, surname, address and PESEL. (Kursa, 2019) Here and in the other articles on the GDPR, politicians perceive the new regulations as an obstacle to electoral campaigning that they try to find an administrative solution for. For example, GDPR is closed in a frame of an epochal regulation: 'the era of GDPR.' The politician shares his concern of the issue of private data that could be shared 'to a person whom they don't know,' hence he poses himself as the 'stranger,' a person of limited trust. In the initial phrase, the politician claims that despite GDPR they 'collected over three thousands signatures, although…' using at same time the narrative of active involvement that refers to frame us versus them, politicians versus common people who are not willing to support the committee or provide the private data.
A second narrative frame refers to polarisation and contrasting concerning relations of users and the state or corporations. In the following excerpts, the contradiction between users' rights and capabilities in relation with Facebook serves as a crucial narrative juxtaposition: It's really not difficult to violate community rules or Facebook regulations. This happens every day to political activists, organizers of assemblies, social organizations and ordinary users. (Szymielewicz, 2018) The way to restore a blocked account or content more resembles a fruit machine than an objective tribunal. All protests of blocked users go into one bag. Just one click is enough. Facebook gives everyone who is unsatisfied a simple interface but denies them the right to speak. The user has no place to write why he thinks that his content or account has been unjustly blocked. An activist to whom the portal took the work tool, presses the same button as the "regular user" who was cut out from part of a social conversation. They both wait for the machine to grind through the protest and spit out something. The effect of the grinding is either to remove the block (without a word of explanation) or the decision to maintain it (also without a word of explanation). (Szymielewicz, 2018) On the one hand, a tech company is framed with metaphors of 'fruit machine,' 'waiting for the machine to grind' or the 'private censorship' that is used in the title of the article to describe the social media platform's arcane decision-making process. On the other hand, a frame used to capture users' weaker position in relation to tech companies is deployed: 'protests of blocked users go to one bag' metaphor, 'regular users' neologism or 'violation of community rules or Facebook is really not difficult. Every day it happens to political activists, assembly organizers, social organizations and ordinary users' later in the same article. Thus, in this case, normative and participatory dimensions intersected with the institutional actors justify the bottom-up perspective in privacy-oriented norm by ascribing negative attributions through metaphors to tech companies. However, 7 of the 10 articles that intersect normative and participatory dimensions address issues of the GDPR using a narrative of trivialising by referring to the absurdity of its implementation: "Hospitals and clinics have been made stupid by the GDPR" (Watoła, 2018), "GDPR at school. Student number five, acknowledge receipt of the test" (Warchała, 2018), or "Besides, most of what the media call the absurdities of the GDPR results from incomplete knowledge of the rules by administrators and an excessive zeal often caused by fear of high penalties" ("Absurdy RODO," 2018). In general, the sample frequently zooms in onto the frame of "banality" of the GDPR. The norm is again framed around the notion of legal relation between particular institutions and citizens that need to follow the rule that is "banal." Thus, the narrative of trivialising labelled with the frame of "banal" regulation, undermines the participatory and relational dimensions by reinforcing top-down privacy order and inequality between tech company and users.
Thirdly, there were only a few cases where the narrative frame enhanced the privacy of citizens/users and put forward a bottom-up privacy policy. In such cases, the narrative frame of intensification was deployed in addressing the normative dimension and to some extent participatory one. For instance, a solely participatory dimension of privacy was referred to in the articles on data leakages, i.e., from Facebook and the online shop Morele.net: What should you do if you are on the list (of leaked Morele.net data-Authors)? If your email address was on the displayed list, change your password immediately. It is also a good idea to use the already popular two-step authorization option. In most cases this should help. If your email has a good spam filter, there is a chance that you will never realize that your address has been stolen. ("Ze sklepu morele.net," 2019) Such a 'privacy tutorial' based on a do it yourself intensification narrative frame was characteristic for pieces on building data-privacy awareness in the discourse in a bottom-up manner. Privacy policies were directly addressed to the users ("you," "your") and aimed at either protection of their data or to raise awareness of technological issues concerning privacy, as in the Google/Huawei case. It was framed with direct indications to intensify privacy practices: "change your password immediately," "good idea to use," "should help." The evidence, however, indicates that only a few excerpts in the entire sample offer a user-oriented approach to privacy policies.
Similarly, the case of FaceApp follows such a narrative frame. The worldwide popularity of FaceApp also effected the Polish discourse on privacy. Importantly, it addressed the privacy issue not just as a legal, EU-related process, but as a user-oriented "tutorial" of data protection that forms privacy policy of sorts. In the sample, this issue was constructed as predominantly being tack-led by officials, experts and journalists. Discursively, the FaceApp case was framed in multiple narrative schemes. From informative lines describing basic functions of the app, through to the frame of "danger" and "threat," as in tabloid daily Fakt: "FaceApp, the record-breaking Russian mobile app for Apple iOS devices threatens users' privacy, inter alia by sending their photos directly to the cloud servers of the app creators who make them available to the external entities" ("Popularna aplikacja,'' 2019).
There were also some contextual opinions, referring to previous privacy threats and data-security analysis and detailed case studies of users' privacy online practices: The Poles checked whether the application is se-cure….CERT Poland experts examined the conduct of the FaceApp application, which aroused both huge interest and considerable controversy last week. Experts have analysed this software to see if it actually allows for "stealing" data. (Breczko, 2019) Finally, it was critically framed in the discourse from a normative perspective by Katarzyna Szymielewicz (Panoptykon president): We feed data algorithms without reflection, without knowing and being able to predict for what purpose their ability to recognize our biometric features and behaviour modelling-from how we move, what and when we buy-will be used by commercial companies and states that use their knowledge. If you react with slight anxiety to the line "Russian application," I encourage you to remain sceptical about any applications that give you something trivial in exchange for valuable data. (Szymielewicz, 2019) Importantly, with limited knowledge about the actual operations of FaceApp, the initial narrative frame used by state officials was convergent with the "danger" and "threat" scheme connected directly to Russian disinformation strategies, thus "Russian" and its collocation serves in the discourse as a negative label used to deprecation but also as a form of argumentation strategy aimed in justification of negative attribution ascribed to Russia (cf. Lokot, 2020). Yet, over time the narrative frame of perspectivation was deployed with references to experts and their research on the actual function of the application. It shifted the discourse into the more data-based perspective in building a specific norm of privacy captured in frames of, for instance: "CERT Poland experts," "experts have analysed" (Breczko, 2019). Finally, the expert's analysis triggered the normative dimension to frame the norm. On the one hand, the excerpt starts with the frame that justify the imbalance between the users who "feed data algorithms without reflection" and the tech companies referring to users' incompetence and emotions: "without reflection" or "without know-ing" and "slight anxiety" (Szymielewicz, 2019). On the other hand, the narrative frame deploys the intensification of a norm coined in user-oriented call to "encouragement" or being "sceptical." As analysis indicates, the normative frame referred to a crucial data privacy and surveillance issues. However, this frame was triggered the most not by the user-oriented concerns but rather as the issue imposed from a top-down perspective as in the FaceApp case.

Discussion and Conclusion
Privacy is articulated both in terms of policy and politics. Concerning the general character of Polish media discourse, contemporary politics and the historical settings, we would have expected polarized debate with strong references to the communist past. Instead, it seems that Polish debates on privacy are driven by contemporary European politics. Indeed, some data prove the rise of the awareness and good practices in the field of privacy protection in last decade, but the same time 59% of respondents in Poland have not heard of privacy-invasive practices, i.e., data collection, of state or government entities (European Commission, 2015). Despite the fact that Poles declare that the protection of privacy is a very important issue, the research conducted after the implementation of the GDPR shows that 40% of respondents have not heard about the GDPR at all ("Polacy, bez szerszej wiedzy o RODO," 2018). Therefore, when taking up the problem of the specifics of the discourse on privacy in Poland, we were interested in assessing its nature, i.e., whether it is focused on increasing citizens' awareness and knowledge and giving a kind of know-how when it comes to privacy practices.
Three crucial issues characterise the Polish media discourse on privacy. Firstly, participatory and relational aspects of privacy are hardly present. It may seem surprising given the communist mass surveillance past and surveillance current state's politics. Thus, concerning privacy dimensions, the relation between citizen and the state is norm-based, the norm is almost entirely legal, and the citizens' participation is purely data-oriented and limited. In terms of the topic referential frame, the results of our research have shown that the discourse on privacy is dominated by the legal aspects. Moreover, the topic of privacy was primarily related to the EU privacy policy and the GDPR is the most common topic in the narrative throughout the entire analysed period. The emerging privacy discussion in Poland was triggered by external factors and not by internal debates on the importance of privacy in political contexts. As a consequence, the media discourse was primarily informative, focused on mainly framing legal aspects of privacy policies, which is related to the specificity of the procedural issue concerning, e.g., GDPR, Lex Uber, the Cyberarmy, and Facebook regulations.
Secondly, our research shows the variety of institutional agents that shape privacy media discourse.
Apart from journalists, who naturally participate in media debates, the experts and their institutions framed the privacy policy debate (including independent digital security and data security experts, Facebook officials, Niebezpiecznik workers, Panoptykon, PwC, Uber, Bolt, etc.). Representatives of the state institutions and politicians were much less frequently present in the sample, despite the fact that the discourse was tilted towards the legal framework of privacy policies. It may indicate that privacy is not perceived as political or state's representatives may also not be interested in firming privacyconscious public opinion. Thus, the thematic frame confirms that multiple official institutions dealing with privacy regulations, often do not mention 'privacy' at all. The study shows limited evidence that privacy policies present in the media discourse form a norm regarding how to deal with privacy and data protection when it comes to the actual online environment. Moreover, this is led by experts rather than official institutions. If any privacy norm is pursued, it is rather not citizen-oriented but captures the legal relations of state and public/private institutions or public/private institutions with the citizen. Instead of discussions on how to enhance privacy within such a dynamic information environment, as is the case in Germany (cf. von Pape et al., 2017), the Polish media discourse mainly reflected the formal aspect bypassing the context of state's privacy-invasive privacy politics.
Thirdly, the intersection of privacy dimensions and institutional agents that form discourse on privacy was particularly important to our study. Thus, we have analysed particular excerpts to see what narrative frames and with what linguistic tools were deployed. The critical discourse analysis confirms the domination of formal narrative frame focused on legal-based proceedings. Its formality is shaped with an informational report that reinforces the top-down approach to privacy or is accompanied by trivializing narrative using 'banal' frame to capture the legal regulations. Moreover, the juxtaposition narrative slants the frame of inequality between positively labelled users and tech companies labelled negatively. It follows an argumentation strategy used to justify the labels of users' exclusion and their unequal position in the discourse. It, to some extent, resembles the polarisation tendencies of Polish political discourse in general (cf. Balczyńska-Kosman, 2013). However, in building the normative take to privacy, institutional actors (experts) deploy the intensification frame in a more user-oriented manner to mitigate a more bottom-up privacy policy. Yet, these attempts were limited. Instead of targeting the issues of privacy as essential to Polish historical and current political drive, experts and politicians refer to privacy as something "imposed on us" from the outside, whether this is EU regulation or tech company affairs.
Concerning the historical development of privacy in a post-communist country, the media discourse indicates that privacy still resembles the omnipotent control of the state (or the corporation) that tells citizens "what to do" in terms of the entering the legal proceedings. Yet without improving citizens' privacy when it comes to relation with the state or corporation. Concerning the contemporary privacy-invasive politics of the state, the analysis illustrates that privacy is perceived as externally implemented and do not relate to political issues. Thus, privacy policy framed in the discourse does not normalise the relation between the state and the citizen. Apart from the Facebook and government agreement this rarely refers to any specific norm on privacy policy in the participatory dimension. As a result, the privacy policy in Polish discourse reframes or repackages a patchwork of often unrelated narratives reflecting multiple institutions that try to "translate" legal norms to citizens instead of enhancing them with actual awareness and data-privacy skills.