The GDPR : Our Love/Hate Relationship
If the Safe Harbor Act and the EU-U.S. Privacy Shield are pawns in the world of global data regulation, the GDPR is without a doubt the king. Since its recent inception on May 25th 2018, the General Data Protection Regulation (GDPR) is already the most transformative attempt to globally regulate data privacy. This regulation was built upon the 95/46/EC Directive that has been long-standing in the EU, and is meant to act as a single set of laws across all 28 EU member states. However, “its intended reach does not stop there.. In principle, this now affects all organizations who may have operations on the continent or are handling EU citizens’ data regardless if they are actually headquartered there or not.” [GDPR: The Good, the Bad, and the Ugly] Although this Regulation is too new to be used as a case study for historical attempts at unification, we can discuss the ethical implications (good and bad) that follow such an avant-garde piece of legislation.
First, the good. It's important to note that the EU views data privacy as a fundamental human right. This view benefits every individual who has data collected on them. The only entities that don’t benefit from this view are those looking to exploit data. When it comes to data exploitation, one needn’t look further than any big-data driven company. It seems then, that the GDPR is indirectly allowing the ideology of the EU to leak into the incumbent tech-giants of the US. While this is undoubtedly frustrating for American companies, it is incredibly beneficial for the individuals that use any affected platforms. Along with this, it has been very clear that companies are actually making real, drastic changes in order to comply with the GDPR. Even Erin Egan, Chief Privacy Officer of Facebook wrote a statement about the changes that have been happening internally. “It’s one thing to have a policy explaining what data we collect and use, but it’s even more useful when people see and manage their own information… We’re also making it easier to download the data you’ve shared with Facebook – it’s your data, after all.” [Erin Egan Blog Post]
This particular quote sheds some light on an amusing speculation. Egan herself said that the data belongs to the users that it came from. Was she indicating an ownership through association? Or by identity? If it is the latter and not the former, there may be more hope for US data privacy policies after all. Either way, the evidence is strikingly clear; the creation of the GDPR is directly beneficial for individuals residing in, or using platforms that handle data from the EU.
The accountability measures outlined in the GDPR are more monetarily incentivized and theoretically enforced than any legislation that has ever existed in any way. The four human rights of identity, privacy, reputation, and ownership are drilled into every clause of the Regulation. The right to identity, stemming from EU ideology, is the driving force behind the GDPR. Once data is considered as a part of identity, doing anything unlawful to that data constitutes as a breach of human privacy in the eyes of the GDPR. This is why the requirement for informing users about data breaches is more strict than ever anticipated. The right to reputation is addressed in the requirement for individuals to have access to the data that exists on them, in an attempt to allow any needed corrections to be made. Corrections in this case mean the ability for someone to ensure any data that has been collected on them is accurate, so that it can not be used against them.
Here we will address an important topic. One that creates a bridge between the right of reputation and the right of ownership. This ethical dilemma was summed up in Ethics of Big Data nicely; “Does our existence itself constitute a creative act, over which we have copyright or other rights associated with creation? Does the information about our family history, genetic makeup, and physical description, preference for Coke or Pepsi, or ability to shoot free throws on the basketball court constitute property that we own? Is there any distinction between the ownership qualities of that information?” [Ethics of Big Data]. The ability for a user to be able to change their information for accuracy not only allows them to preserve their online reputation, but it also inadvertently acknowledges that their data more than just belongs to them. They aren’t just the owners of this data because they created it. Rather, the data is a part of who they are.
To clarify further, there is a clear, distinct difference between the EU and the US in terms of data and identity. The US believes that data is a matter of property. Meaning it would equate to a tangible item that an individual owns, like a motorcycle. The EU on the other hand considers data to literally be one with a person’s identity, like their hand. They believe that you are your data; so your memories, browsing habits, and advertisements clicked on are categorized as if they were your DNA. There has even been a case where data collected on users from Ancestry was their DNA. Even further, it was found that Ancestry actually claims ownership to all DNA data they collect. This means that “Ancestry.com gets to use or distribute your DNA for any research or commercial purpose it decides and doesn’t have to pay you, or your heirs, a dime.” [info obtained here] The company’s vague privacy policies led to thousands of people unknowingly handing over their data in the form of their actual DNA. This is an eerie case to say the least, but it sheds light on the EU’s ideas of identity quite a bit. To the EU, every piece of data on someone is treated as critically as DNA would be.
To reintroduce the importance of data privacy, the real problem lies in the cumulative and massive nature of big-data. A data breach isn’t a one-time access. It instead involves the collection of data that once outed can exist in the tech-sphere for all of existence. The right to be forgotten simply brings to light the fragility of human reputation within the intangible world of the internet. This notion was quite evident when a data breach at Ashley Madison outed the personal information of more than 32 million users. Ashley Madison is a site created for extramarital affairs. While this is a topic that is loaded with ethical implications in itself, the users of the site sign up with the assurance that their accounts would be kept private. This data breach outed the names, addresses, and even credit card information of all of the people who had ever signed up for the site, whether or not they had actually used their accounts. The reputations of these users were publicly slandered, deservedly or not. Marriages were destroyed, families were broken apart, and individual identities were redefined online and offline forever. [Hackers Finally Post Stolen Ashley Madison Data] This case is just one in a sea of defamation that has occurred in the world of data breaches. The regulations formed in the GDPR finally address historical concerns with the right to be forgotten, because of the EU’s understanding of data being in union with identity.
It may seem now that the GDPR is the award-winning, nobel peace prize of unified regulatory frameworks. It benefits the individual by giving basic human rights a new angle, and it already infiltrated the biggest tech companies in the world. However, just as with any other ground-breaking policy, it is important to look at the positive promises with a grain of salt. In lieu of the notion of transparency, let's take a look at some of the less appetizing outlooks on the GDPR.The Good
First, the good. It's important to note that the EU views data privacy as a fundamental human right. This view benefits every individual who has data collected on them. The only entities that don’t benefit from this view are those looking to exploit data. When it comes to data exploitation, one needn’t look further than any big-data driven company. It seems then, that the GDPR is indirectly allowing the ideology of the EU to leak into the incumbent tech-giants of the US. While this is undoubtedly frustrating for American companies, it is incredibly beneficial for the individuals that use any affected platforms. Along with this, it has been very clear that companies are actually making real, drastic changes in order to comply with the GDPR. Even Erin Egan, Chief Privacy Officer of Facebook wrote a statement about the changes that have been happening internally. “It’s one thing to have a policy explaining what data we collect and use, but it’s even more useful when people see and manage their own information… We’re also making it easier to download the data you’ve shared with Facebook – it’s your data, after all.” [Erin Egan Blog Post]
This particular quote sheds some light on an amusing speculation. Egan herself said that the data belongs to the users that it came from. Was she indicating an ownership through association? Or by identity? If it is the latter and not the former, there may be more hope for US data privacy policies after all. Either way, the evidence is strikingly clear; the creation of the GDPR is directly beneficial for individuals residing in, or using platforms that handle data from the EU.
The accountability measures outlined in the GDPR are more monetarily incentivized and theoretically enforced than any legislation that has ever existed in any way. The four human rights of identity, privacy, reputation, and ownership are drilled into every clause of the Regulation. The right to identity, stemming from EU ideology, is the driving force behind the GDPR. Once data is considered as a part of identity, doing anything unlawful to that data constitutes as a breach of human privacy in the eyes of the GDPR. This is why the requirement for informing users about data breaches is more strict than ever anticipated. The right to reputation is addressed in the requirement for individuals to have access to the data that exists on them, in an attempt to allow any needed corrections to be made. Corrections in this case mean the ability for someone to ensure any data that has been collected on them is accurate, so that it can not be used against them.
Here we will address an important topic. One that creates a bridge between the right of reputation and the right of ownership. This ethical dilemma was summed up in Ethics of Big Data nicely; “Does our existence itself constitute a creative act, over which we have copyright or other rights associated with creation? Does the information about our family history, genetic makeup, and physical description, preference for Coke or Pepsi, or ability to shoot free throws on the basketball court constitute property that we own? Is there any distinction between the ownership qualities of that information?” [Ethics of Big Data]. The ability for a user to be able to change their information for accuracy not only allows them to preserve their online reputation, but it also inadvertently acknowledges that their data more than just belongs to them. They aren’t just the owners of this data because they created it. Rather, the data is a part of who they are.
To clarify further, there is a clear, distinct difference between the EU and the US in terms of data and identity. The US believes that data is a matter of property. Meaning it would equate to a tangible item that an individual owns, like a motorcycle. The EU on the other hand considers data to literally be one with a person’s identity, like their hand. They believe that you are your data; so your memories, browsing habits, and advertisements clicked on are categorized as if they were your DNA. There has even been a case where data collected on users from Ancestry was their DNA. Even further, it was found that Ancestry actually claims ownership to all DNA data they collect. This means that “Ancestry.com gets to use or distribute your DNA for any research or commercial purpose it decides and doesn’t have to pay you, or your heirs, a dime.” [info obtained here] The company’s vague privacy policies led to thousands of people unknowingly handing over their data in the form of their actual DNA. This is an eerie case to say the least, but it sheds light on the EU’s ideas of identity quite a bit. To the EU, every piece of data on someone is treated as critically as DNA would be.
To reintroduce the importance of data privacy, the real problem lies in the cumulative and massive nature of big-data. A data breach isn’t a one-time access. It instead involves the collection of data that once outed can exist in the tech-sphere for all of existence. The right to be forgotten simply brings to light the fragility of human reputation within the intangible world of the internet. This notion was quite evident when a data breach at Ashley Madison outed the personal information of more than 32 million users. Ashley Madison is a site created for extramarital affairs. While this is a topic that is loaded with ethical implications in itself, the users of the site sign up with the assurance that their accounts would be kept private. This data breach outed the names, addresses, and even credit card information of all of the people who had ever signed up for the site, whether or not they had actually used their accounts. The reputations of these users were publicly slandered, deservedly or not. Marriages were destroyed, families were broken apart, and individual identities were redefined online and offline forever. [Hackers Finally Post Stolen Ashley Madison Data] This case is just one in a sea of defamation that has occurred in the world of data breaches. The regulations formed in the GDPR finally address historical concerns with the right to be forgotten, because of the EU’s understanding of data being in union with identity.
The Bad
When any purposeful action is put into place, the law of unintended consequences quickly follows behind. This is remarkably clear in the case of self driving cars, where a seemingly straightforward solution could lead to countless ethical ramifications with ‘moral machines’. This idea can be applied to the incredibly adolescent regulations of the GDPR. Right now this solution seems to be infallible, but what future implications might we be overlooking?
Regulatory Capture is when an attempt to regulate dominating forces in an industry for public interest unintentionally advances the commercial or political concerns of those predominant entities. This was seen as a projected consequence for the Consumer Privacy Bill of Rights, which was another driving reason for its inability to pass. In terms of the GDPR, an intention is to regulate domineering, data-hungry, tech-giants. While ideal on paper, a set of regulations this extensive will more than likely indirectly stifle innovation. A company like Facebook or Google can afford to hire a DPA and a Data Privacy Officer. These companies can also fund research and employees to create greater security protocols within their ecosystems. If they fail to comply to a regulation in the GDPR, they can afford to pay the price. Conversely, a tech startup would struggle greatly with these demands. Exactly the problem that rose with the case study on Uber. If the GDPR had existed ten years ago, would Uber cease to exist? It is at this point that we must ask if innovation is worth the cost of privacy. Or on the other hand, if privacy is worth the cost of stifled innovation.
In a report by Ovum on the potential risks of the GDPR, they outlined the possibility of a shift toward privacy as compliance. Again, while extensive regulations are seemingly ideal on paper; they could unintentionally create a disproportionate emphasis on perceived GDPR gaps at the detriment of other, possibly more important, cyber defences. [GDPR: The Good, the Bad, and the Ugly] Ovum expressed the need for privacy policies to be intrinsically coupled with a company’s concern for their user’s fundamental rights. Not something that is done to check off a box in avoidance of a fee from the EU. “Organizations need a way to cut through the red tape and develop a compliance strategy which includes people, processes and technology.” [Report on GDPR implications by Ovum]
If these case studies have provided anything outside of bewilderment for the future of data privacy in policy, hopefully they have helped shed light onto the importance of education and transparency when it comes to big data. If you weren't keeping up to date on the scandal with Cambridge Analytica and Facebook [check it out here], this case really amplified this need for education. Even though Mark Zuckerberg was publicly infamous in every sphere, after one simple apology, Facebook stocks rose higher than ever before within a week of his hearing. The truth is that people don’t realize what is happening to their data, or rather what can happen to their data. Lack of awareness directly results in a lack of motivation for change.
With Sqzee, the Cal Poly student startup I joined this past year, we were a group of undergraduates who had the power to collect information on users through their Facebook accounts. Had we not attempted to assimilate our platform with the University, we might have never known the discrepancies between private and public data practices. Even further, had our platform only impacted individuals outside of the EU, we would never have had any legal need to comply to any data privacy practice at all. Motivation to give privacy to individual’s data in the US has historically stemmed from either PR concerns or consumeristic goals. For a startup in the US, it is conventional for privacy to be an afterthought. Even in the EU, where identity is encoded into user’s data, it isn’t always guaranteed that privacy driven development will happen.
This is why unification is the key to true privacy. Differing ideologies when it comes to data and identity have created a chasm for global privacy initiatives. The lack of existing frameworks has allowed the biggest tech-giants to get by without accountability. For better or for worse, the EU has taken the reigns on global privacy regulation. What happens next is up to history to decide, but at least one thing can be certain; the GDPR will undoubtedly pave the way for the future, and we can only hope that future is unified, transparent, and bright.
Regulatory Capture is when an attempt to regulate dominating forces in an industry for public interest unintentionally advances the commercial or political concerns of those predominant entities. This was seen as a projected consequence for the Consumer Privacy Bill of Rights, which was another driving reason for its inability to pass. In terms of the GDPR, an intention is to regulate domineering, data-hungry, tech-giants. While ideal on paper, a set of regulations this extensive will more than likely indirectly stifle innovation. A company like Facebook or Google can afford to hire a DPA and a Data Privacy Officer. These companies can also fund research and employees to create greater security protocols within their ecosystems. If they fail to comply to a regulation in the GDPR, they can afford to pay the price. Conversely, a tech startup would struggle greatly with these demands. Exactly the problem that rose with the case study on Uber. If the GDPR had existed ten years ago, would Uber cease to exist? It is at this point that we must ask if innovation is worth the cost of privacy. Or on the other hand, if privacy is worth the cost of stifled innovation.
In a report by Ovum on the potential risks of the GDPR, they outlined the possibility of a shift toward privacy as compliance. Again, while extensive regulations are seemingly ideal on paper; they could unintentionally create a disproportionate emphasis on perceived GDPR gaps at the detriment of other, possibly more important, cyber defences. [GDPR: The Good, the Bad, and the Ugly] Ovum expressed the need for privacy policies to be intrinsically coupled with a company’s concern for their user’s fundamental rights. Not something that is done to check off a box in avoidance of a fee from the EU. “Organizations need a way to cut through the red tape and develop a compliance strategy which includes people, processes and technology.” [Report on GDPR implications by Ovum]
If these case studies have provided anything outside of bewilderment for the future of data privacy in policy, hopefully they have helped shed light onto the importance of education and transparency when it comes to big data. If you weren't keeping up to date on the scandal with Cambridge Analytica and Facebook [check it out here], this case really amplified this need for education. Even though Mark Zuckerberg was publicly infamous in every sphere, after one simple apology, Facebook stocks rose higher than ever before within a week of his hearing. The truth is that people don’t realize what is happening to their data, or rather what can happen to their data. Lack of awareness directly results in a lack of motivation for change.
Final Thoughts...
With Sqzee, the Cal Poly student startup I joined this past year, we were a group of undergraduates who had the power to collect information on users through their Facebook accounts. Had we not attempted to assimilate our platform with the University, we might have never known the discrepancies between private and public data practices. Even further, had our platform only impacted individuals outside of the EU, we would never have had any legal need to comply to any data privacy practice at all. Motivation to give privacy to individual’s data in the US has historically stemmed from either PR concerns or consumeristic goals. For a startup in the US, it is conventional for privacy to be an afterthought. Even in the EU, where identity is encoded into user’s data, it isn’t always guaranteed that privacy driven development will happen.
This is why unification is the key to true privacy. Differing ideologies when it comes to data and identity have created a chasm for global privacy initiatives. The lack of existing frameworks has allowed the biggest tech-giants to get by without accountability. For better or for worse, the EU has taken the reigns on global privacy regulation. What happens next is up to history to decide, but at least one thing can be certain; the GDPR will undoubtedly pave the way for the future, and we can only hope that future is unified, transparent, and bright.
Comments
Post a Comment