Tensions over privacy and data protection have been running high lately. Worries among the public, the media and politicians about how our data is handled are probably one of the defining topics of the decade, and private companies are at the center of it all.
While the US struggles to reconcile an open internet with protecting its citizens’ data, Europe has, for the most part, gone in the opposite direction. With the two powerhouses of the Western world at odds over how to deal with this problem, it is worth asking ourselves: are stronger regulations the right path?
We think so. Let’s look at why.
Europe now has new law in place. Under the General Data Protection Regulation (GDPR), which has applied since 25 May 2018, every organization that offers goods or services to people in the EU, or monitors their behaviour, must comply, no matter where it is based. The rules reach journalists, academia, philanthropy, civil society and, of course, the private sector.
“Any conversation of leveraging data, technology, or innovation to enhance civic life or governance should seriously consider how such a framework could more deeply empower citizens in the United States,” writes Hollie Russon-Gilman, member of the Open Technology Institute and Political Reform Program at New America. In other words, the US should follow in the EU’s footsteps, as the GDPR represents “an important step forward for envisioning a civic life where citizens are empowered not only as data producers but also data owners.”
But what is it, exactly?
In essence, the GDPR is a set of data protection rules designed to unify legislation across all member states of the European Union, replacing the patchwork of national laws that implemented the 1995 Data Protection Directive.
Above all, the GDPR aims to protect personal data. The idea is that companies build secure, privacy-respecting practices in from the start rather than scrambling for solutions as they grow. Those that are already big must adapt, of course.
Where an organization relies on consent as its lawful basis for processing, that consent must be freely given, specific, informed and unambiguous, and the request must be presented separately from other terms and conditions. Consent is only one of six lawful bases, though; performance of a contract, a legal obligation and the organization’s legitimate interests are among the others. Personal data covers everything from email addresses and bank details to posts on social networking sites and medical information, with the last falling into a special category that requires explicit consent or another specific justification.
The GDPR also fosters transparency between consumers and data collectors. For example, if a data breach occurs (and we can probably be certain that it will), the affected organization must report it to its supervisory authority within 72 hours of becoming aware of it. Individuals must also be informed, without undue delay, when the breach is likely to put their rights and freedoms at high risk.
One of the most promising aspects of the GDPR is the right to data portability, which lets people obtain the personal data they have provided to an organization in a structured, commonly used, machine-readable format and take it to another provider. The GDPR also offers a right to erasure, popularly called the “right to be forgotten”: if someone asks for their data to be removed, the organization must comply unless it has a legitimate ground to keep it, such as a legal obligation to retain records.
To enforce all of this, the EU has strict penalties for any entity that fails to adhere to the regulation (read: fines of up to 20 million euros or 4% of a company’s annual worldwide turnover, whichever is higher).
GDPR sets the stage for a broader governance and civic conversation around the world. This will hopefully lead to more transparency and accountability about algorithms and their inherent biases. “Understanding the implications behind algorithmic decision-making begins with understanding what data is being generated and how that information is being collected, used, disseminated, and re-packaged both to the user and others,” explains Russon-Gilman.
The regulation will also inevitably push organizations toward better practices that have privacy in mind from the outset. Public authorities, and organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data, must appoint a data protection officer (DPO). DPOs are responsible for tasks such as educating the organization, keeping comprehensive records and acting as the point of contact for the authorities enforcing GDPR.
“While the United States does not have its own GDPR, the role of companies with a global reach (which is just about every company) will be illustrative on if and how Congress could regulate this space,” she suggests. Already, companies are releasing new privacy policies and terms and conditions. Some that don’t plan on adhering to the new rules, however, are blocking EU users altogether to avoid repercussions.
That trend shows that part of the world is still unwilling to move toward more transparency. Indeed, countries such as India and China handle citizens’ data in dubious ways, failing to protect it properly or putting it to questionable uses. GDPR could point to better, more transparent methods in these cases.
On a practical level, where your data is stored and to which countries it is transferred now has GDPR implications, and as a consumer you’ll notice several immediate benefits. But on a more normative level, Russon-Gilman explains, “the GDPR should be a wakeup call for a frank, honest, and difficult conversation about how to make data rights a fundamental civic right.”