In the article “What is GDPR? Everything you need to know about the new general data protection regulations” Danny Palmer explains the GDPR and how users and organizations will be affected. The GDPR is an acronym for the General Data Protection Regulation a new law in the European Union effected May 25, 2018. Palmer states under the GDPR European Union citizens will have more control over their personal data. Organizations that collect data must ensure it is legally acquired under strict conditions and are obligated to protect it from any misuse or exploitation. The GDPR also has a wide reach due to the fact that it applies to all EU citizens and anybody who provides the EU citizens with goods or services. This means that any business or organization around the world might have to comply with the regulation. In this case analysis I will argue that consequentialism shows us that the United States should follow Europe’s lead because not only does the new privacy laws provide better protection of people’s data but it also encompasses every citizen resulting in a large amount of good done with its implementation.
In Zimmer’s article “‘But the data is already public’: on the ethics of research in Facebook”, he mentions the idea of k-anonymity. K-anonymity is a method used to remove identifying information from personal data. In this method data is classified into three sections: identifiers, non-identifiers and quasi-identifiers. In this case a person’s name is considered an identifier while a non-identifier would be a non-identifying sensitive attribute such as a person’s disease or income. Age, gender, and religion are some quasi-identifiers. Quasi-identifiers are any information that would not directly identify a person but somewhat would. Using k-anonymity, quasi-identifiers could either be removed altogether or generalized in a way it would be much harder to identify a person. For example, the removal of someone’s religion on a piece of data or generalizing someone’s age into a range. In this method data is made less identifying depending on what is done to the quasi-identifiers.
In the article, Zimmer mentions a study called T3 that was done on a class of Freshman college students in which their profile data was collected from their Facebook accounts. In this study, researchers attempted to de-identify the personal data by removing student names and identification numbers. The researchers attempt only removed identifiers and did not take into account quasi-identifiers. As a result, the data collected was able to be used to re-identify the subjects. The researchers did not use the k-anonymity method in their attempt to de-identify data. Their good faith attempt was a failure.
In consequentialism the actions of an individual would only be considered good if it resulted in a good outcome. The researchers attempt in the T3 project would not be considered a good action because they failed to prevent the re-identification of subjects. The GDPR sets standards and would minimize or prevent cases such as the failures in the T3 project occurring because under the GDPR data collectors must follow strict rules and protect that data or else suffer legal repercussions. Under the GDPR data collectors would be encouraged to use methods such as k-anonymity to protect user data. Due to its guidelines on data collection the GDPR provides better protection of personal data and thus, it is a good action in regards to consequentialism. It would be a good action for the United States to follow Europe’s lead and develop their own law similar to the GDPR because it would result in better protection.
Zimmer also mentions a harm-based theory of privacy protection and a dignity-based theory of privacy. The harm-based theory of privacy protection states that the privacy of individuals can be maintained as long as their data is protected from attackers and anyone who wishes to do harm. On the other hand, the dignity-based theory of privacy states that an attack or harm does not need to take place in order for there to be concerns over someone’s privacy. In the dignity-based theory, removing the information from its intended place would be an offense to a person’s dignity and their ability to control the flow of their information.
In Zimmer’s articles, the T3 researchers failed to consult privacy experts when conducting their study and as a result failed to take into account both the harm-based theory of privacy protection and the dignity-based theory of privacy. The T3 researchers did not take into account the dignity-based theory when conducting their research. The researchers did attempt to act in accordance with the harm-based theory by providing terms and conditions that must be agreed to for anyone wishing access to their data. However, how the terms and conditions would be enforced was unclear. When issues regarding the ethics of their research were brought up, the researchers justified it by stating that the data was public. According to the dignity-based theory, the researchers violated the subjects’ privacy because they took data from its intended location which was on Facebook. The researchers only gave minimal protection to the subjects and as a result their personal information was vulnerable.
The GDPR covers both the harm-based theory of privacy protection and the dignity-based theory of privacy. The GDPR ensures organizations take steps to protect data and notifies the user regarding any breaches that occur so that the individual can take steps to prevent their data from being abused. The GDPR takes into account the dignity-based theory by requiring organizations to detail how they use customer information in a clear and understandable way. The GDPR also gives people the right to have their personal data deleted should they decide they no longer want it to be processed. The GDPR takes into account both theories allowing a higher level of protection. Implementing a similar law would allow the citizens of the United States to get better data protection and prevent breaches of privacy in regards to data collection.
In Buchanan’s commentary, she mentions big data methodologies and the ethics surrounding it. Big data methodologies are methods in which personal data is collected and analyzed to gain insight to an individual. The methodologies have been greatly used by law enforcement and government agencies to protect national security. An example of a big data methodology is the Iterative Vertex Clustering and Classification model. This model has been used for national security by identifying ISIS/ISIL supporters among Twitter users. While big data methodologies can be used positively there is potential for negative uses. Buchanan raised concerns about to what end would the methodologies be used and who would use them. Buchanan states that big data methodologies are not discriminate meaning they can be used regarding any context. The methodologies can also be used by anyone with knowledge of them whether they have good intentions or bad. For example, instead of ISIS/ISIL supporters it can be used to find members of a certain political party or even something as mundane as who are Walmart shoppers. In these contexts, it can be used for target marketing purposes or discriminate against another person based on their information.
Buchanan states that individuals may agree to their data being used for marketing purposes and not intelligence gathering and vice versa. Big data research does not necessarily give users the opportunity to consent to either one. As a result, users often do not know the intent of big data research when it comes to their own personal data. A concern of Buchanan’s was that the lack of interaction between researchers and their data subjects was an ethical step back. Since big data research uses publicly accessible data it results in users not being aware that their data has been used. Anyone can be a part of a study and not know it.
As previously stated, the GDPR will oblige data collectors to disclose to the users how their information is being used and allow them to be able to delete their data anytime they wish. By doing this, the GDPR is protecting the citizens from potential harm that can result from big data methodologies. The GDPR gave users more control over their data. Citizens will be aware of the intentions behind big data methodologies being used on their data. The GDPR also provides users with the opportunity to consent based on the intentions they were told. Citizens are able to better protect their data once they know the intentions behind their data collection.
The implementation of the GDPR can be considered a good action under consequentialism because it protects the citizens from the malicious use of big data methodologies. However, it can also be considered a bad action when looking at big data methodologies being used for the defense of national security. According to utilitarianism, a common form of consequentialism, the implementation of the GDPR would still be considered a good action. In utilitarianism an action is considered good if it maximizes happiness and minimizes suffering. In other words, an action is considered good if it increases the good in the world. The GDPR covers all European Union citizens which is millions and millions of people who are protected against big data methodologies. When all those citizens are taken into consideration there is a larger amount of good with the implementation of the GDPR than without it. When every citizen of the United States is taken into account there is a large amount of good that will be done with the implementation of new privacy laws.
Although the GDPR provides positive benefits, it does come with a few negative effects. Adopting a regulation similar to the GDPR would initially make it difficult for businesses and organizations in and out of the United States if they do not have privacy protections already in place. The regulation would have a larger negative effect on small and medium businesses who may not have the resources to be able to comply. The GDPR has also opened up an opportunity for people with bad intentions. As stated in Palmer’s article, phishing emails were sent to citizens that would ask for their personal information. A similar incident could occur should the United States implement something similar to the GDPR. While there are negative effects, there is quite a large positive effect in regards to personal data. A law similar to the GDPR would provide better protection of user data by obliging data collectors to better protect data through the use of methods such as k-anonymity. Since the GDPR takes into account two theories regarding privacy, people’s privacy is better protected. Due to the GDPR’s good outcome, it is considered a good action under consequentialism. Although there is potential for negative effects, the large amount of good it does makes it a good action under utilitarianism. Therefore, using consequentialism and its other form, utilitarianism, the United States should also develop a similar law to the GDPR.