Case Analysis on User Data, PHIL 355E

The article “What is GDPR? Everything you need to know about the new general data protection regulations”, by Danny Palmer, covers the integration of the General Data Protection Regulation developed by the European Union and its consequences for data standards for companies, individuals, and previous global data standards. The General Data Protection Regulation (GDPR) was drafted by the European Commission to update Europe’s data policies to adequately fit current technological standards. The GDPR establishes an array of new policies and regulations that companies and organizations operating within the European Union or doing business with it must adopt and uphold. The GDPR also introduces punitive measures for entities failing to comply with its standards and regulations. The implications of the GDPR are wide-reaching, as its verbiage extends not only to companies and organizations within all of Europe but also requires all companies and organizations doing business in Europe to adhere to the GDPR. Examples of standards introduced by the GDPR include the added infrastructure of more data security policies and personnel at companies and organizations, a greater degree of company accountability in the event of a breach, and the empowerment of individuals with respect to their personal information. As a result of the GDPR, companies and organizations have felt effects ranging from financial benefit from the universalization of data protection infrastructure to a decrease in users and profitability in Europe. In this case analysis I will argue that Confucianism shows us that the United States should adopt similar legislation due to the responsibility companies and organizations have, as hosts of sensitive data, to the users of their services.

An important concept used as justification in this case analysis is the unauthorized use of information for reasons beyond the information owner’s intent or consent, taken from “‘But the data is already public’: on the ethics of research in Facebook”, by Michael Zimmer. The paper by Zimmer analyzes an incident in which a group of researchers released information about a large group of college students whose identities were poorly concealed, resulting in the identity of the group and their college being quickly revealed. The researchers were criticized for their lack of awareness of privacy expectations and the way they gained the data, as well as their short-lived justifications. Zimmer defines the unauthorized secondary use of information as taking data gleaned from a user and using it for a purpose without the consent and knowledge of the data’s owner. This strips the user of autonomy over their own data, violating their privacy. This occurred in Zimmer’s paper, wherein the researchers used Harvard students to gather information on students with their statuses set to public within Harvard circles and used sensitive information like personal email addresses and dorm houses to improve their data processing.

Unauthorized secondary uses of data appear in Palmer’s article as a type of privacy violation that the General Data Protection Regulation (GDPR) admonishes, and one that warrants punishment if a company or organization in or operating within the European Union is caught using user data for unauthorized secondary purposes. The GDPR creates policies that require companies and organizations to be more transparent about user data and how they use it. The GDPR also gives individuals the right to be forgotten, which allows a user who no longer wants a service to hold their sensitive information to require the service to delete it. An example of a company or organization being punished for breaching GDPR policy came in 2019, when Google was found using user data for advertising purposes without being forthright about its actions, resulting in a $50 million euro fine. The GDPR’s policies and punishments regarding unauthorized secondary uses of information by companies and organizations epitomize the stance the European Union takes to protect and uphold user privacy rights.

The use of Confucianism in the analysis of this case helps clarify the roles of organizations/companies and the roles of their users, as well as expounding their responsibilities. Confucianism states that righteousness is gained by staying true to your role in life, as well as maintaining proper relationships with others in the context of your role. In terms of this analysis, organizations and companies assume a role of trust and responsibility, as users have entrusted them with sensitive information in exchange for using their service. Individuals also have responsibilities in their roles as users of the site or service: agreeing to its terms of service and acting appropriately. According to the virtues of Confucianism, the right thing to do would be to hold companies and organizations accountable and have them uphold the responsibilities of their role in the company/consumer relationship, being candid about how user information is processed and how they use it.

Another concept worth reviewing for the analysis of this case study is the difference between the ethics and the methodologies of big data mining, explained in Elizabeth Buchanan’s paper “Considering the ethics of big data research: A case of Twitter and ISIS/ISIL”. In the paper, Buchanan reviews a report on the use of an Iterative Vertex Clustering and Classification model in the data mining of users on Twitter to find ISIS/ISIL supporters. The model essentially enhances the ability to find targeted individuals within large amounts of data by integrating follows, hashtags, and mentions into the data search. Buchanan also notes that law enforcement and other law agencies are incorporating search techniques involving big data into their surveillance strategies. In her paper, Buchanan asserts that the methodologies for big data mining are valid and adequately defined, and, conversely, that the ethics of big data mining methodologies are ambiguous and vaguely defined, if at all. This difference in clarity supports the claim that the context in which the methods are used is important: the methods can be applied indiscriminately, but the ethics in question are dependent on context.

Methodologies and the ethical ambiguities of big data mining are also referenced in the overviews Palmer writes about the General Data Protection Regulation (GDPR). The GDPR officially defines personal data in a wider scope that includes photos, names, addresses, and IP addresses. Using their definition of personal data, the GDPR sets forth different policies and regulations that restrict companies and organizations from using that data in ways that the user was not informed of or did not consent to. Within the context of the actions and methodologies restricted by GDPR policies and regulations in Palmer’s article, the companies and organizations that exercise them are unethical. This conclusion is made by drawing insights from Buchanan’s paper and Palmer’s article explaining the actions the GDPR restricts and the unethicality of mining when done without consent or explanation.

Justification of the unethical nature of actions taken by companies and organizations mining data can be further supported and elucidated by concepts from Confucianism. Significant themes of Confucianism include the role individuals and entities play within the world, how well they act according to that role, and how they interact with other individuals and entities concerning their role. In addition to playing true to one’s role, Confucianism also emphasizes remaining true and consistent in the role one plays. In the context of this case analysis and Confucian morals, the actions taken by the European Commission in creating the General Data Protection Regulation (GDPR), in keeping with its responsibility to prepare Europe for the digital age, are morally correct. As a governing authority, its role is to protect the rights of its citizens and ensure that organizations and companies within its jurisdiction do the same. Like the European Commission, companies and organizations have responsibilities as hosts of user services and of the information users exchange in return for using those services. The right thing to do according to Confucian virtues is for the United States to adopt a policy similar to the GDPR to protect citizen privacy rights and hold companies and organizations accountable for unethical behavior.

In conclusion, with insights taken from Zimmer, Buchanan, and Confucian ethics, the United States should adopt something similar to Europe’s General Data Protection Regulation (GDPR) privacy laws. The policies and regulations upheld by the GDPR universalize privacy protection and information standards for companies and organizations operating within Europe, making them accountable for breaches of user information as well as maintaining the responsibility of transparent communication between the user and the service on how user data is being used and for what reasons. Companies and organizations using user data in unauthorized ways without the user’s consent or knowledge betray the relationship between service and consumer, making their actions immoral within the purview of Confucian virtues. The consequences of the United States adopting laws such as the GDPR are broad, considering the amount of business done within and with the United States. Companies and organizations operating within the United States could see significant decreases in traffic and revenue due to restrictions and punishments from new privacy laws. However, the morally correct thing to do under Confucian ethics is to uphold the role companies and organizations play in the lives of citizens and protect their privacy rights.