The General Data Protection Regulation, or GDPR, is a new set of rules that the European Union put into place regarding personally identifiable information that is collected and stored online. The rules are designed to reform regulations on the collection and protection of this data for both citizens and businesses. The GDPR does this by enacting legislation that ensures that personal data is collected via strictly controlled and legal means, as well as defining penalties for the collectors of this data who fail to respect the rights of the data owners by not properly protecting it from misuse and exploitation. In this case analysis I will argue that in today’s digital world, where increasingly more personal data is collected and stored online, the GDPR is, from an ethics of care standpoint, an overall beneficial thing for all users and that the United States should adopt something like Europe’s privacy laws.
In 2010, Michael Zimmer of the School of Information Studies at the University of Wisconsin published an article on the ethical concerns of data research in Facebook. In 2008 a group of researchers publicly released Facebook profile data that they had been collecting on college students from an unnamed university in the United States. The research team, which was also comprised of students at that same university, took various steps to attempt to protect the subjects’ identities but it was quickly realized that these steps were not thought out enough. It was realized that through piecing together small bits of information such as public comments, friends list, and even what students were majoring in, these elements of information could aid in re-identifying both the university as well as the students themselves. Not enough care was taken by the researchers, who were also students themselves, to ensure that their fellow students’ personal data could not be used to identify them.
The European Union recognized the fact that many different pieces of people’s personal data are collected by a multitude of online entities. In the event of data breaches and hacks, this information can be used to re-identify users, similarly to what was discussed in Zimmer’s article. The GDPR legislation expanded upon what the definition of personal data is. Besides names, addresses, and photos, IP addresses and genetic and biometric data were also added as information that could be used to uniquely identify an individual. The legislation applies to two distinct types of data handlers: processors and controllers. When it comes to processing personal data, a controller is a body that decides how and for what purpose the data is collected, and a processor is a body that processes the personal data collected on behalf of the controllers. In Zimmer’s example, the university research students collecting the Facebook data would have been the processors and the staff they reported to the controllers. Under the GDPR, there is more legal liability in the event of a data breach, especially where processors are concerned. Had this legislation been in place during the Facebook data collection, more care would have been taken with the student data that was collected in that scenario.
In ethics of care there is an element of emotional, though not entirely emotion-based, partiality that should be shown towards those that we have relationships with. This includes relationships with others that may be personal, professional, or simply just acquaintances within the same organization. Using this line of thinking, I believe that the implementation of the GDPR is a good thing. The fact that the European Union decided to implement the new legislation in the first place demonstrates a certain level of caring for people’s livelihoods through a desire to protect their personally identifiable information. It forces those who collect the data to be smarter in how it is collected, stored, and safeguarded, and holds them accountable when hacks and data breaches happen. It also ensures that when they do happen, those affected will be notified directly so that they can also begin to take the necessary steps to protect themselves from those with possible malicious intent.
In 2017, Elizabeth Buchanan, at the Center for Applied Ethics at the University of Wisconsin-Stout, published a formal commentary on the ethics of large-scale data research methodologies and how certain methods can complicate principles of research methods. In her article she discusses how large-scale data mining, analytics, and big data in the name of national intelligence and security have made it more difficult to protect individual liberties. Big data research is used to identify patterns, structures, or anomalies inside large data sets encompassing multiple sources. One of the driving forces behind this form of analysis is to identify specific individuals and/or groups within networks or organizations that may be involved in violent extremism. The ethics of the methods used in this type of data research are not always clear and can be used in discriminating ways. One of the problems with this is that the search algorithms can be used to identify potential terrorists’ supporters as well as less extreme political dissidents; it just depends on the context in which the methods are being used. Additionally, it is important to note the differentiation between marketing and intelligence objectives as well as the intent of the big data analysis. Specifically, while an individual may agree to their data being used for marketing purposes, that does not necessarily mean that they would agree to their data being used for intelligence gathering purposes.
As I mentioned earlier, one of the major changes that the GDPR brings to consumers and citizens is the right to be notified when their personal data has been hacked or if a breach occurs. Additionally, organizations are required to detail how they use customer information in a way that is both clear and easily understandable. An example of this could be an organization sending out emails to customers detailing how their information will be used, with an option to opt out if they do not consent. Another important provision of the GDPR gives people who no longer want their personal data processed additional rights and freedoms to have it deleted entirely, provided there are no grounds for retaining it. This is particularly important when looking at the context of big data analysis methodologies mentioned by Buchanan. Since the search methods can transcend context, it would certainly be helpful for people to have the right to have their data deleted if they so choose. As an example, a person who may be on the same email distribution list as others who were confirmed as participants in a peaceful political protest of some sort could potentially be identified by big data search algorithms as a person with potential for extremist behavior. It would all depend on the search context and algorithm being utilized. With the ‘right to be forgotten’ process under the GDPR, this person would more clearly understand how their email address could potentially be used to identify them and have a clearer way to avoid being identified in this manner by removing consent and requesting the deletion of their personal data. With all of this in mind, I feel that from an ethics of care standpoint, the GDPR is a beneficial thing for European citizens and consumers. Requiring organizations to clearly spell out what people’s data is being used for, as well as granting the right to have that data deleted if they do not consent, shows great care for people’s personal data.
With all the information discussed, I do feel that the United States should incorporate something like Europe’s privacy laws. In our society today every aspect of a person’s life is available as data and stored in various places online. As the digital realm becomes increasingly complex, the need to regulate and protect that data becomes more important. Organizations must clearly define what users’ data is used for as well as how it may be used in the future. Most importantly, users need to be able to maintain control over how their information is used and retain the ability to delete their data if they so choose. Privacy laws such as Europe’s GDPR are a good start to what must be in place to accomplish these goals of protection. While there may certainly be drawbacks, such as a person who is involved in violent extremist behavior being able to delete their data to avoid identification, I do still believe that these types of privacy laws are a good foundation to be built upon here in the United States.