User Data Case Analysis

Introduction

I think that a framework like the GDPR would be great to implement in the United States, but that it wouldn’t work with the way the country is now. I think the widespread usage of consumer data and Personally Identifiable Information (PII) has gotten to the point that any attempt to implement something like it in the States would be met with widespread corporate backlash. A framework like the GDPR puts additional weight on businesses, controllers, and processors to safeguard information while better outlining PII and protected data. It also forces businesses to notify citizens or customers when their data has been illegally accessed, something that normally would be swept under the rug and barely make a headline in smaller media outlets. This specific change is huge since, for the most part, many corporations or businesses attempt to keep breaches hush-hush, so as not to scare away consumers or lose prestige. Many incidents eventually come out, but US-based corporations still drag their feet when notifying victims, with most regulatory bodies requiring them to report to oversight agencies like the CISA, and not consumers directly. They have the leeway under current US law when it comes to protecting customer data, and notifying them of a breach, as well as collection, processing, and use of that data. While I think something like the GDPR would be great in the US, I don’t think it would even get off the ground if it were introduced right now, and I will use the Confucian ethics tool to explain my viewpoint.

Zimmer’s Viewpoint

Zimmer argues that much of the data that is “protected” by companies is already relatively public, easy-to-access data. A study mentioned in Zimmer’s paper mentioned that from information taken from Facebook, they were able to accurately deduce the school a set of college students went to, their background, gender, majors, and who some of these students were, without much or any of this information directly linking them to it. This information that was able to identify them, and a lot of their personal data, was just sitting there on Facebook, able to be datamined by someone with basic access to their data, or secretly mined by one of Facebook’s many “business partners.” Even though the data could be used to tie them back to a specific person and clearly identify them out of a set of close to 2000 people here, it was still widely available for people on Facebook to access. It raises the question for some people and companies: “Why should I bother protecting their PII if someone can just mine it off of their social media profiles?” This ties back to why I chose the Confucian ethics tool.

The main goal, or “path,” of a business is to succeed and make money. While it isn’t every single business’s goal, I’d argue about 99% of them have that goal in mind. To stay on this path, businesses use a variety of tools at their disposal, and are reduced to being in a number of roles to accomplish this: they end up being providers of goods, services, and jobs; they are troubleshooters to fix issues with a product and satisfy customers; they are members of the world’s economy, and must consider how they fit into it among other businesses and competitors; and they are protectors of data, both of their own trade secrets and of employee and consumer data as well. Because of their path and role, many of them will have access to customer information that, while maybe not vital, may end up leading back to certain customers. They could argue “Well you can easily get some of this data off of social media, why do we have to safeguard it?” which is a fair assessment, but it brings us back to my use of Confucianism.

Their role as a business is to protect their business interests, and the customers who do business with them. Their role as business partner and protector of customer data means they have a stake in protecting their data, if only for their own company image. If it was reported that they were breached and customer information was leaked, it would damage their image, consumer trust in them, as well as their profit margins, which would threaten their path to being a successful business. By implementing sufficient protections to that data to prevent breaches, a hacker would be forced to give up getting data quickly via hacking, and either mine the data via public sources like social media or give up entirely; either way the result is protecting the company’s path and roles.

If the US implemented a framework like the GDPR, companies could argue that information is readily available anyway. Their (so far) fairly open use of consumer data and PII would be stymied and end up slowing or hurting their business interests, hindering their path of successful business. While I still think 100% that the US should adopt something along the lines of the GDPR, I also think companies would push back enough against it that the framework would end up being altered for their freedom or dropped altogether.

Buchanan’s Viewpoint

Buchanan argues that the use of the data being mined is the most important aspect of it, and while I agree with that sentiment, I don’t 100% agree with the data gathering aspect still. I think, as with the prior article, using it for business and marketing helps to explain why they collect it, and why businesses should protect it, but it doesn’t really make it a good thing still. Buchanan says that thanks to datamining techniques, and Iterative Vortex Clustering and Classification, many members and supporters of ISIS/ISIL were discovered among Twitter users. By using that collected data, and the data collection technique(s), the government was able to track followers and supporters, stop potential terrorist attacks, and even use it to help prevent other attacks by the terrorist group.

Big data collections and analysis can be used for business gains, like the previous article, but this one shows how it can be used to help protect regular people by effectively highlighting potentially dangerous online individuals in big data dumps. Using the Confucian ethic, we can identify the government’s path or goal as running a country and protecting its citizens. In its role as protector, it must protect us both from physical and digital attacks, and one of the tools that is currently most successful at helping them is the use of data analytic techniques and data dumps, like in this article. While I don’t agree with the ethical use of them, their effectiveness in tracking dangerous individuals, collecting information on them, and potentially preventing some attacks must be considered. While, again, the previous article states that much of the information is already widely available, having dedicated data miners collecting vast sums of data to be analyzed is significantly faster than collecting the information one by one from social media.

By passing a framework like the GDPR, individuals’ information would be further protected from by businesses, and from big data gathering as well. The downside to this is that without the more robust data gathering, or if some information is completely protected, the government’s use of this to track terrorists, criminals, and other dangerous individuals would suffer, potentially leading to people being harmed or killed. While the government has a duty in its role and path to protect its citizens’ information, and set a standard for protecting it, it also has the duty of protecting them from harm from within and without. By passing something like the GDPR, they would be limiting, or completely doing away with, one very useful tool that enables them to protect their citizens. By protecting the data rights of the whole of their citizenry, they may protect some from damage caused by that data, but without being able to use that data to track dangerous individuals, other people could be hurt as a result.

I think in the government’s role as protector, it has a duty to protect the data of citizens first and foremost and investigate other ways to track potentially dangerous individuals. With the resources at their disposal, surely they can fulfill both obligations of their role to protect both data and its citizens. That being said, there would be a lot of pushback from not only data-mining organizations, but members of intelligence agencies too, against prevention on big data gathering and analysis. To them, in their roles of business and protector respectively, this is too good of a resource not to use. I think 20 or 30 years ago, it could have passed relatively easily, but with the way the country and world are now, and how much influence both business and some agencies have on the government, something like the GDPR would see a lot of alterations if it were to be instituted in the US, if at all.

Conclusion

Overall, I think the GDPR would be good to have in the United States, but I think it would never pass, at least not like it is now. Businesses utilize data gathering immensely for their own business practices and marketing strategies. One argument they can use is “It’s publicly available information, why should WE have to protect it if they can get it somewhere else?!” Not only do businesses consider it important for their own use, but the government has its own use for it as well. By using datamining and big data analysis, they were able to track down ISIS/ISIL members, and potentially prevent harmful acts caused by them as a result. It’s shown to be an effective tool against individuals who use social media or online resources. Without another tool that’s just as effective on hand, it would endanger the roles of both businesses and the government to reach their goals and follow their paths. I think if the GDPR were to be passed in the US, it would have to be modified, and have significant stipulations regarding the use of big data, datamining, and businesses’ role in reporting and following up on a breach.