What does the General Data Protection Regulation (GDPR) mean for ethics?

Introduction
With the 2018 implementation of the EU’s General Data Protection Regulation (GDPR), the world of data
privacy and cybersecurity was completely transformed. Although its underlying goal is to protect human
rights in an increasingly digitalized world, the law raises some moral issues. These include concerns around
the privacy-security tradeoff, business costs associated with compliance, and innovation chokepoints. In
this article, we discuss the ethics of the GDPR, specifically which rights it safeguards, which restrictions it
carries, and whether it does an adequate job of reconciling personal and shared interests.


Protection and Limitation of Rights
The fundamental premise of the GDPR is defending the rights of individuals, including the right to privacy.
It requires companies to gain explicit consent before collecting any data, and gives users a right to view,
amend or unsubscribe from their data. This means users are in full ownership of their online identity. To
quote from Moerel and Prins (2016): “The GDPR is a response to mounting fears of digital age eroding
privacy and an important step towards the enforcement of rights of individuals” (p. 44).
But even the GDPR has some limitations that could be considered ethically problematic. The policy
upholds the right to privacy but, when it’s used improperly, enables large-scale data-gathering
technologies like artificial intelligence (AI) and machine learning. These fields have been dominated by
data-driven innovation, and restrictive data usage regulations such as the GDPR may restrict innovation
for businesses. This raises ethical questions about whether the law values individual rights more
than the shared interests of technology development and prosperity (Mantelero, 2018).


Costs and Benefits of GDPR
The cost of doing business is one of the big moral issues with the GDPR. Data protection, data protection
officers, compliance – all these things are a large expenditure, but relatively cheap for a company of
large size. Small and medium-sized companies (SMEs), however, have a bigger problem. Compliance with
the GDPR is almost a nightmare for SMEs: it puts them under financial pressure or even shutters the
company. This leads to a moral dilemma: the GDPR is intended to protect individuals’ rights but can also
adversely affect small businesses which lack the resources to comply with its rigorous standards (Veale,
Binns & Ausloos, 2018).
The advantages of the GDPR, however, are huge for individuals because it gives them more access to
their data and makes companies accountable for data breaches. This is crucial at a time when data breaches
and data misuse are not uncommon. But the regulation’s cost-benefit ratio might be biased against firms
– particularly EU entities not already obligated under GDPR because the GDPR is extraterritorial. These
businesses could incur large compliance fees without enjoying the full advantage of European market
access, so it is not always fair to consider how the policy will be applied across the globe.


Equally Reducing Individual Rights to Individual Interests?
The GDPR clarifies the key ethical issues about data privacy, but it also raises questions about the proper
balance of personal and collective interests. By being so focused on personal privacy, the law can restrict
data for research and development in areas that may be useful to society more generally. For instance,
healthcare data is crucial for medical research, but even anonymised data is strictly prohibited under
GDPR. This can also stifle studies that could result in novel therapies and public health advancements
(Mantelero, 2018).
And while the GDPR gives people more power by giving them greater control over their data, it also limits
certain freedoms. Businesses, especially tech startups, might encounter ethical difficulties as they strive to
comply with GDPR and also develop and launch new products and services. ‘Ethics is about balancing
competing rights, and in the present draft of the GDPR the right to privacy might be overriding other
desirable rights, such as the right to benefit from technological innovation,’ Floridi (2016) writes (p. 10).


Does GDPR Properly Deal With Individuals’ Rights?
The GDPR seeks to protect individuals’ rights – including the right to privacy – but critics say it may not
do justice to the new digital world. The demand for explicit permission, for example, can occasionally
cause “consent fatigue” as the process becomes flooded with request after request, which diminishes the
purpose of the consent being given. This is ethically problematic because it raises the question of whether
participants are actually giving informed consent or merely clicking on an agreement without really
understanding the implications (Veale et al., 2018).
Furthermore, while the GDPR grants individuals a right to have their data deleted (“right to be
forgotten”), this right can conflict with other ethical considerations, such as a right to public information.
How to strike a middle ground between these competing interests is an ethical problem that both
policymakers and judges must continue to face in the new digital age.


Conclusion
The ethical implications of the GDPR are complex – it touches upon questions of individual rights,
corporate expenses, and social good. While it provides meaningful protections for personal privacy, the
regulation also creates ethical issues about its implications for innovation, business resilience and
balancing the interests of individuals and societies. As digital technologies advance, continuous ethical
thought will be required if the GDPR and similar regulations are to continue navigating the data privacy
maze in a fair and just manner.

References
Floridi, L. (2016). The ethics of information transparency. Ethics and Information Technology, 18(1), 9-11.
https://doi.org/10.1007/s10676-016-9404-5
Mantelero, A. (2018). AI and Big Data: A road map for a human rights, social and ethical analysis of
impact. Computer Law & Security Review, 34(2), 754-772. https://doi.org/10.1016/j.clsr.2018.05.017
Moerel, L., & Prins, C. (2016). Privacy for the Homo Digitalis: Rethinking data protection regulation in
the era of big data and IoT. Computer Law & Security Review, 32(1), 43-57.
https://doi.org/10.1016/j.clsr.2015.12.007
Veale, M., Binns, R., & Ausloos, J. (2018). Where data protection by design meets data subject rights.
International Data Privacy Law, 8(2), 105-123. https://doi.org/10.1093/idpl/ipy002