Introduction

Especially as cybercrime continues to evolve with advancing technologies, it’s not a matter of if, but when, data breaches will happen. The harm-based theory of privacy protection asserts that it is the organization’s responsibility to circumvent and prevent hackers from accessing data to exploit; however, such a position ignores a much more prevalent issue in the topic of data and privacy in modern-day society: dignity.  The expression “human dignity” appears in Article 88 of the GDPR (2016), requiring data collectors to…

“Include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the workplace.”

The dignity-based theory of privacy concedes that tangible harm need not take place for a user’s privacy to be violated. The General Data Protection Regulation (GDPR) maintains that institutions have a legal obligation to respect data subjects in addition to ensuring data is collected and housed in a way that protects data from misuse, exploitation and hackers. The GDPR is a European Union law that only applies to all EU member states. It’s the core of Europe’s digital privacy legislation. It was designed to give individuals more control over their personal data and to create a uniform data protection framework across the EU. Its main points ascertain that the GDPR:

• requires companies to provide clear and transparent information about how they collect, process, and store personal data.
• gives individuals the right to access their own personal data and ask to delete it.
• gives individuals the right to be informed about any data breaches that affect them.
• requires companies to obtain consent from the individual before collecting their data.
• imposes penalties on companies that do not comply with its rules.

By analyzing readings from Buchanan and Zimmer through a deontologist lens, I assert that the outdated legislation in the US fails to hold agencies and institutions accountable for their actions around data protection, and the current digital environment demands a comprehensive framework of laws that honors user privacy and enforces compliance in ethical data use across agencies and organizations similar to the GDPR.

The combination of deontology and data privacy can ensure customer data is collected and used ethically. By incorporating ethical principles to develop legislation around establishing, collecting, storing, and analyzing customer data, the United States can ensure that institutions take sufficient measures to respect customer privacy and use customer data responsibly. In Fall of 2008, a group of researchers publicly released data collected from Facebook accounts of an entire group of college students at an anonymous, northeastern American university. The data was titled ‘‘Tastes, Ties, and Time’’ (T3 henceforth). The research team took various steps in an attempt to protect the identity of the subjects. According to Zimmer (2010), these included:

1) Only those data that were accessible by default by each RA were collected, and no students were contacted for additional information. 2) All identifying information was deleted or encoded immediately after the data were downloaded. 3) The complete set of cultural taste labels provides a kind of ‘‘cultural fingerprint’’ for many students, and so these labels will be released only after a substantial delay in order to ensure that students’ identities remain anonymous. 4) In order to access any part of the dataset, prospective researchers must agree to a ‘‘terms and conditions for use’’ that prohibits any attempts to re-identify subjects, to disclose any identities that might be inadvertently re-identified, or otherwise to compromise the privacy of the subjects. 5) The entire research project, including the above steps, were reviewed and approved by Harvard’s Committee on the Use of Human Subjects.

Nevertheless, within three days and without access to the full dataset, the anonymous university was identified as Harvard. The T3 team asserted that they did not obtain any information “not otherwise available on Facebook.” They also did not interview anyone, ask them for any information, or “make information about them public (unless, as you all point out, someone goes to the extreme effort of cracking our dataset, which we hope it will be hard to do).” (Zimmer, 2010).  A day later, the entire dataset was cracked. 

This story highlights the primary ethical issues of data use. First of all, the researchers failed to take into account the privacy settings within Facebook to control the flow of personal information. RAs were granted access to Harvard’s Facebook network as students or alumni of the university, not as data miners tracking users’ private information. In turn, profile data that was originally meant for only those within the Harvard network was included in a dataset released to the public without ever notifying the subjects. Knowingly employing RAs with access to Harvard’s network to obtain access to data they would not otherwise have, but later claiming innocence on the grounds of the data being public knowledge is dishonest and unethical. From a deontologist’s perspective, data should be used in a manner that respects the individual’s right to privacy and confidentiality. This means not using or sharing data without the individual’s explicit permission, not using data in ways that may harm the individual, and not using data in ways that are not in the individual’s interest. The T3 researchers failed to do this.  If the US were to adopt legislation similar to GDPR that systematized explicit guidelines for data privacy and outlined swift and severe consequences for not following said guidelines, instances like the aforementioned could be avoided. 

Contrary to popular belief, informed, freely-given, revocable consent consent is only one of five legal avenues the GDPR allows an organization to take to collect data on an individual. The EU GDPR (2016) defines consent as…

“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”

Once a legal ground is chosen, data miners must stick with it. Other than consent, the legal grounds for collecting data include: 

1. You need to process the data to comply with a legal obligation.
2. You need to process the data to save somebody’s life.
3. Processing is necessary to perform a task in the public interest or to carry out some official function.
4. You have a legitimate interest to process someone’s personal data. This is the most flexible lawful basis, though “fundamental rights and freedoms of the data subject” always override personal interest, especially if it’s a child’s data.

With that being said, in accordance with GDPR and deontology, there needs to be some aspect of informed consent outlined in federal legislation.  In this case, the T3 research team should have obtained informed consent from dataset members prior to collecting any information on them.

In a similar scenario, Buchanan (2017) describes how it is becoming increasingly difficult to protect individuals’ privacy rights as large scale data mining and “big data research” grows exponentially in use, especially as much of the data is accessible to the public, and knowingly publicly shared by the users. The primary differences between the two cases revolve around informed consent, and access to the data. It is commonly accepted that Twitter-unlike Facebook-is a public platform.  In her response to Benigni et al’s paper, she asserts that “researchers operate on the condition that these data are accessible to researchers, law enforcement, and others; the accounts from which data are mined are public (open) accounts, and ultimately, identifying those vulnerable to, or susceptible to online extremism is itself a social benefit, a laudable goal.”

Buchanan describes how many agencies, like one based in Ireland, have begun to use Twitter as a means to identify and monitor members, supporters, and sympathizers of terrorist groups like ISIS as a means of counterterrorism. In this context, big data research is legal under GDPR because of the type of data being collected. Consent is irrelevant because this type of data collection falls within all of the other bases of appropriate data collection listed in the GDPR (2016).  However, this raises further questions about the ethical implications of collecting and analyzing data related to terrorist activity, such as the potential for infringing on the privacy of innocent users. 

Ultimately, the ethical implications of big data research must be carefully considered in order to ensure that no user’s privacy is violated, while also allowing for effective monitoring of terrorist activity. Kant outlined the Command Imperative, which improves on the golden rule: Act as you would want all other people to act towards all other people. That is why one must always respect others as an end in itself rather than a means to an end. Thus, to be “morally right” according to deontology, one must give others the chance to do good. One honors another by respecting them, and at all avoids knowingly causing injustice or harm. One must never use or exploit anyone for whatever purpose. By those parameters, one may argue that the practice of big data research is unethical because not only do data miners fail to respect individuals as beings capable of doing good, they demean them to “data subjects” and exploit them for personal gain. However, that fails to take into account the command imperative, and the focus on intentions versus impact of a decision.  

One might try to argue that if data mining is considered unethical in one context, then it is universally unethical according to deontology; however, in deontology, the intentions of the actor hold more weight than the consequences of the action. Buchanan states that many of those being observed are already convicted terrorists actively engaged in harmful behavior, such as terrorist recruitment and the dissemination of false information in an attempt to further their personal agenda. Data mining in order to monitor extreme terrorist organizations and ensure public safety is ethically right; however, data mining unsuspecting individuals to gain an unfair advantage against your competitors is ethically wrong, and it goes back to dignity and Kant’s golden rule. As Buchannan (2017) points out, the methodology transcends context. The ethical dilemma appears when discussing the parameters of such context, like the example Buchanan gave in regard to Black Lives Matter. What if the radical group were BLM, would it still be okay to collect such data? The point at which an ideology radicalizes enough to pose a threat to society remains uncertain; however, adopting legislation aligned with the GDPR with clear parameters and little room for interpretation would certainly help institutions and companies make that distinction.

Buchannan (2017) also expresses the need for updated United States federal regulations on human research, stating the last revision was in 1991- prior to the explosion of technological advancements. As technology continues to evolve, adopting a system similar to GDPR, which is already established in the EU, will make it easier for international corporations to conform to US regulations. On the basis of data mining reform, legislators must consider dignity-based data collection, which is data-collection focused on gathering data with respect and acknowledgment of the individual’s dignity and autonomy. It is a way to ensure that data is collected in an ethical, meaningful, and respectful way, taking into account factors such as privacy, consent, safety, and respect for the individual’s autonomy. In addition, data collection legislation must preserve the privacy and dignity of the individual. According to deontology, considerations must be taken to ensure data is collected lawfully, that it is collected in accordance with ethical codes, and that it is used responsibly. Lastly, it should be done in a way that does not cause harm, and that honors the individual’s right to privacy and choice.

Summary 

This essay reasserts the United States’ need for data protection reform by means of a comprehensive framework similar to the GDPR. There is no current federal guidance that compares to the GDPR in the United States, and the most recent federal legislation around acceptable data use was written almost 20 years ago. As a result, many institutions and companies are free to establish less-than ethical policies around data use, as explained by both Buchanan (2019) and Zimmer (2010). If the United States does not match the European Union’s strides in data policy, without adequate systemic consequences to protect privacy as an integral part of human dignity, unethical data mining will erase all hopes of “a better tomorrow” and soon become “the American way.”

References

Buchanan E (2017) Considering the ethics of big data research: A case of Twitter and ISIS/ISIL. PLoS ONE 12(12): e0187155. https://doi.org/10.1371/journal.pone.0187155

Palmer, D. (2019). What is GDPR? everything you need to know about the new General Data Protection Regulations. ZDNET. Retrieved February 9, 2023, from https://www.zdnet.com/article/gdpr-an-executive-guide-to-what-you-need-to-know/ 

Regulation 2016/679/EU. (General Data Protection Regulation). On the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC . European Parliament and Council. https://gdpr-info.eu

Zimmer, Michael. (2010). “But the data is already public”: On the ethics of research in Facebook. Ethics and Information Technology. 12. 313-325. 10.1007/s10676-010-9227-5.