Data breaches occur every single day, collectively affecting millions of people around the world. The European Union (EU), in an attempt to combat these data breaches, has issued new regulations surrounding the protection of data known as the General Data Protection Regulation, or GDPR. It was required to be implemented by May 25, 2018, and replaced the previous Data Protection Directive implemented in 1995. These updates were very much needed, as the cyber environment and the way data is collected and used have changed drastically since 1995. The main changes behind GDPR are meant to give more guidance around personal data, privacy, and consent throughout Europe. The aim is to benefit users with increased privacy and data protection, and to provide businesses with streamlined and unified directives for delivering that privacy and data protection to their users and customers.
GDPR expanded the definition of what constitutes personal data, which now includes names, addresses, photos, passwords, IP addresses, genetic information, biometric data, and more. It also requires that companies directly disclose to their consumers, in an easy-to-understand manner, what data they are collecting and how that data is being used. Additionally, the GDPR requires companies to notify both national bodies and affected consumers (on a direct, personal basis) in the event of a data breach. Finally, and perhaps most importantly, the GDPR imposes steep fines for non-compliance, ranging from 10 million euros to four percent of the company’s annual global turnover, as well as fines for mishandling data, including but not limited to infringing the rights of those whom the data represents, unauthorized transfer of data, failure to report a data breach, failure to make data privacy an integral part of the product design, and more. All of these are meant to ensure the privacy and safety of consumers’ data. In this case analysis, I will argue that consequentialism shows that the United States should follow Europe’s lead because doing so increases the amount of good overall in the world.
Zimmer’s article details a case concerning research conducted by a university using information gathered from Facebook. The study collected data from students over a four-year period without their knowledge or consent, and the data was published to the public. Despite the researchers’ “best efforts” to keep the university and students anonymous, the university was quickly identified as Harvard College and, subsequently, many of the students were also identified. Their private information, which was supposed to be available only to certain people whom they knew about and had approved, was now openly available and linked to them for anyone who wanted to seek it out. Collecting their data with neither their knowledge nor consent was an extreme violation of their privacy in the first place, but publicly publishing that data goes beyond even that. It didn’t take much time or effort for people to find the links between the “anonymous” data and the person it belonged to.
This is exactly the kind of scenario that the new GDPR is trying to avoid, and it would have stopped this invasion of privacy at several different steps. First, it would never have allowed the students’ data to be harvested in that way without their knowledge and consent. Second, it would have prevented the publishing of that data to the public unless consent had been given. Even then, I think certain information would still have to be left out. Third, the researchers would have been required to notify the data subjects about the privacy breach, and they would have received large fines for the mishandling of the data. This would make those researchers, and future researchers, think twice before mishandling data in that way again.
Consequentialist ethics makes the argument that what the researchers did was not right. They violated the trust of those students, which, in that small case, may not be a huge concern under consequentialism. However, in the broader scheme of things, it is. If anyone’s data can be taken and published like that at any time, that is not “for the greater good” and does not provide happiness to the largest number of people. It could provide happiness to a select few (researchers or criminals), but to the public it would provide only a lack of trust and maybe even mass panic. People generally like their privacy, and knowing that it could be violated at any time would be horrific. Even though the data was eventually rescinded, scrubbed, and republished, the damage had already been done.
If the United States had policies like the EU’s GDPR to preserve data privacy, I don’t think a scenario like this ever would have happened. The EU’s GDPR was created to preserve the rights of citizens rather than the desires of companies, and this falls perfectly in line with consequentialist ethics. While businesses may want to use data however they want without incurring any penalties or consequences for the misuse of that data, that isn’t in the general public’s best interest. Therefore, to provide the greatest happiness for the greatest number of people, the United States should follow the EU and create something similar to its GDPR policy.
Buchanan discusses ethics and data privacy as they relate to online extremism and terrorism. Information from open or public accounts was taken and compiled into a larger dataset that was then analyzed and scrutinized. Patterns were derived, and based on these patterns and networks, other individuals were identified as potentially problematic or as having links to extremism. The researchers become farther and farther removed from the individuals they are studying, and perhaps those latter individuals fell under none of the initial criteria used when looking for extremism or terrorism. The information was shared with other researchers and government entities, which goes beyond the scope of how the individuals originally shared their data. Additionally, the subjects never knew that they were part of this research, let alone consented to being part of it.
Palmer’s article does not make any mention of exceptions to the privacy and data laws: how the information is gathered and used, whom it is shared with, and the fines incurred for mismanaging that data. If the GDPR were strictly applied in all scenarios equally, then monitoring social media and other online data sources for information regarding terrorists would be illegal. If it did occur, the companies would receive steep fines for mismanaging data, and the users would have to be notified that the data breach occurred. At the very least, if they wanted to use the data in that way, the user would have to know about it and agree to it. This would be following the GDPR to the very letter, uniformly in all cases.
However, consequentialist ethics would make the case that applying the GDPR in all scenarios without regard to how it could affect most, or at least a large number of, people is not actually ethical. In scenarios of terrorism or extremism, it would be acceptable to monitor and use an individual’s data without their knowledge. The rights of a few terrorists to privacy are not greater than the harm they could cause to the public; therefore, monitoring and analyzing their data and sharing it with the appropriate government officials in order to provide safety and protection to the overall public is completely justifiable. A single terrorist can cause massive amounts of damage and thousands (or more) of deaths in the time it takes to blink. Stopping these terrorists from causing so much harm is to the benefit of the public as a whole. That is why, in this case, consequentialism says that it is acceptable to violate the privacy of the few in order to secure the protection and safety of the vast majority. It would provide the greatest good to the greatest number of people.
Therefore, the U.S. could still create a policy similar to the GDPR while also making exceptions in cases that involve national security and defense issues. The law would need to be very strict in how it outlined the exceptions to data privacy, but it would be important to include those exceptions. Creating strict policies for companies regarding data use while simultaneously allowing for the collection of data for national security and public safety falls perfectly in line with consequentialist ethics. The coexistence of these two parts of the law allows for the greatest public safety and the greatest good for the majority of people.
The United States should create privacy policies similar to the EU’s GDPR. It is important to safeguard the privacy of individuals and their data and to make sure it is used in ways that they know about and understand. Additionally, there need to be steep fines and fees for companies that violate the policies. Unfortunately, in many cases, that would be the only way to get companies to comply. Consequentialist ethics argues that the ethical thing to do is what is best for the majority, but companies are often only out for themselves and don’t necessarily care about ethics. That means they will need more than a slap on the wrist for violating privacy laws; they will need more severe consequences that they can actually feel. It still falls in line with consequentialism, however, to allow for data monitoring and privacy breaches in cases of terrorism, in which individuals could be performing great acts of harm to others. In both of these situations, the law would be providing the greatest good to the greatest number of people.
One problem to keep in mind, though, is that data monitoring for any reason can become a slippery slope. If people decide that it is acceptable to monitor others’ data in cases of national security, they may start to say it is acceptable to monitor it in other situations, too. It would be important to write into the law that data monitoring could only be performed in very specific circumstances, and to make sure that part of the law is not in any way vague, so that the scenarios in which it is acceptable to monitor individuals’ private data do not keep expanding. As long as the law was written in this manner, the United States would greatly benefit from laws similar to the EU’s GDPR.