Should the U.S. adopt the EU’s GDPR law?

In this case analysis, we review the article What is GDPR? Everything you need to know about the new general data protection regulations by Danny Palmer. This article explains what the GDPR is and what it entails for businesses and organizations in and working with the European Union. The GDPR is a law that creates a set of rules that businesses must follow and comply with to work with or in the European Union. Organizations that collect data have to follow these rules as they create their products and services, focus on securing any personal data they collect and send out notifications to the victims in the event of a data breach. The GDPR or General Data Protection Regulation was initially proposed in January of 2012 and went through development for four years before being officially accepted on April 14, 2016. It took two years to be fully implemented, and it required compliance from any organizations that conduct business with or within the European Union (Palmer, 2019).

In this case analysis, I will argue that utilitarianism shows us that the United States should follow Europe’s lead because the citizens of the United States should have the same control level of control over their data.

Zimmer

In Michael Zimmer’s article, “But the data is already public”: on the ethic of research in Facebook, it reviews the “Tastes, Ties, and Time” project (T3 Project) and its aftereffects. In 2008, a group of researchers had released the profile data of 1700 students’ Facebook accounts to the public. While there were attempts to hide the student’s identifiable information or the institution’s identity, those efforts were not enough to protect the student’s privacy. Zimmer uses that incident as a case study and expresses the ethical concerns regarding research in social networking sites, expectations of privacy on those sites, and strategies of anonymizing data before public release (Zimmer, 2010).

The researchers spent four years collecting data about the students and then released the data to the public in waves. After the initial data release, anyone could access it by submitting a statement detailing what they intended to use the data for. People were granted access to the data at the group of researcher’s discretion. They had also released a codebook that was accessible without needing to apply, which included detailed descriptions of many data elements. The researchers had tried to remove any identifying information when their project was published. However, their attempts fell short, and people could use that data to identify that the institution was Harvard College (Zimmer, 2010).

As Zimmer had stated, “Had they (T3 researchers) followed the European Union’s guidance, they would have recognized that many of the subjects’ identifying information could be used for re-identification.” Zimmer had defined the subjects’ identifying information as any “physical, physiological, mental, economic, cultural or social identity” (Zimmer, 2010).

This incident can show how companies and organizations can fail to protect the private information of their consumers. The GDPR was developed during a period of rapidly evolving technology that makes it hard for most people to keep up to date. Organizations and businesses create privacy policies that tend to lean towards their favor, but with the enactment of the GDPR, the EU’s Parliament and Council decide the contents of these policies. They make sure that the contents of these privacy policies include a guarantee of every citizen’s right to privacy and that this right would be protected under EU law. It also added a section clarified as the “right to be forgotten” process that allows people to have their private data deleted and no longer processed by an organization or business.

When looking at this from a Utilitarian perspective, we can see that the members of the European Union’s Parliament and Council decided to protect their citizen’s rights over their data when processed by organizations and businesses. When looking at the incident from Zimmer’s article, the GDPR is a safeguard to prevent another incident like the T3 Project from happening within the European Union by broadly defining what is considered “personally identifiable information” (PII) and securing its citizen’s rights to their privacy.

From a utilitarian perspective, one could see that the United States could follow the European Union’s example by adopting a similar law to the GDPR that could prevent another incident like the T3 project. This would follow a utilitarian’s views. The United States would develop a similar law that would protect the citizens’ rights regarding their privacy over the privacy policies that businesses and organizations might create that lean in their favor.

Buchanan

Elizabeth Buchanan’s article reviews the paper “Online extremism and the communities that sustain it: Detecting the ISIS supporting community on Twitter.” The paper introduces the Iterative Vertex Clustering and Classification (IVCC) data mining model utilized to identify ISIS/ISIL supporters on Twitter. Buchanan has explained that this model has enhanced capabilities and is utilized extensively by law enforcement and intelligence agencies. However, ethicists and privacy advocates have pushed back against this large-scale data mining and analytics in the name of national intelligence and security (Buchanan, 2017).

The paper operates on the condition that the data is accessible to researchers, law enforcement, and other organizations; the data is mined from public accounts, and identifying those vulnerable or susceptible to online extremism is itself a social benefit. The paper has its viewers consider the complex relationships between and among research questions, methods, and the uses of research data (Buchanan, 2017).

While the methods of the model described in the paper have helped identify people of ISIS or the Islamic State, the ethical standpoint of the methods is vague and ambiguous regarding privacy rights and autonomy. Datamining has seen a massive rise across the Internet and social media, creating ethical dilemmas regarding privacy, rights, autonomy, and even social justice issues, including discrimination. Some believe that this model can and will be utilized to target other groups such as protestors or political dissidents (Buchanan, 2017).

This issue is just one part of a long-fought battle covering the privacy landscape and the ongoing discourse between data science, analytics, and significant data ethics. One of the problems is that data is readily available and provided by users themselves, which increases the difficulty of protecting individual liberties and privacy. Terrorist organizations such as ISIS and the Islamic State are constantly utilizing methods such as exploiting the nature of social media for recruiting and propaganda. Law enforcement, intelligence agencies, and other organizations utilize the IVCC model to analyze the millions of Twitter posts that occur daily to scope out any mentions of ISIS or the Islamic State for potential members, supporters, or sympathizers (Buchanan, 2017).

Big data science is used to identify patterns, structures, and anomalies in large data sets. It is entwined in many disciplines, including education, criminal justice, communications, business, etc. Researchers utilize big data to exploit and explore the data they can collect from social media sites such as Facebook or Twitter. As big data science and social media continue to grow, they push the boundaries of traditional research methods and ethical principles (Buchanan, 2017).

From a utilitarian perspective, one could advocate that using the IVCC data mining model to detect and identify ISIS or Islamic State members or supporters is the better option as it favors protecting the majority of the populace over the few that complain about privacy concerns. However, with the General Data Protection Regulation, some may exploit the “right to be forgotten” section to distance themselves from Twitter before the IVCC model can identify them.

Conclusion

The U.S. should follow the EU’s lead and adopt a regulation similar to the GDPR. By adopting a similar law, the United States could prevent another T3 project incident and enforce their citizen’s privacy rights. Nevertheless, there is the possibility of people in the United States’ populace exploiting the “right to be forgotten” section of an American GDPR to escape detection of the IVCC model. Many concerns arise with laws regarding privacy, yet an American version of the GDPR would be seen as beneficial for the majority of its citizens. While there might be those who could exploit the U.S. version of this law, it would benefit the populace and instill peace of mind that they have rights over what data companies could collect, which companies they would allow to collect their data, proper notification of any data breaches, and the right to have their data removed from companies databases.

References

Buchanan, E. (2017). Considering the ethics of big data research: A case of Twitter and ISIS/ISIL. PLOS. https://doi.org/https://odu.voicethread.com/lti-student/1126604/

Palmer, D. (2019, May 17). What is GDPR? Everything you need to know about the new general data protection regulations. Retrieved February 20, 2021, from https://www.zdnet.com/article/gdpr-an-executive-guide-to-what-you-need-to-know/

Zimmer, M. (2010). “But the data is already public”: On the ethics of research in Facebook. Ethics and Information Technology, 313–325. https://doi.org/https://odu.voicethread.com/lti-student/1137766/?tok=21456298726209b01ba6ffd6.64789789