GDPR is an Important Advance in Privacy. Here’s What Must Come Next.
Written by Nuala O’Connor
The General Data Protection Regulation is here, and soon we will see if it ushers in a new era of individual empowerment or raises novel barriers to innovation in technology. Fears of unclear mandates and uneven enforcement have led to the common refrain from company leaders, particularly in the U.S., that innovation will be stymied by draconian regulations and ex ante enforcement will create work without meaningful privacy improvements for individuals.
However, the tone and tenor of that pushback has moderated lately, due in no small part to the recent Facebook-Cambridge Analytica revelations and a larger societal “techlash.” And while the GDPR is not perfect, the values it advances are the right ones: individual autonomy and dignity. Data is how we transact in the digital age, and now is the time for individuals to have greater say in how companies can and cannot use their personal information.
The United States and Europe, despite different approaches to regulating data, emphasize the role of the individual in determining how their information should be used. But with the GDPR, Europe has become the de facto leader in addressing personal privacy. Major companies worldwide need to comply with the European law, and some are extending its protections to all their customers – not just those based in the EU. But as the online population grows and ever more data is generated about our daily lives, there is still much work to be done on both sides of the Atlantic.
The U.S.-EU relationship has been historically fraught where data privacy regulation, oversight, and enforcement are concerned. The United States continues to argue that its “sectoral approach” to data privacy protects the most sensitive types of data and focuses enforcement where the biggest privacy harms may arise. European regulators have been, at best, dubious of these claims, emphasizing that privacy is a fundamental human right that should not be sacrificed.
Now is the time to move beyond these disputes to create a global framework on privacy that provides transparency, control, and autonomy to individuals online. Transparency into what data is collected – why, how, and by whom – is an important first step, but an accurate understanding of how that data could be shared with other parties or used to make automated decisions is also essential. The ability to access data and delete or remove it from a particular platform, service, or company is also an important element of control.
But transparency and control over data are not enough. It has become increasingly clear that our understanding of the choices we make when engaging with digital tools and services, the consequences of those choices, and our control over our online experiences and lives is limited. From our most trivial likes and dislikes to answers to quiz questions, every bit of data we disclose online — knowingly or unknowingly — can be harnessed to make decisions about us, with potentially lasting effects.
The power dynamic is currently weighted heavily towards corporations, with users left to navigate an opaque world that values and has uses for their data beyond what an individual can comprehend. As a result, digital platforms determine not only what ads we see, but also what news stories rise to the top, who should be an “influencer,” and what content should be censored. As Zeynep Tufekci said, “An ordinary person cannot meaningfully consent to this level of complexity and obscurity.” We should be able to grasp what data has been collected about us, how it is being used, and with whom it is being shared without needing to access and understand every line of the code that shapes our lives.
New policy and vigilant regulatory enforcement are necessary to rebalance these information asymmetries, because in the digital economy, individuals often lack any power to disconnect or opt out of their digital experience. In the United States, comprehensive privacy legislation is needed and should be consistent with emerging global privacy standards across all sectors. On the European side, regulators will need to use their enhanced enforcement powers strategically and focus on the most problematic data practices to address this vast power differential.
Companies must also do more to counter unintentional biases within their systems, and to rapidly adjust these systems and the values embedded in them when they lead to unjust outcomes. Individual agency will only come when people have the ability to challenge the digital decisions that are made about them.
As Cambridge Analytica’s illicit use of data acquired from Facebook illustrates, companies must do more to earn people’s trust than keep personal data secure from traditional breaches. Citizens worldwide are recognizing the value of their personal data, and are demanding more in return. Data has always been personal, powerful, and a meaningful extension of self, and now is the time to finally treat it as such. Policymakers have the opportunity to shape privacy-protective policies that work across borders, while still allowing innovation. The GDPR is a meaningful and ambitious start.