The European Union’s General Data Protection Regulation (GDPR) is scheduled to take effect on May 25. While companies that serve customers in the EU have to adhere, there are numerous applications for civil society, journalists, academia, philanthropy, and the private sector as well. The GDPR represents an important step forward for envisioning a civic life where citizens are empowered not only as data producers but also as data owners. Any conversation about leveraging data, technology, or innovation to enhance civic life or governance should seriously consider how such a framework could more deeply empower citizens in the United States.
The GDPR is a set of data protection laws that harmonize regulations across the entire European Union, ending the existing patchwork of cumbersome regulations across member countries. The EU Parliament approved the law in April 2016 to take effect after two years of transition time.
Several core components of the GDPR are relevant for broader governance and civic conversations around the world. First, having a clear sense of who collects your information and what information they collect. This reflects a demand to look under the hood at how your personal information is used and what is shown to you in turn. The GDPR requires notification within 72 hours if a breach has occurred. Hopefully the GDPR will also prompt more transparency and accountability about algorithms and their inherent biases. Understanding the implications behind algorithmic decisionmaking begins with understanding what data is being generated and how that information is being collected, used, disseminated, and re-packaged both to the user and others.
Second, having a right to be forgotten. If I want my data to be removed from a company, the GDPR provides this opportunity. One of the most exciting aspects of the GDPR is the concept of “data portability,” which provides consumers with a clear record of their personal data so that they can choose if and how they want their data to appear.
Third, enhancing data protection responsibilities. The GDPR aims to foster better practices from the outset with privacy in mind. Public agencies and companies that process large amounts of data must appoint a data protection officer (DPO). These DPOs have many roles and responsibilities, including educating the company, training staff involved in data processing, maintaining comprehensive records, and serving as a point of contact for the GDPR Supervisory Authorities. The DPO helps ensure that good data hygiene is practiced with a direct line of contact.
While the United States does not have its own GDPR, the role of companies with a global reach (which is just about every company) will be illustrative of whether and how Congress could regulate this space. Already, companies are releasing new privacy policies and terms and conditions. On a practical level, where your data is stored will have GDPR implications (if stored in Europe). But on a more normative level, the GDPR should be a wake-up call for a frank, honest, and difficult conversation about how to make data rights a fundamental civic right.
Ultimately, the conversation surrounding the GDPR needs to seriously consider the value that citizens place in their data. Increasingly, data is a personal asset. Companies are drawing immense value from the information that people freely divulge and the networks they form. The GDPR should spark a discussion over what business models could empower people with data rights. Moving beyond simply data monetization to data empowerment requires acknowledging that data rights are now civic rights.
As communication moves almost entirely to networked online technology platforms, the governance questions surrounding data and privacy have far-reaching civic and political implications for how people interact with all aspects of their lives, from commerce and government services to their friends, families, and communities. That is why we need a discussion about data protections, empowering users with their own information, and transparency.