Towards a JUST data order: Are GDPR and data subject rights the solution?
The new General Data Protection Regulation (GDPR) has raised hopes for the protection of the data of individuals in the EU region irrespective of where the processing takes place. Is it as simple as that? Can a policing approach to safeguard data subjects work in today’s world of big data and analytics and the insatiable appetite of corporations to exploit the possibilities?
Social media is abuzz with news about the recent Facebook data leak, Cambridge Analytica’s reported electoral exploits, and global worries about what happens when data falls in the wrong hands. Mark Zuckerberg’s testimony before the US Congress and demands for his appearance before EU lawmakers, his public apology to users coupled with the warning that there is more to the data breach than what has become public so far — all these have created a stir globally. Yahoo and LinkedIn are just two of the companies to have had massive data breaches in the last few years. News broke this past November that Uber had concealed a major data breach for a year and bribed the hackers to hush up the matter. Global giants like Google have reason to worry about skeletons that may tumble out of their closets.
You can be sure that thousands of other organizations might be found responsible for misuse or leak of individuals’ personal data, or for failure to protect the data of their users from hackers. Seeing the alarming frequency of such incidents across the world, the focus is now truly on the need to protect the personal information of individuals. Organizations that adopt a lackadaisical or adventurous approach to personal information run serious risks, such as closure (Cambridge Analytica), being summoned by lawmaking bodies (Facebook), CEOs being suspended (Cambridge Analytica) or quitting the organization on their own (WhatsApp). At the same time, what we have seen until now is only the tip of the iceberg of what data science and its (mis)use can do.
In this ecosystem of data holders, data-hungry analyzers, indiscriminate marketers, big data/ analytics and the phenomenal growth in computing and inferential capabilities, how safe is the data subject and how sacrosanct are the data subject’s rights? As it stands today, the hapless data subject is at the mercy of data pirates and hackers because the current corporate eco-system is totally focused on financial parameters, and advances in digital technologies and computing capabilities are being pressed into service in pursuit of these financial goals.
Most developed economies have data protection laws even today, but the General Data Protection Regulation (GDPR) which came into effect from 25th May 2018 has raised hopes because it is a rights-based law that puts the data subject at the center, and makes organizations (as data controllers and processors) accountable in multiple ways. This approach is different from several existing laws related to data protection around the world.
GDPR is being touted as a game-changer, but can this approach solve the privacy challenges the world of big data faces? With the regulation now in effect, hopes are building up that its strict provisions, penalties for breaches, institutional set-ups to deploy the regulation, and public awareness, will act as deterrents for organizations and they will start behaving. Is this hope plausible or we are hoping against hope? This brings to the fore a few important questions:
- How do, and how should, organizations treat the personal information of employees, customers/users, other stakeholders, and the public at large?
- What role do organizational ethics (shared beliefs, guidelines for decision-making when in doubt, fairness, and integrity) play in how organizations approach personal information?
- Is it companies’ insatiable desire to increase their market share, revenue, profits which is at the heart of the issue?
- Are immense analytics capabilities so irresistible that organizations end up crossing the ethical line even if they never thought they would?
- Can the ignorance of data subjects be blamed for data breaches and data misuse?
- Is it really about the sporadic unscrupulous actions of a few individuals that have shaken the faith of data subjects? Or is the problem more deep-rooted?
I propose that the crux lies elsewhere, and answers to some of these vexing questions will emerge if we adopt a different paradigm to view data privacy.
Data is just another form/ channel through which human beings interact with each other. In fact, it has become a glue that binds individuals to organizations. Any moral principles we believe should apply to how human beings ought to deal with others should also apply to data and organizations. Let us look at some basic principles and considerations that ought to guide human existence, and therefore organizations and their actions.
Won’t the world be a great place if human beings were fair and transparent in dealing with each other? Apply this to data and things will start falling in place. If I share some personal details with you, shouldn’t you keep them to yourself whether I specifically tell you to keep them confidential or not? If the information is something sensitive, say about my health, should you not handle it with additional care? Should you gather more information about me from third parties, social media etc. as against asking me directly? Should you gather my information without a purpose? The answer is a clear NO. If some information you have about me is incorrect, shouldn’t you correct it at the earliest possible, or ask me for clarification? The answers to all these questions come easily to us because we know that mutual trust and respect are at the heart of these human interactions.
When fairness, transparency, respect, and trust are key to human relationships, shouldn’t the same be true for the working of organizations? Why don’t these principles govern people’s interface with corporations and other organizations?
The answer usually lies in financial considerations. Most data breaches point to the stark reality that the actions of companies are driven by the bottom line, and at some point, everything becomes fair in war and business. A company may argue that it exists to create and maximize wealth for its shareholders, and the ends justify the means. There may be exceptions, where the original intent was noble, but errors of omission and commission created poor data practices.
The last few years have seen an explosive jump in analytics capabilities, artificial intelligence, natural language, and machine learning. Data sets, which were rather innocuous, are being used to draw significant inferences about people, assess their preferences, political inclinations, and a lot more. These are being used for targeted campaigns — be it for selling/marketing or influencing voting decisions. The currently raging controversy about the use of such analytics (from data gathered through social media) to influence elections is for everyone to see. The realm of possibilities (of analysis and drawing inference) has expanded so much that one feels that organizations have started to control people’s minds.
Any argument organizations put forth saying that if data subjects are careful, they have full control over their data, is plain nonsense. Normal human beings have limited capacity to handle information, and when they are flooded with complex and lengthy disclaimers, policies and notices, they are left confused and overwhelmed. In such a situation, people tend to go by the reputation of an organization (name, brand image, size, global spread, familiarity etc.), with a belief in universal principles of trust, respect, fairness, transparency, and truthfulness. There is also an implicit assumption that such an organization will treat their personal information with extra care.
If an organization gathers information about an individual, various articles of GDPR bestow certain rights on the data subject, such as the rights of access, rectification, erasure etc.; and places some constraints on organizations, such as restrictions on processing/ sharing with others, retaining beyond a certain period. But the approach an organization takes to abide by the law depends on its values and culture. A policy driven by a compliance and legalities oriented mindset is more prone to exploiting loopholes when there are financial pressures. A rulebook approach to ethics is manipulated deviously in times and situations of ambiguity and doubt.
It is also hard to believe that leaks, misuses, and abuses of data are the work of a handful of individuals, and these are isolated incidents in an organization. The values and culture of an organization play an important role here. If the management has been emphasizing and exemplifying ethical behavior consistently, such instances are unlikely to happen. This organizational approach and mindset — valuing mutual trust, transparency, greater disclosures when in doubt, respecting all stakeholders — are a result of deeply-held values and consistent behaviors and actions over a long period. If the management wavers in its commitment even a bit, employees may see leeways.
Today, many large corporations hold a hugely dominant position in society. They have an additional responsibility. Not only does their behavior need to be exemplary, but they also need to educate data subjects who are at various levels of maturity. In addition, the default option for them (and other organizations) should be to ensure the highest privacy settings in a digital world. Often, these players have enhanced their market position through acquisitions with the primary motive of getting the enormous data the target company had. They have to be cognizant of the fact that data subjects are not a stakeholder in such acquisitions. Transparency and adequate disclosures in such scenarios will help the eco-system.
The fact that an organization will have data of its employees and customers is almost inevitable. How the organization processes — collects, uses, secures, retains, shares — the data is strongly linked to the ethics and values the organization practices.
For a just data world, the guiding principles for organizational performance have to be (in that order):
- Responsible management
- Trust, transparency, fairness, inclusiveness ingrained in organization values
- Concern for all stakeholders (including data subjects), society and the environment
- A strong sense of accountability for its (and its each individual’s) actions and outcomes
- Using ethics and compliance (to universal ethical principles and not just laws) as key differentiators
- Financial parameters and market share
I strongly believe that if the first five are taken care of, the last one will follow.
Data science is being used, and has tremendous scope, to provide solutions to many vexing problems faced by humankind, such as in agriculture, transportation, healthcare, environment, and education. Nobody would want the immense potential of data science to be thwarted by the actions of individuals or organizations who disregard basic human values. To make the best of data, we must apply the same ethical principles we value in dealing with our fellow humans to the relationship between organizations and data subjects.
The views expressed in this article are his personal views.
Image Credits: Politico Europe