To enact data privacy legislation in the United States, we have to unravel data ownership — we have to figure out who owns data. It might sound like a simple question, but it isn’t; it’s a question that has baffled the US Senate on more than one occasion.
There are two significant schools of thought on this issue: Some people believe that data belongs to the individuals that the information pertains to. (In other words, you should be the owner of your Facebook data.) Others believe that data should belong to the company or organization that operates or owns the product or service you’re utilizing and that they should be allowed to use your data as suits their needs. (This school of thought would argue that Facebook owns your Facebook data.)
Facebook data is an easy example because when people think of data privacy, they often think of their digital data. But while the internet has created a place where creating and collecting data has become easier than ever before, it is not the first nor last word in data. Before we were liking and tweeting and snapping, we were buying things, making phone calls, sending letters, and appearing on CCTV feeds — creating data points every step of the way.
In 2013, NSA infrastructure analyst Edward Snowden leaked documents to American journalists detailing the extent of the NSA’s mass surveillance programs. For Snowden’s actions, he was forced to flee to Russia, where he has remained since, but the world has not forgotten his name. In the wake of his revelations, the US government faced court challenges, new legislation was passed to internal police surveillance, and — most significantly — there was a public outcry. Snowden has said, despite having had to uproot his life, that he does not regret his actions.
“The government and corporate sector preyed on our ignorance. But now we know. People are aware now. People are still powerless to stop it, but we are trying. The revelations made the fight more even.”Edward Snowden
Some espionage activities of the United Kingdom were also exposed by Snowden, and its citizens were likewise enraged, but something quite significant came of their backlash. Last year, the General Data Protection Regulation (GDPR) went into effect to protect the data privacy of European Union residents. The GDPR is not the final evolution of data privacy law, but it is a modernization, and that is significant. The purpose of the GDPR is to “harmonise” European data privacy laws and provide greater protection and rights to individuals concerning their data.
You probably noticed when the GDPR went into effect because you received dozens of emails with subjects like “Our Terms and Conditions have changed.” The GDPR did not revoke organizations’ ability to collect and even use their users/consumers data, but it did stipulate that those users/consumers be better informed about how their data is being collected and used. So which school of thought does the GDPR follow? Neither. But like I said, the GDPR is more of a starting point than the finish line.
But the United States is not the European Union, in many ways. I don’t believe even such a medial law, if passed in this country, would not be met with criticism. This country is passionately capitalist, and therefore legislators are more hesitant to tread on business’ capabilities and, potentially, their property (if you believe that data owned by the controllers of said data). That being said, this country is also extremely passionate about personal liberties and the protection of private property. The future of data privacy in this country will hinge upon toward which of the previously mentioned pursuits the country, and more specifically its courts, chooses to lean.