Nick Dedeke is a professor in the Supply Chain and Information Management (SCIM) Group at Northeastern University in Boston.
The European Union introduced the General Data Protection Regulation (GDPR) in May 2016 to grant users (also called data subjects) more control over their personal data, which is typically under the custody of data aggregators and/or data processors. After an initial period of introduction to the public and stakeholders, the law took effect on May 25, 2018, and the GDPR made several positive contributions to better regulate data protection. First, it expanded some existing rights, such as the subject’s right to information, right to access, right to rectification, right to cancellation, and right to object. The GDPR also created new rights, such as the right to be forgotten, the right to portable data, and the right to restrict the processing of personal data. The GDPR also included several obligations that data controllers owe data subjects.
Second, the GDPR also introduced a notable extension to existing definitions of personal data. Currently, personally identifiable information (PII) includes data such as name, address, phone number, and email. Sensitive personally identifiable information (SPII) includes data such as social security numbers, driver’s licenses or state ID numbers, passport numbers, alien registration numbers, financial account numbers, and biometric identifiers. Some data become SPII when they appear with PII data. For example, data elements such as citizenship or immigration status, medical information, ethnic, religious, sexual orientation, or lifestyle information become SPII when they are linked to the identity of an individual.
GDPR defines personal data as any information relating to an identified or identifiable natural person. The identifiable natural person is someone who can be identified, directly or indirectly, by a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. So personal data includes photographs where an individual is identifiable, cookie ID, Internet Protocol (IP) address, and location data. Article 9 of the GDPR introduced a new category called special personal data, which includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data processed solely to identify a human being, health-related data, and data concerning a person’s sex life or sexual orientation. The processing of the special category of personal data is forbidden unless for very specific purposes and under specific conditions.
Finally, it is commendable that the EU was the first government body to complete a major update of its privacy law. It helps combat the commoditization of user data by online platforms and sets legal boundaries for the ever-expanding adoption and use of big data analytics, online surveillance, and massive data harvesting technologies. For these reasons and more, the GDPR is a major step forward in society’s quest to protect citizens’ personal data.
Why discuss GDPR’s flaws?
After familiarizing myself with the GDPR, I would not recommend that any country copy it without making significant changes to some of the law’s major assumptions. Although the GDPR is a laudable effort to regulate data processing by data processors and to protect the personal data of citizens, it contains several stipulations and assumptions that I believe are flawed. I raise these issues not because I dislike the law but because privacy, security, and business communities need to discuss these flaws so those communities can develop some shared understanding of the flaws of the GDPR before we engage officials who are thinking of enacting a US version of the GDPR. I hope this article triggers a robust discussion about what the GDPR could improve on. Further, I look forward to learning about what other experts think the flaws of the GDPR are.