Privacy and data controls have been in the spotlight this week, along with Facebook CEO Mark Zuckerberg, who testified in front of Congress Tuesday and Wednesday. While online rights are coming into question, it’s worth considering how those will overlap with offline rights and civic engagement.
The two may initially seem completely separate, but democracy itself depends on information and communication, and a balance of privacy (secret ballot) and transparency. As communication moves almost entirely to networked online technology platforms, the governance questions surrounding data and privacy have far-reaching civic and political implications for how people interact with all aspects of their lives, from commerce and government services to their friends, families, and communities. That is why we need a conversation about data protections, empowering users with their own information, and transparency — ultimately, data rights are now civic rights.
While the US still lacks such data standards, the European Union’s General Data Protection Regulation (GDPR), scheduled to take effect in May, demonstrates a path toward reliable online privacy balanced with transparency. This combination effectively enables Europeans to know what information is being collected on them and provides a simple process for removing that information.
There’s plenty of documentation on how the GDPR will affect the practices of consumer-oriented companies and journalism. But the social sector also needs to take note. From civil society organizations to think tanks, academia, and philanthropy, these rules will have important, unexamined implications and opportunities outside of Europe.
Though the issue isn’t sparking marches and mass protests, data rights should not be left to a few technical experts — or representatives with no tech background. Because data rules affect everyone in different, unequal ways, we need full, informed democratic participation of everyday people. After all, this may be one of the most fundamental choices the US will make over the next decade.
What exactly is the GDPR?
The GDPR is a set of data protection laws designed to enable uniform regulations across the entire European Union, in part to end cumbersome regulations that differ across member countries. It was approved by the EU Parliament in April 2016 and is set to take effect in May 2018, after two years of transition time.
The GDPR is first a legal bill of rights for personal data. Before companies can process personal data, the law requires them to receive explicit consent from users themselves, separate from other terms and conditions. This type of active consent is in contrast to the standard passive consent that consumers typically have with their data. According to the GDPR, personal data includes everything from email addresses and bank details to posts on social networking sites and medical information. And unlike the more narrow definition of personal data in the US, the GDPR definition extends to any linked data, as well as any organizations that process data.
With these regulations, the GDPR is aiming to foster better practices for designing systems with privacy in mind from the outset. For example, public agencies and companies that process large amounts of data must now appoint a data protection officer (DPO).
Second, the GDPR fosters greater two-way transparency between a user and the collector of data. For example, if a data breach does occur, a given organization needs to report it within 72 hours. If individuals’ personal data is at risk, they, too, need to be informed. One of the most exciting aspects of the GDPR is the concept of “data portability,” which empowers consumers to have a clear record of their personal data so that they can choose if and how they want their data to appear. GDPR also offers a “right to be forgotten” — if someone wants their data removed from an app or company, now it can be.
Finally, in order to implement these ideas, the GDPR has teeth — organizations that breach the regulations can be fined up to 4 percent of their annual global revenue (up to roughly $21.7 million). And these penalties would not stop at European borders. Legally, the GDPR applies not only to organizations located in the EU but also to any foreign organization that supplies goods or services to EU citizens. Therefore, even companies based in Silicon Valley or Austin, Texas, need to comply or face the fine.
Why it matters
These questions will not only impact the private sector or organizations that think of themselves as data collectors in the more traditional sense. The GDPR will broadly address data issues that a variety of sectors across the globe will have to tackle head on — and government, political institutions, and civic engagement should not be exempt from this list. As a result, the norms and implications of the GDPR could also impact the civic fabric underpinning democratic institutions themselves.
First, as companies are considering the ethics of their data collection, it’s worth considering how these problems might also apply to governments. Under Prime Minister Narendra Modi, India is collecting vast amounts of sensitive data from citizens, including using biometric devices to track public sector employee job performance. China is amassing large amounts of data on its citizens, including ranking them on their “social credit.”
The principles of GDPR — limited control and data collection transparency — will become even more important as citizens increasingly need to turn over their data and digital identity in order to receive government services.
But even outside the government itself, we’re seeing that companies’ data policies can have huge political impacts, meaning how data and the political process intersect is just as important. As the 2016 election reminded people, data is not just trapped in the cloud; it influences real-world behaviors, political decisions, and institutions. Users having more control over where their data goes is an important part of regaining some democratic, citizen-based power.
How to best incorporate citizen power into the tech space is a difficult question, however. Ultimately, our governments and tech companies now face a balancing act between opportunity and protection. On the one hand is the tech-utopian vision of our digital lives ushering in new civic opportunities for democratizing access, knowledge, and community. On the other hand, the GDPR is a top-down approach calling for greater regulation by “experts.”
These sectors raise huge challenges. Addressing this issue will require finding a middle ground between these two — and civic participation should play a role in defining citizens’ democratic future.
Tapping into civic energy in America
What could a golden mean in the US look like? Is it possible to take principles of the GDPR and apply a more community-based, citizen-centric approach across states and localities in the United States? Could a US version of the GDPR be designed in a way that included public participation? Perhaps there could be an ongoing participatory role? Most of all, the questions underpinning data regulation need to serve as an impetus for an honest conversation about equity across digital access, digital literacy, and now digital privacy.
Across the country, we’re already seeing successful experiments with a more citizen-inclusive democracy, with localities and cities rising as engines of American re-innovation and laboratories of participatory democracy. Thanks to our federalist system, states are already paving the way for greater electoral reform, from public financing of campaigns to experiments with structures such as ranked-choice voting.
In these local federalist experiments, civic participation is slowly becoming a crucial tool. Innovations from participatory budgeting to interactive policy co-production sessions are giving people in communities a direct say in public policies. For example, the Rural Climate Dialogues in Minnesota empower rural residents to impact policy on long-term climate mitigation. Bowling Green, Kentucky, recently used the online deliberation platform Polis to identify common policy areas for consensus building. Scholars have been writing about various potential participatory models for our digital lives as well, including civic trusts.
Can we take these principles and begin a serious conversation about how to translate the best privacy practices, tools, and methods to ensure that people’s valuable online and offline resources — including their trust, attention span, and vital information — are also protected and honored? Since the people are a primary stakeholder in the conversation about civic data and data privacy, they should have a seat at the table.
Including citizens and residents in these conversations could have a big policy impact. First, working toward a participatory governance framework for civic data would enable people to understand the value of their data in the open market. Second, it would provide greater transparency to the value of networks — an individual’s social graph, a valuable asset, which, until now, people have been generating in aggregate without anything in return. Third, it could amplify concerns of more vulnerable data users, including elderly or tech-illiterate citizens — and even refugees and international migrants, as Andrew Young and Stefaan Verhulst recently argued in the Stanford Social Innovation Review.
There are already templates and road maps for responsible data, but talking to those users themselves with a participatory governance approach could make them even more effective. Finally, citizens can help answer tough questions about what we value and when and how we need to make ethical choices with data.
Because data-collecting organizations will have to comply abroad soon, the GDPR is a good opportunity for the American social sector to consider data rights as civic rights and incorporate a participatory process to meet this challenge. Instead of simply assuming regulatory agencies will pave the way, a more participatory data framework could foster an ongoing process of civic empowerment and make the outcome more effective. It’s too soon to know the precise forms or mechanisms new data regulation should take. Instead of a rigid, predetermined format, the process needs to be community-driven by design — ensuring traditionally marginalized communities are front and center in this conversation, not only the elites who already hold the microphone.
It won’t be easy. Building a participatory governance structure for civic data will require empathy, compromise, and potentially challenging the preconceived relationship between people, institutions, and their information. The interplay between our online and offline selves is a continuous process of learning error. But if we simply replicate the top-down structures of the past, we can’t evolve toward a truly empowered digital democratic future. Instead, let’s use the GDPR as an opening in the United States for advancing the principles of a more transparent and participatory democracy.