Remember GDPR? The General Data Protection Regulation thing from across the pond that inspires copycat bills in liberal wastelands like California? Two things. First, it isn’t just something the lefties have to figure out — Utah is a great example of how even rightward states are starting to take data privacy seriously. Second is that we appear to be swept up in a trend of reevaluating the significance and enforcement mechanisms of data privacy. From Reuters:
The year 2023 will go down in history as marking the beginning of a profound shift in the philosophy underlying data privacy laws in the United States.
Historically data privacy laws here have been rooted in a “harms-prevention-based” hodgepodge of privacy protections, seeking to prevent or mitigate harms in specific sectors. In contrast, under the broader “rights-based” approach exemplified by the European Union’s General Data Protection Regulation (GDPR), individuals effectively own their personal information and thus presumptively have the legal right to control it, and who can use it is a matter for them to decide.
More states are sure to follow. The implications of this fundamental shift in the underlying philosophical framework regarding data privacy protection will be profound in the years and decades to come.
You’ve probably already caught wind of the changing times. Have you noticed that within the last year or so websites have taken a keen interest in getting your thoughts on cookies? No, this isn’t some big brain ploy by Chips Ahoy. These sites are just covering their asses. Part of the reason that GDPR made the splash that it did was that, despite the confusing legalese rampant throughout the document, it was pretty clear about the heavy fees that could be levied against website owners found noncompliant.
The shift from opt-out to opt-in is still developing and has interesting implications for how the online and legal cultures will handle matters of privacy, surveillance, and the forms you’ll have to fill out just to doom scroll your favorite social media site. A significant part of the growing pains will be thinking through the shift from a harm prevention framework to one that respects articulated rights. Here is a short list of some of them and the values they entail:
•Access — individuals have the right to request access to inspect their personal information.
•Correction — individuals have the right to request that errors in their personal information be corrected.
•Portability — individuals have the right to request that their personal information be transferred to another entity.
•Erasure — individuals have the right to request that their personal information be deleted.
•Consent — individuals have the right to decide whether their personal information may be sold or whether it may be used for purposes of receiving targeted advertising.
•Appeal — individuals have the right to appeal a business’s denial of their request.
The consequences of this rights-based focus can be far reaching. Take the right to erasure, for example. If you wanted a website to take down personal information about you and they refused (or lacked the infrastructure to do what was asked of them), that could land the website in court! As things progress, the enumerated rights will likely vacillate between consolidation and proliferation. As they change over time, both users and providers will have to keep up to date on laws and social norms that will determine reasonable expectations of privacy.
Chris Williams became a social media manager and assistant editor for Above the Law in June 2021. Prior to joining the staff, he moonlighted as a minor Memelord™ in the Facebook group Law School Memes for Edgy T14s. He endured Missouri long enough to graduate from Washington University in St. Louis School of Law. He is a former boatbuilder who cannot swim, a published author on critical race theory, philosophy, and humor, and has a love for cycling that occasionally annoys his peers. You can reach him by email at email@example.com and by tweet at @WritesForRent.