Data privacy and ownership — it's time to address the elephant in the room.

We are making remarkable progress in the fight for open data around the world. It is enabling evidence-driven policymaking and the use of data as a public asset by smart entrepreneurs. However, in order to set us up for success in this new data revolution, we need new institutions, regulations, and international codes of conduct that can guide actions by both the government and the private players who have access to massive amounts of public data. The sessions on the politics of data, Prof Sweeney’s case study driven lecture on AI-driven discrimination, and the conversation with Ziad about Google’s accountability in the Gmail controversy was enriching as I debated in my head if there is at all a need for additional institutions for governing the collection storage and use of data. The conversations spanning private and public sectors and Lies, Damned Lies, and Open Data by Professor Eaves helped me reflect on what is the structure of governance needed to address the pandora’s box that this data revolution has opened.

Regulation

I feel the United States should pass a comprehensive data privacy bill at the federal level aligned with the GDPR coupled with data tax to incentivize data privacy. The existing patchwork of state laws, sector-specific data privacy laws (i.e., HIPAA, Gramm-Leach-Bliley, etc.), constitutional protections under the Fourth Amendment, and Federal Trade Commission (FTC) consumer protection enforcement creates confusion for data governance and fails to adequately protect users.

Let us begin by listing the problems we need to address

1) Willful and implicit biases in data collection, processing, and storage

2) discriminatory algorithms that deepen polarization

3) lack of realistic opt-out

Examining the GDPR, which is hailed as one of the most comprehensive regulations in this space, I feel the US federal law could build upon CCPA (California Consumer Privacy Act) and align with GDPR by adopting the 8 principles:

1. The right to be informed

2. The right of access

3. The right to rectification

4. The right to erasure

5. The right to restrict processing

6. The right to data portability

7. The right to object

8. Rights related to automated decision making including profiling

Implementation

In the enriching discussion between professor Latanya Sweeney and Professor Eaves, I had one of my biggest “aha” moments in the course so far when Professor Eaves asked why some companies like Airbnb respond to concerns of discriminatory algorithms with greater commitment towards resolution than some companies like Facebook. Professor Sweeney thoughtfully responded that it is in fact the structure of the market that dictates these reactions more than organizational culture (in the case of Airbnb the affected party is the actual customer, while for Facebook the actual customer is large marketing organizations who are not the ones affected by the intrusion of personal privacy of users). This made me realize that the guidelines and regulations could do only so much in curbing the privacy concerns — one shall need to change the market structure and economic incentives to ensure sustainability and adherence to the standards.

Hence I propose, the introduction of a data tax for the collection, storage, processing, and sharing of data. This will force compulsory disclosure, explicit opt-in, re-establish the ownership of data with the users and introduce a cost that shall encourage purpose limitation. By assigning an economic value to personal data, both public and private players will now be able to have objective cost-benefit analyses of data collection and usage.

The status quo (with no uniform data privacy regulations) hurts businesses, governments, and users due to confusion about specific guidelines to follow and makes it difficult for newer startups and government initiatives involving open data to preempt possible misuse of the data for unethical discrimination. In order to unlock the highest efficiency of using data and working in the open, it is important to address the concern of privacy unambiguously and immediately.