Digital privacy and security often go hand in hand and the two will continue to be center stage in terms of information management in 2016. As we continue to work through the freedoms and accessibility that come with our connected world, we need to take a broader view than just our community and country. How will digital policy in other parts of the world affect the way we conduct business and how we protect our digital identity? An article this week about emerging policy in the European Union (EU) helped me understand the implications for my own digital persona.
The EU has developed privacy and data protection reforms that could be enacted within two years. According to the new legislation, a European citizen’s information cannot be used for a secondary purpose without their consent. For example, if I agree to reveal my current location to use Google Maps or to find the nearest Olive Garden, that piece of information cannot also be used to target me for a local gym membership advertisement. Anyone intending to sell personal data would need to know the potential buyers ahead of time and must get permission from all individuals whose data may be sold. Because it will be difficult to limit this to EU citizens it could become wide-ranging. This also has implications for anyone doing data mining and analytics to create and sell information or profiles.
Personal profiling is also covered in this recently passed legislation. While not prohibited, it places the burden on the profiler to reveal the information collected and algorithms used to create the portrait. If I eat out every Tuesday night, shop for groceries every Thursday night, and have recently searched online for chef schools, someone could conclude that I am tired of restaurant food and could target me with an ad for a local kitchen store. Before that happens however, I have the right to know just how that data mined profile is created, according to the new legislation. While this helps me as a consumer, as an IT professional I have to be careful conducting any data mining or analytics and now have to be transparent in my work and intent.
In The Cloud
While I applaud the EU for its sweeping reforms I think they will be difficult to enact and enforce. Here is the dilemma for me: how do I reconcile geographical boundaries with cloud boundaries, which by definition are ethereal? For example, as an EU citizen, the data collected about me could be housed on cloud servers in Frankfurt or Mumbai or Buenos Aires or Atlanta. Do the laws refer to me as a citizen living within the European geographical boundaries? Or do they refer to the location of my data? What if I am a German resident but my data is housed and mined outside of the EU? What then?
The European legislation is still at least two years away from being enacted. In that time we need to broaden our thinking beyond government boundaries and create worldwide policies regarding security and privacy. It would be difficult to specifically mark all data belonging to citizens of a particular country, but it would be easier to apply the same standard for users worldwide. It will take a concerted effort to think beyond controlled boundaries and work together to consider what is best for all digital citizens. Do you think we will ever be able to agree on global digital policies? Let me know your thoughts.
Kelly Brown is an IT professional and assistant professor of practice for the UO Applied Information Management Master’s Degree Program. He writes about IT and business topics that keep him up at night.