During my internship, I got the opportunity to work on a data privacy assignment.
Data privacy has always been an area of interest to me. Before law school, I worked for a consultancy firm that advised banks and other financial institutions in developing countries to develop business strategies to promote financial products to low-income people, especially women. Because of prominent gender stereotypes and financial sector regulations, women often had a more difficult time accessing quality financial products/services than men. As part of the firm's process, a data analysis team would perform rigorous quantitative analysis in order to help clients (banks or other financial institutions) identify consumer behavior trends. At that time, I certainly did not think about the data privacy of the people we collected data from, or whether there should be any regulations to ensure institutions are protecting such data before they are shared with a third party.
Having read through the latest recommendation released by the European Data Protection Board on compliance with the GDPR, I had the opportunity to re-evaluate the question of strong data privacy protections. On the one hand, data privacy laws help to safeguard the rights of consumers over their data. It also prods institutions to put in place safeguards to protect such data. But is there such thing as too much protection? If developing countries had data protection laws, it would make it nearly impossible for an international development organization to provide technical assistance on how banks can utilize data to help financial institutions understand why their female customers are not as active as their male counterparts. On the other hand, should international development organizations generally have the power to store massive amounts of data about people and conditions in developing countries, even if it is for a good cause? But if institutions do not utilize consumer data, is it still valuable for consumers to "own" their data?