I was recently listening to some Microsoft officials asserting that they would be fully compliant with the new European General Data Protection Regulation, implying that it could be applied here too. There is no doubt that countries that seek to do business with Europe will have to pay special attention to GDPR.
But that does not mean that we should simply do a cut and paste. The GDPR bears the marks of its birth. It may be appropriate for Europe (this article suggests that too will be a problem).
Thus, the regulation is intentionally ambiguous, representing a series of compromises. It promises to ease restrictions on data flows while allowing citizens to control their personal data, and to spur European economic growth while protecting the right to privacy. It skirts over possible differences between current and future technologies by using broad principles.
But those broad principles don’t always accord with current data practices. The regulation requires those who process personal data to demonstrate accountability in part by limiting data collection and processing to what is necessary for a specific purpose, forbidding other uses. That may sound good, but machine learning, for example — one of the most active areas of research in artificial intelligence, used for targeted advertising, self-driving cars and more — uses data to train computer systems to make decisions that cannot be specified in advance, derived from the original data or explained after the fact.