New York GDPR


New York State Assemblyman Vanel (D33) produced Bill A09013 to vet the European Union's General Data Protection Regulation. What should be the objective of a New York Reg? What qualities should the American law have, considering that New York is a global financial and advertising capital?

I want to welcome this diverse group of participants from across the globe to chime in on ways New York might structure a law, influenced by the General Data Protection Regulation. First I’d like to know from each of you what is one thing you’d “enhance” about the EU’s GDPR?
The GDPR (like the Directive) disfavors “automated decision-taking,” but individual agency is increasingly realized not through making each decision but through individual control over algorithms making the decisions. Thus this GDPR can be better adapted to AI/machine learning.
@Jon, is there a particular article of the 99 in the EU’s GDPR that should be changed, or should more elaborate language on AI/machine learning be established in a separate article for New Yorkers?
Just 1 principle to stimulate debate; 100s of places; e.g., is data protection better served by deference to a treating professional as in Art. 9.3, or through accountability of those responsible for the algorithms which make the recommendations to those providers and patients?
EU’s GDPR may be more a great response to tech change than an effort to envision or enable a digital economy (cf. HIPAA 1996). Art. 9.3 may make perfect sense today, but could it better enable a desired future? One could ask that question throughout, but it may be too much to ask
I see the issue from the perspective of asymmetry of power between individuals and institutions. GDPR is a good start but it stops short of enabling true agency on the part of the individual.
In the 20th Century, agency was achieved when the individual could bring fiduciaries such as an accountant, lawyer, doctor, or trustee to the negotiation with an institution or authority.
In the 21st Century, the institutions and authorities have armed themselves with technology while the individuals are left with “notice and consent”. This is unsustainable because the asymmetry is already obvious and will only get worse.
@Adrian, are you suggesting that an American GDPR needs to have an article that elaborates on agency and, further, representation of that agency by the individual who has data at a “controller” or “processor” (GDPR terminology)?
Yes. An American GDPR has to explicitly address agency as the right to a fiduciary relationship with the “controller” or “processor”. For example, this recently came up in regulations making financial advisors fiduciaries. There was significant political resistance.