Big data rules our lives and the economy. In the 1970s, the five biggest companies in the world were General Motors, Exxon Oil, Ford, General Electric and International Business Machines (IBM). In 2018, the five most valuable companies in the world are Apple, Amazon, Facebook, Microsoft and Google (Exxon Mobil comes in at number eight, and Ford Motors at sixty-seven).
These companies have turned data—information—into a commodity. Today, they are generating over $600 billion in sales, and are valued at over $3.6 trillion. Together, their value is more than twice Canada’s GDP.
When you control a commodity that impacts millions (potentially billions) of lives, you have an obligation to be careful, to manage risks, and, ideally, to do no harm. As the data industry grows and increasingly influences our daily lives and global economic forces, nations are waking up to the need to balance the growth of these companies with the risks they potentially pose to others. Just as the oil industry posed a risk to the environment, the data industry poses a risk to our privacy (having personal information compromised), to our identity (having information stolen), and more.
It is precisely this concern that prompted the European Union to incorporate Article 8 of the Human Rights Convention into today’s digital economy. To protect peoples’ privacy, the EU introduced General Data Protection Regulation (GDPR), which came into full effect in May 2018. This new law introduces obligations for data controllers, the companies people are “dealing” with—such as Uber or your bank; and data processors, the technology companies that are hired by controllers to process your data.
Though the law is already having a significant impact on the digital world, stricter action is needed to minimize looming personal and global security risks.
A growing number of the world’s largest consumer-facing companies— Marriott Starwood, Equifax, Facebook, Anthem, eBay, JP Morgan, Target and Home Depot—have been hacked, compromising the personal data of more than 1.5 billion people. And data breaches, are just the beginning. Cambridge Analytica, which used private data from more than 50 million Facebook users to launch targeted ad campaigns, acquired that data from third-party companies without express approval from their users.
Our names, birthdays, social security numbers, credit cards, text messages, photos, geo-location, biometrics, and other highly personal information are handled, stored, owned and processed by thousands of tech companies around the globe because we continue to share an increasingly large amount of personal information online. The result of this is a need for data protection and privacy laws that nurture ethics, transparency and accountability, and prosecute violators.
When the global economy was shaken by massive corporate fraud and accounting scandals in the late 1990s and early 2000s, the United States introduced SOX, the Sarbanes–Oxley Act of 2002. SOX increased oversight requirements for all public U.S. companies, as well as some provisions for privately held businesses. The act introduced strict criminal and civil penalties for violations of its requirements and has since been praised for nurturing a more ethical culture, and for its contribution to the global decline in accounting scandals and fraud.
We have to be honest. If data is truly the new oil, then business will be driven by one thing only: revenue. That’s why we need to shift our perception away from privacy as compliance and see it as a business benefit — what consumers need and want and the overall principal architecture. If we do this, combined with a customer-first approach and embed privacy across all business operations rather than treating it as an afterthought, the results are win-win for everyone.
But, a framework alone is not enough. It must also be accompanied by stricter laws and global regulations, followed by enforcement with real and material consequences to hold offenders accountable. For instance, PIPEDA, Canada’s federal privacy laws, need to be revamped. It currently does not do enough to protect consumers and treats us as second-rate citizens when compared to other regions like Europe. Second, the U.S. is considering a Federal Privacy Law and the California Privacy Act has raised the stakes for everyone in North America. As the foundational principles of the GDPR, known as Privacy by Design, were created in Canada by our own Dr. Ann Cavoukian, it’s time for us to honour those principles and become global privacy leaders, again.
Ultimately, it’s about creating a win-win framework for today’s data-driven economy that will nurture an ethical culture, that increases commerce and respects people’s rights to privacy. This, combined with stricter legislation and enforcement, will allow the digital economy to thrive, become safer, faster growing, and more beneficial to society at large.
Ivan Tsarynny is the CEO and co-founder of Feroot Privacy. He is also a member of the GDPR Advisory Committee at the Standard Council of Canada.