Data privacy is an ongoing debate fraught with complexities. But there is an increasing awareness among the people and an acknowledgment from the industry that they need to inform consumers before using their data. Will the future be witness to a scenario where all concerns around privacy — personal, business and security — are addressed?
Data has been termed the fuel of the information age, in which applications ranging from interconnected devices to smart mobility would primarily hinge on data.
However, this profusion of information has also given birth to concerns around data privacy, which has emerged as a contentious and polarizing issue. The Cambridge Analytica-Facebook scandal is only the tip of the iceberg.
Location for smart analytics
Data usually has two components: spatial and non-spatial. The traditional geospatial data, which includes satellite imagery, national maps, etc. does not come with a privacy rider, as it is purely fact-based. However, when this data gets merged or extrapolated with location data, the privacy concerns come up. Location data of one individual isn’t usually valuable — it becomes useful only when it is aggregated and combined at a population level.
With location data being used in myriad of services, do you approve 24*7 location tracking?
A majority of the 2,000-plus industry professionals who participated in the Geospatial World Annual Readership Survey 2020 approved of location tracking, but with the caveat that they be informed how their data is being used.
In 2019, 47% of people were okay with location tracking (Graph 1), as compared to 40% this year (Graph 2). However, a whopping 87% of people in 2019 (Graph 3) and 92% in 2020 (Graph 4) had no issues in sharing data, provided companies notify them when they are being tracked and tell them what they do with that data.
The Cambridge Analytica-Facebook fiasco, due to which a visibly embarrassed Mark Zuckerberg had to appear in a Senate hearing and Facebook was slapped with a $5 billion fine, can arguably be listed as the biggest data privacy scandal in history. In its aftermath, there was massive outrage against privacy breaches by large corporations. Cambridge Analytica, a political consultancy firm, harvested the Facebook profiles of over 50 million users and targeted them with ads and content that was likely to resonate with them.
In the beginning of 2019, Google was fined EUR 50 million ($55 million) by French data regulator CNIL for violating the European Union’s data protection rules. CNIL said that the hefty fine was imposed due to lack of transparency and absence of a ‘valid consent regarding ad personalization’. It was ascertained that people were not adequately informed about how the data is used to customize advertisements. British Airways too came under the scanner and was fined GBP 183 million ($241 million).
In July 2019, the Federal Trade Commission and Consumer Financial Protection Bureau fined Equifax around $700 million for a 2017 data breach that leaked data of more than 143 million people in the US alone.
This led to heated debates on one of the most pressing issues of the day: the contours of data privacy. There are also demands for data localization and data sovereignty from some quarters, which are fraught with many complications as people are not sure whom they should trust more: national governments or big tech players.
It is an open secret now that most tech players sell user data to third party aggregators. All of our smartphones have a record of our data and most Android apps gain access to the phone and store our data. There is also an issue of our smartphones/laptops recording audio without authorization. Using this data, anything ranging from behavior manipulation to influencing consumer behaviors, voting patterns, or even something downright nefarious, can be done.
Location-based targeted advertising is a thriving business and most marketers/advertisers want to know where their prospective customers are at any point of time, and what they would most likely buy. This has created a new business model which has data at the heart of it. As a result, there is a rapid rise in companies that engage in collating and analyzing user data. Most of these firms are third-party data aggregators.
The Geospatial World Annual Business Leaders’ Outlook 2020 (a survey of 100+ industry leaders) reveals that top executives are split on sharing data with third-party aggregators. While 42% were against sharing their data with any third-party aggregators, 33% were okay with it and 25% were unsure (Graph 5). On the other hand, an overwhelming majority of professionals (73%) were vehemently against companies selling their data to third-party aggregators (Graph 6).
Is it okay if third party companies use your data?
Are you okay if companies sell your data with third-party aggregators?
Against this backdrop, there has been a global debate around data privacy and escalating public pressure on governments to put in place comprehensive data privacy legislation.
The European Union implemented the General Data Protection Regulation (GDPR) in April 2018. Europe’s GDPR — which has become the gold standard of all data privacy legislations — has had a far-reaching impact on the global consensus around privacy, fostering greater transparency, being a catalyst in the incubation of similar laws and laying the onus on companies to protect user data. After the implementation of GDPR, companies are required to handle user data with more responsibility and accountability.
GDPR requires enterprises to protect the personal data and privacy of EU citizens for transactions that occur within EU states. It also looks into the exportation of personal data outside the EU. According to GDPR, location data is considered as “personal data” in Article 4 (1). Under this clause, personal data is granted extended rights, including the right to access and the right to erasure. Under the right to access, users can obtain confirmation about whether data concerning them is being processed, where and for what purpose.
Taking a cue from the GDPR, the US state of California enacted a similar regulation known as CCPA (California Consumer Privacy Act). According to the CCPA, a consumer has the right to request that a business that collects his/her personal information discloses it. Also, the business has to inform them about the purpose for which data is being collected. A business cannot use personal information collected for additional purposes without providing the consumer with notice consistent with this section.
While these two are the most comprehensive pieces of privacy legislation that address all facets of data privacy, according to the findings of the United Nations Conference on Trade and Development, as of January 2020, 58% of countries around the world have put in place some form of legislation to secure the protection of data and privacy.
Are policies the solution?
At a time when there is heightened awareness and clamor against data breaches, bolstered by stringent regulations like GDPR and CCPA, consumers are sharing more location data than ever. As per a research report by HERE, most consumers across the world (76%) are willing to share their location data with navigation and mapping services, public transport, taxis, and ride-hailing services. Mobility as a Service (MaaS), which includes mapping companies and transport and mobility applications, is certainly a sector that enjoys overall high public confidence.
Hardened public attitudes do not normally change in a couple of years, but if people can clearly see the impact before their eyes, they are compelled to reassess their stance. In the 2019 Geospatial World Readership Survey, a vast majority of respondents were not confident that a GDPR-like regulation is equipped to address core privacy issues. Only 27% of people were of the opinion that GDPR could be a solution, while 41% were not sure and 32% believed that it wouldn’t be of much use (Graph 7).
In less than a year, there has been a sea change in their attitude, with a majority of people not only endorsing the need for data privacy legislations, but also recognizing its importance in innovations. In the 2020 survey, more than 73% said they believe laws like GDPR can address privacy issues (Graph 8).
Do you think data regulations like GDPR can really solve privacy issues globally?
Will strong data privacy policies positively impact innovation?
Politics of data
Data privacy is not merely about advertisements on Facebook. It is more expansive and includes a lot of factors. Orwellian surveillance machinery and ‘Big Brother’ eyeing you might be the stuff of dystopian thrillers, but the line between facts and fiction does get a little blurred when we look at some of the secret surveillance programs and revelations by whistleblowers like Edward Snowden.
While the tenor of data privacy legislations could be harmonizing and resonate globally, there would be a strong variance in practice depending on the prevalent social and cultural norms and the nature of the state.
Where there is free flow of information, a right to protest and enshrined individual rights, people can demand accountability and transparency, as in the Western countries. For instance, in June 2018, the American Civil Liberties Union, along with Amazon shareholders, mustered a campaign to demand that the company get out of the creeping surveillance business. The issue was Amazon’s Rekognition service, which uses facial recognition to spot people and which the Internet behemoth sells to government.
In authoritarian or oligarchic setups, it would not be the same, and state surveillance and relentless profiling and data gathering are a given. In China, the government meticulously compiles user data and uses it for the controversial social credit system and other similar programs. Even advanced innovation and entrepreneurship hubs with an enviable standard of living are not completely clean on this. The world’s only smart nation, Singapore, collects citizen data and extrapolates new information every day to build on further citizen-centric services.
Another big issue is the divide over awareness in the developed world vs the developing world. In Western countries, there is a well-established concept of privacy and infringement, while in the developing parts of the world, there is complete lack of awareness about data privacy infringements or the rights associated with it. For instance, in a vibrant democracy like India that is characterized by a lot of contested debates and disagreements, there is a lot of bustle around privacy. Even though awareness is not up to the level of developed countries, an active and engaged civil society ensures that it is recognized as an issue and steps are taken to safeguard it.
People at the core
Data privacy is a complex issue and increasing digitalization of the world and interconnectivity is making things more intricate. In this background, data privacy legislations need to be an ongoing balancing act, with security interests on one side and the interest of the people on the other.
Do we need a business model that puts data generators at the core?
In Geospatial World Business Outlook 2020, an overwhelming 70% of the industry leaders said there was a dire need of a new paradigm that puts the data generators (i.e. the people) at the core of data business and not those who profit from it (Graph 10). On the other hand, an astounding 85% of the professionals who participated in the readers’ survey believed that users should be at the core of data business (Graph 11). It is obvious that there is a consensus among the majority that people should be at the core of any debate around data privacy.
Users generate data and companies profit enormously from it, so users should have some stake or incentive in it. Chris Hughes, Facebook co-founder and author of the bestseller ‘Fair Shot: Rethinking Inequality and How we Earn’, is a proponent of the idea that since companies profit from the data pooled in by a multitude of users, the economic dividends should accrue to the users as well, and not just remain in the coffers of a handful of businesses. He cites the Alaskan Permanent Fund, wherein all citizens of Alaska are given a dividend by the oil companies that explore oil in Alaska. While this approach may sound a bit too radical, it is just one of the many approaches that focus on users being at the core of the data business and thus entitled to have a say in the way their data is being used, or receive a share in profit.
The Neo-Liberal economic consensus is being shattered and leading business tycoons are more than vocal in calling for reimagining capitalism and shifting the focus from shareholders to more inclusive stakeholders. Data business, which is at the core of tech innovations and disruptive paradigms of the future, cannot function the way it hitherto has.
Another interesting approach that companies are getting interested in is ‘Privacy by Design’, which refers to making privacy by default in a system a prime concern of any enterprise. This is not only ethical but would also boost consumer confidence, which would translate to a better brand image and an abiding relationship with customers. Innovation requires transparency, accountability and a conducive environment. All of these are interlinked, with transparency being the first prerequisite for making any system secure and robust. Embedding privacy at the core should be done in such a way that it doesn’t hamper functionality or make the system or app counterproductive. ‘Privacy by design’ is a proactive approach that will preempt privacy breaches. It also improves the functionality of a system and enhances accountability, openness and compliance.
Ed Parsons, Geospatial Technologist, Google, sums it up perfectly: “Data privacy is largely about transparency and education. It’s about making it clear when information is gathered about an individual, what that information is going to be used for, and giving control to that individual about whether that information is used or not.”
Key global data regulations
EU: The General Data Protection Regulation (GDPR) came into effect in April 2018. It requires enterprises to protect the personal data and privacy of EU citizens for transactions that occur within EU member states, and also looks into the exportation of personal data outside the EU. Under this law, personal data is granted extended rights, including the right to access and the right to erasure.
US: The US state of California enacted a regulation known as CCPA (California Consumer Privacy Act) on June 28, 2018. It became effective on January 1, 2020. According to the act, a consumer has the right to request that a business that collects a consumer’s personal information discloses it. Also, the business has to inform them about the purpose for which data is being collected.
Japan: Companies operating in Japan must comply with its Act on Protection of Personal Information (APPI). APPI was one of the first data protection regulations in Asia. It was overhauled in September 2015 after a series of high-profile data breaches made it amply clear that APPI was no longer equipped to cater to present needs. The amended APPI was enforced on 30 May 2017, a year before GDPR.
South Korea: The Personal Information Protection Act (PIPA) gives South Koreans control over how their personal information is collected and used. Personal information is defined as anything that identifies an individual or can easily be combined with other information to do so.
Australia: In 2019, the Australian federal government amended the Privacy Act, 1988, increasing the penalties for data breaches. The penalty for repeat offenders was raised from AUD 2.1 million to the greater of AUD 10 million, three times the value of any benefit obtained through the misuse of information, or 10% of a company’s annual Australian turnover.
India: The Personal Data Protection Bill, 2019 regulates the processing of personal data of individuals by government and private entities incorporated in India and abroad. It also requires that a serving copy of personal data be stored within the territory of India.
Thailand: In March 2019, Thailand approved the Personal Data Protection Act (PDPA), which aims at regulating the lawful collection, use, or disclosure of personal data that can directly or indirectly identify a person.
Brazil: The Brazilian General Data Protection Law (LGPD), modeled on the EU’s GDPR, will be enforced starting from August 2020. It also calls for the creation of a national enforcement authority, the National Data Protection Authority (Autoridade Nacional de Proteção de Dados, ANPD), that will supervise and enforce data protection regulations and sanctions.