The recently introduced GDPR-regulation in Europe and the scandal around the misuse of personal data of 87 million Facebook users by Cambridge Analytica have put the subject of big data high on the public agenda again. Below you can read how Triodos Investment Management views the complexities of personal data security and privacy, particularly when it is captured by companies whose business models are to collect and monetize it?
Business has evolved significantly over recent years as digitisation transforms the way we live and work. Whether we know it or not, we leave a digital footprint with almost every (online) action and transaction we make. Privacy and data security are major concerns that present significant challenges for consumers and companies alike.
What’s all the fuss about?
Data capture is not a new concept and customer management systems have existed for a long time. However, they have evolved from once paper-based or simple databases to now more complex systems that include photos, videos, and even text and voice messages. Our personal data is fast becoming company assets, but there are questions about what our rights are to keep our personal information and actions private, and how much we can really trust companies to keep our information secure when more and more companies are collecting information. And we also need to weigh that up against societal benefits such as medical issues being identified and treated sooner, and the more accurate prediction of geopolitical changes and natural disasters that can save lives.
The state of play
Last year we reviewed companies running online platforms for leisure, entertainment and information, as well as marketing and advertising businesses and even software application developers that sell to personal finance and business accounting industries. Many of them are collecting personal information and use pattern recognition to help them better market their products and services, and to make more accurate predictions and to support better decisions. However, the recent controversy of Facebook exposing data of 87 million users to Cambridge Analytica, in combination with the new General Data Protection Regulation (GDPR) in Europe, means companies that gather customer data are now facing increased scrutiny from regulators, politicians, the media and consumers.
The challenge for companies
In our opinion the privacy and security challenges faced by companies relate to violations of human rights, anti-competitive behaviour and violation of regulation amongst other things. Human rights related challenges include censorship and assisting government surveillance. The UN Declaration of Human Rights protects individual rights to privacy and the freedom of speech. But governments can, and have pressured tech companies to censor their content, for example during the 2013 Gezi Park protests in Turkey. In 2016 the US Government sought access to user data sending almost 50,000 requests to Facebook and approximately 28,000 to Google.
Regulatory environments will also need to keep pace as the amount of data being collected rises and as technology advances. The introduction of the GDPR in Europe in May 2018 safeguards personal data and intends to strengthen and unify data protection. Key to the GDPR are the increased rights of individuals, such as the right to access personal data and to know how it is processed, the right to request erasure of personal data, and the right to transfer personal data from one processing system to another. The new regulation also requires that data protection be part of the design of business processes for products and services, and that records of processing activities must be maintained. Companies failing to meet the new regulatory requirements will initially receive warnings, but repeated failures can ultimately lead to fines of up to 4% of group worldwide turnover or EUR 20 million, whichever is greater.
As data gathering technologies develop across all sectors we anticipate the tightening of anti-trust regulation so that it’s better equipped to deal with the business models of companies collecting data. Their strong appetite for data drives the improvement of products and services offered, which attracts more users and then in turn generates more data. In addition, acquisitions of less mature companies by the bigger players could also have detrimental effect on competition and innovation, particularly if companies are acquired before they meet maturity.
Investing in companies that collect data
Respect for privacy is important to Triodos IM – it’s a complex issue that we have been debating for a long time. The recent developments have led us to scrutinise our analysis approach and engagement themes across all sectors. In the end, we expect that there may be a new minimum standard on the topic.
For now though, our position on the key challenges described above remains clear. We do not invest in companies that restrict or violate human rights in any way and we therefore will encourage big tech companies to collect data responsibly and to meet the requirements of the GDPR. We also require companies to act prudently about governmental requests by seeking judicial review to test their legality and protecting their users and customers information.
Our position on anti-competitive behaviour also remains consistent, as we do not invest in companies that abuse their dominant market position. We will exclude companies based on significant and/or frequent controversial behavior. We will also engage with companies whose business models rely on data acquisition, and based on that dialogue, we will develop our approach further.
Read more about our SRI impact investment strategy.