Dominic Fortin, CIO at district m
With the Facebook and Cambridge Analytica scandal coming to a head over the past couple of weeks, a topic that was once nebulous is now under a bright spotlight and is becoming a major concern for all online users: data privacy and protection. The business model that puts personal information at the centre of profitability through advertising is being questioned: Should we allow free online and social media in return for monetization of personal information through advertising, or should we charge for online activity? While new subscription-based models are bringing alternatives to the ad-supported internet, I believe we can still have free access to content and services, in return for reasonable use of personal information for advertising.
First of all, Canada ranks high in comparison to the rest of the world on protection of privacy. Let’s use the stringent European privacy law as a prime point of comparison. Canada is one of 11 countries to be recognized under European law as providing adequate privacy protection. By comparison, in the United States, as the country does not have adequacy status, individual corporations need to apply for a certification of compliance in order to obtain the same privileges.
This does not mean Canada is exempt from improving and clarifying its current regulations. A parliamentary report that came out at the end of February suggested modernizing Canada’s privacy laws, and I couldn’t agree more.
Advertising today is dependent on personal data like it has never been before, and as an industry, we are facing the challenge of building ethical and transparent frameworks that will contribute to establishing trust between consumers, service providers and advertisers, and make advertising a healthy part of society. Only if that challenge is met will we be able to trust corporations offering a free service to consumers, such as a social network, to generate their revenue from ethical and lawful use of the data they have gathered for advertising purposes.
So what would be an ethical and lawful use of data? Simply put, anything in the realm of what is reasonable. An unreasonable use would be a case where the platform collects data on its users and then sells it to a third party to make a profit. This is where the notion of consent is important: As a user, I agreed to give access to my data (and to specify what sort of data I’m willing to share) to this platform alone. However, I have not agreed to give access to any third party that is not directly involved in the services I have subscribed to. That’s one instance where boundaries need to be drawn.
An encouraging sign that we are seeing right now is the notion of privacy by design that many corporations and technology providers are adopting. More and more platforms are building products with built-in end-to-end encryption and limiting data retention to the bare minimum rather than addressing the problem separately with complex tools and processes. This ensures that data collected will be retained for the shortest time necessary and that all communications and databases will be encrypted to limit the risks of security breaches. In the long run, companies that are transparent about their data use and strive to put data protection at the centre of their mission will win a competitive advantage.
In the midst of all that, there is one thing we must not forget: We, as users, also have resources and tools that can help us control just how much information we give out and what type of advertising we see, starting with our smartphones, which are already packing a ton of controls over what is shared to apps.
On the web, an obvious example may be ad blockers, but there are many other technologies that empower users to exercise their right to data privacy and control their data exposure. A common example is the incognito mode available in a majority of browsers, which removes cookies and other data at the end of every session.
Other tools, such as secure DNS services, virtual private networks or browser extensions that give granular control over which companies can track browsing habits, are all additional options that users can leverage if they get educated about the subject. As a bonus, some of those tools also help protect against unlawful access from ill-intentioned elements.
In the end, in this debate over data protection, I think the efforts will need to come from both sides of the spectrum: Corporations need to take better care of personal data and treat those data in an ethical manner, but also be more transparent about what data are being used and how, in a language that not only tech-savvy users or someone in the legal profession would understand. By providing clarity to the user, we will create more informed users and empower them to take control and so share the responsibility of data protection with them.
But as far as data protection goes in Canada, we are in a great position to create a healthier online experience for consumers, having received the adequacy status from the EU’s general data-protection regulation, but also with the recommendations that were made to modernize the Personal Information Protection and Electronic Documents Act. These are a couple of great first steps. I think the next one will be how we educate and empower ourselves as consumers over online privacy.