COVID-19: Data privacy risks and potential opportunities
Executive summary:
- The pandemic has presented an opportunity to rethink the dynamics of data privacy risks and opportunities for technology companies
- Our engagement discussions with investee companies have revealed that tech firms have been taking serious steps to mitigate data privacy risks during the pandemic – but more work is needed
- The crisis has accelerated the digital transformation and highlighted the impact technology is having on society from a professional, personal and public health perspective
Social sensitivities around personal information held by external parties, particularly technology firms, have grown rapidly in recent years - and it’s a concern which has escalated in the wake of the COVID-19 pandemic. Before the global lockdown, we published¹ a piece highlighting the risks and opportunities relating to data privacy for technology companies and investors. We concluded that while the collection and use of personal data is a major driver of tech companies’ commercial models, it also represents greater risk with regard to data privacy. This is a result of stricter global regulations and subsequent increased scrutiny for firms exposed to privacy issues.
The coronavirus crisis has affected multiple aspects of many people’s lives – including how individuals rely on technology to assist and enable personal and professional responsibilities. Our relationship with tech companies has only accelerated since lockdowns were imposed. As we slowly adjust to, and even embrace, this new approach to life, many of us have placed further trust in companies and how they treat our personal data.
We believe this pandemic offers an important opportunity for rethinking risks and opportunities in managing data privacy. This research paper explores not just the downsides, but also the upsides and wider positive societal outcomes linked to tech companies that have been revealed by COVID-19.
In our view, the pandemic represents an opportunity to reshape people’s trust in tech firms, to illustrate what is a legitimate use of data and then to change the way we – and technology companies – manage and regulate the use of personal data. As explained by AXA Research Fund Scientific Board member Lawrence Lessig: “We can’t control access to data. It’s just not controllable. What we can control is its use.” This is what we also identified from our engagement activities with tech companies, and we believe that the crisis could lead to a paradigm shift in the way we approach data privacy.
The risks are still real
COVID-19 did not change our findings and the key risks associated with data privacy. Corporations collecting and processing personal data are still exposed to reputational, operational and regulatory risks related to users’ and customers’ privacy.
We built on our findings to run an engagement programme with tech companies exposed to data risks and opportunities. Given these conclusions, during 2020 we engaged with more than 20 technology firms on how their ways of working compare with the good practices we identified around:
- Transparency on data privacy policies and practices
- Oversight of the issue at board level
- Data collection minimisation
- Privacy by default
The first positive outcome of our engagement activities is that companies overall were transparent, and happy to have an open dialog with us on data privacy issues. Fifteen firms out of 20 responded to our requests. With those we spoke to, we had in-depth, positive discussions on their approach to privacy and how the pandemic impacted their business. We also felt that tech companies now want to better understand investors’ expectations around data privacy. Our engagement highlighted that tech companies are acknowledging the materiality of data privacy and taking steps to mitigate risks. Through public disclosure and our dialog with firms, we found that 65% consider data privacy one of the most material environmental, social and governance (ESG) issues they are facing, and one of their sustainability priorities. With regard to management of privacy issues and day-to-day practices, we often got positive responses from companies. For example, some of the best practices we have seen through our engagement include, among others:
- A company that established a dedicated privacy committee at board level
- A company applying a strict non-content based and behavioural targeting
- A company that published a human rights policy that encompasses privacy issues
Lastly, we were glad to hear that the tech companies we have been in discussions with agree with the main message we have regarding data privacy: responsible privacy practices are key in building and maintaining user trust, therefore allowing them to create and deliver sustainable, long-term value through the collection and processing of data. Of course, work still needs to be done. Some firms did not reply to our requests and we identified areas of improvement for tech companies; therefore, our engagement programme around data privacy will continue in 2021.
Not for Retail distribution