The coronavirus pandemic has prompted millions of people to work from home, do their shopping online, and communicate with friends and family through websites and apps that they hadn’t used before – or perhaps hadn’t even heard of before.
But as we embrace this new approach to communications, many of us have quickly placed our trust in governments and companies, and in how they treat our personal data, when before we may have been more circumspect.
However, helping people continue living as normally as possible during these tough times should not be done at the expense of protecting individuals’ right to privacy and responsible data handling practices.
Data privacy is currently a highly topical issue in Australia, with the recent launch of the government’s COVIDSafe app, part of its strategy to identify, trace and isolate cases of COVID-19 and stop the spread.
While downloading the app is voluntary, Australians have been encouraged to do so in order to expedite the reopening of the local economy and assist the government in contacting those who have been in contact with a COVID-19 carrier.
Australia is also in the midst of a significant change in the way personal data is used, with new legislation being introduced to give consumers greater control over how their data is used and disclosed.
The Consumer Data Right (CDR) is first being applied to the banking sector. From 1 October 2020 financial services providers must share data relating to credit and debit cards, deposit accounts and transaction accounts. This will be followed by consumer data relating to mortgages and personal loans.
Currently, when it comes to data privacy, it is not easy to differentiate between firms with good and bad practices. In fact, there is surprisingly little comparable information available on this issue, which is so financially and reputationally material to companies, investors and customers.
This is in part due to the inconsistent quantity and quality of transparency around data privacy issues – something which the CDR in Australia aims to address. According to the most recent report on the matter by MSCI, 75 per cent of companies in the MSCI All Country World Index do not actually provide evidence of personal data usage minimisation – i.e. evidence that they essentially limit personal data records to just relevant information.
Transparency and trust – the difference between opportunity and risk
Data processing enables new pathways to value creation and large-scale customisation, which are at the heart of gaining and retaining customers – particularly at a time such as this. The collection of personal data creates a deep knowledge of users’ preferences, which is key to creating and delivering sustainable client value.
Globally, it has been estimated that the personal data market could generate $500 billion by 2024. Provided individual privacy rights are protected, in our view, this represents a major opportunity for investors.
We believe the key factor in making the data opportunity sustainable is, ultimately, customer trust. If companies obtain and maintain users’ consent in processing their data and provide value to them in exchange for their personally identifiable information, data will remain on the opportunity side. This is why we urge companies exposed to the collection of personal data to adopt responsible practices.
The data opportunity rests on transparency towards individuals. It only works when customers give their consent to personal data processing and know what type of data is collected and how it is used. Simply providing them with the terms and conditions is insufficient. That is why the boundary between the upsides and downsides of data privacy is narrow.
The edge of this boundary lies in customers’ knowledge and active consent around these issues. When customers are not aware of this, companies are highly exposed to data privacy risks. As the coronavirus lockdown continues in multiple regions, and as consumers commit rapidly to more new online services, the effective management of that boundary will be vital.
Figure 1 shows what marks the difference between data opportunity and data risk. The area highlighted in yellow corresponds to the type of data and usage for which the opportunity can turn into a risk. This is where breaches in customer trust can happen. Data privacy risks are higher when:
- The personal data that is collected is the most sensitive and is processed more extensively by companies – i.e. profiling data
- The use of personally identifiable information only benefits the company at the expense of customers who do not get value in exchange for their personal data – i.e. selling to third parties
The role of third parties is central in defining the boundary between data opportunity and privacy risks. Companies need to assess to what extent their data processing practices are risky in terms of data privacy. And investors should pay attention to whether data privacy policies apply to business partners and third parties.
Figure 1: The limit between data privacy opportunities and risks
Best practice in data handling: An investor’s guide
We believe that companies should be transparent in their disclosure on rules and policies around the processing of personal data and the way that customers’ personal data is used. This point is closely linked to the opportunity related to customer trust and retention.
Only a reasonable and relevant amount of personal data should be collected. It should be useful to the company’s business model – rather than handling huge amounts of data that have no immediate use, reasoning that it might be valuable someday.
Companies exposed to data privacy issues should guarantee the highest level of privacy protection by default. This means firms should:
- Implement proactive data privacy measures and policies
- Automatically protect users’ privacy
- Integrate data privacy at the roots of systems and practices
- Ensure transparency and visibility around personal data collection and usage
- Prioritise individuals’ interest regarding their personal data
Furthermore, the investment industry can – and should – leverage its influence on investee companies around data privacy issues.
We would like to see improved transparency and disclosure around data privacy practices, including reporting on compliance with GDPR and data privacy performance. This is particularly relevant for big technology companies, but also valid for any and every company that is exposed to the collection, handling and processing of personal data.
Companies themselves need to ensure they have a sound organisational structure and enough resourcing to understand the data privacy risks which they face – with oversight by the board and senior executives.
Businesses that operate in different markets should also adopt a single global approach to data privacy where possible. If not, they should be able to explain why they have had to adopt varying jurisdiction-by-jurisdiction standards of data privacy.
In this difficult moment for the world, it is clear that there is an opportunity for digital technology companies to build on the rapid take-up of online consumer services. These businesses are helping people weather an incredible storm, and if they can make sure these key privacy issues are addressed – by adopting responsible data privacy practices – then we believe that investors may find solid opportunities in the sector as data becomes an ever more valuable commodity.
Théo Kotula, ESG analyst, AXA IM
In Australia, this document has been issued by AXA Investment Managers Asia (Singapore) Ltd (ARBN 115203622) (“AXA IM Asia”). AXA IM Asia is exempt from the requirement to hold an Australian Financial Services License and is regulated by the Monetary Authority of Singapore under Singaporean laws, which differ from Australian laws. AXA IM Asia offers financial services in Australia only to residents who are “wholesale clients” within the meaning of Corporations Act 2001 (Cth).