Strong data privacy protections enable corporations to establish boundaries and limit access to information that is protected under data privacy laws.
Following the outbreak of COVID-19, companies and governments have adopted exceptional measures to safeguard employees, customers, and the public. Some of these measures include the use of technology to enable remote workplaces, and to collect, process, and share personal information in new ways.
Companies handling personally identifiable information, financial data, and/or health information must have in place robust cyber security protocols to limit the risk of data and privacy breaches. In addition, the method and type of data collected, how it is used to drive decisions, where it is stored, and for how long, are important considerations for data privacy during the pandemic and beyond.
What is data privacy and how has it evolved over time?
The right to privacy is a “fundamental human right” recognized in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and other international and regional treaties. Most countries also recognize a right to privacy explicitly in their constitutions. Its definition varies, but it may include the privacy of personal data or information (e.g., medical records); the protection of people’s bodies (e.g., drug testing) and personal space (e.g., homes); and the privacy of communications (e.g., mail, telephones). Data security is the narrower discipline that aims to ensure any personal information that is collected, used, or stored is protected from unauthorized access, use, disclosure, alteration, or loss.
Over the past decade, governments and consumers have become increasingly concerned about data privacy and security, largely due to the rise of globalization, advancements in technology, the use of multimedia, and the evolution of business models that derive financial value from personal data.
The increased focus on data privacy and security has ushered in a new generation of government regulations. For example, in 2016 the European Union (EU) adopted the General Data Protection Regulation (GDPR), in force since May 25, 2018, which applies to the processing of personal data of individuals in the EU by organizations located inside or outside of Europe. The cost of non-compliance with privacy regulations and requirements can be steep. Companies found to be non-compliant with the GDPR, for example, can be fined up to €20 million or 4% of their total worldwide annual turnover, whichever is higher. Many companies have been fined in recent years for data privacy violations or breaches. Under the GDPR these include British Airways (€205 million, a penalty proposed by the UK Information Commissioner’s Office in 2019), Marriott International (€110 million, proposed in 2019), and Google Inc. (€50 million in 2019), while in the United States the Federal Trade Commission (FTC) imposed penalties on Facebook (US$5 billion in 2019) and on Google and its subsidiary YouTube (US$170 million in 2019).
How can companies address data privacy?
A company’s exposure to data privacy issues is largely a function of its business model, what data it collects, and how it processes, stores, and shares that data. To address data privacy effectively and protect the security of data, a company should:
- Establish board oversight and accountability
- Know and comply with all applicable privacy laws and regulations
- Collect only the data needed for a stated purpose
- Understand consent requirements and obtain consent before collecting or using personal data
- Implement robust data security management practices
- Build awareness of data privacy across the organization
How does COVID-19 impact data privacy?
Since the outbreak of COVID-19, companies and governments have taken unprecedented measures to help contain the virus and protect the population. This includes the use of technology to collect, use, and share data with the goal of limiting infections, establishing effective policies, and enabling vaccine research. Under these circumstances, the right balance needs to be struck between public health and safety and the need for data privacy and security.
Data privacy and security-related impacts of COVID-19 include the:
- collection and sharing of medical, health, and other personal data
- tracking and monitoring of individuals’ location and status
- threats to data security from digitization of processes and practices, and increased risk of cyber-attacks
- modification of laws related to data privacy and protection
How will data privacy and protection change as a result of COVID-19?
The COVID-19 pandemic has required governments and companies to adapt quickly to a rapidly evolving situation. While data and technology have an important role to play in helping companies and authorities identify, track, and monitor the spread of COVID-19, data privacy and security must remain important considerations. Once the immediate needs of the crisis have passed, companies and governments will need to:
- Verify compliance with privacy laws: Data that may have been collected under emergency acts, modified laws, or specific guidance related to COVID-19 will need to be identified and assessed to ensure that any ongoing collection, processing, or sharing of that data complies with all applicable privacy laws.
- Confirm individuals’ consent and data rights: In cases where personal data will continue to be collected and/or held, companies and governments should ensure that consent has been provided. While implicit consent or voluntary provision of data may have been adequate during the crisis under modified laws or requirements, explicit consent may be required moving forward, especially if the purpose for which the data is collected has changed.[5]
- Verify data privacy and security: Technologies or processes, such as video conferencing, remote onboarding, or digital verification, may have been implemented during the crisis without going through an organization’s normal third-party risk-management process. Companies should complete that assessment retroactively (confirming what personal data each tool collects, where it is stored, who can access it, and what contractual data-protection terms apply) so that gaps do not turn into non-compliance with privacy laws or security incidents.
The quality and effectiveness of a company’s data privacy and security is one factor RBC GAM investment teams consider in their ESG integration processes. This may include consideration of a company’s data collection, use, consent, and monetization process; the strength of its privacy policies; managerial responsibility; privacy and security audits; staff training; reporting; and board oversight. To learn more about RBC GAM’s approach to responsible investment, visit www.rbcgam.com/ri.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council, April 27, 2016, European Union Law.
[2] GDPR Enforcement Tracker, CMS Law Tax, accessed April 28, 2020.
[3] “Facebook fined $5 billion by FTC, must update and adopt new privacy, security measures,” USA Today, July 24, 2019.
[4] “Google and YouTube Will Pay Record $170 Million for Alleged Violations of Children’s Privacy Law,” Federal Trade Commission, September 4, 2019.
[5] “COVID-19: Managing privacy and cyber issues,” McCarthy Tétrault, March 2020.