Leveraging your users’ data? Think twice

This article appeared first on MIT Enterprise Forum Pan Arab Region .

“It was my mistake and I am sorry.” This is what Facebook’s Mark Zuckerberg told the US Congress back in 2018 when asked about the data misuse by Cambridge Analytica to publish targeted political ads to Facebook users in the 2016 elections.

Since Mark Zuckerberg promised to do better, Facebook started rolling out new features for users to control their privacy, like the “Your Facebook Information” section, which allows you to see and access the personal data Facebook holds, and the newly-introduced Off-Facebook Activity tool, which allows you to view or clear activity about businesses and organizations you visit off Facebook.

But why is Facebook taking these measures when its business model relies on collecting users’ data to target them with ads?

Three or four years ago, it was common to hear entrepreneurs say that they would sell users’ data to generate more money. But today, tech companies should think twice before considering this business model.

Even Google, a company built on leveraging its users’ data to sell ads, is considering privacy as ‘optional’ in times of crisis. Recently, Google published the Community Mobility Report to show how people are moving around differently due to COVID-19 and the places they visit the most, like supermarkets, pharmacies, workplaces, etc. Google says that this report is created with “aggregated, anonymized sets of location history data from users who have turned on the location history setting, which is off by default.” This means two things: Google knows a lot about its users who want to give the company more access; Second, companies can not hide anymore if they are leveraging personal data or they will be in trouble. Even in the times of global crisis, companies should respect the right for digital privacy and collect as little data as possible to run their apps and services.

In this guide that we are using for tech SMEs, Social Responsibility Is A Business Matter, we identified three business justifications for the protection of users’ privacy and free expression:

Users will have more trust and confidence in your products and services. Imagine a messaging app that keeps leveraging your data and sharing it with governments and third parties without any framework that protects your privacy. Would you continue using this app? Studies show that users are now more concerned about their privacy and security of personal data. According to a 2018 report published by PricewaterhouseCoopers (PwC), 85% of consumers will not do business with a company if they have concerns about its security practice.

One example from the Arabic-speaking region is Sarahah, the anonymous feedback app, which gained global exposure a few weeks after its launch in late 2016. Despite accumulating more than 20 million users in a short period, the app, which was developed by a Saudi entrepreneur, was accused of collecting users’ phone contact lists without their consent. Moreover, the app did not have a publicly available privacy policy or terms of service. The app was eventually removed from the Play Store and App Store for promoting cyberbullying.

More investment and opportunities for growth. In addition to having a great idea, perseverance, a customer and user base, and the team, potential investors want to make sure a startup is reliable, trustworthy, and will give them return on their investment. The Investor Statement in support of the Guiding Principles on Business and Human Rights, signed by 87 investors representing $5.3 billion, stated that “as investors we believe that establishing the respective obligations of States and businesses will enhance the operating environment for companies in which we invest and their long term prospects for financial success.” Moreover, more money is being dedicated to privacy and security companies, as, in 2019 alone, investors injected around $10 billion in these companies.

It’s the law! There is no doubt that 2018 was a turning point in the technology sector, as enforcement of the European Global Data Protection Regulation (GDPR) commenced, and Facebook testified before Congress. But even in the Arab region, an increasing number of countries are working on drafting new laws that aim to protect personal data to some extent. A few days ago, on February 24, the Egyptian parliament approved the Personal Data Protection Law “that aims to protect personal data on online markets, control e-shopping.” In 2019, Saudi Arabia passed the E-Commerce law that “aims to promote a trustworthy environment for online transactions and includes stipulations on online errors, protection of personal data.” Lebanon also enforced its E-Transactions and Personal Data Protection law in January 2019. In the same year, the UAE enforced the Healthcare Data Protection while working on a general Data Protection law, similar to GDPR. While all of these laws are heavily flawed, governments across the region are at least trying to develop legal frameworks for data protection. On a global level, the international standards are set since 2011 by the United Nations Guiding Principles on Business and Human Rights is the crucial document. These principles are developed and unanimously endorsed by the 47 states in the UN Human Rights Council to set out the role that states and businesses should have in respecting human rights – known as the “Protect, Respect and Remedy” framework.

The guide also includes some tips on how a tech SME can make sure it respects these rights. First, tech SMEs need to review their practices and conduct a simple review of their company’s policies, products and services, to identify where privacy and free expression issues might arise, or where these might be at risk. Second, SMEs have to consolidate their understanding to have a better idea of the aspects of their policies, products and services which might have a negative impact on privacy and free expression. After completing these two steps, SMEs should take action and start articulating their policies as these relate to privacy and free expression, and to think about what steps can be taken to avoid or mitigate negative impacts.

Startups and entrepreneurs in the Arab region should start thinking about conducting business in a way that respects users’ privacy and rights. It’s what the big tech companies are doing too.

Abed Kataya, Digital Content Manager at SMEX for Digital Rights. He is also a digital safety trainer and freelance journalist with a focus on technology, economy, and entrepreneurship. Follow him on Twitter @kataya_abd.

This page is available in a different language العربية (Arabic) هذه الصفحة متوفرة بلغة مختلفة

Avatar photo


SMEX is a registered Lebanese NGO that works to advance self-regulating information societies in the Middle East and North Africa.