The following op-ed was written by Will Christodoulou and Sukhman Dulay of Catalyst Cyber Accelerator cohort 6 company Cyder, and was first published in the Toronto Star on Dec 31, 2022. 

Owning something with your name on it, such as a house or car, is often a source of pride and control; you can show it off, keep it to yourself, or even sell it. So, why is one of the most universal assets, personal online data, not thought of in the same way?

The short answer is that we had no idea it could be controlled and monetized in the same way as real estate or cars.

The concept of data privacy should be understood as the ability to own our personal information and control who, or what, can see it.

Tech companies have invested billions of dollars in developing cloud infrastructure that enables organizations to manage, remove, and store data easily, in accordance with user demands. The only problem is that no one realized they had the right to their data, or that it was being extracted and abused.

Until Cambridge Analytica, that is.

Enter the notorious data analytics consulting firm that sifted through millions of data points in order to analyze and ultimately manipulate the American people during Donald Trump’s 2016 presidential election campaign.

In spite of how unprecedented this was to the general public at the time, those in the analytics community were unfazed. This type of data analysis has occurred and continues to occur for most large-scale organizations.

This breach of trust is the reason individuals are becoming far more privacy-conscious, leading to an increase in ad-blockers, virtual private networks (VPNs), data-deletion requests and other privacy tools and technologies.

After this scandal, policy, technology, and education began to catch-up with public outrage. Until 2018, individuals could not truly control their data, and this remained the case until the European-based General Data Protection Regulation (GDPR) went into effect. The GDPR has a number of principles, the most important of which are transparency, confidentiality (security) and accountability. This policy laid the groundwork for individual consumers to see legally where their data is going, and control how it is used, managed, and handled. If the party in charge of the data makes a mistake — think data leak or misuse of personal information — they face hefty fines.

From the GDPR came a flurry of other data-ownership laws that further strengthened this fundamental fact: that people, not organizations, hold true ownership of the data collected about them.

Not only our European neighbours are making this change; on June 16, 2022, the Canadian government tabled the Digital Implementation Act (Bill C-27). Along with a number of increased data privacy, security and control laws, Bill C-27 requires that an organization must obtain an individual’s valid consent for the collection, use, or disclosure of that person’s personal information. Once an organization has gathered the user’s data, it can ultimately dictate how that data can be used if the user consents to it. Organizations guilty of breaking these new laws will be liable to a fine of up to five per cent of global revenue or $25 million, whichever is greater.

It’s difficult to believe that the concept of a person owning their data is just four years old. As data privacy is still in its infancy, academic institutions, technology companies, and governments are collaborating to ensure that individuals’ rights are not inadvertently, or intentionally, compromised. Some organizations, such as Rogers Cybersecure Catalyst and its Catalyst Cyber Accelerator, are directly helping Canadian tech startups in developing compliant technologies that help organizations manage these policies.

However, there is a Catch-22 that must be addressed and that is that we all love personalization. We like to see Netflix shows suggested for us, based on past views, Spotify playlists that fit our vibe, and tailored ads when we’re in the mood to treat ourselves. But, by going incognito and asking for full privacy, we make these customized suggestions nearly impossible.

And herein lies the problem: data privacy does not mean a person must shut off all their data from the world. We need to stop using the excuse “I want to protect my privacy,” because we actually don’t.

What we truly want is the ability to own it.

The world is adapting quickly to give people control over their data. Decentralized and distributed blockchain technologies, for example, can provide users with complete visibility into where their data is going. Apps are now on the market that make it simple and easy for users to choose which organizations have access to their information and to remove easily those that do not honour personal data control. Internet browsers, such as Brave, enable online privacy and block invasive trackers, while extensions like Cyder allow for privacy, ad blocking and assistance in the monetization of a person’s personal digital information, (just as new products, such as Tapestri.io, are giving users the power to monetize their mobile data.)

The good news is a lot has happened in a few short years to ensure personal privacy and protection. But this still requires a change in mindset and business models.

It’s time to protect our digital footprint actively, and encourage forcefully organizations to pay users for access to their data.