Have you ever heard of Digital Out-of-Home (DOOH) advertising? Probably not, but it has most likely seen you, without your consent and without you even realizing it.
The world of advertising has made incredible progress thanks to the digitalization of something as simple as the billboard. Shopping malls, airports and train stations are full of strategically placed DOOH boards that provide you, the traveller or consumer, with real-time targeted messages whose impact companies are able to measure in order to drive ROI.
DOOH has experienced constant revenue growth over the past 19 quarters and has successfully revolutionized advertising as consumers become increasingly mobile in terms of both devices and time spent outside the home. DOOH software is capable of monitoring how many people are in front of a display and how long they look at it. It is able to obtain data such as gender and approximate age, identify features such as eyeglasses, beards and moustaches, and, perhaps most incredibly, gauge emotions, all without the bystander even knowing that their data is being collected.
In Italy, Out-of-Home advertising has recently been the subject of national attention after Giovanni Pellerano, CTO and Secretary of the Hermes Center for Transparency and Digital Human Rights, noticed an error message on one of the digital advertisement displays in Milan’s Central Station. Giovanni went on to analyze the information he was able to access on the terminal and realized that it was equipped with facial detection and analysis software. The Italian Data Protection Authority has subsequently requested clarification from the company that installs the displays with regard to its data collection practices and should receive a response by the end of April.
In the specific case of Grandi Stazioni SpA, the subsidiary that manages the major Italian rail stations, the technology used since 2013 is provided by Quividi, which also provides such technologies to major retailers like Harrods and JCDecaux. It goes without saying, however, that all major companies take advantage of the technology, which can help them understand local consumer behavior.
According to Grandi Stazioni, the totems use anonymous video analytics and do not store any personal data that can be linked to a specific individual. In fact, on its website, Quividi claims that no biometric information is ever stored in the long-term memory of the totem and that personal data is not uploaded to the cloud; all collected data is anonymized “by design”, as images and videos of faces are never recorded. In simple terms, according to the explanations made available, the software is only able to determine what is in front of it (facial detection and analysis, as opposed to facial recognition), and all data processing should occur on the spot, only to be aggregated and then destroyed.
More transparency is needed concerning these and similar technologies, which are increasingly ubiquitous.
As a result of the Garante’s investigation and with Quividi’s official response, soon enough we should know if the system has truly integrated anonymisation-by-design and if it only recognizes faces and processes data in real time without storing any sensitive data.
The point that I want to make here, however, is not about mere legal compliance or the fact that DOOH advertising is challenging citizens’ privacy and data protection rights. This is obvious.
Every day new technologies create not only benefits but also challenges to citizens’ fundamental rights and freedoms. For example, the NHS launched a digital out-of-home campaign to highlight the life-saving power of blood donation, amplified through online and social activity, including a Canvas advert for Facebook, sponsored posts on Facebook, Instagram and Twitter, and organic social activity.
No present or forthcoming legal framework in itself will ever be able to effectively regulate our data-centric society in terms of maximizing the benefits for citizens while effectively minimizing their risks.
Regulators and institutions can no longer be the police of the Internet and it is time for companies to take responsibility. This has also been recognized by European Data Protection Supervisor (EDPS) Giovanni Buttarelli, who has repeatedly stressed the need for an ethical approach in business models and technological development, furthered by privacy by design, new rules, and enforcement cooperation.
Data protection compliance should be understood as part of Corporate Social Responsibility. Corporate Social Responsibility is defined as the commitment of businesses to contribute to economic and industrial development while at the same time improving the quality of life of the workforce, families, communities, and society as a whole. The time when companies were able to consider data protection as a mere legal compliance obligation is in the past. Instead, in this data-centric world businesses need to consider privacy and data protection as assets that can help them to responsibly further their economic targets.
As the White House stressed in its 2014 Big Data and Privacy: A Technological Perspective report to President Obama, the effective use of technology can successfully leverage the benefits of big data while at the same time limiting risks to privacy. This, however, can only be done at the company level. Sound corporate policy can allow for data processing in a responsible and sustainable way, furthering the potential of data to improve human existence. It can be used to challenge climate change and to create medical cures we never thought were possible. Data has the power to change the world.
So all companies participating in the data-centric society need to act in a socially responsible way, by complying with five main rules of Socially Responsible Data Protection, regardless of normative control:
1. embed data protection and security in the design of processes;
2. be transparent with citizens about the collection of their data;
3. balance profits with the actual benefits for citizens;
4. publish relevant findings based on statistical/anonymized data to improve society;
5. devote a portion of revenues to awareness campaigns for citizens with regard to the data-centric society.
I propose that companies acting according to such principles be awarded a seal to be displayed on their sites, media, materials, and products, demonstrating that they act responsibly in the data-centric society. Data is the future and instead of regulating alone, we must push for Data Protection to be considered as a genuine aspect of CSR.