Editor’s Note: Regardless of your position on digital privacy laws, the reality is that many legislative bodies are enacting laws that are often complex, contradictory, and inconsistent. This is new territory for us all, and as an industry that is based on handling consumer data it is very easy for insights pros to get caught in the morass of these disparate regulations. Our trade organizations, most notably ESOMAR and the Global Research Business Network (comprised of most of the national trade orgs around the world), are attempting to help MR firms navigate the minefields of the rapidly changing digital privacy landscape.
Today’s guest post by Kim Smouter of ESOMAR is an example of the type of leadership and assistance they can provide to researchers who may be (and rightfully so!) confused by the various laws we need to comply with in different areas of the world. We’re very pleased to post it here on GBB and hope you find it helpful and interesting.
By Kim Smouter
For centuries, European and US historical paths have been inextricably linked. In war and in peace, Europeans and Americans have found many reasons to trade, talk, and even wage war together as allies in a tireless effort to impose a shared worldview built on the principles of democracy and self-determination.
Between the clichéd stereotypes is mutual admiration and a fascination with each other’s histories and achievements. Few societies in this world are quite so intertwined.
Yet the whole topic of personal privacy seems to be a case where the bonds of brotherly love are increasingly giving way to mutual suspicion, jealousy, and a desire to impose a world view designed and defined by “one camp.”
The situation is not only driven by economic concerns but also by real fundamental values resulting from differences in historical, cultural, and social experiences. One does not need to look very far to see how visible the cracks of discord are when Europe responded to the revelations of the US spying on its allies by calling for immediate changes to the EU/US Safe Harbour framework in place since 2000.
The ripple effects of the loss of the EU/US Safe Harbour framework should not be underestimated. The framework was put in place to enable transfers of data between the EU and the US. It was an important legal fix, as EU data protection law makes data transfers outside of Europe possible only to countries offering equivalent levels of protection (adequacy), or through complex company contractual structures which most small and medium enterprises find difficult to implement.
The US has adopted a very different data protection approach compared to the EU’s own global coverage approach. The US has elected to respond only to sectors where there are specific concerns, using primarily consumer protection and unfair commercial practice law as the legal basis for action, with the Federal Trade Commission (FTC) as the enforcement body. The US’ sector-specific approach to privacy and data protection is considered inadequate in light of the EU’s own global coverage approach. It is only through the EU/US Safe Harbour scheme that data has been able to flow freely between the two markets. The scheme offers a voluntary self-certification model whereby US companies commit to providing certain levels of redress that comply with the requirements of EU law. Without the Safe Harbour, most cloud services, and any projects involving the transfer of data out of the EU into the US, would be unable to operate legally.
The Snowden revelations woke Europe to the fact that its citizens benefited from lower levels of protection (and particularly levels of redress in the event of abuse from either public authorities or companies) on US soil. Additionally, it was also clear that the EU/US Safe Harbour had been laxly enforced in recent years.
So when Europe’s leading officials on data protection called for the strengthening of the EU/US Safe Harbour scheme or its suspension, leading companies on both sides of the ocean were deeply concerned. These calls emanated from numerous places: from the European Commission [the closest thing Europe has to a federal government], from the European Parliament [its Congress], as well as from the European equivalent to the FTC – the Article 29 Working Party.
The EU followed up by presenting a shopping list of recommendations to its US “partners”, who expected the issue would be resolved by this summer. These recommendations included requirements that (1) privacy policies be disseminated to the public at large and (2) US regulatory authorities step up their non-compliance enforcement as well as beef up the redress options offered to EU residents whose data is being sent to the US for processing.
The FTC’s first response was to step up enforcement action, taking 12 companies to task because they had failed to renew their EU/US Safe Harbour certificates and were falsely claiming compliance. The certificates have to be renewed every year. The companies have been hit with 20-year orders against them and face additional civil penalties if they fail to meet the requirements of the order not to misrepresent their compliance with schemes like the EU/US Safe Harbour.
At a recent meeting of ESOMAR’s Legal Affairs Committee, companies present at the table were asked whether the loss of the EU/US Safe Harbour scheme would impact their business. Every company around the table agreed on how important the EU/US Safe Harbour is to enable market, social, and opinion research to be conducted effectively across all our operating bases. This is especially important to small and mid-sized companies, who stand to lose the simplified processes that the EU/US Safe Harbour affords them, saving them from having to make major investments in legal support to draft and implement the other, more burdensome schemes available under EU law.
Whether the FTC’s recent enforcement actions will appease Europe enough remains to be seen, but they are clearly the latest in a series of tit-for-tat actions that highlight the differences in approach and attitude towards privacy and data protection on the two sides of the Atlantic. There is not much market research can do about this, but there are some concrete steps that research companies and the associations tasked with representing them are taking and should be taking.
Market, social, and opinion research companies must be careful to ensure that when transferring data between the EU and the US, they do take the time to self-certify through the EU/US Safe Harbour and to renew their certifications every year. Ensuring that a company’s entire supply chain is EU/US Safe Harbour compliant is also extremely important (this can be guaranteed through contracts and periodic audits). Offering comprehensive redress in the face of respondent complaints or requests to remove their personal data is also an extremely important requirement for self-certified companies. Losing your EU/US Safe Harbour coverage would mean that the data transfer is illegal and could mean facing legal actions both in the EU and in the US.
ESOMAR and partner national associations on both sides of the ocean are also working hard to remind legislators of the importance of getting the EU/US Safe Harbour right and not escalating the situation into a full digital world war in which we would all lose. Don’t hesitate to let us know how your companies would be affected by the loss of such a scheme so that we can reinforce our messaging to decision makers.
The key decisions that societies make, in both the private and public sectors, are increasingly driven by data, both big and small. The free flow of information is critical, not just for us as market, social, and opinion researchers but for the whole of society. By working together, we can ensure that the smoke over the EU/US Safe Harbour does not turn into a real fire.
Kim Smouter is Government Affairs Manager at ESOMAR. For more information on legislative developments in your region visit www.esomar.org/government-affairs