Data Quality, Privacy, and Ethics

March 31, 2015

Safe Harbor: Is it safe?

There is a threat to Safe Harbor and it raises the specter of a world without a substantial Safe Harbor system

by Andrew Jeavons

Director Analytics at Signoi

Safe Harbor is a US government program, run in co-operation with the EU and Swiss governments, that provides self-certification for companies concerning the security of data gathered outside of the USA but residing on servers within the USA. It tells the overseas participants, the EU and Switzerland, that the data will be kept private and secure within the USA. Norway, Iceland and Liechtenstein have also agreed to be bound by this agreement. You can find out if a company is Safe Harbor compliant on the Safe Harbor website, http://www.export.gov/safeharbor/.

The Safe Harbor framework is vital for any company in the US that carries out data collection (data import in Safe Harbor terms) in Europe using computer systems based in the USA. Without it, the nightmare of having to comply with 30 countries' differing security requirements would be crippling to data collection activities.

The introduction by CASRO of a Safe Harbor assistance program is a tremendous help to US-based MR or survey companies that carry out research in Europe. This program makes it easier for CASRO members to become Safe Harbor certified and also provides a mediation channel for dispute resolution, a requirement for Safe Harbor compliance.

So all is right in the world. Become Safe Harbor compliant and you are now all set to collect data from Europe without violating any security requirements of European countries!

The problem is that this isn’t quite true.

There is a threat to Safe Harbor, and it raises the specter of a world without a substantial Safe Harbor system. This threat started in Düsseldorf, Germany in 2010. Germany has a federal system of regional government; each of the 16 states within the German federation has significant legal powers. In April of 2010 the “Düsseldorf Circle” met. This was an informal group of data protection officials from each of the 16 states within Germany. They passed a resolution that meant that they no longer accepted membership of the Safe Harbor agreement as reliable enough to allow data collection by US entities within each of the German states. They stated that there was a requirement for further due diligence on the part of German companies “exporting” data to the US, beyond that required by Safe Harbor. In short, German companies need to undertake their own due diligence with the US data importer, and the onus is on them to make sure they are satisfied that the US importer is secure enough.

In practice this means that when you agree a deal with a multinational European company to collect data from all their companies in Europe, you not only have to be a member of the Safe Harbor program but often also have to sign a separate agreement with the German subsidiary company because of German federal law. It also applies to global US-based companies; the German subsidiary will often require an agreement of its own. This agreement is often part of the EU directive on data storage, a sort of re-affirmation that the data will be kept safe while in the US. Sometimes the German company simply decides not to be part of the global master agreement and to use local facilities to store German data so it never crosses the shores of the USA.

So far this seems only to be happening with Germany, but it represents a crack in the Safe Harbor system. The United Kingdom has some very strict laws regarding data collection and privacy. For instance, you have to actively agree to allow websites to use cookies on your computer. All UK websites will ask for this permission when you first visit them. Very often UK companies will require that data collected within the UK resides on servers in the UK and that it is not exported to the USA. This trend is becoming more common: companies want their data in their own country. It may only be a matter of time before other European countries follow the lead of Germany and require data exporters to have their own agreements, outside of Safe Harbor, with US data importers.

After the controversy surrounding the revelations by Edward Snowden concerning the USA and government spying, the USA is unfortunately regarded with suspicion in much of Europe when it comes to data security. Earlier last year the French and German governments held talks regarding an Internet communications system that would avoid data (mainly email) passing through the USA, to shield it from USA government spying. This shows the level of concern in Europe about USA data security. It is not in anyone’s interest to go back to having agreements with each nation within the EU concerning data exporting to the USA; it would be very time consuming and chaotic, and would only serve to stifle business for US companies that want to collect data globally.

Companies such as Amazon can provide one possible technical solution to local country storage requirements. Amazon, along with selling anything you could possibly think of, also sells cloud-computing resources via “Amazon Web Services” (AWS). AWS is also able to localize the cloud services so that your data can be in a specific place, for instance Frankfurt or Ireland. It could be a solution for US-based companies gathering data but needing the data to be stored in another country. But it is by no means simple to split data storage across facilities in this way, so while it sounds like a solution, implementing it could be harder than it looks.

Safe Harbor is very much in the interest of global MR client companies. It allows streamlined data collection operations from a single US source, rather than having to have data collected from many different countries individually. It makes data collection much more efficient and hence more economical, not to mention cutting down the time taken to implement data collection agreements. Safe Harbor is vital to US data collection companies and needs to be kept safe.

Disclaimer

The views, opinions, data, and methodologies expressed above are those of the contributor(s) and do not necessarily reflect or represent the official policies, positions, or beliefs of Greenbook.
