By Kim Smouter-Umans
In a lot of countries, the months of July and August are synonymous with so-called Government recesses. Similar to schools, Governments go on a break and the task of legislation is put on pause as legislators run to find the nearest beaches for some rest and relaxation. That means there’s a significant slow-down in the legislative process in many countries, giving us an opportunity to look forward and see what should be on your radar whenever Governments do return to the arduous task of legislating.
ESOMAR’s Legal Affairs Committee met last month to discuss many of these upcoming pieces of legislation; top legal advisors and compliance officers of the industry’s largest companies descended on Amsterdam for our quarterly meeting. The conversation, as always, focused very much on the biggest regulatory change to hit the data protection and privacy landscape, but focusing solely on the now-famous EU GDPR would certainly be a mistake for the industry’s strategic planners.
Welcome to the new California Consumer Right to Privacy Act of 2018
For example, are you familiar with the new California Consumer Right to Privacy Act? You would be excused for not having noticed it. In record time, the state government of California adopted a new privacy law in order to prevent a more far-reaching citizen bill from being adopted by referendum.
Inspired by the EU GDPR and driven by recent scandals involving data breaches and misuse of personal data, the law will bring Californian requirements closer to GDPR requirements by 2020. Fines foreseen for non-compliance with this law are up to US$ 7,500 per record lost, and a record can be as minute as an IP address. The law also provides for rights of access for consumers, a right to restrict further use of data, especially for commercial purposes, and stricter disclosure rules about what the data will be used for.
EU ePrivacy Law – GDPR’s little sister (or sibling, or brother?)
You might also be forgiven for thinking that the European Union is done and over with inventing new legislation governing how we collect and use personal data in commercial contexts. Nothing could be further from the truth; the European Union is currently negotiating a revision of its ePrivacy rules, which govern the confidentiality of communications but are most recognizable by the pop-up walls we often see on websites asking us for consent on the placement of cookies.
The new ePrivacy laws will feature exactly the same levels of fines as the EU GDPR (which you may recall is about EUR 20m or 4% of annual global turnover, whichever is highest). The ePrivacy rules will require consent for many online services, but this consent will need to meet the higher bars set by the GDPR around information, choice, and unambiguity. We’re still working to try and achieve broad exemptions covering many of the online passive research use-cases that create little to no privacy impact. We’ll be reporting a lot of the developments governing this law to our ESOMAR Plus subscribers first, before cascading information to the rest of the ESOMAR community as the negotiations evolve. Currently there is hope from Brussels to have this new law done and dusted before the European Commission’s term lapses in 2019.
And don’t forget text and data mining rules too!
There are a lot of other initiatives on the European legislators’ dockets, but another one that is worth calling out is the Copyright legislation, which has an impact on text and data mined from social media platforms, and particularly on identifiable verbatims that may actually benefit from copyright protection under EU law. The EU proposals to date would do little to remove the legal uncertainty currently facing researchers from a copyright perspective. ESOMAR has partnered up with the European Alliance for Research Excellence in order to make the case.
Japan and South Korea: Connecting with Europe on data protection and privacy
One of the ambitions of the EU GDPR has always been to get other countries in the world to adopt largely similar legislation in order to enable adequacy decisions that would facilitate the transfer of personal data between markets, provided they offer high levels of protection to the individuals whose data is being collected and used. Those ambitions seem to already be paying dividends for Europe, as two Asian countries, Japan and South Korea, have been working hard to secure adequacy decisions from the European Commission which would enable easier data transfers between some of the largest economies in the world.
In the case of Japan, the objective is to achieve a mutual adequacy finding, meaning that Japan is also scrutinizing the EU itself in order to determine whether its legal regime meets the requirements set by Japanese law. So far, initial meetings with government officials have been positive, leading to expectations that there may be new adequacy findings around the corner. For research organisations working between these two markets, it would mean a much simpler contracting process and a lot less paperwork around it.
An unexpected visitor: GDPR’s processor vs controller quandary
ESOMAR is working in close collaboration with EFAMRO and ephMRA following some unexpected developments initiated by expected ICO guidance governing how to attribute the data processor and data controller roles, which did not sufficiently reflect the reality on the ground for market research organisations and their partnership with client organisations. Following representations made by our UK counterparts, the case is being brought to the European Data Protection Board for consideration at a European level.
This issue may have massive ramifications for the disclosure requirements of clients at the start of the research process. In certain circumstances, disclosing the name of the client could introduce significant bias to the research project, but EU GDPR rules would require their disclosure if they are deemed to be the controllers of the project. Our associations are currently gearing up our representation activities with national authorities in order to achieve the best result from this process and have the least impact on your operations.
As one can see, there’s still a lot of activity on the regulatory front. If you’re interested in finding out more about how these and other pieces of legislation are likely to impact you, it might be worth looking into our ESOMAR Plus Basic offer, which ensures you keep your finger on the pulse of emerging legislation that is likely to severely impact your operations as early as possible. Contact us to find out more and, in the meantime, we hope you’ve placed these new emerging laws on your radar too!
Kim Smouter-Umans is Head of Public Affairs & Professional Standards at ESOMAR