A New Privacy Shield will be in place to protect EU/US data flows starting 1 August 2016
By Kim Smouter
A MAJOR RELIEF?
Europe and the United States have announced that they have come to an agreement on the replacement mechanism to the EU/US Safe Harbour. The Safe Harbour Scheme had been struck down by the European Court of Justice last year forcing European and American authorities to scramble and setup a replacement mechanism allowing the free flow of data between the world’s two largest data markets.
In February, authorities had announced the Privacy Shield which sought to address the European Court of Justice’s opposition to indiscriminate mass surveillance on Europeans and also the inequivalent level of redress afforded to Europeans. But following negative feedback from European politicians, and European and national data protection authorities about the new scheme, it was uncertain the Privacy Shield would ever see the light of day.
Companies wishing to sign up to the new Privacy Shield will be invited to do so starting 1 August 2016, noting that at the moment data transfers using the old Safe Harbor are illegal and subject to enforcement actions. German Data Protection Authorities have already begun issuing fines for companies who are still transferring data using the old scheme.
THE PRIVACY SHIELD SURVIVES SCRUTINY AND POLITICAL OPPOSITION
So, despite political opposition to the new Shield, representatives of EU Member States and the European Commission gave their final nod of approval to the proposed scheme. A new version of the text was prepared to address the negative reviews of the national data protection authorities and the European Data Protection Supervisor who will eventually have enforcement responsibility over the scheme.
The Privacy Shield is a slightly different animal from its predecessor, but for those involved in the previous scheme it should be seen as an evolution of the pre-existing requirements.
Nonetheless, there are a number of changes to highlight from the perspective of a company including:
STRICTER NOTIFICATION REQUIREMENTS
- The Privacy Shield requires additional information be provided to individuals in the Notice Principle, including a declaration of the organization’s participation in the Privacy Shield, a statement of the individual’s right to access personal data, and the identification of the relevant independent dispute resolution body;
STRICTER CONTRACTUAL REQUIREMENTS
- The Privacy Shield strengthens protection of personal data that is transferred from a Privacy Shield organization to a third party controller by requiring contracts that provides that personal data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles;
GREATER EMPHASIS ON DATA CHAIN RESPONSIBILITIES
- The Privacy Shield strengthens protection of personal data that is transferred from a Privacy Shield organization to a third party agent, requiring a Privacy Shield organization to:
- take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles;
- upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request;
CLARIFICATION OF LIABILITIES
- The Privacy Shield organization (the data importer) is responsible for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf.
- The Privacy Shield organization remains liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage;
- The Privacy Shield also clarifies that Privacy Shield organizations must limit personal information to the information that is relevant for the purposes of processing;
ANNUAL CERTIFICATION REQUIREMENTS
- The Privacy Shield requires an organization to annually certify with the US Department of Commerce its commitment to apply the Principles to information it received while it participated in the Privacy Shield if it leaves the Privacy Shield and chooses to keep such data;
- It also requires that an independent recourse mechanism be provided at no cost to the individual;
STRONG EXPECTATIONS TO RESPOND PROMPTLY TO REQUESTS
- The Privacy Shield requires organizations and their selected independent recourse mechanisms to respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield;
- The Privacy Shield also requires organizations to respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department;
- It further requires a Privacy Shield organization to make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC if it becomes subject to an FTC or court order based on non-compliance.
MORE FLEXIBLE RETENTION PERIODS FOR RESEARCH AND STATISTICAL ANALYSIS
- The Privacy Shield hasn’t forgotten about offering a differentiated regime for research, as organizations may retain personal information for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research, and statistical analysis.
THAT’S GREAT, BUT WHAT’S THE ADVICE FOR MARKET RESEARCHERS?
Clearly the adoption of a new Privacy Shield offers a much more “user-friendly” mechanism to re-enable data transfers between the EU and the US in the same way that before the Safe Harbour scheme allowed more than 4000 companies to transfer data easily between the two data markets. Market, opinion, and social researchers also benefited from this scheme as leading agencies were using it but also many suppliers into the industry.
The alternatives, like binding corporate rules and standard contractual model clauses provided by the Commission can be cumbersome or worse and sometimes simply cannot be applied to the use-case. So having this scheme can be a relief.
There is, nonetheless, a word of caution to be placed on rushing to adopt the Privacy Shield. As highlighted by the European Parliament’s rapporteur on the General Data Protection Regulation, Jan Albrecht, there are many who think the new Privacy Shield will not pass muster in front of the courts and Privacy Advocates will be rushing to challenge the new decision.
There is therefore a real risk that in the not too distant future, the Privacy Shield may be struck down like its predecessor by the Court of Justice. Companies should think carefully about whether they wish to invest the time and resources to certify under the new scheme in light of this uncertainty.
In light of the new developments, our advice to our members can be summarised as follows and is consistent with the advice we have been providing since the Court of Justice decision namely:
- Conducting an audit of any data transfers susceptible to journey via the US is crucial to determine your exposure to the Court of Justice ruling that personal data transfers to the US under the Safe Harbor scheme is illegal.
- Updating your privacy policies to highlight the existence of these data transfers, if you haven’t already, is a crucial step. The aim should be to notify as clearly as possible what data is transferred to the US, to underline the conditions under which that data is travelling, and the risks involved. It’s important that this is understood to be an indication of goodwill and shouldn’t be mistaken as a compliance measure by the organisation.
- Seeking alternatives to transfers to the US remains a useful step to consider as all transfer schemes currently in existence have proven subject to potential legal challenges.
- Where possible, partner with European-based services to execute your data processing tasks involving Europeans’ personal data as this will reduce exposure to legal problems stemming from inequivalent levels of protections that you may encounter resulting from the use of a non-EU partner. Anonymised data is not subject to restrictions and therefore it may be wise to process the data in Europe, and then send it to US entities as anonymised data sets.
- If this is not possible or practical, then the alternative mechanisms like binding corporate rules, standard model contractual clauses, and the Privacy Shield (Starting 1 August 2016) must be in place before personal data transfers from the EU to the US can take place. If you’ve already adopted one of the other alternative mechanisms it makes no sense to return to the Privacy Shield.
- If you intend to use the Privacy Shield, we recommend that partners you use for data processing be subject to an annual audit of their Privacy Shield certification along with meeting the requirements referenced above.
- It may also be useful to consider adding a safeguard clause into your contracts which allows you to require your partner to work with you to find alternatives should the Privacy Shield be subject to a new legal challenge, and should an alternative not exist, allow the termination of the partnership without any additional fees.
WE’RE HERE TO HELP YOU!
ESOMAR members may feel the need to reach out to determine whether the Privacy Shield is the right mechanism for them. The document itself can be quite daunting! That’s why ESOMAR’s Professional Standards service operates a free queries service for members which can help assist members in their reflections. Members can get in touch with our services at firstname.lastname@example.org. So if you have any questions don’t hesitate to get in touch.
Kim Leonard Smouter is Head of Public Affairs & Professional Standards at ESOMAR.
A Millennial’s Attempt At Understanding Research About Her Own Generation – #ResearchAboutMillennials
By Giulia Gasperi
Ever attended a conference presentation feeling like you were in a Discovery Channel documentary about yourself? If so, you’re probably a Millennial.
Millennials have been placed in the world’s biggest petri dish, by a landslide. The Google search query “Research about Millennials” unleashes roughly 21,300,000 results – that’s 100 times more sources than what lurks behind the search term “Research about GenX”.
Unable to resist the idea of exploring a virtual landscape almost as vast as habitable Planet Earth, I wrote this blog post to start a conversation with you on the broader topic of Research By/About/For/Through/[insert preposition of your choice] Millennials.
I invite you, my fellow researchers, thinkers and Discovery Channel Docu-stars of the Millennial Generation, to help me untangle some of the seemingly contradicting insights related to Millennials. You can do so by casting your vote for different sides of my story in polls sprinkled throughout this post, and by sharing your thoughts in the comment box at the bottom. I look forward to collecting your opinions to tie them into upcoming stuff in my Research X Millennials content series.
Out of hundreds of stats, this one is probably my favorite. As contradictory as it may sound, it perfectly summarizes what happens when you stuff billions of consumers into the same, enormous petri dish. And it begs the question: if they don’t consider themselves a Millennial, then what do they identify with, exactly? Curious to hear your thoughts on this.
1/ Millennials vs older generations
On the fence? Let’s review a few arguments in favor of either schools of thought.
So what? A solve to this divide in opinion proposes that Millennials follow the same life trajectory as previous generations, but with more stops along the way. Their path in life is a snakes and ladders game: less linear than before, a jumble of milestones that result in a more complex journey into adulthood. The differences between “Say” and “Do” are dictated by external factors, such as the economic climate they live in.
A more complicated life journey has repercussions on many aspects of life. Because “Millennials in the workplace” was one of the biggest themes in my 10-Google-page crusade. I decided to take a closer look at this aspect.
2/ Millennials in the workplace
Here are some more stats for both sides of this argument:
|They have not significantly impacted dynamics in the workplace||They have significantly impacted dynamics in the workplace|
They make their own career decisions: they are less influenced by parents or friends than generally expected.
They rely on others for career decisions: Top 1 approach to seeking employment is to be referred by a friend, relative or other connection
So what? This was my Aha! moment:
- While the Economist and CEB Global agree that 51% of Millennials look for jobs elsewhere, compared to 37% of GenX, CEB adds that 53% of Millennials find internal opportunities desirable, suggesting that Millennials are not Job hopping – they’re Experience hopping.
- Why is that? My speculation leads me to think that companies are still looking for the right loyalty triggers to help Millennials stick around. For example:
- 63% believe their leadership skills are not being developed
- Hiring managers today choose to hire more and more freelancers because of their fit with current workplace realities – e.g. the ability to put a supplier to work immediately, scaling employment in a way that mirrors business priorities and accessing specific skills.
In a way, Millennials are thus left with no other choice than to adapt to a more dynamic workplace:
- 79% consider quitting their regular job to work for themselves
- 82% believe starting a business today is easier than it has ever been before.
What looks like a chicken vs. egg argument essentially implies that businesses could do a better job at bridging the gap to ensure a new generation of business leaders is created.
Unleashing loyalty and answering the question “what’s in it for me” is just as important in the Millennial workplace as in other aspects of their lives.
To unleash their loyalty, we need to look at what drives it and better understand Millennial Values and Attitudes.
This shifts the conversation into my third and last monologue/debate.
3/ Millennial Values & Attitudes
Hail The Stats!
|Individualistic & Me-Minded||Inclusive & We-Minded|
They are comfortable in their home nest: 60% eat with their family 4-5 nights per week, 85% mention parents are their best friends
A few thoughts as to why we are so divided on this. The easiest approach is to fall back on the good old “we can’t bundle billions of people together” argument. This article looks at how Millennials choose where to live, and states that while 42% want to stay near their families, 41% decide where to live based on their job and career decisions – that’s an equal share on both sides of the value spectrum. Different people have different priorities, and being a Millennial doesn’t change that.
I’d be ok with that, was it not for the stat about trust, which caught me off guard. How can Millennials be socially minded and distrusting at the same time?
- Less than 1 in 2 Millennials trust experts (e.g. doctors, financial advisors) to convince them of the merit of a brand (vs. 61% non-Millennials)
- 53% say they don’t trust anyone with financial guidance
On the opposite side of the spectrum,
- More than 1 in 2 Millennials trust websites and digital/social media advertising (vs. 33% non-Millennials)
- 60% want their banks to be a partner or friend
Next to this, Forbes argues that Millennials integrate their beliefs in causes of their choice, for companies they choose to support.
They are on the constant search for authenticity, for political and ethical truth.
Millennials are trying to shape their own way of navigating a reality sprinkled with corporate scandals, the fall of many long-standing financial institutions and the dot-com bubble burst. Disillusionment turns into learning experiences, and learning experiences turn one-track minds into multi-faceted chameleons.
Sometimes, the explanation lies on both sides of the spectrum.
Embracing their complexity can help us move closer to Millennial audiences and find new sweet spots to engage with them.
I mean us. 🙂
Enough from my end for now – curious to hear what you think, and specifically, what you believe this means for other big Millennial Labels, like “Shareconomy” or “The Wired Generation”.
Share your comments below!
Giulia Gasperi is known mostly for her faith in unicorns and love for fun facts, she speaks 5 languages and has resided in 9 countries across 4 continents. Today, as Research Director at InSites Consulting, she inspires top-tier brands all over the world and helps them unlock extraordinary insights from everyday consumer realities. Tomorrow, she hopes to become a ballerinastronaut.
Anagha Patwardhan tells us how best to build relationships with ethnic minorities in Canada.
The day research stopped feeling like research
By Bianca Vucescu
In both quantitative and qualitative studies, quality is a hot topic. Fraud prevention is a first step in increasing the quality of research, yet how can we know beforehand if a real participant will offer us the insights we are looking for? We keep talking about data health and data cleaning. And while it’s still a mandatory practice, what if we didn’t have to dedicate any time and energy on this? What if participants would continuously provide high-quality data in research studies? What if we could attract and engage consumers for the long term?
I hear a lot about so-called ’professional participants‘, those who aim to qualify for as many surveys as possible, are driven by extrinsic motivation and give the ’correct‘ answers rather than to provide honest feedback. This affects our industry but also our clients, who take decisions based on this ‘dishonest’ feedback. But then again, aren’t we the ones who reap this behavior based on what we sowed? Aren’t we the ones who offer points, vouchers or other monetary rewards and as such encourage the ‘professional participant’? I am not saying that (monetary) incentives cannot be a part of ‘sustainable’ research, but we should strongly consider what else is valuable to people. It’s not always about money; who can put a price on experience, knowledge, entertainment, involvement or impact?
Our world is becoming increasingly fast and snappy and when conducting research, brands need to align with this reality. We cannot longer conduct endless surveys and expect people to pay attention, when we all know that the attention span is decreasing, especially amongst the younger generation. Looking at the social media landscape, we see that visual apps (like Instagram, Snapchat) have the most rapid usage growth. Isn’t that a clear indication that surveys have to follow the same path? We have to realize that what is considered as boring in ’real life’ will also be perceived as boring in research studies. Let’s not forget about how we can use technology to improve research results, get better insights and shorten the length of surveys. Neuro-marketing tools for research like facial coding, passive meters, implicit measurements, virtual reality, gamification tools can be integrated in research to achieve better and richer insights without overwhelming participants with explicit questions.
What if brands had a dedicated network, built and managed differently than today’s panels, which they could access for research as often as needed?
That’s exactly what a ’Sustainable Consumer Connection’ is: a network of relevant people who are intrinsically motivated to interact and express opinions about specific topics or brands.
The way we sample influences the human experience, so one goal while moving forward is to do so based on the people’s interests. If I feel strongly about a topic or product, I will be more likely to participate, pay more attention during the research and give my honest opinion. This will result in quality insights for the researcher. Research studies should be a positive brand touch point experience for participants. There is nothing worse than asking someone for a drink and while they are waiting to send them a message saying ’Thank you for your interest, but I would rather have a drink with someone else; so no more screen-outs and quota-fulls. Technically, one could argue that studying intrinsically motivated people does not generate random samples. That’s correct, but at least their responses are valid internally and reflect reality. In all honesty, most of the research we conduct is not as representative as we think.
Looking at the young generation, our future participants, they want to be involved more than ever, make an impact and be treated like the intelligent humans that they are. They don’t want to participate in surveys which contain questions that sometimes seem pointless to them. We encourage them to participate in research in order to shape the future of brands and products but they rarely actually know what the impact is of their contribution. Youngsters are curious and we need to feed that curiosity. So why not share with them how their input effectively impacted the future? Isn’t that an incentive which will motivate them to participate in future research?
To sum up, market research should no longer feel like market research! It should be an experience that everyone would like to take part in because it is fun and interactive, they learn something new and can help with the creation of new products.
Future research has to be in line with the traits we see in the future generation: use top-of-the-line technology and be short, snappy, visual, entertaining, relevant to the consumer. This will lead to a win-win situation, where a research activity is not only engaging but also results in fresher and more powerful insights for us researchers.
Rather than trying to keep up with the present, market research should be ahead of times. We need to accept that the old way of gathering sample is not sustainable, so let’s put the consumer at the heart of our business, empowering them and giving them the level of importance that they deserve.
Bianca Vucescu is Senior Media Buyer at InSites Consulting and one of the participants in ESOMAR’s Corporate Youth Programme.
Danielle Todd reflects on the key leanings from ESOMAR UK’s recent ‘Best of’ evening about storytelling.