EU/US Safe Harbour: the 5 steps to the lighthouse for market researchers

By Kim Smouter

Since ESOMAR, CASRO, EFAMRO, and MRA organised our EU/US Safe Harbour webinar last month, the headlines in Brussels and Washington have not stopped commenting on the European Court of Justice ruling and its practical implications for businesses.

For the market, opinion, and social research community, I wrote about the fact that any market research project involving the transfer of data between Europe and the United States was potentially affected by the decision, either directly or indirectly through one’s choice of suppliers.

I commented briefly on the initial feedback on the decision, and my counterpart at the MRA, Howard Feinberg, has usefully posted some further updates on the US reaction that are well worth a read.

Whilst we, as market research associations, initially reported that the EU Data Protection Authorities had provided a transition period lasting to the end of January, it has subsequently become clear that this period only concerns the timing of enforcement action on the court ruling; it is not a get-out-of-jail-free card for companies, and transfers that relied on Safe Harbour are already without a valid legal basis.

This has implications for the timetables for transitioning to the so-called alternative mechanisms. The worst thing you can do is to take no action, so it is important that every MR agency operating between the EU and the US reviews its practices to ensure it does not expose itself to legal and reputational risks.

In this blog post, I want to focus on what I think are the 5 steps the market research community can take today, now that the European Commission, the national data protection authorities, and the US authorities have had a chance to digest the court ruling and issue some guidance designed to reassure business that the world has not collapsed as a result of the EU/US Safe Harbour decision.

Step 1: Conduct an audit of your data transfer flows with a specific focus on cross-border flows

To be able to appreciate how exposed an agency is to the court ruling, the first step has to be an audit of your data transfer flows.

  • Are you passing data to suppliers that are based in the United States (including cloud hosting, panel, analytics, or survey-platform providers)?
  • Are you passing data between business units on the two continents?
  • Under what regime are these transfers taking place, and what data sets are involved (i.e. consent, performance of a contract, or some other legal ground for processing)?

These are the types of questions you will want to be able to answer comfortably, noting that we are not just talking about datasets containing respondent data, but also about datasets containing employee records, business information, etc.

Step 2: Consider the extent to which the data flow can be rerouted

It will take time before a new EU/US Safe Harbour agreement is established. Whilst alternative mechanisms are being recommended by the European regulators, they can face legal challenges similar to those brought against the EU/US Safe Harbour agreement itself, so there is a risk that companies invest both time and money implementing alternative mechanisms that are then struck down by European courts in the coming year.

That is why the second step is to look at the extent to which the data collected on European citizens actually needs to be sent to the United States in the first place, and whether it can instead be stored on European servers until a more legally certain regime is put in place. Data that never leaves the EU does not need a transfer mechanism at all, so to the extent that this is a practicable solution, it is most likely to give you the most legally certain outcome.

Step 3: Update your privacy policies to increase transparency on cross-border data transfers

One of the “valid” alternatives continues to be consent. If respondents, or indeed any individuals you are collecting and processing data from, grant it to you, then you are still able to transfer their data.

However, consent under European law must be unambiguous, informed, and specific. One of the contentious points in the Court ruling was the lack of transparency and legal redress afforded to European Facebook users.

One of the ways in which we can address this, in part, is to update privacy policies to state explicitly that data is being transferred to the United States, for what purpose, and under what conditions. Providing this information is what makes a respondent’s consent informed; the consent itself still has to be obtained, for example at the point of collection, so that you can show that respondents have explicitly consented to and authorised transfers to the US.

Step 4: If all else fails, the alternative mechanisms are going to be necessary

As reported in our webinar, and in my previous guidance, there are two mechanisms foreseen that can be used in the interim. These are needed where neither of the other grounds applies: the transfer is not necessary for the performance of a contract, and it is not covered by consent.

In these instances, one can use standard contractual clauses (also called model clauses) or binding corporate rules. Each has its own advantages and specific uses, and I highly recommend walking through them with legal experts to make sure that they are fit for your use-case.

Standard contractual clauses are sets of clauses approved by the European Commission that must be included, unmodified, in your contracts with your suppliers, and that bind the recipient to the same level of protection as if the processing were conducted under the EU Data Protection Directive regime. These are useful for transfers that take data out of your company to a third party.

For transfers between business units you can use Binding Corporate Rules, which are essentially internal privacy rules that guarantee consistency across your EU and non-EU business units. These need the prior approval of a data protection authority, so they take time to set up.

Our friends at the IAPP have provided a fantastic briefing on the topic that may be useful in navigating the array of alternative mechanisms, should you need to go down this route.

Step 5: Now is a good time to check in with your data protection authority

Each Data Protection Authority in Europe has, predictably, reacted differently to the court ruling: some have taken a more reassuring tone, whilst others have been quick to signal that the alternative mechanisms are just as shaky as the Safe Harbour agreement and that they would not hesitate to enforce bans on data transfers reported to them through citizen complaints.

Since each national data protection authority is able to review and take decisions on a case-by-case basis about whether a transfer from the EU to the US is valid, it is important that they understand your company, what it does, and that your activities are conducted under the global ICC/ESOMAR Code, which often exceeds the legal requirements foreseen by EU law.

This will help reassure the DPA that you are taking your data handling responsibilities seriously, and it should also allow you to anticipate any emerging issues more rapidly.

Market research is well equipped to weather this storm

As we keep seeing, the ICC/ESOMAR Code and its national equivalents have given ESOMAR members and national association members a head start in dealing with some of the emerging cross-border data transfer issues, and continuing to follow the Code provides a great starting point for meeting these emerging legal requirements.

Taking no action won’t solve the issue, but by taking these 5 steps, most market, opinion and social researchers (and their clients!) can continue operating projects in both the EU and the US knowing that they have taken all the steps expected of a responsible business.

And have no fear; we will be sure to keep you posted as the story evolves, and particularly where developments have implications for your day-to-day business activities.

Kim Smouter is Government Affairs Manager at ESOMAR.