By Kim Smouter
The end of 2015 marked the adoption of Europe’s new General Data Protection Regulation, a legislation with massive implications for research organisations collecting and processing data on data subjects located in the European Union. It’s entry into force May 2018 does not leave a lot of time for companies to comply with the law, and there are still many grey areas in the adopted text that need to be clarified. But it may be tempting to focus solely on the General Data Protection Regulation forgetting that there is a whole set of legislation that may have just as much impact.
By Kim Smouter
Earlier this month, I had the pleasure of attending the IAPP Global Privacy Summit in Washington. It’s our way of taking stock of what the global mood is like in terms of data protection and privacy. The Summit also helps us prepare our advocacy, monitoring, and guidance activities to best match the expected calendar for the year.
Last year, the mood was definitely leaning towards a greater emphasis around coordinated, global enforcement actions and it was interesting, therefore, to see whether the mood had changed or not a year further.
1. GDPR – the 4 letter acronym on everyone’s mind:
As a European, attending a fairly US-dominated conference, it was impressive to see how much the new EU General Data Protection Regulation was exercising everyone’s mind. Nearly half of the sessions covered various aspects of the new legislation. Whether it was in terms of the attitude the enforcers were going to be taking now that they are to receive significantly more enforcement powers [each being capable of wielding fines of up to 4% annual global turnover or €20 million, whichever is the highest!], or indeed how to interpret certain passages of the new law, which despite being a General Data Protection Regulation (GDPR) clearly targets specific use-cases [The right to Data Portability, which principally takes aim at social media platforms, being one example amongst many].
ESOMAR and EFAMRO have worked very hard to achieve a result for the industry that allows us a wide variety of options depending on the nature of the project and the methodology that will yield the best insights for the research commissioner. There are, however, still a lot of unknowns that could usefully be clarified by the European Commission and the future European Data Protection Board. This will be where the bulk of our efforts will be in the coming months.
2. Je t’aime, moi non plus… the EU/US Divide on Data has grown:
The infamous French phrase meaning “I love you, me neither” very much summed up the mood between the European and American data protection authorities. Will we have a Privacy Shield to replace the ill-fated EU/US Safe Harbour scheme? When will it be operational if we do? There wasn’t much insight coming from the Privacy Summit on these critical issues but the discomfort was plain to see for the entire audience.
I wrote a year before the EU/US Safe Harbour Scheme was struck down that there was a serious risk of a Digital War between the two enforcement regimes and we seem closer to this despite the best efforts of the European Commission and the Department of Commerce to come to some sort of agreement that would allow the transatlantic data flow to continue. The Article 29 Working Party who bring together all national data protection authorities in the EU issued a negative opinion of the new Privacy Shield, an opinion which will be hard for the Commission to ignore. What it means is that despite the optimistic calendar of adoption and entry into force in June, it’s more likely than ever that the situation will drag on without a political solution to the problem.
Several data protection authorities have signalled their full intent to investigate and enforce actions on the basis of complaints that data transfers are still taking place between the EU and the US without them being governed by Binding Corporate Rules or Model Contractual Clauses. Now, more than ever, ESOMAR members are urged to review any data flow between their databases stored in the EU and their (or their partners’) databases stored in the US to make sure that these are now covered under the alternative schemes. Additionally, updating privacy policies to make explicit reference to the transfer of data out of the EU into the US is a good practice that should be adopted.
3. Who we get into bed when it comes to our data partners really matters:
The average cost of a data breach in 2016 was a whopping €3.5m euros, with the cost of a lost record reaching nearly €200 per record.
What struck me most about the Privacy Summit was the increasing challenge that all players (from big consumer brands to small research agencies) have to effectively manage their data chains up and down the stream. In a world where we sub-contract many tasks to partners, who in turn may sub-contract them even further, the challenge of managing those who handle our data and ensuring consistency and rigour across the chain is difficult.
I attended a very practical session which discussed how to set up contracts in such a way that one’s suppliers knew what was expected of them without it becoming a bureaucratic nightmare. It highlighted the importance of not neglecting the contractual phase but also of making sure that at the contractual phase you strike the right balance. Many of the companies referenced the critical need to have all contracts reviewed by the Data Protection Officer so that they could maintain an overview of the data flows, but also ensure that no data-related risks would result from signing the contract.
No organisation can claim 100% perfection, whether you’re a small boutique firm or a big multinational giant. We all have limited resources to be able to monitor and keep track of all the data flows, to be able to review every contract that every team signs, and it’s only going to get worse as time goes on. That’s why it’s more than ever important to make sure that ahead of the increasing enforcement of joint liability in the event of a data breach, that you don’t unnecessarily expose yourself to risks by being with the wrong partners in the first place!
4. Latin America is going to be an interesting continent to watch in the future
The Privacy Summit welcomed for the first time a session of Latin American Data Protection Authorities delivered in Spanish. It welcomed some fresh Data Protection Commissioners and some more veteran ones as well covering Mexico, Argentina, Peru, and Uruguay. The session was good natured but also highlighted the specific challenges faced by the Latin American continent.
One of the aspects that repeatedly came back was the extent to which the Data Protection Authorities had the capacity to truly enforce the data protection legislation. Unlike the European and American approaches, it was clear that in Latin America the Data Protection Authorities often didn’t have the resources and therefore needed to be far more creative in how they enforced – with many of them choosing a far more pragmatic consultative role rather than a full enforcement.
Many Latin American countries have also adopted a European legislative model, going for a broad overarching data protection law rather than the US sector-based model. During the session, it was clear that there was no intention from any of the countries to move away from it and if anything, the GDPR would likely accelerate the plugging of legislative gaps on companies or reforms to match the new framework set in Europe.
5. More than ever, the ICC/ESOMAR Code, and its associated guidelines and resources are powerful tools to help chart a safe path forward
The ICC/ESOMAR Code and the associated guidelines and resources that help interpret the Code in specific contexts remains to me a hugely helpful resource for the industry. As the mood towards data protection and privacy continues to move towards a low level of tolerance for data breaches and particular perceived data negligence, being able to use and apply the guidelines and the Code to research projects only serves to elevate their standard and to avoid pitfalls that could easily be picked upon by a Data Protection Authority set on fining you.
Whether it is the guideline on interviewing children, or the data protection checklist which helps you set up projects, or the recently released ESOMAR/GRBN Online Research Guideline, all of these and the many others I haven’t mentioned remain in my view a must-have and a must-use for the modern researcher. The principles that are contained within them and the working ethos that they instil will not only ensure quality research is undertaken, but also ensures that the company and the partners that abide by them are also ahead of the curve when it comes to future compliance requirements being prepared in Summits like the one I attended.
2015 was a year of anticipation, 2016 is the year of clarification
In 2015, everyone was waiting in anticipation of Europe’s Data Protection Regulation – would they adopt it by the year-end? Would it be research friendly or not? Now that the Regulation has been adopted and the lobbying dies down, 2016 is clearly set as the year of clarification. Regulators are looking at the new requirements and will in the coming months and through 2017 pave the way for the new global regulatory order. It is by no means a small feat, and by no means is the project anywhere near being completed – but we’re much further onwards in the journey and so far, no one has given in on the temptation to restrict research further than it already is! It’s up to us to make sure that we are worthy of that vote of confidence.
Kim Smouter is Government Affairs Manager at ESOMAR, #esoGOV #esomar
By Kim Smouter
A month after it was announced, the formal Commission decision establishing the EU-US Privacy Shield has been released. The European Commission (EC) and the US Department of Commerce (DoC) are both confident that this new agreement will stand the test of the European courts and will facilitate the continued flow of personal data between the EU and US.
ESOMAR, alongside CASRO, EFAMRO, and the MRA have started looking into more detail about what the agreement will actual mean for you and your company. However, it’s important to remember that the procedure is still ongoing, and that key European stakeholders still need to give their agreement before the Shield can come into force. The ambition is for the EU-US Privacy Shield to come into force by summer 2016.
How will the Privacy Shield work in practice?
The requirements of the Privacy Shield, and how one complies to it, will be very similar to that of the old Safe Harbor agreement. Companies will again have to register themselves on a Privacy Shield List and self-certify they meet the requirements set out. This procedure must be renewed every year. The Department of Commerce will maintain the List and will also be responsible for monitoring and verifying the companies signing up.
If a company ceases to be a member of the Privacy Shield, they should still process any personal data received under Privacy Shield according to the Shield’s principles. The Department of Commerce will monitor the compliance of companies with the Privacy Shield principles on an ongoing basis, including through detailed questionnaires.
The agreement will not be limited to EU citizens, but everyone residing in the European Union will be protected under the Privacy Shield agreement.
How will the Privacy Shield be enforced?
One of the objections against the Safe Harbor agreement that led to its invalidation, was the lack of complaints and enforcement mechanisms that Europeans could use. So one of the major changes in the new agreement is the way complaints will be dealt with.
Where it used to be that the FTC was free to decide whether it would investigate infringements of Safe Harbor, in the Privacy Shield an elaborate complaint mechanism is foreseen. This includes a dispute resolution platform that will be set up where individuals can file a complaint when they feel that their rights have been violated. Companies will then have 45 days to solve the complaint. The exact implementation is not yet known. ESOMAR will monitor and report when more is known about this platform and any impact on business operations for the US.
In addition, the role of the European Data Protection Authorities (DPAs) has been increased. EU citizens can go directly to their country’s DPA to file a complaint. They will work together with US authorities to investigate complaints. The DPAs will also play a role in ensuring that every complaint is investigated, representing a much stricter monitoring and enforcement compared to Safe Harbor.
As a last resort, if a case is not resolved by any of the other means, there will be an enforceable arbitration mechanism. Moreover, companies can commit to comply with advice from European DPAs. This is obligatory for companies handling human resource data.
The FTC already indicated the following four areas where it will focus on for its enforcement actions: referral prioritization; false and deceptive Privacy Shield claims; continuous monitoring; and engagement with European data protection authorities.
Privacy Shield principles
The heart and soul of the Shield is formed by its principles. The text outlines seven different principles that have to be met by the subscribing company. As was to be expected, these principles reflect to a large extent the approach the European Union has taken with regards to privacy and data protection.
The careful reader will recognise that the ICC/ESOMAR Code on Market and Social Research covers the majority of these point. For market, social and opinion researchers abiding to the Code will thus already comply with most of the points outlined below. Our sector is thus in an excellent position to successfully subscribe to the program, without disproportional extra effort.
These principles are:
- Notice, organisations are obliged to provide information to data subjects on a number of key elements relating to the processing of their personal data (e.g. type of data collected, purpose of processing, right of access and choice, conditions for onward transfers and liability). Further safeguards apply, in particular the requirement for organisations to make public their privacy policies.
- Choice, data subjects may object (opt out) if their personal data shall be disclosed to a third party (other than an agent acting on behalf of the organisation) or used for a “materially different” purpose. In case of sensitive data, organisations must in principle obtain the data subject’s affirmative express consent (opt in). Moreover, under the Choice Principle, special rules for direct marketing generally allowing for opting out “at any time” from the use of personal data apply.
- Accountability for onward transfer, any onward transfer of personal data from an organisation to controllers or processors can only take place (i) for limited and specified purposes, (ii) on the basis of a contract (or comparable arrangement within a corporate group) and (iii) only if that contract provides the same level of protection as the one guaranteed by the Privacy Principles.
- Security, organisations creating, maintaining, using or disseminating personal data must take “reasonable and appropriate” security measures, taking into account the risks involved in the processing and the nature of the data.
- Data integrity and purpose limitation, personal data must be limited to what is relevant for the purpose of the processing, reliable for its intended use, accurate, complete and current. An organisation may not process personal data in a way that is incompatible with the purpose for which it was originally collected or subsequently authorised by the data subject.
- Access, data subjects have the right, without need for justification and only against a non-excessive fee, to obtain from an organisation confirmation of whether such organisation is processing personal data related to them and have the data communicated within reasonable time. Where personal information is processed solely for research or statistical purposes, access may be denied. The organisations has to justify its motivations for denying the request.
- Recourse, enforcement, and liability, participating organisations must provide robust mechanisms to ensure compliance with the other Privacy Principles and recourse for EU data subjects whose personal data have been processed in a non-compliant manner, including effective remedies.
There’s also a supplemental set of principles that includes provisions around sensitive data, secondary liability, the role of data protection authorities, human resources data, pharmaceutical and medical products, and publicly available data.
What about BCRs and Model Clauses?
Safe Harbor wasn’t the only means to legally transfer personal data to the United States. There’s always been to possibilities for Binding Corporate Rules and Standard Model Contracts. But when the Court ruled Safe Harbor as insufficient for EU-US data transfers, the European DPAs, organised in the Article 29 Working Party (A29WP), made it clear that they will not just assess any new agreement but also take these two measures into account.
Nevertheless, they do still provide a short and medium term solution especially for entities that want space to reflect, without the risk of being dragged into a Privacy Shield regulatory storm. According to the Commission, the data collected under the Privacy Shield agreement will cover these alternatives.
The next steps
The Commission has now submitted the Privacy Shield to data protection authorities. The A29WP will meet in Brussels in April to agree a common position on the privacy shield. This opinion will not be legally binding, but it will be a very strong indication whether the Privacy Shield meets the legal requirements from the perspective of top data protection experts.
EU Member States also are able to issue a binding opinion, but it is not expected to that they will oppose the agreement that is reached as their main concern appears to be to restore the data flows for the sake of the digital economy as quickly as possible.
Progress therefore will likely be driven by economic considerations which could lead us to expect to see privacy shield in action as soon as late Spring 2016 to early Summer 2016.
Kim Smouter is Government Affairs Manager at ESOMAR, #esoGOV #esomar