By Finn Raben
Over the weekend the New York Times and Observer newspapers reported that data mining and analysis company Cambridge Analytica, a company that had been employed with considerable success by Donald Trump in the 2016 US presidential campaign, had illegally harvested 50 million Facebook profiles in order to build a powerful software program to predict and influence choices at the ballot box. The Observer reports that data was collected via a digital app on the Facebook platform where hundreds of thousands of users were paid to take a personality test and agreed to have their data collected for academic use. However, the app also collected the information of the test-takers’ Facebook friends.
By Kim Smouter
Season's greetings came early for European data protection wonks
For those of us working to champion the industry in front of regulators and consumer advocates, Christmas came a little early, and our Secret Santa was undoubtedly the European Union. After four long and tiring years of negotiations, the European institutions announced on 15 December 2015 that they had reached a political agreement on the shape and content of the future data protection framework.
The rumours collected by our intelligence network, combining the resources of EFAMRO and ESOMAR, proved well founded. Since the summer, the top-level officials we were meeting in delegations and at conferences had been singing in unison that this legislation would be agreed before the end of the year. Unusually, the political promises were kept.
This is a piece of legislation that has kept the entire industry interested. The European Union's existing data protection framework is amongst the toughest in the world and has inspired regulators across the world to adopt it, both out of commercial necessity and in response to growing citizen interest and concern.
The reform codifies many principles underpinning the ICC/ESOMAR Code
So what was finally agreed and is ESOMAR happy with the outcome?
Our Government Affairs Team has analysed the negotiators' outcome in detail. Whilst neither industry nor privacy advocates secured everything they wanted, ESOMAR is confident that, for companies that abide by and operate to the principles enshrined in the ICC/ESOMAR Code (and others), the outcome is a real affirmation that those companies pinned their hopes on the right horse. There are major changes to prepare for, and we will be organising two webinars to tell you more about them: ESOMAR is hosting an exclusive webinar on 11 January for its members, giving them the opportunity to ask questions. If you are an ESOMAR member, keep an eye on your inbox for the personal invitation. We are also hosting a second industry-wide briefing session with our co-advocacy partner EFAMRO on 19 January 2016; you can already register here.
Ignoring this legislation will cost your company dearly
Let's begin with the bad news: the European General Data Protection Regulation (GDPR) is not a piece of legislation that research companies can afford to ignore. The top-level fines that a data protection authority can levy under the GDPR amount to up to 4% of your annual global turnover for the preceding year. The intention is that, regardless of whether you are Google or a one-person consultancy, violating this law will hurt your business' bottom line.
This amount should come as no surprise to those who have followed me on the awareness-raising trail at ESOMAR events and at major market research meetings such as the Printemps des Etudes and Research and Results. Indeed, the European Parliament had already proposed 5% when it adopted its position a year ago.
Research benefits from preferential treatment in the new law
EFAMRO and ESOMAR have worked tirelessly to ensure that the regulators did not split market, opinion and social research from fundamental research, and these efforts have paid off. European regulators finally adopted a framework for research which, as the new reform outlines, "should be defined as broad as possible." This is a huge achievement for our advocacy teams that shouldn't be underestimated: the European Parliament had seriously entertained creating a split between public-interest research on one side and commercial research on the other. We were able to argue successfully against these efforts.
So the good news is that research conducted within the scope of the ICC/ESOMAR Code will benefit from additional exceptions from the general data protection rules, provided we hold steadfast to the key principles enshrined in all our Codes, such as pseudonymisation and no return path to the research participants. Essentially, if you conduct research whilst respecting the rights of the respondent, Europe has put the necessary enabling framework in place and has even acknowledged the legitimacy of conducting next-generation big data research involving the combination and re-use of data drawn from multiple sources. We'll go into much more detail about this in our upcoming webinars.
European citizens get a whole set of new rights
European citizens get a whole set of new rights that market, opinion and social research agencies and research clients alike will need to cater for: a right to be forgotten, a right to object to profiling activities, a strengthened right to prior notification before data collection, and a right to data portability. European citizens now have – more than ever – a right to know before, during and after you collect their data. These requirements will need to be incorporated into business practices if they are not already.
Another important development concerns profiling, one of the most hotly contested points in the reform. Any profiling that may have a significant or legal effect on an individual has been banned by the reform, and in all cases, including research, European citizens have a right to object. This may create a need to adapt how sampling activities are conducted, as they would likely fall under the broad definition of profiling adopted by the negotiators.
Another aspect worth outlining here is that data breach notification requirements are set to become much tougher. In the event of a data breach, companies are required to report to the authorities within 72 hours of having identified the breach; the authorities will then decide the extent to which public disclosure is required.
Regardless of whether you are based in or outside the EU, this law affects you
One of the major developments that this reform will bring to bear is that the scope of European law is about to get much wider.
All companies collecting European citizens' data, regardless of whether they are based in Europe or outside it, will have to comply with this legislation.
That means that if you are based outside the EU, for example in India or Latin America, and you collect data on French respondents, you will be required to comply with this legislation.
Towards a simpler regime? Some good news for all businesses
The great promise for industry is that whilst the rights of citizens have been strengthened [and so have the fines in case you violate those rights], the data protection regulation also offers some undeniable advantages compared to the 1995 Directive that it replaces.
This legislation is directly enforceable, starting in 2018, in all 28 EU Member States, and the same law will apply in every one of them. One caveat is research, where Member States will be given the choice of whether to offer additional preferential treatment on top of what is foreseen for all. This will be a source of additional work for national associations, EFAMRO and ESOMAR as they try to secure an even more permissive environment for research across all countries.
The new law will do away with the burdensome prior registration requirements with national Data Protection Authorities when processing data. This, in turn, will make it much easier to establish new data-related projects across the Union.
Additionally, a lot of effort has gone into the creation of a so-called One-Stop-Shop: the concept that, for most of your exchanges with data protection authorities, you will only have to deal with a single point of contact. This should make it much easier to develop a constructive relationship with a data protection authority, which in turn should be better able to understand your business model and needs.
Finally, the intention is that, with one law governing the Union and all who operate within it, Europe will have created the level playing field needed to instil trust and confidence in its Digital Single Market.
From Europe, with love…
And so here we have it: the European General Data Protection Regulation (GDPR) is set to become a central part of our businesses' lives within a few years' time. The legislation should come into force sometime in 2018.
What happens next in the process is fairly simple: the finalised text will be put up for vote in the European Union’s Parliament and Council of Ministers. If all goes well, and it is expected to, the law should be voted on and adopted by the second quarter of 2016.
We will then all have a lot of work to do, to adapt our processes to comply with the GDPR by the time it comes into force.
Overall, the advocacy work of EFAMRO and ESOMAR has paid off, and once again the value of our self-regulation has been reaffirmed through the codification of many of the principles that have been part and parcel of the industry for so many years. As one process closes, another begins, and we will be right there alongside you as you start your new compliance journey.
Kim Smouter is Government Affairs Manager at ESOMAR
ESOMAR's Government Affairs team, in partnership with EFAMRO, is organising a series of webinars to give research agencies and clients a full briefing on the changes to prepare for. If in the meantime you have more specific questions, ESOMAR members can contact us at firstname.lastname@example.org, where we would be happy to answer any pressing queries you might have.