Two steps forward, one step back

Global data protection developments get trickier than ever

By Kim Smouter

Sometimes you have to wait, and sometimes you have to take action

2016 was always set to be an exciting year for data protection. With the conclusion of the negotiations on the General Data Protection Regulation last December and the European Court of Justice’s ultimatum to the EU and the US to sort out the Safe Harbour programme, the workload was also going to be high for those of us guiding market research’s compliance to data protection legislation.

Enter into the fray the decision of the United Kingdom to “brexit” and you have all the ingredients for a real compliance nightmare. One thing is clear, each and every market research operator needs to weigh carefully when to intervene on business operations and when it is rather wiser to take action immediately in order to stay ahead of the curve or ahead of the enforcement actions.

ESOMAR is looking at how we keep the Code fit for purpose in this context, but I wanted to share my thoughts on two developments – one where we think action is needed, and another where we think you should wait and see to make sure your processes also remain fit for purpose too.

Privacy Shield – the time for waiting is over

The EU and US data transfer framework continues to be significantly disrupted by the ruling of the European Court of Justice rendering the Safe Harbour Programme null and void. The Court ruled that the data transfer framework did not provide sufficient levels of protection as required by the 1995 EU Data Protection Directive. It afforded policy-makers a transition period of a few months to sort the framework out leading the Privacy Shield proposal which is currently battling to see the light of day.

A revised Privacy Shield proposal is expected in the coming months following unanimous critiques from European national data protection authorities who questioned whether it met the test set by the European Court of Justice. Privacy advocates will likely immediately challenge the Privacy Shield once its adopted meaning that this alternative solution will take significant time to come online, and may even then meet the same result as the Safe Harbour.

This decision has tremendous impact on any market research organization that transfers data to US-based entities and it includes popular tools we use every day like Dropbox or indeed common use cases like a transfer to colleagues based in the United States. With the exception of Binding Corporate Rules and Model Contractual Clauses, transfers to the United States from Europe are therefore not allowed and violate both existing and future EU data protection law.

ESOMAR, EFAMRO, MRA, and CASRO worked together in order to deliver some consistent guidance through a number of joint webinars earlier this year advising that members should essentially:

  1. Conduct an audit to determine what if any data was transferring from Europe to the United States,
  2. Update privacy policies to make explicit these data transfers to the United States,
  3. Adopt binding corporate rules with your US-based entities, or adopt model contractual clauses with your third-party partners
  4. Explore switching providers to providers based in the EU, there are many articles online to help you along the way like this one:

Following a meeting of our Legal Affairs Committee, ESOMAR is upgrading this advice underlining that the time for waiting is over and that market research organisations that continue to operate without having followed the guidance expose themselves to significant compliance risk.

Indeed, German Data Protection Authorities have begun enforcing the decision of the European Court of Justice and have targeted three companies for illegal data transfers to the US and they can face fines of several hundred thousand euros as a result per violation.

Brexit – should I wait or should I go?

On the other spectrum, the imminent(?) departure of the United Kingdom from the European Union is inevitably exercising the C-Suite. Do we maintain investments into the United Kingdom, do we need to up stakes and move to another “safer” EU country? What about data protection, are we still going to be to be able to transfer data between the 27 EU member States and the United Kingdom? Unfortunately, a lot of these questions are probably premature.

The United Kingdom is set to enter a long and protected process of negotiations and only during its outcome will we be able to advise what are the next steps. This could last several years and during those years the United Kingdom remains a full member of the European Union with all the benefits and obligations that this entails. Accordingly, from a market research perspective, whilst the time for contingency plans may be dawning in the event your headquarters needs to move from London to one of the other capitals, there isn’t a need to implement them just yet.

From a data protection perspective, as well, it means that the United Kingdom will for the coming few years have the same data protection legal framework as the rest of the European Union. There is nothing that will change from an implementation for the next two years, so there is no need to rush any decision until the UK formally notifies its desire to leave the EU and the negotiations begin. We will then track, alongside our partners at EFAMRO, the impact this may have for market researchers operating from and to the UK.

What might happen, once the United Kingdom withdraws, is that the United Kingdom will need to apply for an adequacy decision which shouldn’t necessarily be complicated. Also, it’s important to note that changes to the way transfers to non-EU countries may also impact companies who intended their “main establishment” to be based in the UK so that their applicable data protection authority would be the ICO. It is likely that any departure of the UK from the EU would mean that a new “main establishment” would need to be notified, for example, based on your next biggest market in the EU, and accordingly you would fall under the jurisdiction of that market’s data protection authority.

Clearly the UK will have an interest in retaining access to Europe’s attractive data market and will be pressing hard to ensure that there is no undue disruption to data transfers from the continent to the UK, but it certainly should remain a consideration for market research organisations to factor in their planning cycles.

Compliance needs to move up the agenda

One aspect which is becoming clear is that the coming two years need to see data protection compliance go up the agenda for market, opinion, and social research organisations operating in Europe (regardless whether they are based in Europe, and coming from another country and collecting data on Europeans). The EU General Data Protection Regulation will start being enforced in 2018 and requires significant auditing of your business practices to align to it.

Starting the work now will be important. ESOMAR and EFAMRO are working as quickly as possible to develop guidance and support for our members. And if you want to get ahead, you can get a copy of the latest version of the General Data Protection Regulation here:

But also increasingly, the fragmentation of the data protection legislation across the world is going to have operational impact that can no longer be ignored or assumed to “sort itself out.” More than ever, our sector needs to be aware of the risk for example of transferring files between Europe and the US and continuing to do so without a legal basis for it. The Courts are unlikely to take kindly to the argument that it was too difficult to look for alternatives!

So whilst we might be in a world where it feels sometimes we take two steps forward only to be brought one step back, sometimes it’s about making sure you know when to pause, and you know when to move forward. It’s a journey that all our members must undertake and ESOMAR will continue to be there right with you.

Kim Smouter is Head of Public Affairs & Professional Standards at ESOMAR