• Home
  • Search
  • FAQs
  • RW Connect
  • Shopping cart
  • Sharing options
  • ESOMAR Directory
  • Search

Stay updated

Subscribe to our newsletter
Back

EU/US Safe Harbor Torn Down: What does it mean for market research?

08 October 2015

Last year, I wrote a piece in GreenBook warning that a Digital First World War was looming between the United States and the European Union, driven in large part by frictions over how to regulate and enforce data protection and privacy. These were coming to a boil with declarations by the sitting Commissioner Viviane Reding threatening to cancel the EU/US Safe Harbor scheme if the United States did not offer equivalent judicial channels to Europeans as they did their own citizens.

With 4472 US companies depending on EU/US Safe Harbor to legally transfer data between these data market giants, such a move would have massive ripple effects on data supply chains.

Since writing the aforementioned article, good progress had reportedly been made by the European Commission and its US equivalents on finding a political solution to the concerns raised by the European side. Both sides were said to be down to two points in a list of demands that Europe wanted to see resolved before they renewed their agreement to a continued EU/US Safe Harbor regime.

What brought this on?

But that was without counting on the European Court of Justice, which on 7 October 2015 invalidated the EU/US Safe Harbour agreement in a spectacular fashion following a query from a lower Irish court.

It’s important to recall the specifics of the case, that a private European citizen did not feel empowered to block the transfer of their personal data whilst using popular social media platforms like Facebook.It’s been a recurring theme within the data protection debate that regulators and the general public alike feel insecure in the face of industries that hold vast amounts of power, and seem to do little in the way of self-regulating.

Whilst not entirely unexpected, the move has left little political manoeuvring for the European Commission and has put a new spin on the power tussle between EU and national governments over who should drive the data protection agenda in Europe.

The judicial court systems in both the US and the EU have been consistent in enforcing the extension of their powers beyond their borders and this move is the latest confirmation that increasingly companies, and by consequence market, opinion, and social research companies need to take into account a complicated web of legal obligations stemming from multiple jurisdictions but applying to single datasets.

Is it time to panic?

No! The worst thing any market, opinion, or social researcher can do at this stage is to panic. The decision to cancel the EU/US Safe Harbour programme will have varying levels of impact on each company and it’s important for agencies and clients alike to tread carefully and not make any rash decisions resulting from this ruling.Companies that have supported the industry by adopting the ICC/ESOMAR Code or many of the national equivalents have found that support rewarded as the Code’s basic principles have preempted many of the compliance requirements now being enforced by authorities and indeed the Court.

 Our commitment to participant-centric approach to conducting research projects is and will continue to pay dividends in the eye of the public and regulators alike.

 As the European Commission itself has announced in reaction to the Court ruling, whilst the EU/US Safe Harbour no longer consists a legal ground for processing and transferring personal data between Europe and the United States, there are still other grounds for processing which need to be privileged moving forward. Those include:

  • Standard Model Clauses which the EU provides for companies to use,
  • Binding Corporate Rules which enable data transfer within a corporate group,
  • (And most importantly) informed consent.

National data protection authorities empowered by the Court as central lynchpins of the European data protection enforcement framework have been quick to underline that they will be looking to offer a coherent and consistent application of the decision and would give companies sufficient time to analyse and implement appropriate remedies before moving to enforcement.

What must I do now?

We anticipate for most agencies working by the norms of the ICC/ESOMAR Code, the impact of no EU/US Safe Harbour on research projects will actually be minimal especially if the data is collected and transferred with the informed consent of the research participant (who has been informed of the purpose of the research project and has been assured that the responses will not be used for purposes other than research).

Nonetheless, we highly recommend that market, opinion, and social researchers, agencies, and clients make sure they consult with a specialist lawyer (should one not exist in-house), in order to evaluate the exposure to this ruling and if necessary fall back on one of the other mechanisms to enable legal data transfers.

This will particularly be the case for clients who may have secured a data set as a result of the performance of a contract but have possibly failed to gain informed consent for its further use for research purposes.

What about when I pass data to another company?

Some of the 4472 certified companies used EU/US Safe Harbour as their only mechanism for passing data between the EU and the US. It’s important for market, opinion, and social research agencies and clients alike to examine their existing US-based “data” partners to make sure that they have fallen back to one of the alternatives proposed by the European Commission.

As has been reported in the press, cloud providers warrant particularly close scrutiny, as they will often be passing data between continents as part of the service provision.

Social media and apps may be another source of issues if the supplier hasn’t foreseen this eventuality. Progressively and swiftly shifting to one of the alternative methods is crucial.

Want to know more?

We are moving swiftly in close partnership with national associations to put together further guidance. We aim to deliver a special webinar next Friday 16th October 2015 at 18h00 CEST / 12pm US EST/ 9am US Pacific to provide a more detailed briefing on these developments and answer any questions that the market research community may be posing itself in light of developments.

More details will appear soon on the ESOMAR website so watch this space!

Related links:

You can find more information and seek guidance from ESOMAR’s Professional Standards and Government Affairs Team by contacting professional.standards@esomar.org if implementing the suggestions of the European Commission prove too difficult to understand.

Below are related links that will be useful to study.

Standard model clauses:

http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm

Standard model clauses work to enable data transfers from the EU to another country, which hasn’t been declared adequate by the EU.

Binding corporate rules:

http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/index_en.htm

These can be used inside a company to allow data transfers to all business units within a single corporate group.

 

Kim Smouter
Government Affairs Manager
ESOMAR