By Kim Smouter
Earlier this month, I had the pleasure of attending the IAPP Global Privacy Summit in Washington. It’s our way of taking stock of what the global mood is like in terms of data protection and privacy. The Summit also helps us prepare our advocacy, monitoring, and guidance activities to best match the expected calendar for the year.
Last year, the mood was definitely leaning towards a greater emphasis on coordinated, global enforcement actions, and it was interesting, therefore, to see whether the mood had changed or not a year on.
1. GDPR – the four-letter acronym on everyone’s mind:
As a European attending a fairly US-dominated conference, it was impressive to see how much the new EU General Data Protection Regulation was exercising everyone’s mind. Nearly half of the sessions covered various aspects of the new legislation. Whether it was in terms of the attitude the enforcers were going to be taking now that they are to receive significantly more enforcement powers [each being capable of wielding fines of up to 4% of annual global turnover or €20 million, whichever is higher!], or indeed how to interpret certain passages of the new law, which, despite being a General Data Protection Regulation (GDPR), clearly targets specific use-cases [the right to Data Portability, which principally takes aim at social media platforms, being one example amongst many].
ESOMAR and EFAMRO have worked very hard to achieve a result for the industry that allows us a wide variety of options depending on the nature of the project and the methodology that will yield the best insights for the research commissioner. There are, however, still a lot of unknowns that could usefully be clarified by the European Commission and the future European Data Protection Board. This is where the bulk of our efforts will lie in the coming months.
2. Je t’aime, moi non plus… the EU/US Divide on Data has grown:
The infamous French phrase meaning “I love you, me neither” very much summed up the mood between the European and American data protection authorities. Will we have a Privacy Shield to replace the ill-fated EU/US Safe Harbour scheme? When will it be operational if we do? There wasn’t much insight coming from the Privacy Summit on these critical issues but the discomfort was plain to see for the entire audience.
I wrote, a year before the EU/US Safe Harbour Scheme was struck down, that there was a serious risk of a Digital War between the two enforcement regimes, and we seem closer to this despite the best efforts of the European Commission and the Department of Commerce to come to some sort of agreement that would allow the transatlantic data flow to continue. The Article 29 Working Party, which brings together all national data protection authorities in the EU, issued a negative opinion of the new Privacy Shield, an opinion which will be hard for the Commission to ignore. What it means is that despite the optimistic calendar of adoption and entry into force in June, it’s more likely than ever that the situation will drag on without a political solution to the problem.
Several data protection authorities have signalled their full intent to investigate and enforce actions on the basis of complaints that data transfers are still taking place between the EU and the US without them being governed by Binding Corporate Rules or Model Contractual Clauses. Now, more than ever, ESOMAR members are urged to review any data flow between their databases stored in the EU and their (or their partners’) databases stored in the US to make sure that these are now covered under the alternative schemes. Additionally, updating privacy policies to make explicit reference to the transfer of data out of the EU into the US is a good practice that should be adopted.
3. Who we get into bed with when it comes to our data partners really matters:
The average cost of a data breach in 2016 was a whopping €3.5m, with the cost per lost record reaching nearly €200.
What struck me most about the Privacy Summit was the increasing challenge that all players (from big consumer brands to small research agencies) face in effectively managing their data chains upstream and downstream. In a world where we sub-contract many tasks to partners, who in turn may sub-contract them even further, the challenge of managing those who handle our data and ensuring consistency and rigour across the chain is difficult.
I attended a very practical session which discussed how to set up contracts in such a way that one’s suppliers knew what was expected of them without it becoming a bureaucratic nightmare. It highlighted the importance of not neglecting the contractual phase but also of making sure that at the contractual phase you strike the right balance. Many of the companies referenced the critical need to have all contracts reviewed by the Data Protection Officer so that they could maintain an overview of the data flows, but also ensure that no data-related risks would result from signing the contract.
No organisation can claim 100% perfection, whether you’re a small boutique firm or a big multinational giant. We all have limited resources to monitor and keep track of all the data flows, to review every contract that every team signs, and it’s only going to get worse as time goes on. That’s why it’s more important than ever to make sure, ahead of the increasing enforcement of joint liability in the event of a data breach, that you don’t unnecessarily expose yourself to risks by being with the wrong partners in the first place!
4. Latin America is going to be an interesting continent to watch in the future
The Privacy Summit welcomed for the first time a session of Latin American Data Protection Authorities delivered in Spanish. It welcomed some fresh Data Protection Commissioners as well as some more veteran ones, covering Mexico, Argentina, Peru, and Uruguay. The session was good-natured but also highlighted the specific challenges faced by the Latin American continent.
One of the aspects that repeatedly came back was the extent to which the Data Protection Authorities had the capacity to truly enforce the data protection legislation. Unlike the European and American approaches, it was clear that in Latin America the Data Protection Authorities often didn’t have the resources and therefore needed to be far more creative in how they enforced – with many of them choosing a far more pragmatic consultative role rather than full enforcement.
Many Latin American countries have also adopted a European legislative model, going for a broad overarching data protection law rather than the US sector-based model. During the session, it was clear that there was no intention from any of the countries to move away from it and, if anything, the GDPR would likely accelerate the plugging of legislative gaps on companies, or reforms to match the new framework set in Europe.
5. More than ever, the ICC/ESOMAR Code and its associated guidelines and resources are powerful tools to help chart a safe path forward
The ICC/ESOMAR Code and the associated guidelines and resources that help interpret the Code in specific contexts remain, to me, a hugely helpful resource for the industry. As the mood towards data protection and privacy continues to move towards a low level of tolerance for data breaches, and in particular for perceived data negligence, being able to use and apply the guidelines and the Code to research projects only serves to elevate their standard and to avoid pitfalls that could easily be picked up on by a Data Protection Authority set on fining you.
Whether it is the guideline on interviewing children, or the data protection checklist which helps you set up projects, or the recently released ESOMAR/GRBN Online Research Guideline, all of these and the many others I haven’t mentioned remain in my view a must-have and a must-use for the modern researcher. The principles that are contained within them and the working ethos that they instil will not only ensure quality research is undertaken, but also ensure that the company and the partners that abide by them are ahead of the curve when it comes to future compliance requirements being prepared in Summits like the one I attended.
2015 was a year of anticipation, 2016 is the year of clarification
In 2015, everyone was waiting in anticipation of Europe’s Data Protection Regulation – would they adopt it by the year-end? Would it be research friendly or not? Now that the Regulation has been adopted and the lobbying dies down, 2016 is clearly set as the year of clarification. Regulators are looking at the new requirements and will, in the coming months and through 2017, pave the way for the new global regulatory order. It is by no means a small feat, and by no means is the project anywhere near being completed – but we’re much further on in the journey and so far, no one has given in to the temptation to restrict research further than it already is! It’s up to us to make sure that we are worthy of that vote of confidence.
Kim Smouter is Government Affairs Manager at ESOMAR, #esoGOV #esomar