
Is A Digital World War Looming? Would We Survive It?



Editor’s Note: Regardless of your position on digital privacy laws, the reality is that many legislative bodies are enacting laws that are often complex, contradictory, and inconsistent. This is new territory for us all, and as an industry that is based on handling consumer data it is very easy for insights pros to get caught in the morass of these disparate regulations. Our trade organizations, most notably ESOMAR and the Global Research Business Network (comprised of most of the national trade orgs around the world), are attempting to help MR firms navigate the minefields of the rapidly changing digital privacy landscape.

Today’s guest post by Kim Smouter of ESOMAR is an example of the type of leadership and assistance they can provide to researchers who may be (and rightfully so!) confused by the various laws we need to comply with in different areas of the world. We’re very pleased to post it here on GBB and hope you find it helpful and interesting.


By Kim Smouter

For centuries, European and US historical paths have been inextricably linked. In war and in peace, Europeans and Americans have found many reasons to trade, talk, and even wage war together as allies in a tireless effort to impose a shared worldview built on the principles of democracy and self-determination.

Behind the clichéd stereotypes lie mutual admiration and a fascination with each other’s histories and achievements. Few societies in this world are quite so intertwined.

Yet the whole topic of personal privacy seems to be a case where the bonds of brotherly love are increasingly giving way to mutual suspicion, jealousy, and a desire to impose a world view designed and defined by “one camp.”

The situation is not only driven by economic concerns but also by real fundamental values resulting from differences in historical, cultural, and social experiences. One does not need to look very far to see how visible the cracks of discord are when Europe responded to the revelations of the US spying on its allies by calling for immediate changes to the EU/US Safe Harbour framework in place since 2000.

The ripple effects of the loss of the EU/US Safe Harbour framework should not be under-estimated. The framework was put in place to enable transfers of data between the EU and the US. It was an important legal fix as EU data protection law makes data transfers outside of Europe only possible with countries offering the equivalent levels of protection (adequacy), or through complex company contractual structures which most small and medium enterprises find difficult to implement.

The US has adopted a very different data protection approach compared to the EU’s own global coverage approach. The US has elected to respond only to sectors where there are specific concerns, using primarily consumer and unfair commercial practice law as the legal basis for action, with the Federal Trade Commission (FTC) as the enforcement body. The US’ sector-specific approach to privacy and data protection is considered inadequate in light of the EU’s own global coverage approach. It is only through the EU/US Safe Harbour scheme that data has been able to flow freely between the two markets. The scheme offers a voluntary self-certification model whereby US companies commit to providing certain levels of redress that comply with the requirements of EU law. Without the Safe Harbour, most cloud services, and any projects involving the transfer of data out of the EU into the US, would be unable to operate legally.

The Snowden revelations woke Europe to the fact that its citizens benefited from lower levels of protection (and particularly levels of redress in the event of abuse from either public authorities or companies) on US soil. Additionally, it was also clear that the EU/US Safe Harbour had been laxly enforced in recent years.

So when Europe’s leading officials on data protection called for the strengthening of the EU/US Safe Harbour scheme or its suspension, leading companies on both sides of the ocean were deeply concerned. These calls emanated from numerous places, from the European Commission [the closest thing Europe has to a federal government], from the European Parliament [its Congress], as well as the European equivalent to the FTC – the Article 29 Working Party.

The EU followed up by presenting a shopping list of recommendations to its US “partners” who expected the issue would be resolved by this summer. These recommendations included requirements that (1) privacy policies be disseminated to the public at large and (2) US regulatory authorities step up their non-compliance enforcement and beef up the redress options offered to EU residents whose data is being sent to the US for processing.

The FTC’s first response was to step up enforcement action, taking 12 companies to task because they had failed to renew their EU/US Safe Harbour certificates and were falsely claiming compliance. The certificates have to be renewed every year. The companies have been hit with 20-year orders against them or face additional civil penalties if they fail to meet the requirements of the order to not misrepresent their compliance with schemes like the EU/US Safe Harbour.

At a recent meeting of ESOMAR’s Legal Affairs Committee, companies present at the table were asked whether the loss of the EU/US Safe Harbour scheme would impact their business. Every company around the table agreed on how important the EU/US Safe Harbour is to enable market, social, and opinion research to be conducted effectively across all our operating bases. This is especially important to small and mid-sized companies, who stand to lose the simplified processes that the EU/US Safe Harbour affords them, which save them from having to make major investments in legal support to draft and implement the other burdensome schemes available under EU law.

Whether the FTC’s recent enforcement actions will appease Europe enough remains to be seen, but it is clearly the latest in a series of tit-for-tat actions that highlight the differences in approach and attitude towards privacy and data protection on the two sides of the Atlantic. There is not much market research can do about this, but there are some concrete steps that research companies and the associations tasked with representing them are taking and should be taking.

Market, social, and opinion research companies must be careful to ensure that when transferring data between the EU and the US, they do take the time to self-certify through the EU/US Safe Harbour and to renew their certifications every year. Ensuring that a company’s entire supply chain is EU/US Safe Harbour compliant is also extremely important (this can be guaranteed through contracts and periodic audits). Offering comprehensive redress in the face of respondent complaints or requests to remove their personal data is also an extremely important requirement for self-certified companies. Losing your EU/US Safe Harbour coverage would mean that the data transfer is illegal and could mean facing legal actions both in the EU and in the US.

ESOMAR and partner national associations on both sides of the ocean are also working hard to remind legislators of the importance of getting the EU/US Safe Harbour right and not escalating the situation into a full digital world war where we would all lose. Don’t hesitate to let us know how your companies would be affected by the loss of such a scheme so that we can reinforce our messaging to decision makers.

The key decisions that societies make, both in the private and public sector, are increasingly driven by data, both big and small. The free-flow of information is critical, not just for us as market, social, and opinion researchers but for the whole of society. By working together, we can ensure that the smoke over EU/US Safe Harbour does not turn into a real fire.


Kim Smouter is Government Affairs Manager at ESOMAR. For more information on legislative developments in your region visit


3 responses to “Is A Digital World War Looming? Would We Survive It?”

  1. Hi Kim, changes in data laws and citizen preferences are indeed a major issue. However, I am not sure that we can start the discussion from a Europe good, USA bad position, or indeed that the discussion is even primarily about Europe/USA.

    Europe is worried about its interpretation of data privacy being different from the US (BTW, I find little difference in the views of European citizens and US citizens)

    But, the US is concerned about the lack of security exhibited by Governments in many parts of the world, and the way that many countries (including some in Europe) have protected tax evaders is another data issue.

    I do not think it surprised anybody that USA spied on Europeans, Australians spy on Indonesia, and the UK probably spies on everybody. However, when it is uncovered people need to protest.

    Any discussion of this topic cannot focus on just USA/Europe, it needs to consider all of those countries who censor or control the flow of information. Ideally, from an objective point of view. China blocking the transfer of data is often seen in Europe as a bad thing, the EU blocking transfers is often seen as a good thing?

    There is also a big issue about the potential economic damage that a country could cause to itself by being out of step with the rest of the world. If Germany, for example, were to tighten its rules so that most cloud-based companies could not work there, it would make very little difference to Amazon, SalesForce, Google, Facebook etc, but it could cripple the German economy?

    Also, there seems to be a massive gap between what EU law says and what seems to happen. At nearly every conference I go to I see at least one market research presentation showing personally identifiable data without adequate adherence to the law, and often that data has been moved across borders illegally. At one conference the presenter said they had smuggled the data out of China – so is breaking Chinese law OK?

  2. Hi Ray,

    Thanks so much for taking the time to read my musings. I am so thrilled to be able to type about these developments as the world is indeed changing and the legal framework is becoming ever more complex! I can’t pretend to know all the answers to the questions you’re raising but I think they’re absolutely the right ones to be asking about. [And clearly, the data smuggler is certainly something reprehensible in my book!]

    The US has often pushed back on Europe precisely on the point you raise, ineffective enforcement, which is also one of the drivers behind Europe’s attempts to reform its data protection laws. In effect, the US FTC has been much more rapid in reacting to abuses and imposing fines that leave marks on business bottom line in a way that few EU Data Protection Authorities have.

    And, indeed, of course, there are many actors which I haven’t even begun to reference, simply because they are not part of the EU/US Safe Harbour debate directly, but there are growing signs that Asian countries under APEC, African countries under the African Union and several Latin American countries are all developing their views which indeed add additional nuances.

    I think you’re absolutely right that there are a raft of policy concerns that are driving this agenda, not least of which are consumers on both sides who are feeling completely powerless in the face of extensive data collection and use by all sorts of bodies, state-sanctioned or not.

    There are some interesting debates emerging in some of the policy circles which are coining the term digital protectionism, and I think your points about who controls which data flows and who decides whether it’s a bad or a good thing go right to the matter of it. I wonder if this will lead in some distant future to a global body having to promote the free-circulation of data in the same way that we have organisations defending free trade….

    Your final points do raise the importance of all trade associations giving useful reminders about the importance of staying on the right side of the law, not just for the company involved but the entire profession – In the end, these issues are not new ones for market, social, and opinion research but it does seem to indicate that associations and their members have to renew calling for adherence to our codes of conduct, local, and national laws if only for the sake of maintaining trust with respondents who provide us the data in the first place!
