Data Quality, Privacy, and Ethics

October 6, 2015

Is Safe Harbor Still Safe?

The European Court of Justice recently invalidated the Safe Harbor progrm. What are the implications for consumer research?

Jason Anderson

by Jason Anderson

Owner at Datagame

0

unsafe data

 

By Jason Anderson

Caveat: I am not a lawyer, and none of this is legal advice. It’s time to wake up your legal team.

For businesses that deal heavily in multi-national data, Safe Harbor offered a cumbersome but effective security blanket. The 15-year-old Safe Harbor agreement established guidelines for the legal transfer of EU consumer data to the United States, circumventing the EU’s much more aggressive security and privacy laws.

Thousands of companies take advantage of the Safe Harbor program, which explains why news of the European Court of Justice invalidating the program spread far and wide. From TechCrunch to Politico to the Wall Street Journal to the National Law Review, it seems that the end of Safe Harbor is a “big deal.”

Why all the fuss?

Bluntly: European law cares greatly about consumer data protection and privacy, while US law couldn’t care less. More broadly, European law has a robust set of rules and definitions governing privacy law, including a directive that only allows the transfer of personal data to countries that provide “an adequate level of protection.”

Safe Harbor was the negotiated program between the US and EU to assure those protections. Without a replacement, technically speaking, the transfer of any consumer data to the US would be against the law. That includes any personally identifiable information (PII) such as email addresses, contact information, or individual demographics – favorite subjects in consumer research.

What’s the risk?

At this particular moment, nothing has changed – the ECJ’s opinion is still only an opinion, and has not become a legal decision. But clearly the scales are leaning away from the current Safe Harbor framework; at a minimum, a “Safe Harbor 2.0” will be required. The greatest risks are (a) Safe Harbor 2.0 being substantially more expensive to implement for compliant businesses, or (b) no Safe Harbor program existing whatsoever.

Why is this happening?

The American ethos about the rights of the individual primarily focus on the relationship between citizens and their government. Laws protect rights to privacy, rights against unreasonable searches and seizures, and rights to free assembly, but in all cases the context for these laws are restricting the abilities of the government.

However, most privacy-related data exchanges take place between businesses and citizens. Yes, the government has its own interests (and violations of trust), but US law does not significantly restrict what Facebook or Google or retailers can do with your data. Once you check that box accepting your 20 page terms of service for your operating system, phone, or website, your rights have typically been transferred to the business that is vacuuming your data.

European perspectives on privacy extend to all spheres of society, including business and commercial interests. This is a fundamentally different point of view, and one that is unlikely to contract to the US definition: once a right has been given, it is not surrendered easily.

What happens next?

The exact outcome is very difficult to predict, so it’s time to begin your scenario planning. Three broad potential outcomes are possible:

  • The final decision on Safe Harbor diverges from the recent court opinion, keeping the existing framework substantially intact. This seems to be the least likely outcome, but would be the least disruptive.
  • The court invalidates Safe Harbor 1.0, and a Safe Harbor 2.0 program is negotiated. A limited window of time may be offered, to allow businesses to update their security and privacy protocols. In this scenario, companies will still be able to piggyback on a negotiated framework but will likely need to make some modifications to process and policy.
  • The court invalidates Safe Harbor, and no replacement is negotiated in a reasonable timeframe. This “worst case scenario” returns the burden of EU-compliant data management to each individual business that operates in both regulatory worlds.

0

consumer researchglobalizationprivacystate of the industry

Disclaimer

The views, opinions, data, and methodologies expressed above are those of the contributor(s) and do not necessarily reflect or represent the official policies, positions, or beliefs of Greenbook.

Comments

Comments are moderated to ensure respect towards the author and to prevent spam or self-promotion. Your comment may be edited, rejected, or approved based on these criteria. By commenting, you accept these terms and take responsibility for your contributions.

More from Jason Anderson

Pokemon Go: Gamification Lessons For Research

Research Technology (ResTech)

Pokemon Go: Gamification Lessons For Research

Pokémon Go has been hugely successful in terms of adoption and engagement. How has Pokémon Go garnered such success so quickly? What can we learn, as ...

Jason Anderson

Jason Anderson

Owner at Datagame

Data Quality, Privacy, and Ethics

The Telephone Consumer Protection Act: We Reap What We Sow

Maybe our own behavior, and the never-ending stream of surveys, has tainted the previously clean karma of the after-work phone survey.

Jason Anderson

Jason Anderson

Owner at Datagame

Of Innovation and Snake Oil

For several years now, the insights industry has been talking about innovation. I struggle to remember what people talked about before.

Jason Anderson

Jason Anderson

Owner at Datagame

Research Methodologies

The State of Gamification in Market Research

Gamification has slowly been gaining traction in the market research space. What is the leading example of successful research gamification?

Jason Anderson

Jason Anderson

Owner at Datagame

ARTICLES

Moving Away from a Narcissistic Market Research Model

Research Methodologies

Moving Away from a Narcissistic Market Research Model

Why are we still measuring brand loyalty? It isn’t something that naturally comes up with consumers, who rarely think about brand first, if at all. Ma...

Devora Rogers

Devora Rogers

Chief Strategy Officer at Alter Agents

The Stepping Stones of Innovation: Navigating Failure and Empathy with Carol Fitzgerald
Natalie Pusch

Natalie Pusch

Senior Content Producer at Greenbook

Sign Up for
Updates

Get what matters, straight to your inbox.
Curated by top Insight Market experts.

67k+ subscribers

Weekly Newsletter

Greenbook Podcast

Webinars

Event Updates

I agree to receive emails with insights-related content from Greenbook. I understand that I can manage my email preferences or unsubscribe at any time and that Greenbook protects my privacy under the General Data Protection Regulation.*