Editor’s note: Kim Smouter-Umans is head of public affairs and professional standards at ESOMAR. This is an edited version of a post that originally appeared under the title, “As governments go on break, what should be on your regulatory radar.”
In a lot of countries, the months of July and August are synonymous with so-called government recesses. Similar to schools, governments go on a break and the task of legislation is put on pause as legislators run to find the nearest beaches for some rest and relaxation. That means there’s a significant slowdown in the legislative process in many countries giving us an opportunity to look forward and see what should be on your radar whenever governments do return to the arduous task of legislating. But focusing solely on the now famous EU GDPR would certainly be a mistake for strategic planners of the industry.
ESOMAR’s Legal Affairs Committee earlier this summer to discuss many of these upcoming legislations, top legal advisors and compliance officers of the industry’s largest companies descended in Amsterdam for our quarterly meeting. The conversation focused on the biggest regulatory change to hit the data protection and privacy landscape.
1. California Consumer Right to Privacy Act of 2018
Are you familiar with the new California Consumer Right to Privacy Act? You would be excused for not having noticed it. In record time, the state government of California adopted a new privacy law in order to prevent a more far-reaching citizen bill from being adopted by referendum.
Inspired by GDPR and driven by recent scandals reaching data breaches and misuse of personal data, the law will bring Californian requirements closer to GDPR requirements by 2020. Fines foreseen for non-compliance of this law are up to $7,500 per record lost, and a record can be as minute as an IP address. The law also provides for rights of access for consumers, a right to restrict further use of data especially for commercial purposes and stricter disclosure rules about what the data will be used for.
2. EU ePrivacy law
You might also be forgiven for thinking that the European Union is done and over with inventing new legislation governing how we collect and use personal data in commercial contexts. Nothing could be further from the truth. The European Union is currently negotiating a revision of its ePrivacy rules which govern the confidentiality of communications but is most recognizable by the pop-up walls we often see on Web sites asking us for consent on the placement of cookies.
The new ePrivacy laws will feature exactly the same levels of fine as the EU GDPR (which you may recall is about EUR 20m or 4 percent of annual global turnover, whichever is highest). The ePrivacy rules will require consent for many online services but this consent will need to meet the higher bars set by the GDPR around information, choice and unambiguity. We’re still working to try and achieve broad exemptions covering many of the online passive research use-cases that create little to no privacy impacts. We’ll be reporting a lot of the developments governing this law to our ESOMAR Plus subscribers first before cascading information to the rest of the ESOMAR community as the negotiations evolve. Currently there is hope from Brussels to have this new law done and dusted before the European Commission’s term lapses in 2019.
3. Text and data mining rules
There are a lot of other initiatives on the European legislators’ dockets but another one that is worth calling out is the copyright legislation which has an impact on text and data mined form social media platforms and particularly identifiable verbatims that may actually benefit from copyright protection under EU law. The EU proposals to date would do little to remove the legal uncertainty currently facing researchers from a copyright perspective. ESOMAR has partnered up with the European Alliance for Research Excellence in order to make the case.
4. Japan and South Korea: Connecting with Europe on data protection and privacy
One of the ambitions of GDPR has always been to get other countries in the world to adopt largely similar legislation in order to enable adequacy decisions that would facilitate the transfer of personal data between markets, provided they offer high levels of protection to the individuals whose data is being collected and used. Those ambitions seem to already be paying dividend for Europe as Japan and South Korea have been working hard to secure adequacy decisions from the European Commission which would enable easier data transfers between some of the largest economies in the world.
In the case of Japan, the objective is to achieve a mutual adequacy finding meaning that Japan is also scrutinizing the EU itself in order to determine whether its legal regime meets the requirements set by Japanese law. So far initial meetings with government officials have been positive leading to expectations that there may be new adequacy findings around the corner. For research organizations working between these two markets, it would mean a much simpler contracting process and a lot less paperwork around it.
5. An unexpected visitor: GDPR’s processor vs. controller quandary
ESOMAR is working in close collaboration with EFAMRO and ephMRA following some unexpected developments initiated by expected ICO guidance governing how to attribute the data process and data controller roles, which did not sufficiently reflect the reality on the ground for market research organizations and their partnership with client organizations. Following representations made by our U.K. counterparts, the case is being brought to the European Data Protection Board for consideration at a European level.
This issue may have massive ramifications on disclosure requirements of clients at the start of the research process. In certain circumstances, disclosing the name of the client could introduce significant bias to the research project but EU GDPR rules would require their disclosure if they are deemed to be the controllers of the project. Our associations are currently gearing up our representation activities with national authorities in order to achieve the best result from this process and have the least impact on your operations.