Market Research and Regulatory Developments in Europe
This post is the second installment of the Change is the Only Constant series. Read part 1 here.
Since before its implementation in 2018, privacy experts have focused a great deal of attention on Europe’s General Data Protection Regulation (GDPR). This has been especially true in the market research industry; for those of us involved in ex-US research, many studies likely include EU markets, with countries outside Europe represented more intermittently. Indeed, perhaps due to the level of integration between European and American companies, GDPR turned the spotlight on privacy protection and compliance at many US companies for the first time, though the privacy laws of other countries, like Australia, Morocco, Senegal, and Uruguay, predate it.
As a reminder, this post is not exhaustive and is not intended as a guide to GDPR compliance. Additionally, future court decisions and guidance from regulators will continue to shape the privacy landscape and are likely to degrade the accuracy of this post over time. Remember, also, that I am a lawyer, but I’m not your lawyer. The information provided in this post does not, and is not intended to, constitute legal advice; it is presented for general informational purposes only.
Schrems and US Adequacy
GDPR was not the first European privacy and data protection law (it was preceded by the Council of Europe's Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data and by the 1995 Data Protection Directive), though it is the most comprehensive. Under the Directive, the US-EU Safe Harbor Framework, which allowed EU-to-US data transfers, had been in place since 2000, when the European Commission issued its initial adequacy decision for the US.
Adequacy decisions attest, in essence, that the laws of a non-EU country satisfy the European Essential Guarantees: (A) data processing is based on clear, precise, accessible rules; (B) necessity and proportionality are demonstrated relative to the legitimate objectives of the processing; (C) independent oversight exists; and (D) effective remedies are available to individuals. In short, an adequacy decision is a finding that a non-EU country provides EU-equivalent data protection, and it allows data transfers from the EU to that country without further safeguards. These decisions have been adopted for relatively few countries, with half being European but non-EU jurisdictions (Andorra, Faroe Islands, Guernsey, Isle of Man, Jersey, Switzerland, and the UK) and half being non-European countries (Argentina, Canada, Israel, Japan, New Zealand, South Korea, and Uruguay).
In a case decided in 2015, Maximilian Schrems, a lawyer (then a law student) and privacy activist, challenged the European Commission's adequacy decision for the US-EU Safe Harbor Framework. Relying on the Snowden leaks, which exposed the National Security Agency's data collection practices, Schrems argued that because US intelligence agencies were exempt from the safe harbor framework and could access Facebook data stored on US servers, including data transferred from Europe, US law did not provide personal data protections equivalent to those in Europe, despite the framework. The Court of Justice of the European Union (CJEU) agreed and ruled that the adequacy decision for the safe harbor framework was invalid. This case became known as Schrems I.
So, as privacy and data protection reform negotiations were coming to a head in Europe, the US Department of Commerce and the European Commission began renegotiating the terms of the safe harbor framework, during which time American companies relied on Standard Contractual Clauses to authorize EU-to-US data transfers. In 2016, these negotiations came to fruition roughly concurrently, with the reform negotiations yielding GDPR and the safe harbor renegotiations resulting in the EU-US Privacy Shield, paired with a new adequacy decision for the US.
In a challenge that reached the CJEU shortly after GDPR took effect in 2018, Schrems, who by then had founded the privacy non-profit NOYB (None Of Your Business), contested the effectiveness of the Standard Contractual Clauses and the validity of the EU-US Privacy Shield, essentially arguing that the problems identified in Schrems I persisted despite that ruling. The CJEU agreed, and in 2020 ruled that the EU-US Privacy Shield did not provide data protection safeguards equivalent to GDPR, invalidating it (and the US adequacy decision) on the grounds that US authorities' access to EU data was not restricted by necessity and proportionality and that the ombudsperson mechanism did not provide a sufficient guarantee of independent oversight or effective remedies. The court found that the Standard Contractual Clauses remained valid in principle, but that data exporters must verify, case by case, that the law of the destination country allows the clauses to be honored in practice and must add supplementary measures where it does not. This case became known as Schrems II.
In the aftermath of Schrems II, the US Department of Commerce began reworking the EU-US Privacy Shield, with the goal of finally designing a framework that could withstand activist legal challenges and judicial review. Until then, the Privacy Shield program continues to exist and many companies in the insights community continue to self-certify annually, though for the moment it is a program without a purpose. The Biden administration proposed an evolution of the EU-US Privacy Shield, known as the EU-US Data Privacy Framework, in late 2022, notable in that it addresses the core issue of Schrems I and II (it requires data gathering by US intelligence agencies to reflect the principles of necessity and proportionality). That progress may still stall, however; the European Commission released a draft adequacy decision for the revised program in December 2022 but the European Data Protection Board and European Parliament remain skeptical.
Thus far, the CJEU has remained fairly neutral, issuing decisions that provide technical findings and don’t dramatically change the way GDPR is interpreted. But national courts are increasingly referring questions to the CJEU that appear aimed at allowing rights under GDPR to be limited to some degree. Only time will tell, of course, and as a practical matter, it is unlikely that the legal instrument that has allowed European regulators to levy nearly $3.2 billion in fines will be significantly defanged. On the other hand, newfound UK-EU competition may spur efforts to decrease the compliance burden associated with data protection and privacy regulation. Stay tuned.
Revised Standard Contractual Clauses
Until a new adequacy decision is adopted by the European Commission, American companies must rely on the Standard Contractual Clauses (SCCs) to authorize EU-US data transfers. Revised SCCs were released in June 2021; companies have been required to use the revised SCCs for new data transfers since September 2021 and to replace the old SCCs in ongoing data transfers by late December 2022. For the most part, the revised SCCs are not too concerning from the insights industry perspective. However, because most market research involves at least one sub-processor (typically a recruiting partner), clause 9(a), which governs the use of sub-processors, is worth a closer look.
Clause 9(a) offers the following options, one of which must be chosen and subsequently adhered to:
OPTION 1: SPECIFIC PRIOR AUTHORISATION The data importer shall not sub-contract any of its processing activities performed on behalf of the data exporter under these Clauses to a sub-processor without the data exporter’s prior specific written authorisation. The data importer shall submit the request for specific authorisation at least [Specify time period] prior to the engagement of the sub-processor, together with the information necessary to enable the data exporter to decide on the authorisation. The list of sub-processors already authorised by the data exporter can be found in Annex III. The Parties shall keep Annex III up to date.
OPTION 2: GENERAL WRITTEN AUTHORISATION The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least [Specify time period] in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
Though the idea of clients approving individual subcontractor choices may not have been particularly well received by many of us, the real concern with this clause is the time period that must be specified in either option. Often, clients send SCCs for review with their preferred options already selected and only the annexes clearly marked as requiring input. Some clients, particularly larger companies, may have a legitimate institutional interest in standardizing these terms to the maximum extent possible, with legal departments making those standardization decisions with an eye to their highest-risk vendors, a group that will very rarely include market research providers. As a result, you may see SCCs that require 30 or 45 days' notice before a new sub-processor can be engaged, which could be severely inhibiting if that client also needs a nimble research partner or has fast-evolving research needs. Needless to say, long notice periods are highly unfavorable for market research providers and should be negotiated down wherever possible.
About the Author:
Benjamin de Seingalt, Esq.
Benjamin de Seingalt, Esq. is the Director of Compliance with MarketVision Research