On ESOMAR's Influence in Brussels, Pseudonymization and Data Protection in 2018
Kim Smouter is Government Affairs Manager at ESOMAR. In this interview, which marktforschung.de conducted with him in English, he describes ESOMAR's influence on the Privacy Shield agreement and the role the EU General Data Protection Regulation will play. He also reveals where, in his view, the agreement does not go far enough.
marktforschung.de: How relevant was your influence as a representative of an association and the influence of ESOMAR as an association itself in creating the privacy-shield-agreement?
Kim Smouter: The EU-US Privacy Shield Agreement is a highly political dossier that ESOMAR, EFAMRO, the MRA and CASRO have jointly monitored. Because of the political nature of the dossier, it was clear from the onset that we were going to struggle to really influence the direction of travel. Nonetheless, ESOMAR had the pleasure to organize a high-level delegation visit to Brussels where top market research firms were able to talk to senior European Commission officials about their concerns and to urge a swift resolution to the challenge. Such representations are really important to keep the momentum going and to underline the broad sectoral impact that such developments have.
marktforschung.de: How important is it for the market research branch to reposition itself when it comes to data security regarding the privacy-shield agreement?
Kim Smouter: I think the privacy-shield agreement doesn't fundamentally change the game for research; the issue is much bigger than just the research community. However, the fundamental game changer really is the EU Data Protection Regulation and the framework that it will start enforcing in 2018. Within the regulation, it is very clear to see that regulators are highly uncomfortable with the way data-driven marketing and individual targeting have developed, and you see that reflected in the strict requirements that have been put in place. In opposition, the re-use of non-research data for research purposes, and the re-use of research data for non-research purposes have both been deemed legitimate provided certain safeguards are put in place like anonymization and data minimization.
So what we see is that the core principles that have underpinned associations and companies complying with the ICC/ESOMAR Code have been vindicated, but also that the regulators have understood our advocacy efforts to demonstrate that the development of new research techniques requires a more flexible and permissive environment. Whether market research was going to benefit from any of this was a huge question mark, and I think we got the best deal possible in the current political environment. What it does mean is that market research needs to position itself quite firmly as the smart research data sector that uses its historical expertise to curate data with full respect of the law, and derive insights. Maintaining the distinction between research activities and non-research is the key.
I think there are a number of possible stumbling blocks that really have to be carefully considered. The first one is relating to the information we provide research participants about our data collection practice as this has been more strictly defined in the new law. So it's all about what information we provide and how. We need to find ways to simplify, clarify, and make it very accessible.
We're also aware that the new data subject rights are going to be very tricky to implement: how can you cater for a request for erasure from a panelist who now wants all their personal data removed even though they've been on a panel for 5 years? How do you cater for data portability where a respondent is supposed to be able to easily take research data you carefully collected about a respondent? Even just basic business projects, regardless of research ones, are going to find that quite hard to deal with – the regulators didn’t think about limiting these rights to specific circumstances, so it means anything we do that involves the collection of personal data has to factor these new rights into it.
The last aspect I would say is the whole shared liability aspect, so as we as an industry start working increasingly in a partnership model where everyone specializes in one part of the data chain and comes together to provide a comprehensive solution to the client, or if a client commissions partners on the basis of their specialization, the amount of work vetting each partner also increases exponentially and so does the risk if any of the partners somehow fails to meet the requirements set by the future regulation. That too, I think, is going to be a real challenge we need to successfully meet.
marktforschung.de: From ESOMAR's point of view: can you make out a difference on how some of the European countries approach the agreement?
Kim Smouter: We're going to have to see; our understanding is that there were real philosophical differences between European countries, which means that they don’t all see research in the same way. We know that countries like France, Germany, the UK and the Netherlands played an important hand in securing a permissive environment for research. However, when it comes to the new privacy-shield agreement, we've seen that the German and Belgian data protection authorities have been quick off the mark to announce enforcement orders whilst other data protection authorities like the British one have tried to be more reassuring. Others haven’t really indicated a position one way or the other and seem to be relying on the Article 29 Working Party, the European grouping of data protection authorities, to set the tone.
marktforschung.de: In the future ombudsmen are supposed to operate the cases of the new privacy-shield-agreement. How do you personally see their role within that particular context?
Kim Smouter: It was obvious to the European Court of Justice that they will have to investigate any complaints filed under the Agreement and determine whether within the context of the particular complaint received, the requirements of the Directive have not been complied with. So the Court simply reconfirmed what everyone's role was, namely that only the Court can decide whether the new Agreement is valid or not, that on a case-by-case basis the Data Protection Authority must continue to investigate whether the conditions of the Directive for safe transfers have been met, and that it's the European Commission's prerogative to issue decisions about transfers to third countries.
marktforschung.de: From your point of view, what are the main problems when it comes to data pseudonymization?
Kim Smouter: I think the biggest threat with pseudonymization is that we forget that pseudonymization is in fact a moving target. What I mean by that is that pseudonymization is only considered an effective security measure if the methods we use to pseudonymize and protect the data are continuously updated to stand up to the technologies available to re-identify data. And no one will be able to tell you whether you've gone far enough or have done too little. Nonetheless, if it's easy to break the pseudonymized data and re-identify it, then you might be just as exposed as if you had not undertaken pseudonymization. It shouldn't be seen as the end all and be all, but it should certainly be seen as an excellent first step towards a broader set of required actions to make the data secure. I think the industry sometimes over-relies on this and assumes that it's a free-for-all once data is pseudonymized, which isn’t necessarily the case.
marktforschung.de: When looking at the agreement in more detail, are there any aspects which you believe should have been regulated differently?
Kim Smouter: I think the privacy-shield agreement might struggle to stand up against the tough requirements set by the Court. I imagine that the privacy advocates are going to take this one to Court and challenge that nothing's really changed. I think that's something any company thinking about using the new agreement should be aware of. Regarding the Data Protection Regulation, I think it would have been useful to have had more explicit and generalized derogations on data portability and the right to be forgotten as both are really difficult to implement. Also, we would have loved an even more explicit reference to market, opinion and social research being as a rule included in historical, statistical, and scientific research derogations – that would have maximized the legal certainty we sought but we certainly got close.
The interview was conducted by Dorothee Ragg.