In October 2015, the European Court of Justice ruled that 2000’s data protection agreement ‘Safe Harbour’ with the US was no longer valid. This means that American companies can no longer rely on self-certification when transferring data from the EU to the US; instead they must seek to strike ‘model clauses’ in each case to attain permission to transfer data outside of Europe. ExchangeWire asked industry leaders to weigh in.
ExchangeWire invited industry thought leaders to share their opinions on why the digital advertising industry should care about this change.
1. The unknown
I believe that the Safe Harbour suspension will be something to bear in mind for the next few months because even if we know a new deal is on its way to replace it, we don’t really know when, and in which terms, it will be signed (and the terms we know about seem equally strict); so, the other side of the pond keeps looking like a rather unsafe place to store your data. And since we can’t really tell whether this will be a one-off thing, or if it is something that might happen again in some other fashion, I believe this is the time for companies to play it safe and above all consciously.
Companies should never lose touch with their data the way it happened up until now. The big players kept us confident and looked like a viable solution, but other factors (as companies now acknowledge) have to be taken into consideration.
If there is a silver lining to this situation, this should be it: the suspension of Safe Harbour created an opportunity for people to become aware of the trouble of delegating the responsibility of data confidentiality and security to other parties; and we can now become more responsible and proactive about it.
The solution to this problem might encompass various options: from auditing your current provider to looking for new ones that are hosted locally or even in your own infrastructure. I suppose that first-party, on-site solutions will now be regarded as a much more reliable option, since this is the only choice that completely prevents situations like this.
Co-Founder, CEO at ShiftForward
2. International data transfers are fundamental to the digital economy
International data transfers are fundamental to the digital economy where US-based suppliers look to target their services to, amongst others, EU-based customers.
The recent invalidation of the USA’s Safe Harbour regime by the European Court of Justice (under which US companies can self-certify as providing adequate protection for transfers of personal data of EU citizens that they receive) and the uncertain legal framework around transatlantic data directly impact digital business revenue streams.
Transatlantic data sharing will not disappear, but it will become dependent on revised contractual frameworks and updated consumer permissions for processing. In turn, this means that transatlantic advertising deals will become more complicated and harder to fulfil; thus weakening the digital economy and even potentially limiting EU citizens’ access to certain digital services.
Revenue generated from online advertising allows certain digital services to be provided for free to individuals, for example, online newspapers, social networks and email services. Now those deals will be delayed, revised or potentially abandoned while US suppliers decide how their business operations need to be realigned to a post-Safe-Harbour reality. EU-located data centres restricting travel of EU citizens’ data can provide a solution, in part.
However, those deals, like getting new data storing permissions from EU customers, will not happen overnight. In the interim, the very individuals the new EU stance on data transfers is intended to protect are those most likely to see a reduction in the services they can use, temporarily or for good – a contrary consumer outcome?
Head of Data Protection and Privacy at Kemp Little
3. Fewer marketing technology vendor choices for EU operating companies
The latest ruling likely won’t affect Facebook, Google and other tech giants that have the legal and monetary resources to tackle any legislation that the EU throws at them. As with many legal barriers that are put in place, inevitably it will be SMEs that suffer. Smaller brands may find themselves put off by the bureaucracy or unable make changes quick enough to comply. The biggest impact will be fewer US martech companies that offer privacy-by-design that adheres to this new ruling, resulting in a smaller pool of available tech in Europe. For advertisers, this means fewer vendor options to choose from to suit their global business needs. For those who want to continue data-led marketing in Europe, it will be a case of waiting for existing vendors to catch-up, or reintegrating new tech and a potential compromise on services that may be available in the US, but not in the EU. Removing the competitive element that Safe Harbour allowed for will result in a lower quality that comes at a higher cost for advertisers.”
General Manager EMEA, Ensighten
4. Advertisers need to prepare for change
With the EU privacy regulator set to update or replace the Safe Harbour ruling this year, it’s now more important than ever for digital marketers to take notice of what the ruling means for them. Today, digital marketers work with a huge number of third-party affiliates and partners, but there is very little understanding on where data is collected and stored by these companies. In the past, many service providers have not been forthcoming in explaining their server locations to customers, which could leave plenty of digital marketers in hot water and vulnerable to potential threat.
To avoid complications, digital marketers should start by addressing the following steps:
– Create a map of all personal data collected from customers or prospects and where this is being sent, stored and processed.
– Identify any personal data collected by you or any third parties affiliated with your business.
– Review existing contracts with service providers to ensure the EU Model Clauses are recognised, or other methods that allow you to legally transfer data from the EU to the US.
– If you don’t have an explicit agreement with your US-based service provider, the best alternative is probably to migrate to an EU-based service provider as soon as possible, to limit any risk exposure and legal liability.
It is also useful to recall that any data collected through a user’s interaction with email, websites and apps can’t be used for marketing purposes without explicit consent.
UK Marketing Manager at Mailjet
5. The law applies to everyone
The digital advertising industry should acknowledge that the US Safe Harbour Program, the recently invalidated mechanism widely used to transfer personal data from the EU to the US, may have a real impact on the industry.
Many would anticipate that Safe Harbour doesn’t apply to them as they don’t collect and transfer personal data, however there has been an inexorable shift in the definition of personal data from the narrow to the broad. So, if what you’re collecting can be somehow used to identify someone, then it’s safest to consider it personal data.
So, why should I worry if the Program has been invalidated? This is true, however the EU and US are negotiating a new form of the Program. These negotiations are currently ongoing and I am told there are two remaining issues, namely the EU citizen’s right to judicial redress and a limitation of US governmental access to personal data. While we are at a delicate moment in the negotiations, I am confident that the Safe Harbour Program will come back in a new form.
There is also the enforcement moratorium – issued by the WP 29, the powerful consortium of EU Data Protection Regulators – against companies relying upon the Program, and extends through to the end of this month and is about to expire. There is no guarantee it will be extended, and it only extends to enforcement not to investigations. I wouldn’t be surprised if some regulators are actively looking for low hanging fruit to bring a case against as soon as they can. So, what’s the risk if you just do nothing?
There is always a calculation that has to be made, but always know that the digital advertising industry is already under intense scrutiny – so don’t be that low hanging fruit.
Chief Privacy Officer at Ghostery