The theme for the spring ASC conference, held at Imperial College on April 4th, was data privacy and security: ‘Where’s my data? Participant privacy in a connected world’. A nuanced title – should the emphasis be on privacy or privacy…

Which may also depend on which side of the Atlantic Ocean you reside, or conduct research! 

Chair for the day, Tim Macer (Meaning), using data from the latest Technology Survey findings, showed how opinions differ amongst market researchers around the world on the importance of privacy as a disruptive influence on market research, from just over a quarter mentioning it in Asia/Pacific (26%), a slightly lower proportion for Europe (23%), but of much lower concern in the USA, mentioned by only 7% of respondents.

However, data privacy legislation is relentlessly spreading around the globe, with enacted legislation in over 100 countries. 

However, a recent survey by Accenture Interactive suggests that 80% of younger consumers (aged 20-40) in the USA and UK believe total privacy no longer exists in the digital world. A higher percentage (87%) believe adequate safeguards are not in place to protect their personal data, and paradoxically, although 49% said tracking was okay if it led to relevant offers, nearly two thirds (64%) were concerned about their buying behaviour being tracked! 

In Europe, the timetable for revised legislation has already lengthened and we wait to see what priority this is given by the new EU parliament following on from the recent elections. At the ASC event, Barry Ryan (MRS) demonstrated the importance and influence of the current legislation, describing how the changes being made to the MRS Code of Conduct (recently approved by the MRS Board), are mainly to create further alignment between the Code and UK data privacy law.

I’ve been running seminars on data privacy and research for the MRS, SRA, BMRA, client-side companies and market research agencies since 2001, when the current EU Directive became UK national law, and these initial presentations led me to reflect on the key concerns and issues that have been raised by delegates over the years – and whether these have changed over time.

Upholding the promise of confidentiality and anonymity

The one issue that constantly crops up is the pressure from clients on researchers to share personal data where survey participants had been assured of confidentiality. This can create tensions between internal research teams and their clients within organisations, as well as between agencies and clients. 

The main issue might be summarised as ‘owning a list of potential participants does not give the client an automatic right to know how each person responded to research’. It does leave me wondering about the extent to which privacy legislation is understood and enacted within these organisations in general. Researchers also need to make sure that the promises of privacy made to participants are not inadvertently undermined by the contractual relationship between agency and client where the client becomes data controller for all the information collected in a research project.

The whole issue of data sharing is a vexed one, but the ICO Data Sharing and Anonymisation codes of practice contain very helpful advice for the UK, especially with the emphasis on anonymising data wherever possible – a principle that still sits at the heart of market research.

I think that there is also a growing awareness amongst researchers of how difficult it can sometimes be to protect anonymity in the internet age, reflecting the finding in the Accenture survey. There’s also that perennial request by clients for videos of group discussions to contend with...

Overall, I think that the Federal Trade Commission (FTC) judgement in the USA regarding promises: ‘You can change the rules, but not after the game has been played’, is a great mantra to adopt regarding data privacy. If you make promises on confidentiality – keep them!

Social media

The recent NatCen report I referred to in my last blog explores the attitudes to the ethical issues of researchers using social media for research purposes, but it’s obvious from my seminars that, as citizens, researchers also have concerns about where the ethical, and legal, boundaries lie, and as researchers they often fail to appreciate the complex issues underlying ‘informed consent’ in the digital world.

Data transfer

Regularly, delegates describe instances of clients using insecure methods to transfer personal data to agencies…despite the high profile cases of lost data reported in the media. 

Incentives

Generally, researchers accept the ruling that in the UK, client branded incentives must not be used in research projects, and understand why this is related to maintaining clear water between research and direct marketing activities.

Globalisation of research

The increasing globalisation of projects, clients and agencies creates uncertainty and complexity in defining how to apply privacy legislation, and the impact on the research process is leading to more queries about the issues. It can be hard to provide general global rules as, even though similar principles underpin most legislation around the world, there are many local differences.

There is also the difference between data being sent to another country where the third party acts only as a data processor, with no rights to use the data for their own purposes, compared to when the off-shore third party claims rights to use the data. 

I’ve discussed some of the queries raised in my recent seminars with Barry Ryan as they are becoming increasingly complicated. Here are some common scenarios that crop up:

  • A non-EU company with offices in the EU must comply with the law of the relevant country (Facebook Ireland Ltd for example). Where there is no such office they must comply with the law of the states where they use equipment to process data (“equipment” has not been litigated but we believe this includes every PC or mobile device through which data is collected).
  • The jurisdiction issue is based on the location of the data controller, not the data subject (e.g. research participant). So, non-EU citizens are protected when an EU company processes their data, and all UK based interviews must comply with the current EU Directive even if collecting data in remote corners of the world.
  • EU citizens are not protected if they give data to companies based elsewhere (for example, a UK citizen completes a survey in Japan for a Japanese hotel chain – the Japanese Personal Information Protection Act 2003 applies).
  • There are model clauses to use for transferring data to countries outside of the EU, but transferring data to the USA, which has no federal data privacy law as such at present, is complex. There is the “Safe Harbor” arrangement run with the FTC, but that relates to only two agreements, one EU-USA and one with Switzerland. It does not cover other DP laws, nor does it cover most financial organisations as they are separately regulated. International companies can use Binding Corporate Rules, where they effectively incorporate the main principles within the EU Directive into their business rules.
  • Other countries will have data transfer restrictions – in terms of tracking them down they will usually be members of the Council of Europe and/or the OECD, both of which require members to introduce data protection laws with transfer limitation principles.

The EU is not a level playing field!

Under the current data privacy directive, legislation across the EU is far from being a level playing field, thanks to the subsidiarity rule agreed within the Maastricht Treaty in the early 1990s. For example, obviously, a research company based in the UK must comply with UK law, but if they also conduct research in another EU Member State where they have a business presence, they must also comply with that state’s law. In the case of UK and Germany, strictly speaking if the research agency has no business presence in the other country then only their home law applies. But, in Germany all research activity is regulated by the German Research Council, so German rules will always apply in the end – and there are conditions covering research conducted in Germany that were developed in pre-EU Directive days.

The UK is said to maintain a good balance between protecting the citizen’s rights and facilitating usage of personal data by the commercial and public sectors. As you might guess from my comments earlier, Germany has a particularly tough attitude towards data privacy, especially where direct marketing is concerned. A recent article in Privacy Laws and Business International Report (Issue 128, April 2014) underlined the differences across the EU. In Spain, the regulation of data privacy is funded by fines imposed on offenders, rather than via notification fees as in the UK for ICO. 

Therefore, it is probably not surprising that Spain accounted for 80% of data protection related fines in the EU for 2011, hoovering up 19,500,000 Euros, and handed out 572 sanctions (compared to 200 in neighbouring Portugal). Interestingly, whilst the UK dealt with the most complaints (13,800 in 2011), double the number in Spain, sanctions are extremely low (under 20). Spain is also much more likely to inspect organisations (5389), compared to, for example, the UK (42). So, take particular care when undertaking research in Spain – any mistakes could be very costly!

It will be interesting to see whether or not any change in the EU legislation will lead to a levelling out of the current differences.

The right to be forgotten?

The proposed changes to the current EU law include the right to be forgotten, but how might this work in practice, and how might it apply in today’s globalised world? A recent ruling in Spain has already started to frame what this might mean in law. A complaint was made to the Spanish data protection authority (AEPD) in 2010 by a Mr González against a Spanish newspaper (La Vanguardia) and Google Spain/Google Inc., seeking removal of or amendments to historic personal data held about him.

Whilst the action against the newspaper was unsuccessful, the AEPD upheld the complaint against Google stating that the operators of search engines are subject to data protection law and the request for removal of the information should be met. Google challenged this ruling, and the Spanish High Court then referred the matter to the European court for a preliminary ruling. 

The issues were about Google’s operations within the EU, and whether these are subject to EU law; and the obligations under the current law to ensure personal data is relevant and not kept longer than reasonably necessary (the point argued by Mr González). Google counter-claims that it cannot discriminate between the types of data it holds, and that Google Inc. is not a ‘data controller’ within the EU. The European court has ruled that personal data was being processed by Google, that it is a ‘data controller’, and that Google Spain and Google Inc. are inextricably linked in the context of data processing.

Therefore, Google is subject to EU data protection law. Here's a longer summary.

This is a judgement with far reaching implications. Google has introduced a new take-down service to remove items of personal data, and received 12,000 requests to do so on the first day alone.

At my seminars I point out that the ‘right to be forgotten’ may not always be in the citizen’s interest. For example, direct marketers mark records with a ‘do not promote’ marker when someone requests removal from their marketing activities, or following an update against the preference service files. 

If instead the record is removed the organisation could pick up this person’s details from elsewhere and start a fresh round of promotions to them. 

A similar scenario could just as easily apply in a research context (but not the preference service screening!). Getting the balance right is going to be challenging!

Barry Ryan will be covering this landmark case in the July issue of ‘Impact’, together with a global round-up of other DP news.

List cleansing

Finally, although it remains a continuing irritant to some citizens, researchers in the UK (or the USA) do not need to clean files against the Telephone and Mail Preference Service databases when using client supplied lists of customers or other contacts, providing that the sample will only be used for conducting a research survey, and not for any other purpose. This is a vitally important exemption.

Get committed!

The MRS Fair Data initiative, launched in January 2013, enables businesses to demonstrate that they take the protection of personal data very seriously. The ICO in the UK also has a scheme called the ICO Promise that organisations can join, again demonstrating a commitment to high standards in protecting personal data. The opportunities are there. So, get committed!

How to access the International Journal of Market Research (IJMR)

Published by SAGE, MRS Certified Members can access the journal on the SAGE website via this link.
