If you conduct international market research, you not only want to measure local attitudes and behavior, but also must comply with local practices, like the European Union’s Directive* on “Safe Harbor” for data privacy.
While this is important for researchers, it now appears that the EU is also using its privacy laws to trip up US-based global marketers such as Google, Amazon and Facebook – who famously mine and share data. See “EU Makes Play for Leverage Over E-Commerce” in The Wall Street Journal, May 6, 2015.
This directive, in fact jointly developed by the U.S. Department of Commerce and the European Union, is intended to protect consumer privacy, specifically for companies operating in the European Union. They are not allowed to send personal data to countries outside the European Economic Area unless there is a guarantee that it will receive adequate levels of protection.
Are Europeans “more uptight” about privacy than Americans? What do they consider privacy and how do they ensure it through regulation?
It’s not that they’re different; it’s more that Europeans have a legal history of guaranteeing online privacy. It started with the European Convention on Human Rights with respect for one’s “private and family life, his home and his correspondence.”
The EU Directive specifies seven “safe harbor” data privacy principles:
1. Notice—data subjects should be given notice when their data is being collected;
2. Purpose—data should only be used for the purpose stated and not for any other purposes;
3. Consent—data should not be disclosed without the data subject’s consent;
4. Security—collected data should be kept secure from any potential abuses;
5. Disclosure—data subjects should be informed as to who is collecting their data;
6. Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; and
7. Accountability—data subjects should have a method available to them to hold data collectors accountable for not following the above principles.
What do these mean in practice?
Peter Baker, head of his leading U.K. market research agency, Peter Baker Associates, reports that “The Data Protection Act 1998 requires every data controller (eg organisation, sole trader) who is processing personal information to register with the Information Commissioner’s Office, unless they are exempt. More than 400,000 organisations are currently registered. This means that if we store any data about people or organisations on a computer we must register with the ICO. It is not expensive and it can be checked by others. You simply do that then do not distribute your files to anyone else.”
Monika Grzywa, of PMR Research in Krakow, Poland, keeps their privacy reporting very simple. In qualitative studies, PMR does not gather and connect any personally identifiable data with research findings. Also, with quantitative studies, neither the name of the respondent nor, of course, that of the client-sponsor is recorded.
What to Do
To comply is actually easy and most of the steps align with good research practices. Here are three general action areas:
Notice – As in USA online or in-person qualitative research, you need to disclose who you are (a research company) and why you’re collecting the data. That’s standard practice.
Consent – All respondents must have an opt-in / opt-out choice and then explicitly agree to proceed or step out.
Security – Again, as part of the disclosure, you will assure and follow through on securing all personal data – scrubbing any identifying information. It’s unlikely that respondents will want to correct any data, but of course, if, for advertising purposes, you record, say, interviews, you will need a signed waiver.
Thus, for many European projects, you need only document your policies and ensure that you have your checklist in place. It seems the most likely area of concern is how the data are secured. It is up to you, your research partner and your IT staff to double-check simple things like changing passwords and checking with all vendors for data security compliance.
Wiest & Co. is a marketing insights and management consulting firm located in San Francisco, California. It provides USA and international market research and analytical services to consumer and B2B marketers and product developers. Please feel free to contact us with any questions, comments or to discuss an upcoming marketing, branding or new product launch question.
* Directive 95/46/EC (on the protection of individuals with regard to the processing of personal data and on the free movement of such data) is a European Union directive adopted in 1995.