
Tuesday, 18 October 2011 12:19

The data privacy debate in social media market research: a legal perspective

by Monique Altheim, Attorney at Law


Greenbookblog.org recently hosted a debate by representatives of research associations and companies engaged in social media research on the subject of data privacy in social media market research. Three major industry bodies were represented: The Council of American Survey Research Organization (CASRO - USA); The Market Research Standards (MRS – UK) and the European Society for Opinion and Marketing Research (ESOMAR - Global). An excellent summary of the debate can be found here.

The debate was spurred by the recent issuing of new guidelines by ESOMAR, new draft guidelines by CASRO and a discussion paper from MRS. The guidelines seek to apply the old, existing market research industry standards and best practices to social media research. Social media marketing research includes netnography, blog mining, message board, chat room and forum analysis, and web scraping of social media sites.

All the guidelines propose that the core fundamental principles guiding face-to-face, mail and telephone research (see: ICC/ESOMAR International Code of Marketing and Social Research Practice) should also apply to social media market research. The distinction between public and private space that underlies the old marketing research guidelines is carried over online. For example, in “private” spaces, where users would expect their comments to be private, users cannot be identified without their prior consent. In “public” spaces, however, content is posted with the expectation that it will be read by the public. Examples are public blogs and comments left on public blogs and websites. Those users can be quoted and identified.


The industry organizations cite the need to maintain the public’s trust, as well as the hope of preventing impending legislation from applying to market research, as the main reasons for encouraging self-regulation. The market researchers, on the other hand, claim that with the advent of big data, social media sites and new technologies, the market research profession has changed. Focus groups and surveys are giving way to newer techniques such as analytics, crowdsourcing and sentiment analysis, and the field now includes professionals who do not consider themselves old-school market researchers and who do not let themselves be encumbered by the self-regulatory restrictions imposed by the old-school market research industry organizations. Why, say the traditional market researchers, should they be disadvantaged in the marketplace by cumbersome self-regulation?

Meanwhile, it is important not to lose track of the legal landscape, to examine the already existing national and international data privacy legislation, and to see how it applies to market research. In 1981 the OECD (the Organisation for Economic Co-operation and Development) published its guidelines on the protection of privacy and transborder flows of personal data. They set forth 8 principles for the protection of data privacy, and these principles became the backbone of most data protection legislation in the world. They are basically common-sense rules concerning the collection and use of personal data: for example, one rule stipulates that the collection of personal data should occur with the knowledge and consent of the data subject; another stipulates that the collected data should be accurate. These principles were made into law by most developed countries.

In the US, these laws apply, on the federal level, only to certain sectors: HIPAA/HITECH applies only to PHI (protected health information) processed by the health industry, GLBA applies only to NPI (non-public financial information) processed by the financial industry, and FCRA only to consumer reports processed by the consumer reporting industry. COPPA applies only to children under 13. No data privacy law applies specifically to market researchers. HIPAA applies to market researchers receiving PHI from the health industry. Data privacy in most US industries, including the internet and social media, is not regulated. Currently, only a social media site’s terms of service (ToS) and privacy policy govern the data privacy obligations of the parties. Under the Federal Trade Commission Act, the FTC can bring an action for “unfair” or “deceptive” business practices. For example, advocacy groups recently asked the FTC to ban Facebook's new “frictionless” sharing feature, as well as its post-log-out tracking, charging that these are "unfair and deceptive trade practices" under the FTCA.


The proliferation by the ad and marketing industry of online practices such as behavioral tracking, geolocation tracking, profiling and the application of facial recognition software, in the absence of any federal regulation of data privacy, has prompted Congress to act: currently there are at least 19 draft or for-discussion privacy bills proposed by Representatives and Senators of the 112th Congressional Session. They range from comprehensive bills such as the Commercial Privacy Bill of Rights Act of 2011 and the Consumer Privacy Protection Act of 2011, to sector-specific bills such as the Do-Not-Track Online Act of 2011 and the Do Not Track Kids Act of 2011. Some state laws, such as the California Online Privacy Act and the Massachusetts Privacy Act, cover all personal information in all sectors. Since the internet economy is by definition global, this summary would be incomplete without mentioning global privacy regulations.

The EEA (European Economic Area), which consists of the 27 member states of the EU plus Iceland, Liechtenstein and Norway, has one of the strictest data protection frameworks in the world. The main legal instruments that regulate data protection in the EEA are Directive 95/46/EC and Directive 2002/58/EC. The European data protection regime is currently under review, since technological developments and the globalization of the economy have rendered it outdated. The Directive has been implemented by all 30 EEA member states into their national laws and, while the Directive acts as a floor, some national laws have gone even further in their protection of personal data.

Unfortunately, the implementation was not uniform, so there are now 30 different versions of the Directive to take into account. There are quite a lot of differences in the implementation of the Directive: France, Germany, Spain and Italy have stricter rules, while the UK has more lenient ones. One of the most difficult problems of the EU data protection regime is the lack of harmonization of laws between the member states, and consequently the difficult but important determination of which national law is applicable in any given situation. “Personal data” is construed very broadly as “any information relating to an identified or identifiable natural person (‘data subject’)” (Article 2(a) of Directive 95/46/EC). Under this definition, even a person’s email address is considered “personal data.”

“Sensitive personal data” are personal data that reveal “racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life”, and the processing of such data is in principle prohibited, with a very limited list of exceptions (Article 8 of Directive 95/46/EC). A picture or video that reveals the racial origin of the data subject might be “sensitive personal data” under this definition. The processing of personal data within the EEA is subject to extensive regulation which, in a nutshell, strives to incorporate privacy principles such as consent, access, proportionality, transparency, necessity and legitimacy (Article 6 of Directive 95/46/EC).

According to the Directive, personal data cannot be processed at all except on one of the grounds in the very limited lists in Articles 7 and 8 of the Directive. The only legal basis for market researchers to process personal data of European residents would be “unambiguous consent by the data subject” (Article 7(a) of Directive 95/46/EC). Under the Directive, a data subject’s “consent” means “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed” (Article 2(h) of Directive 95/46/EC).

On July 13, 2011, the Article 29 Data Protection Working Party (hereafter Article 29 WP) adopted Opinion 15/2011 on the Definition of Consent. This opinion aims to clarify the existing legal requirements for “consent” and to illustrate how they work in practice. The gist of the 38-page opinion is that for consent to be valid, it must be a real expression of intent, as opposed to the legalistic, meaningless formulations so common in online transactions. Where the information in question is “sensitive” personal data, a ground for processing under Article 8 of the Directive must be found. In these cases, the appropriate ground would be to rely on the “explicit” consent of the data subject under Article 8(a).

Whereas “unambiguous” consent can also be expressed through actions, “explicit” consent requires an active expression of a wish, in writing or orally. A pre-ticked box saying “I agree” (opt-out consent) will not suffice in this case. If the personal data are to be transferred to a country outside the EEA, market researchers should make sure the transfer occurs under the rules set forth by Articles 25 and 26 of Directive 95/46/EC. In practice, this means that the transfer will be legitimate if the entity to which the data are transferred is located in an “adequate” country, or has subscribed to the Safe Harbor scheme in the US, or if the transfer occurs under “Standard Contractual Clauses” agreements, or if the entity has Binding Corporate Rules (BCRs) in place. The only countries on which the EU has conferred the status of “adequacy” for data protection purposes are Switzerland, Canada, Argentina, Guernsey, Jersey, the Isle of Man, the Faroe Islands and Israel.

The advent of cloud computing has created many complicated legal issues. For example, the mere act of looking at data of EU residents online from a device located in the US is considered a “data transfer” according to some authorities. Another example illustrates the difficulty of ascertaining the applicable national law: a market researcher whose company is headquartered in New York scrapes Facebook for data on German, Austrian and Swiss data subjects. Facebook’s European headquarters is in Ireland. Which national law applies?

Are anonymized data subject to the data transfer regulations that govern personal data? It probably depends on how easy it is to reverse-engineer or de-anonymize the anonymous data. In the EMRA Position Paper regarding the Review of the EU General Data Protection Directive (95/46/EC), the European Market Research Alliance (EMRA) argues for more harmonization of the national data protection rules and takes the position that confidential market research should be considered a form of applied scientific research. It also proposes that the law of the controller should be the applicable law in multi-jurisdictional market research.

The Market Research Society's response to the consultation by the European Commission on the implementation of Directive 95/46/EC expresses exasperation with the 30 different national implementations of the Directive and suggests self-regulation as an alternative. In what seems to be a global trend, many countries in Asia, South America and Africa have recently passed EU-style comprehensive data protection laws. Some examples are: Mexico, South Korea, India, Peru, Costa Rica, China and, most recently, Colombia and Angola.

In conclusion, whether one opts for self-regulation or for national legislation, the enforcement of data privacy principles remains problematic: in the case of self-regulation, history has shown that self-regulation does not get enforced. In the case of national regulations, the steady move to the cloud has made the application of national laws beyond a country’s borders inevitable. An EU resident’s data should be protected on social media sites whose headquarters are outside the EU. But how is extraterritorial jurisdiction to be enforced?

Monique is a multilingual and multi-jurisdictional attorney, admitted to the New York Bar as well as the Belgian Bar in the European Union. Monique specializes in e-discovery, social media and privacy/data protection law. She is a Certified Information Privacy Professional (CIPP) and an active member of The Sedona Conference Working Group 6: International Electronic Information Management, Discovery and Disclosure. As an EU attorney in Belgium, she had six years’ experience in tort, contract and maritime law litigation. Monique runs a blog, EDiscoveryMap.com, the EDiscoveryMap YouTube Channel and the "European Data Protection Forum", and recently developed her own mobile app for iPhone, iPad and Android, the Monique Altheim Esq App.

© Copyright 2011 Merlien Institute Pte. Ltd. 14 Robinson Road, #13-00 Far East Finance Building, Singapore 048545 | Reg No.201111431H