In late December, CASRO announced the launch of its Safe Harbor program, which is aimed at supporting CASRO member self-certification to the Department of Commerce’s Safe Harbor Framework in compliance with the EU Directive on Data Protection.
As described on the CASRO Web site, CASRO will act as an independent recourse mechanism providing third-party dispute resolution and enforcement services. It will work with participating members to confirm that their privacy policies meet Department of Commerce requirements to participate in the Safe Harbor and that their adherence is properly documented. CASRO will also provide an independent, online complaint-handling service, in conjunction with the Council of Better Business Bureaus, free of charge to E.U. and Swiss residents.
The U.S.-EU and U.S.-Swiss Safe Harbor Frameworks provide a method for U.S. companies to transfer personal data that originates in the European Union and Switzerland in a way that is consistent with the EU Data Protection Directive.
Research entities that receive personal data about EU citizens must comply with the EU Directive on Data Protection. One way to show compliance is to self-certify with the U.S. Department of Commerce that the business adheres to the seven Safe Harbor Privacy Principles:
1. Notice: notify individuals about the collection of their personal data.
2. Choice: give them choices regarding certain uses of their personal data.
3. Data integrity: ensure the accuracy and integrity of their personal data.
4. Access: allow access to, and if necessary correction of, their personal data.
5. Security: protect the security of their personal data.
6. Onward transfer: comply with restrictions on further transfers of their personal data.
7. Enforcement: provide an independent dispute resolution mechanism for privacy complaints concerning European personal data that is collected, received or processed.
* * *
To find out a bit more about the program, I checked in via e-mail with Abby Devine, director of government and public affairs at CASRO.
What were some of the reasons behind the creation of the Safe Harbor Program?
Devine: CASRO wants to help the research industry be a model of compliance with trans-national privacy laws. Adherence to the Safe Harbor Privacy Principles is already required by the CASRO Code and, by stepping into the dispute-resolution space with the BBB, CASRO is able to offer a necessary service to our members at a reduced cost.
Why should U.S. marketing research firms be concerned about safeguarding respondent data privacy?
Safeguarding respondent data and maintaining trust with respondents is the crux of our industry and should be a priority for all research companies. Failure to take proper steps to maintain data privacy exposes you to legal ramifications and detracts from your appeal as a business partner.
What are the advantages for research firms of self-certifying?
Any research company that receives personal data from Europe must comply with the EU Data Protection Directive and, for most companies, self-certification to the Safe Harbor Framework is the simplest way to assert compliance with the Directive. It can be a competitive advantage if your company is self-certified and ready to handle European data and your competitor is not and has to either self-certify or work through the cumbersome process of complying with the Directive in another manner prior to handling European data.
What kind of changes, if any, do you foresee happening in the U.S. on the data privacy front?
Europe has been, and will likely continue to be, more privacy-focused than the U.S., but that is not to say that privacy won’t continue to receive increased attention in the U.S. in 2015.