Justice CommitteeWritten evidence from the Market Research Society

EU DATA PROTECTION FRAMEWORK PROPOSALS

Introduction

1. With members in more than 60 countries, The Market Research Society (MRS) is the world’s largest research association. It’s for everyone with professional equity in market, social and opinion research and in business intelligence, market analysis, customer insight and consultancy. In consultation with its individual members and Company Partners, MRS supports best practice by setting and enforcing industry standards. The commitment to uphold the MRS Code of Conduct is supported by the Codeline service and a wide range of specialist guidelines.

Response to Terms of Reference question

Will the proposed Regulation strike the right balance between the need, on the one hand, for a proportionate, practicable but effective system of data protection in the EU, and on the other for business and public authorities not to be stifled by regulatory, financial and administrative burdens placed upon them?

Overview

2. MRS is generally supportive of the current proposal for a General Data Protection Regulation and of the next steps the UK Government proposes to take during the negotiations. We do however have specific concerns about provisions relating to consent, protection of personal data of children, profiling, business burdens created by the proposals and provisions relating to historical statistical and scientific research.

Consent

3. The first principle of the MRS Code of Conduct is:

Researchers shall ensure that participation in their activities is based on voluntary informed consent.

4. Therefore researchers rely heavily on consent as the basis for fair and lawful processing. Much of that consent is very clear—where a researcher invites a data subject to participate and they agree to do so or where a direct question is asked and an answer is spontaneously and voluntarily given.

5. In some cases researchers may rely on the second data principle to process data to invite data subjects to participate in a research project. For example, in the case of customer satisfaction research, an individual whose data has been collected in order to obtain a product or service may be invited to give their views on the quality of service they have received. It has been accepted by the Information Commissioner’s office that processing data in this way (ie inviting them to participate in research) is not incompatible with the purposes for which the data was collected (provision of a product or service).

6. A number of major social research projects also rely on the ability to contact individuals whose data may have originally been collected for non-research purposes. Examples of this include:

Victims of Crime surveys, conducted for the Home Office or for local police forces; and

The GP-Patient Survey for the Department of Health, which interviews patients who have visited their GP in the preceding six months.

7. There are a significant number of European market, social and opinion research projects, aimed at improving society within Europe, where there is a need to be able to gather representative views from European citizens. This is achieved by being able to contact any European citizen on a random basis. If the ability to do this is diminished by legislative actions that are likely to exclude consumers and citizens from taking part, it will dilute the statistical reliability of results for understanding both social and commercial issues. This would be highly damaging for UK and European policy makers and businesses.

8. The current proposal defines the data subject’s consent as:

any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;

9. This appears to be an evolution of the definition rather than a radical change. However this is dependent upon the definition and interpretation of the phrase “by a statement or by a clear affirmative action”. Any definitions within the revised legislation, whether existing or new, should not contain any ambiguity. The current definition for consent is ambiguous. In the past, regulators in Member States such as Germany have defined explicit consent as written consent. It is essential that if the definition of consent is to be amended it does not require written consent. This would seriously undermine the use of current and future technologies for data collection, which are widely used for research purposes.

10. In research a respondent to a research project provides the answers to the questions they are asked, having been informed of the identity of the researcher, the purpose of the interview, and of their right to withdraw at any time. There is not always a specific question to obtain permission for the processing of data, but the freely given, specific, and informed consent of the data subject is explicit nonetheless from the data subject’s willingness to answer questions posed by the researcher. We believe is it essential that any requirement for explicit consent retain the possibility of it being signified by statement or action by the data subject.

Protection of personal data of children

11. Although neither the 1995 Directive nor the 1998 Act explicitly contain provisions for the protection of children, MRS has always recognised that children and young people are vulnerable members of society and the MRS Code of Conduct contains a number of specific rules to offer children additional protection. For example, the consent of a parent or a responsible adult acting in the place of a parent is required before a research interview can be conducted with a person under the age of 16. Separate MRS children’s guidelines also prohibit research with minors on products that are illegal for the age group, and set out additional criteria which should be followed to provide maximum protection for respondents that are under 16.

12. It should also be noted that there are circumstances where the asking of parental consent may harm or adversely affect children, for example, research with users of helpline services such as Childline. The MRS Code of Conduct makes provisions for this by the waiving of parental consent requirements in limited circumstance subject to ethical review and approval of the MRS Market Research Standards Board.

13. MRS, by having specific rules governing research with children, recognises that children and young people are valuable members of society and have the right to participate in society, including participating in research projects relevant to them, whilst offering adequate protection via the MRS Code of Conduct, a robust ethical research framework. We believe this is balanced approach which protects children whilst also respecting that they have views which need to be heard as children wish to be able to determine their future society. If it is decided that additional provisions relating to children are required, the Regulation should take an equally balanced approach.

14. The current proposal defines a child as a person under the age of 18, in line with the UN Convention on the Rights of the Child, but the only substantive provision relating to children is in Article 8:

For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child’s parent or custodian. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.

15. Persons under 18 may leave school, marry, join the Armed Forces or attend university and are autonomous persons. MRS recommends that if additional restrictions were to be introduced that these mirror the self-regulatory rules already in place in Europe, the majority of which require consent of a parent or responsible adult acting in the place of a parent with under 14s. Consideration should also be given to situations where parents or guardians are not engaged in the children’s lives and where obtaining consent may cause harm or detriment to the interests of the child. As explained above the MRS Code of Conduct requires such consent before interviewing persons under the age of 16.

16. It is the view of MRS that if society is to properly prepare children and young people for the transition from childhood to adulthood that the transition should start at 16 at the latest, not 18.

Profiling

17. The proposed regulation in Article 20 defines profiling as:

(a)a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to valuate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behaviour.

18. MRS welcomes that this definition is limited to measures which produce “legal effects” or “significantly affects” the individual. A broader definition (such as that used by the Council of Europe in its Recommendation 2010(13))1 would encompass many statistical processes (such as sampling) used by research. This could have a huge and detrimental impact on the quality and representativeness of research samples and research results. For research to be robust for evidence based policy making, an important facet of European policy development, plus for broader commercial uses such as business development within Europe, it is essential that researchers are able to classify potential respondents to ensure that representative samples can be drawn. The introduction of a very broad definition could have unforeseen impacts on significant research projects such as Eurobarometer and the Labour Force survey, which are widely used for policy development within Europe.

Business burdens created by the proposals

19. MRS notes that the Commission estimates that businesses in the EU will save up to €2.3 billon by their proposals. However, these benefits would appear to be outweighed by a number of additional obligations and requirements being proposed including the appointment of data protection officers (DPO).

20. Given the detailed responsibilities of the DPO set out in Article 38 of the proposed regulation2, it would not be possible to pool the responsibility of a group of companies under a single officer, meaning that multiple appointments would have to be made. Further the proposal contains additional requirements to conduct privacy impact assessments for all material data processing events and products. While it is difficult to estimate the exact costs of these requirements, for a large research organisation they could easily add over £5 million annually to the cost of doing business. The additional process steps and delays that would take a toll on business performance are not included in this figure.

21. While the independent DPO model is one method of ensuring accountability, as an alternative consideration should also be given the concept of a Chief Privacy Officer who is an integral part of the management of a business and would have overarching responsibility for all data protection and privacy matters in an organisation or group of organisations.

Historical, Scientific and Statistical Research

22. The Commission’s proposals contain a number of provisions relating to historical statistical and scientific research. These build on existing provisions in the 1995 Directive and the 1998 Act and are essential for our sector and we strongly urge that they be retained in any final text. These include:

Personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research purposes (Article 5e).

Processing of personal data which is necessary for the purposes of historical, statistical or scientific research shall be lawful (Article 6.2).

The prohibition on the processing of special categories of personal data shall not apply where processing is necessary for historical, statistical or scientific research purposes (Article 9.2i).

Data held for historical, statistical or scientific research purposes is exempt from the right to be forgotten (Article 17.3c).

Conclusion

23. Data protection is a key facet of the business of market, social and opinion research. MRS supports the development of a coherent, harmonised and proportionate framework for this area. We wish to remain closely involved in the process and would welcome further opportunities to comment on the proposed legislation, during its passage through the European Parliament and Council of Ministers.

August 2012

1 Recommendation CM/Rec(2010)13 of the Committee of Ministers to member states on the protection of individuals with regard to automatic processing of personal data in the context of profiling

2 http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf

Prepared 30th October 2012