The United Kingdom's decision to leave the European Union could have significant ramifications for domestic digital marketers doing business internationally. Every day, digital marketers in the U.S. come in contact with mountains of personal data. These can include customer email addresses, browsing habits, age, gender, geographic location and any other data Google, Facebook and other go-betweens allow U.S. marketers to collect.
Until late last year, U.S. marketing agencies were subject to the long-standing Safe Harbor agreement, which regulated the flow of personal data between the EU and the U.S.
Safe Harbor prohibited the transfer of data to a country outside the European Economic Area (EEA) unless that country had adequate data protection measures in place. American agencies receiving EU citizens' personal data could self-certify they complied with Safe Harbor. This basically attested their practices adhered to a range of European privacy standards. Although the agreement applied to any country outside the EEA, it primarily targeted the U.S. and American companies.
The Snowden effect.
Ever since former CIA employee Edward Snowden leaked classified information, the EU has been exceedingly sensitive about the transfer of EU citizens' personal data to the U.S. Truth be told, the EU long had regarded U.S. privacy laws as inadequate. The release of the Snowden documents only strengthened that position. In the wake of the leak, the European Court of Justice convened and re-examined the Safe Harbor agreement. The Court, which is tasked with ensuring EU law is applied equally across the EU, found U.S. compliance with Safe Harbor lacking. In October 2015, the Court invalidated the agreement. The decision was effective immediately.
In December 2015, the EU adopted the General Data Protection Regulation (GDPR) to patch the gap. While the GDPR isn’t enforceable until 2018, most U.S. and international companies are using that framework as their guideline to satisfy the EU's requirements for personal data transfer.
In February, the EU and the U.S. announced Privacy Shield, a new agreement to replace Safe Harbor. Privacy Shield represents a more rigid framework that creates stronger obligations for U.S. companies, stronger monitoring and enforcement from U.S. authorities and an annual review process to ensure new measures are implemented. European and U.S. officials worked throughout the spring to iron out details of the agreement and begin implementing its provisions.
The Brexit complication.
Negotiations surrounding data transfer have gotten only more complex since June 2016, when the U.K. voted to leave the EU. Brexit has raised a number of questions that have yet to be answered. Among them:
- Will the Privacy Shield agreement need to be renegotiated?
- Will the EU need to negotiate a new agreement with the U.K. similar to the one in place with the U.S.? If so, when would that happen?
- Is there a chance the U.K. might find itself flagged by the EU as a jurisdiction with inadequate privacy laws?
- Will data transfers between the U.K. and the U.S. have to undergo scrutiny from the EU because personal data from citizens of EU member states might be included?
- Will Privacy Shield be put on hold while the EU and the U.K. negotiate the withdrawal? If so, what framework will govern transatlantic data transfers in the meantime?
The Brexit vote and the chaos that now surrounds Privacy Shield create tremendous uncertainty for U.S.-based digital marketers who collect personal data from customers in the EU. In the short term, however, there is some good news. In the wake of the Safe Harbor invalidation, many U.S. companies -- including marketing agencies -- incorporated into their agreements “model contract clauses” and “binding corporate agreements.” Both instruments have been approved by EU courts. They allow for the collection and transfer of data from Europe to non-EU jurisdictions, and this practice likely will continue until more answers come into focus.
What comes next?
U.S. marketing agencies still must heed EU privacy laws when dealing with the U.K. Why? Two reasons. First, chances are good that the U.K. independently will adopt many of the same EU policies and procedures. Second, personal data obtained from U.K. sources likely will include information about members within the remaining EU nations.
Marketers target specific demographics on behalf of clients and brands. As the internet has made the world more interconnected, it’s impossible for domestic marketing agencies to simply ignore the data protection measures put in place by countries outside the U.S. Complying with the wishes of these countries makes sound business sense. It enables companies to access some of the world's largest markets and protects agencies from exposure to international violations and liability.
The impact on marketers.
The many obstacles and headaches associated with international data protection compliance may seem onerous to domestic agencies, but doing nothing could present greater problems. Even if U.S. agencies choose to deal solely with domestic companies for the exchange of personal data such as email lists and demographic data, there's no realistic way to sort out which information is outside the EU and which is inside. Companies still have to hash out the names and/or emails on such lists, making it impossible to know which is which and who is who. A single email address belonging to a citizen of the EU in a 5,000-name list obtained by a U.S. marketer is enough to expose all parties involved to a potential violation.
For now, not too much has changed in the wake of Brexit. Every aspect of data collection has the potential to be renegotiated. Privacy Shield has not yet gone into effect, so most companies are using the EU’s GDPR framework to govern their transatlantic personal data transfers.
It's good for third-party marketing vendors to get in the habit of protecting information via hashing -- the process of obfuscating all or part of the digital data. It's an extra reassurance for third parties who might not have requested personal data from the EU but unwittingly received it all the same. Hashing is a solid way to protect data and also can make the retrieval process easier.
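One way to apply the hashing described above to an email list, as an added example that is not part of the original article: addresses are normalized and passed through a keyed hash (HMAC-SHA-256), so two parties can match records by digest without exchanging raw addresses. The key, the function names and the sample addresses are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Hypothetical shared secret agreed between the two parties; in practice it
# comes from a secrets manager, never from source code.
LIST_KEY = b"constructed-demo-key-not-for-production"


def normalize_email(raw: str) -> str:
    """Canonicalize so the same mailbox always produces the same digest."""
    local, sep, domain = raw.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {raw!r}")
    # Lowercasing the local part too is a list-matching convention (assumption).
    return f"{local.lower()}@{domain.lower()}"


def plain_digest(email: str) -> str:
    """Unkeyed SHA-256: anyone holding a candidate address can recompute it."""
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()


def keyed_digest(email: str, key: bytes = LIST_KEY) -> str:
    """HMAC-SHA-256: recomputing the digest requires the secret key."""
    data = normalize_email(email).encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def pseudonymize(emails, key: bytes = LIST_KEY):
    """Replace every address with its keyed digest, dropping duplicates."""
    return {keyed_digest(e, key) for e in emails}


def overlap(hashed_a, hashed_b):
    """Count records two parties share, comparing digests only."""
    return len(hashed_a & hashed_b)


# Constructed sample lists (example.* domains are reserved for documentation).
vendor_list = ["Anna@Example.com ", "bob@example.org", "carol@example.net"]
client_list = ["anna@example.com", "dave@example.org", "BOB@example.org"]

if __name__ == "__main__":
    a, b = pseudonymize(vendor_list), pseudonymize(client_list)
    print("shared records:", overlap(a, b))
```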
With so many uncertainties, U.S. marketing agencies can be sure of one thing: Brexit means it almost certainly will cost more to comply with new rules for collecting personal data. Legal fees, compliance initiatives and added layers of security all will be factors. No matter how the future unfolds for the U.K. and the EU, there will be new challenges -- and that means new expenditures.
The good news, of course, is that the U.K.’s departure from the EU could take several years to sort out. For domestic digital marketers, this means continuing to safeguard the personal data they obtain and familiarizing themselves with the GDPR.