In conversation with Dr. Thilo Weichert and Andres Dickehut on Safe Harbour
BY THOMAS LUCAS-NÜLLE
(Published in The Produktkulturmagazin issue 1 2016)
In business, the marketing department often has to take care of customer data, a task that requires legal sensitivity not only in obvious sectors such as health and security but in every other consumer area as well. Safeguarding privacy can be decisive for a company, both to strengthen its own reputation and to provide a safe haven from immense regulatory fines. Whether one focuses on Safe Harbor, Privacy Shield or the EU General Data Protection Regulation (GDPR), in any case data protection equals brand protection.
What does ‘Safe Harbor’ mean and what today is its status?
Dr. Thilo Weichert: ‘Safe Harbor’ was a decision taken by the European Commission in 2000, which allowed US companies to transmit European personal data once they were self-certified and thus compliant with data protection. In its judgment of 6 October 2015, the European Court of Justice (ECJ) overruled that decision, arguing that it was contrary to fundamental rights, precisely because of the element of self-certification. Data is not adequately secured within companies because US security agencies have access to European data in disregard of data protection, as former National Security Agency employee Edward Snowden has made public.
After ‘Safe Harbor’ was lifted by the ECJ, it became unclear under what conditions European data from US companies such as Amazon, Apple, Facebook, Google, and Salesforce must be recorded. Vice versa, it was doubtful what happens when, for example, Daimler sends data from Germany to its American dealerships. In early February this year the European Commission reached an agreement with the US on replacing ‘Safe Harbor’ with ‘Privacy Shield’. How this new label of data protection will be defined is unclear. It has, however, been established that this ‘shield’ can hardly be harmonised with ECJ case law.
What exactly does the EU GDPR aim for? What is the status quo?
Dr. T. W.: In December of last year, the Council, the Parliament and the EU Commission agreed on a so-called trialogue on a common European data protection law to take effect in 2018. This basic regulation would replace national laws; in the case of Germany, its Federal Data Protection Act. As regards content, data protection is being developed and adapted to the worldwide web and other digital networks. So in future, lex loci solutions ought to be applied: when foreign entities like Google or Alibaba do business in Europe, they must comply with European law. Privacy will be further protected by the law. Data protection authorities in Europe need to cooperate closely. Violations of data protection will in future be penalised with up to four percent of a company’s global annual turnover.
What are the consequences for European companies?
Dr. T. W.: In my view there are only benefits for European companies: at last, binding the US competition to European laws creates a level playing field. Next to this harmonisation into a uniform European market, companies can operate in a manner which is legally consistent. Only the head office will be responsible for data protection, thus reducing the administrative burden as one can set up, so to say, a one-stop shop. In addition, the trust of customers and business partners in data protection - and thus ultimately in the business relationship itself - will be strengthened.
Andres Dickehut: Companies should welcome the failure of ‘Safe Harbor’ and the consequential entry into force of the European Data Protection Reform as an opportunity to seriously start caring about data protection. To act later in view of the four percent rule could be critical to the company. Dealing with all the processes that affect personal data is nothing short of insurance for any business. The possible fine mentioned earlier is a drastic tightening in comparison to the conditions of the previous scheme. In the field of data protection, customers and agencies alike will become of ever greater importance. It is also about protecting reputations and strengthening brand values. Dealing with data protection in this light can also be seen as a competitive advantage.
What further changes await us this year?
Dr. T. W.: This year the European Council and the EU parliament will have to confirm the outcome of the trialogue of its General Data Protection Regulation. The rulings will then enter into force in 2018. Until then, the companies must have largely adapted their processes to the new rules. National legislators in particular will have to get busy as their data protection laws need revisions. Whereas in the future the basic regulation will come into effect, nation states still need to regulate individual issues themselves, such as with regard to data protection authorities.
In 2016 the discussion about ‘Privacy Shield’ data transfers to the USA will continue. It is anticipated that the data protection authorities will follow the latest so-called standard contractual clauses and binding corporate rules by which data can also be transferred abroad. Whenever unclear, companies and the European Commission may again have to call for renewed assistance of the ECJ.
What does all this mean for companies operating abroad? What recommendations could you give?
A. D.: To be on the safe side, whenever dealing with personal data we generally recommend always strictly complying with all local legal regulations and anticipating new developments. On this issue there are no peccadilloes. Under certain circumstances this may lead to the necessity to look for another provider for e-commerce or cloud services, because one’s current provider may not adhere to EU data protection regulations.
Another step which has certain advantages could be leading towards the path of certification: on the one hand internal awareness and an anchor for management to cling onto. As a rule: ‘After the audit is before the audit’. Because whenever certifications are concerned one can be certain to be thoroughly screened. On the other hand one wins trust with customers and partners alike, which in our experience in the true sense of the word always pays off.
The marketing platform of Consultix, for example, is a technology leader in secure and automated processing of large quantities of personal data. We have received several awards. Also we were the first CRM vendor to enter into the field of data protection and security - among others, the European Privacy Seal aka ‘EuroPriSe’. We as data processors pass on this safety standard to our customers of certified services as they remain responsible for compliance with the provisions of the Federal Data Protection Act.
Dr. T. W.: At Netzwerk-Datenschutzexpertise.de we have put a treaty text online which can be taken as a basis for data transfers to countries with inadequate levels of protection. Companies which make use of it can thus be on the safe side, regardless of current discussions about ‘Privacy Shield’.
How do you support companies on their way to a data-safe haven?
A. D.: We offer companies an assessment as the basis for optimising their data protection procedures. Already during the first consultations with marketing and data protection officers we can produce a lot of clarity about their applications, processes and data. Subsequent measures may include centralising customer profiles and relying on integrating applications in data processing, both aimed at improved processing and protection. As a rule, the number of applications can then also be reduced. With our secure Customer Engagement ProCampaign and high-performance infrastructure we also offer technology solutions.
For example, our private cloud and hosting solutions are primarily aimed at marketing and e-commerce. In this area we experience a significant increase in demand. Therefore in autumn we will open another data centre in our very own nuclear bunker in Germany. The technological advance and the certified legal compliance in the EU as well as in other target countries are well-appreciated by our customers.
In what way does ‘ProCampaign’ support the implementation of different marketing activities?
A. D.: With ProCampaign we have in recent years - especially in international fast moving consumer goods - developed a tool for automated campaigns, resulting in a secure customer engagement hub. The SaaS solution now integrates digital marketing, customer lifecycle management, CRM and e-commerce. Essential to ProCampaign still is its centralized and refined customer profiles. Currently we process for our clients over fifty million of them sourced from over eighty countries. The perspective on customers however has turned 180 degrees: when desired we can view our systems as though we were consumers ourselves. Because our additional business intelligence algorithms enable us, even in a mass market, to adopt the views of an individual consumer. That is how we achieve a high degree of interaction and brand loyalty.
What do you think the future of global trade will look like in five to ten years?
Dr. T. W.: Currently, as regards data protection, there is a trade war going on between the US and Europe. This transatlantic dispute needs to be resolved, not least because Chinese companies are entering both the European and the US market. My hope is that the US will recognize at last the value of data protection and will thus agree on common constitutional requirements for data traffic.
A. D.: In global e-commerce we expect a continuation of the trend for mobile and smart shopping. At the same time, online and offline will continue to merge with an unbroken trend towards total digitisation.
Dr. Thilo Weichert is a lawyer, political scientist and board member of the German Association for Data Protection (DVD). He was Data Protection Commissioner of Schleswig-Holstein for 11 years. Previously he was an advisor to the civic committee for the dissolution of the state security (BAS).
Andres Dickehut is a managing partner of Consultix, which he co-founded in 1994. He focuses on digital marketing, customer engagement, CRM and e-commerce and advises brands such as Lieblingstasche, Payback, PayPal, Jacobs Coffee, Nivea, Milka, LG Electronics or Whiskas.
Consultix offers marketing and IT services for brands in over 90 countries. Its flagship is the secure customer engagement hub ProCampaign. Its Software as a Service integrates digital marketing, customer life cycle management, CRM and e-commerce.
Picture credits © Consultix GmbH