Safe Harbor Invalidated: How to Protect and Prepare your Marketing & Analytics Organizations


On October 6th 2015, Court of Justice of the European Union (CJEU) invalidated the Safe Harbor Law putting thousands of businesses exposed to legal ramifications. This new change has put a big question mark on the legacy model of doing business with our European friends. I also think this also puts a lot of pressure on marketing and analytics organizations as we heavily rely on customer data. If you are in analytics and marketing then you may have to make changes on how you operate when it comes to customer data. In this podcast, we discuss what was Safe Harbor Law, why was it invalidated, how this could impact your marketing or analytics organization and finally how you can plan and protect your organizations. (Note: Please consult your legal adviser for legal advise. The purpose of this podcast and blog post is to provide information and we are not providing any legal advise)

A Quick Preview of the Podcast:

  • What was the Safe Harbor Law before it was invalidated.
  • Why was the Safe Harbor agreement invalidated or terminated.
  • How does the end of safe harbor impacts customer data professionals such as analytics, marketing and advertising professionals.
  • 7 privacy principles you should continue to follow even after the death of Safe Harbor agreement.
  • 4 Steps you can take to mitigate the risk and protect your organization.

Listen to the Safe Harbor Invalidated: How to Protect and Prepare your Marketing & Analytics Organization Podcast

Listen on Sticher

Resources discussed in this podcast:

Read The Transcript:

Jeremy Roberts:               Hi and thank you for joining Analytics today, a podcast series that focuses on big data and analytics, digital marketing and the latest trends in digital world. I’m your co-host Jeremy Roberts. With me is my co-host Sameer Khan. Hey, Sameer.

Sameer Khan:                    Hey, how is it going?

Jeremy Roberts:               What’s up?

Sameer Khan:                    Great.

Jeremy Roberts:               How you’ve been?

Sameer Khan:                    Great. Awesome.

Jeremy Roberts:               Yeah, I think today’s topic is really interesting topic. It’s one that not everybody really understands or knows about but I think it’s something that’s really affecting international business today. Today we’re going to be talking about safe harbor laws.

Sameer Khan:                    Yeah, absolutely. That’s one of the topic that has been out there in the market and there are a lot of questions. Most of the time if you look at the companies, they just let their legal departments speak to it and take care of the day to day operational stuff and how safe harbor, the end of safe harbor I should say, should impact marketers or analytics professionals. I think it’s really important from a marketing analytics professional standpoint to understand what this law is and how this impacts us and how we can change things or adapt to new things to make our lives easier and better without getting to the legal trouble.

Jeremy Roberts:               Okay. I guess let’s start with that and so what is the safe harbor law?

Sameer Khan:                    That’s a great question. Without getting too much into the technicalities of what exactly, what are the principle over the safe harbor law or so-called principle is. At the high level it is a mutual agreement between U.S. and European Union to protect the privacy of European Nationals. The agreement is so generally if you think about it, European Union is known to have the strongest customer privacy protection rules. They really care about what data for their people who live there, you know, citizen of …

Jeremy Roberts:               When you say data, are we talking profile data?

Sameer Khan:                    Any kind of data.

Jeremy Roberts:               Okay.

Sameer Khan:                    If it relates to a customer there’s a stringent requirement which safe harbor of course when it was active, the U.S. companies can become certified and it made it easier for them to do business and exchange data with the European company. Let’s say if I have customers in Europe I’m trying to get their data to U.S. and run the data in a data warehouse and perform X, Y, Z actions. This process of safe harbor remove gazillion red tapes and remove several other policies that could impact the business. Otherwise, the companies have to spend months and months just trying to get data from marketing advertising targeting or many other marketing analytics activities to do business and serve customers.

Jeremy Roberts:               Make sense. Really, let’s get into the first question. Why was the safe harbor agreement invalidated or terminated?

Sameer Khan:                    It’s a great question. There’s probably an escalation path. Not all of a sudden that people said, “Hey, tonight we’re going to go and just terminate the law.” That happened in October but it happened through the years and years of escalation. A lot of big companies they’ve already started thinking about the alternative solution and some of the big company like Google they have started using alternative solution. What happened in October was a big month for analytics and marketing professional as well as most in the technology industry.

In the October 6, the European Union Court of Justice ruled that the policy, the safe harbor policy is invalid. Now, imagine a 15 year old policy which is created to do business, mutual business together without any issues that made a lot of things easier it was invalidated so it had a huge impact on the entire technology industry because in the clouds era, you and I have been in the cloud for a long time and we know that how data travels. It goes from one location to the other at the rapid speed. It doesn’t have to reside on one location. That’s what happened.

The reason why those rules are invalidated, to start with, there has been a big concern about consumer privacy, customer privacy and security in general. As a privacy laws if you’d go back in time these laws have been pretty outdated. They have been there since the launch of internet and nothing really has changed on how we govern and how this controls a person’s life and their entire life is online and they are all connected together.

Jeremy Roberts:               I think one thing with that let me make a statement here because I think there’s a difference between personal data and cookies. I think that’s where some people may misinterpret really how safe harbor laws work and really what kind of data is pulled. I remember in a previous podcast we talked about data analytics, the history of cookie tracking and all that stuff. Let’s break it down first. In your own words Sameer, what is the difference between personal information versus cookie data information?

Sameer Khan:                    That’s a great point. That is one of the thing that we from data and analytics and marketing standpoint we’re always aware that the personal which we call as PII, Personally Identifiable Information which is my name, your name, your credit card, address …

Jeremy Roberts:               My birth date, all that stuff.

Sameer Khan:                    Birthday. All the stuff that associates to you as Jeremy Roberts where it says cookie identified data is when you go to a website and anonymous cookies drop into your computer that can just say like, “Hey, this particular person using this particular device access this particular website.”

Jeremy Roberts:               Look at this, click on this or something.

Sameer Khan:                    Right, which is very anonymous. Now, definitely we’re getting into the ways of like, “Hey, there are ways to stitch the journey between an anonymous person to a known person.” That’s where things get muddled up and that’s where things like safe harbor come into play like, “Hey, if you are using our citizen’s data then you better make sure that you follow this check list and you have this particular infrastructure before you start using those data courses.”

Jeremy Roberts:               Sure, sure. That’s a great thing. I think people really need to understand there is a difference. Make sure that you understand the difference between PII and interest data.

Sameer Khan:                    Yeah, one thing I was going to say again going back to the original question, why was the safe harbor law invalidated or terminated. Generally from a technology standpoint, the macro economic factor such as technology improving faster, the rate of anything else on the planet. Technology is going so fast that it is not limited by anything. Right now, no one can say what’s going to happen in the future and what does the five year path looks like. There’s probably is going to be exponential growth in all of the technologies that we’ve seen today.

What happen on October raised a big question mark on that growth in one particular sector which is the customer data sector that impacts a lot of things. Big and small businesses across the two countries now they are getting worried. They are urging major brands and major law entities to go and participate like Facebook, Microsoft, Google. They are all working with their European counterpart to find a solution. In fact, Google’s Eric Schmidt, he raised a concern that, “Hey, if this does not gets resolved quickly then this threatens internet itself.”

It’s a pretty big thing coming directly from Eric Schmidt. What he was saying that without getting too many detail, he was saying that he might create a lot of internets instead of the internet that we use today. A great example is what happen in Russia on September. What they said, “Hey, none of the data about our customer should be located anywhere else but in Russia.” That could be something that could translate across the entire world.

Jeremy Roberts:               Yeah, you see that problem with a lot of these countries who really restrict usage and access to sites and external sites and stuff like that.

Sameer Khan:                    Exactly. It’s funny we see those when we go to the European sites we see those acceptance of cookies link.

Jeremy Roberts:               Exactly. Good one. Let’s go to the next question. How does the end of safe harbor impact customer data professionals such as analytics marketing and advertising professionals.

Sameer Khan:                    This is a valid question that directly impacts our life. First I would say safe harbor if it’s not replaced quickly then based on some of the estimation, based on some of the legal articles out there would definitely increase the cost of serving overseas customer. The alternative process of moving customer data are cumbersome. What it means, as the resource constraints it means a higher cost. Any company that deals with much more processes there have to put more people on it. They’ll have to probably get better legal advice.

Change their legal documents, there’s a lot more cost associated with it. Second, any company that use marketing or advertising data or collect and analyze the European customer data will have to go through new compliance and processes when handling these data. Especially advertiser and marketers when they talk about compliance. I saw the last time, one of the company that started doing, they are compliant already. Marketo is sending a new type of agreement to all of their customers just so that they can get prepped and pretty sure Silverpop is doing the same thing. They have this new law that governs when say if harbor does not exist.

Jeremy Roberts:               Yup.

Sameer Khan:                    Third is getting informed consent from the customer is becoming extremely, extremely important. What it means, we were talking about earlier when you go to European site that would be labeled that puts on the website like, “Hey, do you accept cookies. Click okay and continue.” That’s an informed consent. I think it’s extremely important for us as marketing and analytics professional to start thinking about these ways on how you can get customer’s permission before you start doing stuff to their data.

It’s going to become more important for the customer because customers are really worried about their data especially European customers because they have been protected by their government on how their data is used. They are really concerned and that’s what escalated to the point that we have this 15 year old policy that was completely terminated. The companies who don’t follow the guidelines, they could face up to 300,000 Euros in fine. It is a big deal. It is a big thing to pay attention to and not just ignore.

Jeremy Roberts:               Yeah, I completely agree. Actually, I did find something interesting on the DMA site and DMA is the Direct Marketing Association. They actually have a great article on there. If you go to, if you go into the safe harbor section they actually have a listing of what are the safe harbor privacy principles. What they say here is in order to and for your company to be compliant with the safe harbor framework you must abide by and incorporate the safe harbor privacy principle.

I actually have seven principles right here if you don’t mind. Number one, it says, “Notice, clearly inform customers in a timely manner about what information you’re collecting, why you are collecting it, who you’re forwarding it to, and how it is used can be limited and how the customer can contact you for additional information.” That’s very clear. Basically they are saying just give notice to the customer, don’t do anything shady.

Sameer Khan:                    That’s a very crucial and it latches on to getting the consent of the customer.

Jeremy Roberts:               Exactly. Number two here says choice. It says, “Honor customer’s request to opt out of certain information uses and exchanges and opt in if sensitive information is being used.” That’s number two. Number three of seven says, “Onward transfer.” Ensure that if information is disclosed to agents or subcontractors that they will agree to abide by the safe harbor principles. Make sure there’s a transference of those principles. It’s not just you but if you forward it to somebody else they also have to abide by those principles.

Sameer Khan:                    That’s very important especially if it’s those in marketing again they deal with a lot of different vendor so once they adapt to these new rules and policies it is important for them to transfer that knowledge to others who are handling their customer data. A lot of companies I know they transfer the customer data from U.S. to India so that they can run deep dive predictive analytics or data cleansing. That’s very solid.

Jeremy Roberts:               Number four here says access. Provide customers the ability to access the personal information being maintained by the company and the ability to correct it works inaccurate. Based on the sliding scale principle, the obligation to provide access to information increases where it is used is more likely to be significantly affect the individual. That’s a big thing. I mean, you don’t typically see that type of access in the U.S. I mean it’s creepy to be going to a site and see all the stuff that they are tracking on you but I love this principle. This is a great one here. That’s a great one. I would love to see something like that coming to us. I think U.S. probably is one of the countries where majority of the customer data is available to everyone.

Sameer Khan:                    I think I remember you and I talking once this client, potential client or customer who was an Albatross. Remember that one? They were basically saying do everything you can to get people to register and we’ll pay you seven cents on the dollar for every person that registers. That’s creepy. You look in for the managing expert to really just collect data information as an Albatross to be able to push it off to somebody else. I think there’s a lot of shady companies out there that are doing that stuff, yup. Number five here says security. Take reasonable care in protecting the information you collect from loss, misuse, unauthorized access, disclosure, alteration and destruction.

Jeremy Roberts:               That make sense.

Sameer Khan:                    Yup, number six or seven, data integrity. Ensure that the customer’s personal information is reliable, accurate, complete, current and used for the intended purposes. That’s pretty straight forward there.

Jeremy Roberts:               This is great. I think we should definitely provide a link to this list on our blog, on our podcast site. That would be fantastic just for the customers.

Sameer Khan:                    Absolutely, yeah. This last one here says enforcement. Take reasonable steps to ensure that any consumer privacy concern will be addressed. One by referring customers to your customer service department. Two, subscribing to a third party dispute resolution mechanism to address anything that’s unresolved. Three, just having appropriate monitoring verification or any kind of remedy procedures in place. Just being able to reinforce or take enforcement on anything that happens wrongly.

Jeremy Roberts:               Awesome.

Sameer Khan:                    Yeah. This is a great list. I think this changes everything right, for marketers.

Jeremy Roberts:               It does.

Sameer Khan:                    Now, we are going to be scrutinized more than ever especially for dealing with global customers especially with European Union. These things and these new ways to do business are going to be very critical. If a company is really concerned about the data that they are using and how they are operating that data across the organization, across their data centers they better prepare themselves. As I was saying earlier they could face significant fines.

Jeremy Roberts:               Exactly. I think the learning point of this is just be transparent. Do good marketing. Don’t spam people. If you’re going to offer an advertisement or something to somebody, give them what they want. That’s why data integration tools are even more important these days.

Sameer Khan:                    Which is a basic fundamental that we [preach [00:17:15]] that this is something that’s very …

Jeremy Roberts:               The right message at the right time to the right person.

Sameer Khan:                    Exactly.

Jeremy Roberts:               Let me give you one more question here. What can marketing analytics and advertising professionals do with all the seven principles, with this impact in customer data. All the things we talked about today, how would you sum all that up? What can they do?

Sameer Khan:                    We have four steps to your seven steps earlier. Really powerful and the one that you mentioned so therefore action item specifically for marketing advertising and analytics professional. First, I always say this, if things changes do not panic. I know this is a big change on how business is done globally. Things are going to get settled. There are people that are already working on this. Big entities such as Microsoft, big governments are involved in it. They are going to find a solution pretty quick.

I’m very confident because the economy that we live in in a capitalist economy all these big company they have to do business. They are not just going to sit there and operate and take a long time and stop the technology from progressing the way it has. Having said that, the impact of this new change on different type of marketing analytics, practices will be different like if you’re doing marketing research, most of the time when you collect customer’s data you already get customer’s concept.

If you’re doing something like that, if the customers already agreed to provide information then you’re good. Customer has already taken a step to say, “Hey, use my data. I agree to participate in those survey.” I think the biggest impact that we’re going to see is on the email marketing front from a marketing standpoint which I think that’s the reason why Marketo … Silverpop of the world are taking much more proactive steps because once you collect information and you start sending them data.

That customer’s information is stored in your data center and that data center is not in European Union or with a specific country then you could end up in really big trouble if you have no consent for that customer’s data. Again, going back to the original ideology which is getting customer’s permission. That was the first thing. The second thing is there are several alternative processes to safe harbor that were being used before and even some of the companies who are using during the safe harbor was active and companies such as Google is proactive implementing it. One of them is a model contract clause.

Again, I don’t want to get into the detail what that is but that is something that is to consider. Consider your legal advisor. Again we’re not providing any legal advice here so please consider the property of legal entity that you work with and investigate what is a model contract clause is, what is a binding corporate rules are. PCRs and MCCs and last but not the least which is the customer informed consent. That’s number two. Number three is ask your partners and service providers to get MCC and BCR compliance before you send them the data. It’s not just yeah exactly it’s not just you who’s going to be liable if your partner is not compliant by these new rules and policies. You’re going to end up in trouble because again they are dealing with you.

Jeremy Roberts:               Yeah, exactly.

Sameer Khan:                    Yeah, the last one is really think through your customer’s privacy and security to plan for the future. From now on, take this as a warning sign that hey if I’m going to be using my customer data for X, Y, Z activity it doesn’t matter if it’s marketing, advertising, retargeting, whatever you want to do, just pay attention on how information is being collected, where is information stored and just put a lot more effort than we were putting before this warning came to us. Those are the four steps I would say to summarize on what can marketing analytics professionals do.

Jeremy Roberts:               That’s great. I mean, I think better safe than sorry. I think that’s the most succinct thing I can say.

Sameer Khan:                    In general, we have seen things don’t change until something really makes a chain like a macro economic factor such as this one.

Jeremy Roberts:               Exactly.

Sameer Khan:                    I think it’s a good wake up call for all of us here who are dealing with our customer’s data. It’s a good wake up call for the entire legal premise that existed today to let us know, “Hey, the old rules are not going to work. It’s time to change. It’s time to rethink. There’s no bureaucracy here, it’s just the customer is the front and the center.” The customers that ultimately wins all the time.

Jeremy Roberts:               Yes, especially in international market. You have to be ready for anything. You cannot just be a U.S. marketer who sits in your office in the U.S. and just assume that you can do things your way. Once you started expanding across those oceans that’s really where the job really starts to push it. You got to start thinking.

Sameer Khan:                    Absolutely.

Jeremy Roberts:               This is great man. I mean I think this is a very important topic and I’m glad that we got to talk about this one today.

Sameer Khan:                    I’m happy and again we’re going to put some of this links and resources on our website so people can get access to it.

Jeremy Roberts:               For sure. Okay. I just want to thank everybody for joining us today. I think this has been a great topic and thank you, Sameer again. This has been a great session and we’ll see you guys on air.

Sameer Khan:                    Thank you.

Leave a Reply

Notify of