The DMA Legal update: Summer 2014


Uploaded by: rachel-aldighieri

Posted on: 16 January 2015


Data protection 2013

Friday 8 February

#dmadata

Supported by

The DMA Legal update: Summer 2014

Thursday 26 June 2014, DMA House

#dmalegal

Welcome

Mike Lordan, Director of external affairs, DMA

#dmalegal

Agenda

8.30am Registration and breakfast

9.00am Welcome

Mike Lordan, Director of external affairs, DMA

9.05am EU Draft Data Protection Regulation – The current position, potential changes and the impact on the industry

James Milligan, Solicitor, DMA

9.35am Consumer rights bill and consumer rights directive

Janine Paterson, Solicitor and legal manager, DMA

9.55am ICO Direct marketing guidance

James Milligan, Solicitor, DMA

Janine Paterson, Solicitor and legal manager, DMA

10.25am Q&A

11.00am Close

EU Draft Data Protection Regulation – the current position, potential changes and impact on the industry

James Milligan, Solicitor, DMA

#dmalegal

Impact of the new Data Protection Regulation – Why now?

• Data Protection Directive 95/46/EC ("Directive") (implemented in UK by 1998 Data Protection Act) showing its age

• New technologies and more complex information networks

• Lack of common European law and differences in national implementation

• Consumer concern over privacy

• Data protection now a fundamental right under EU Charter of Fundamental Rights


EU data protection reform timeline

• Jan 2012 – first draft Data Protection Regulation ("DPR")

• December 2012 – amendments suggested by the Rapporteur of EC Committee on Civil Liberties, Justice and Home Affairs ("LIBE Report")

• February – May 2013 – Reported that 4000 amendments tabled

• May 2013 – partial "compromise" draft from Justice and Home Affairs Ministers ("CD")

• October 2013 – LIBE voted on amendments

• October 2013 – Heads of Government meeting

• December 2013 – Inconclusive Justice and Home Affairs Ministers meeting


EU data protection reform timeline

• Jan 2014 Civil servants working group meetings continue

• Mar 2014 Inconclusive Justice and Home Affairs Ministers meeting

• Mar 2014 MEPs adopted LIBE report

• May 2014 European Parliament elections

• June 2014 Justice and Home Affairs Ministers Meeting

• July 2014 Informal Justice and Home Affairs Meeting

• Nov 2014 New European Justice Commissioner and other Commissioners take office??

• Dec 2014 Justice and Home Affairs Ministers agree position??

• 2015 Regulation is passed in Brussels??

• 2017 Implemented into UK law??


Changes proposed by the European Parliament to the draft Data Protection Regulation (LIBE Report)

• LIBE report adopted by all MEPs March 2014

• Proposes a number of changes to European Commission original text

• Majority of changes favour consumers rather than businesses

The "compromise draft" agreed by EU Justice Ministers 2013-2014

• "More business friendly" compromise draft ("CD") is only partial: Chapters I-IV

• More changes to Chapters I-IV may be needed once the remainder has been updated

• Regulation or Directive? – wording proposed allows for Regulation to be transformed into a Directive (supported by 8 member states)

• June 2014 Chapter V – international issues, transfers of data, applicability of Regulation


Headline proposed changes

• Expanded definitions: “personal data” and “data subject”

• Explicit consent required

• Right to be forgotten

• Greater emphasis on accountability

• Notification of data security breaches

• More onerous sanctions for breach

• Data processors directly covered

Consent

Consent: Current Position

- Freely given, specific, informed indication of the data subject’s wishes

- Explicit consent required for sensitive personal data only

Consent: Proposed Position

- Freely given, specific, informed and explicit indication of data subject’s wishes

- Given either by a statement or a clear affirmative action

- Data controller / data subject relationship to be taken into account

- Burden of proof on controller to demonstrate consent

Introduction of opt-in/explicit consent

• Review language used at point of data collection to ensure that consent is explicit/opt-in

• Opt-in/explicit consent not required for postal marketing in European Parliament version of the text

• Do people understand what they are agreeing to? – nation of liars

• Think about how you will update legacy databases

• Children – consent wording for under-13s if offering them an information society service

Key points in the draft Regulation – IP addresses and cookies

• Definition of personal data extended so could cover some IP addresses and cookies as “online identifiers”

• But IP addresses identify a device, not an individual, and some IPs are general

• Huge implications for digital marketers

• Web analytics & profiling made much more difficult, if not impossible

• Interaction with new cookie rules problematic

IP addresses and cookies

• Think about how you will deal with the extension to include location data, IP addresses, cookies and online identifiers

• Pseudonymous/anonymous data – will you be able to take advantage of exceptions?

Key points in the draft Regulation – The right to be forgotten

• Right for individuals to request organisations to delete any information held on them

• Drafted with social media in mind – but goes beyond this

• Problem of information that has already been passed on to third parties

• Possibility of misleading consumers by raising unrealistic expectations

• Changes to current text likely

• European Court of Justice Google Spain case

The right to be forgotten

• Prepare to respond to requests

• Deletion/suppression

• Other legal requirements to keep information, e.g. accounting, tax, money-laundering

Key points in the draft Regulation – Data breach notification

• Any data security breach to be notified to ICO and the individuals concerned within 24 hours

• Report to cover:

- nature of breach

- number of data subjects

- categories of data

- proposed mitigation

• Not always obvious if there has been a breach or how extensive it is

• Problem of notification fatigue

• No threshold level specified

Data security breach notification

• Introduce breach notification detection procedures

• Think about how you will notify data protection authorities and affected individuals within whatever timescale is agreed

• Develop/review your data breach response plan

Key points in the draft Regulation – Subject Access Requests (SARs)

• Data subjects to be able to request full information on data held on them free of any charge

• Currently can levy a £10 fee – doesn’t cover cost but deters time-wasters, frivolous or vexatious requests

• Costs organisations £50 million p.a. now to meet SARs

• Proposal that can provide data in electronic form if data subject agrees to this

• Particular problem for financial services with mis-selling issues and claims management firms

Subject Access Rights

• New Regulation may lead to increased public awareness of rights, e.g. right to request information (Data Subject Access Requests, Right to be forgotten)

• Plan ahead for increase in queries from clients/public

• Training for client/customer service teams

• Amend wording on privacy policies/data collection notices to take account of new rules on profiling.

Key points in the draft Regulation – Compliance obligations

• Data protection obligations now shared between agencies and clients, for example if holding a client’s database

• Privacy by Design/Privacy by Default

• Appointment of DP officer (250+ employees)

- 2 year appointment

- Independent reporting to board

- Information and training

- Maintenance of documentation

- Data protection impact reports

• International transfers of data outside EEA – law would apply to any processing of data of EU citizens

Compliance obligations

• Review amount of data being processed, erasure policies and data retention policies

• Requirement to demonstrate compliance will mean more documentation in respect of policies and procedures

• Contact centres, mailing houses, email/SMS broadcasters will also be subject to these new obligations, especially in respect of data security

• Review staff training in data protection.

• Appointment of a data protection officer?

• Risk-based approach to compliance and data protection impact assessments

Key points in the draft Regulation – Proposed enhanced sanctions

• Up to €500k or 1% of annual worldwide turnover for intentional or negligent failure to respond to subject access requests in accordance with the Regulation

• Up to €1m or 2% of annual worldwide turnover for other compliance failures

• Depends on:

- size of organisation involved

- nature and gravity of breach

- whether intentional or negligent

- technical and organisational measures

- previous breaches

- co-operation with ICO

Enhanced sanctions/fines

• Watch out if you get it wrong!

• Increase focus on compliance – board level issue

• Review internal policies and procedures

Key Points in the draft Regulation – Delegated Acts

• Many details to be implemented through additional delegated legislation – some 45 Delegated Acts mentioned.

• Details will not be clear until Regulation is passed

• These areas of secondary legislation will include:

- powers to specify further procedures

- technical standards for Privacy by Design/Default

- specification of lawful processing condition

- additional responsibilities for national data protection authorities; etc.

• European Commission taking significant powers to itself away from the national authorities - raises serious issues of subsidiarity and accountability

• National governments and Data Protection Authorities are concerned

Key Points in the draft Regulation – Cross-border issues

• Main establishment/one-stop shop provisions

• Think about which country’s national data protection authority will be lead regulator

• Possibility of changing country where head office is located

• Review arrangements for transfers of data outside EEA (28 Member States of EU + Iceland, Liechtenstein, Norway)

• Global group – application to EU citizens’ personal data.

• European Court of Justice Google Spain right to be forgotten case – link between Google Spain and Google USA

Impact on direct marketing

• Existing databases may not be usable: could decimate prospect lists. Legacy data?

• No tracking data, profiling or segmentation without explicit consent – less targeted and more generic communication?

• List broking severely restricted

• New information requirements and rights of the data subject, e.g. Right to be Forgotten

• Increased costs – £76,000 per business to comply + possible £47 billion of lost sales in UK

Draft Regulation - DMA View

• DMA welcomes the Commission’s aim to reduce red tape and simplify bureaucracy – but proposals do not achieve that: overly strict, bureaucratic and unworkable

• Needs to be a fair balance between privacy and legitimate business interests

• Current proposals will stifle innovation, add considerably to business costs and place unnecessary obstacles to e-commerce jobs growth

• Will be particularly harmful to SMEs – MoJ says demonstrating compliance will cost £10m p.a.

• Hard to say how Commission’s estimate of 2.3 billion euro saving to businesses was calculated

Ministry of Justice

• Disagrees with Commission’s 2.3bn Euro savings – burdens imposed will far outweigh net benefits: UK cost of £100-360 million

• Many unintended consequences, esp for SMEs

• Changes to consent, profiling & definition of personal data particularly costly to industry

• Likely knock-on effects for growth in technological sector and internet economy

• Regulatory Impact Assessment quotes DMA’s figures & examples

• Impact on behavioural advertising

• Creates unrealistic expectations for consumers – R2BF proposal is “unworkable”

Key lobbying messages

• Data is essential for economic growth

- UK has leading role in EU digital economy

- SMEs particularly affected

• Transparent and responsible use of data is a vital business practice

- In industry’s interests to handle data with care

- Self-regulation has valid role to play

- Regulation will not stop bad players

• The proposed regulation is bad for consumers

- Would damage users’ online experience

- Danger of tick-box culture & unrealistic expectations

• Need a proportionate data regime that recognises that not all data is the same

- Personal data, sensitive data, anonymous/pseudonymous data

- Different levels of protection required

Lobbying activity

• In Brussels with key individuals in Council, Commission & Parliament, e.g. MEPs & advisers; party groups

• In UK, Ministers in MoJ, DCMS, BIS, HM Treasury + Opposition spokesmen

• Alliance of interests – UK Data Group, FEDMA, CBI, etc. - for collective lobbying of Council and Parliament & lobbying directly where there is no national DMA

• Position papers on priorities for industry + draft amendments to text

• Research on consumer attitudes to privacy and on economic value of the dm industry

DMA lobbying toolkit: www.dma.org.uk

Contacts

James Milligan, Solicitor, DMA

T – 020 7291 3347

[email protected]

Legal Advice Helpline

T – 020 7291 3360

[email protected]

Consumer rights bill and consumer rights directive

Janine Paterson, Solicitor and legal manager, DMA

#dmalegal

What’s happening?

• Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013

• The Consumer Protection from Unfair Trading (Amendment) Regulations 2013

• Consumer Rights Bill

The Consumer Contracts (Information, Cancellation and Additional Payments) Regulations 2013

• Implementation of the rest of the EU Consumer Rights Directive which was passed in 2011

• Came into effect 13th June 2014.

• Regulations deal with contracts between a trader and a consumer:

– Made on-premises, i.e. in a shop

– Made off-premises, i.e. at the consumer’s home or place of work, and

– Made at a distance, i.e. by telephone or over the internet.

• Certain contracts are excluded including gambling, health services and services of banking and insurance.

Three main areas

• Information

– Depending on the type of contract, the trader must provide certain information.

– Many provisions already exist but new ones are introduced especially around digital content, where information on what systems or hardware is compatible will need to be given.

• Cancellation

– consumers have 14 days to cancel off-premises and distance contracts – double current provision

– Consumers have to return goods within 14 days of giving notice of cancellation

– Traders can withhold refund until goods are returned

– Traders can deduct from refund if the consumer has handled the goods more than expected.

Three main areas – cont.

• Hidden costs and obligation to pay

– Consumers will have to give active consent for all payments and the use of pre-ticked boxes for additional charges will not be allowed

– Customer service telephone lines can only be charged at the basic rate – premium rate lines will be banned

– Traders that operate an online retail site will need to ensure that consumers understand that there is an obligation to pay when placing an order. “Pay Now” not “Confirm your order”.

The Consumer Protection from Unfair Trading (Amendment) Regulations 2013

• Amendments to the 2008 regulations to allow consumers who have been victims of misleading or aggressive practices to seek redress.

• Comes into effect 1st October 2014

• Covers three types of contract:

– Sale or supply of a product to a consumer by a trader;

– Sale or supply of a product to a trader by a consumer;

– A payment by a consumer to a trader.

• Need to show:

– purchased a product from a trader;

– trader engaged in behaviour that was either misleading under Regulation 5 or aggressive under Regulation 7.

• Remedies - depending on the type of contract:

– Unwind the contract and get a refund;

– Discount on the product;

– Damages for the breach.

The Consumer Protection from Unfair Trading (Amendment) Regulations 2013

• Misleading: includes

– providing false information or information that could deceive the average consumer;

– marketing a product which causes confusion with competitor’s products;

– failing to comply with a Code of Practice when you say you do.

• Aggressive: includes

– Timing and location of the behaviour;

– whether any threatening or abusive language is used or;

– any exploitation by the trader of the consumer’s personal circumstances.

Consumer Rights Bill

• Published in draft in June 2013. Will not come into force until late 2015/ early 2016.

• A major overhaul of existing consumer rights legislation – consolidating 100+ consumer laws and introducing new rights for consumers and businesses.

• Follows two consultations late last year by BIS on goods, services and digital content; and the Law Commission & Scottish Law Commission’s on unfair contract terms.

Consumer Rights Bill

• Basic rights not changing

• Aim to present rights and remedies in a simpler and clearer way to make consumers better informed and empowered

• 3 parts:

• Consumer contracts for goods, digital content and services – rights and remedies

• Unfair terms in contracts

• Miscellaneous: investigatory powers, enhanced consumer measures, enforcement, competition, etc.

Consumer Rights Bill

Rights and remedies:

• To receive some money back after one failed repair to faulty goods (or one faulty replacement)

• To have substandard services redone or receive a price reduction

• To receive a repair or replacement of faulty digital content such as film/music downloads, e-books and online games

• To return faulty goods within 30 days and receive a refund

• Collective redress allowing consumers and companies to challenge anti-competitive behaviour.

Consumer Rights Bill

• Consolidates the law around unfair terms in contracts with consumers.

• Fairness to be determined by taking into account:

• The subject matter

• All the circumstances existing when term was agreed

• All the other terms of contract or any other contract on which it depends

• Various terms listed that cannot be assessed for fairness


Contacts

Janine Paterson, Solicitor & Legal Manager, DMA

T – 020 7291 [email protected]

Legal Advice Helpline

[email protected]

ICO Direct marketing guidance

James Milligan, Solicitor, DMA

Janine Paterson, Solicitor and legal manager, DMA

#dmalegal

Structure

• What the Guidance consists of?

• Status

• Context

• Buying and Selling data

• Consent

• DMA Clarification of ICO Guidance

– Host contact and indirect third party consent

– Time limits for indirect third party consent

– Solicited/unsolicited marketing

– Pre-ticked opt-in boxes

– Win back campaigns

What the Guidance consists of

• Direct Marketing Guidance

• Direct Marketing Checklist

• Guidance for organisations receiving unwanted marketing

Status

• Not a code of practice

• ICO not trying to rewrite the law

• Reflects ICO evolving view of area

• Future proofing against draft Data Protection regulation

• Remember ICO enforcement is complaint driven – “Don’t annoy your customers”

• New ICO Data Protection Enforcement Policy

Context

• Consolidate all previous guidance

• Focus on areas which come up in enforcement

• Focus on areas of widespread abuse

• Rebalancing towards customer consent and choice in the Big Data age

• Data privacy now a brand differentiator – Customer Acquisition Barometer 2014

• List broking is the next big issue after nuisance calls – Which? Taskforce on consent

Buying and Selling Data

• Boundaries on data chains

• Better Together/Scottish referendum undertaking

Case study 1 – complex data sources and consent failures

• Campaigning organisation

• Mass unsolicited SMS marketing

• Particular ICO concerns?

• Outcome - undertaking

Case study 1 – the data chain

[Diagram: the data chain in case study 1, running from the instigator and sender through a long chain of list brokers, lead generation companies, insurance brokers and companies, loan providers and brokers, price comparison websites, a mail order company, publishing companies, prize draw websites, debt management companies, a credit card provider, travel companies and an online retailer.]

Case study 1 – examples of ‘consent’

• ‘Archival personal injury leads’

• ‘…you also agree that we may disclose your information to […] (iii) other carefully selected product suppliers in the future with a view to them offering you products they feel may be of interest to you.’

• ‘We may share your information with our business partners for marketing purposes or we may send you information about other organisations’ goods and services. [ ] By providing us with your contact details you consent to being contacted…’

• ‘All information you supply will be kept confidential to [ ] and the insurers whom it deals, unless [ ] are required by law with subpoenas.’

Sourcing data/ Due diligence

• Who compiled the list? When? Has it been amended or updated since?

• When was consent obtained?

• Who obtained consent and what was the context?

• Was it opt-in or opt-out?

• Was information provided clearly and intelligibly? How was it provided?

• Did it list organisations by name, by description, or any third party?

Consent

• Basic requirements under DPA 1998

• Additional requirements under PECR 2003 as amended

• Age of consent

• Context in which given

• Nature of relationship

DMA Clarification of ICO Guidance

• Host contact and indirect third party consent

• Time limits for indirect third party consent

• Solicited/unsolicited marketing

• Pre-ticked opt-in boxes

• Win back campaigns

Host contact

• Host contact is the ICO and DMA preferred method of distributing third party offers via email, text and automated telephone calls

• Host contact – how does it work?

1) First party organisation collects the contact details of customers, and customers subscribe/opt-in to receive third party offers

2) First party organisation does not pass on contact details to the third party

3) First party will be the sender of the message

4) First party rents body copy in the message to the third party

5) Third party includes a call to action in the message

6) Third party collects its own marketing consents when recipients respond to the message

7) Third party does not have access to the data of those recipients who do not respond.

Indirect/ Third party consent

• Where consent is not given by the individual to the organisation sending out the marketing message but given via a third party, e.g. a list owner.

• Host contact method is not considered by ICO and DMA to be indirect third party consent

• Not valid for the marketing channels covered by PECR: voice calls to telephones, email and mobile messaging

Indirect Third Party Consent

• Exceptions

• 1) First party collecting contact details specifically names third parties to which it will pass contact information on

• Example of 1) in the context of booking a flight to New York with a UK based airline

• “Please tick this box if you are happy for our partner airline xxxx Airlines to contact you by email/SMS with details of their US domestic flights”

Indirect Third Party Consent

• Exceptions

• 2) Third party falls into a specific category of organisation that the first party included in the list of types of organisations for which it obtained the recipient’s consent when it collected the electronic marketing contact details

• Example in the context of booking a flight to New York with a UK based airline

• “Please tick this box if you are happy for our partner organisations to contact you by email or SMS with details of their promotions and offers in New York which you may find useful during your visit to New York.”

Indirect Third Party Consent -Time limits

• Third party organisation making contact for the first time by electronic channels using indirect third party consent should not rely on consent given more than six months ago to the first party

• General rule of thumb

• Third party using contact details more than six months after they were first collected needs to justify why it is using those contact details

• Context is key – ICO accepts that third party can use contact details collected more than six months ago in the case of annual services – e.g. insurance, seasonal products.

Unsolicited/Solicited Marketing

• ICO definition of solicited and unsolicited different from industry definition

• ICO consider an unsolicited marketing message to be a marketing message which the recipient has not requested

• If a consumer has subscribed/opted-in to receiving marketing messages and an organisation sends a marketing message then that message will be unsolicited

• However will be compliant with PECR because consumer consented

Unsolicited/Solicited Marketing

• Practical advice – follow PECR

• Consumers must be clear about what they are signing up to.

• Organisations pay attention to wording in data collection notices

Pre-Ticked Opt-In Boxes

• ICO and DMA best practice: do not use pre-ticked boxes for consumers to subscribe/opt-in to receiving unsolicited marketing messages via email and SMS

• DPA/PECR rules – to subscribe/opt-in requires a positive action on the part of a consumer

• A consumer leaving a pre-ticked opt-in box ticked is not a positive action

Pre-Ticked Opt-In Boxes

• Can be used in rare circumstances where another stage in the sign up process amounts to positive consent

• Use of pre-ticked opt-in boxes as an unsubscribe/opt-out mechanism – consult with DMA Legal or other usual legal advisers

Win-back campaigns

• ICO guidance unclear as to legality of win-back campaigns

• ICO have confirmed to DMA that win-back campaigns are legal provided:

1) Consumer subscribed/opted-in to receive marketing messages, or

2) Consumer did not unsubscribe/opt-out, if the existing customer/soft opt-in exemption rule applies and its conditions are met

• Practical issue – confirm preferences when a customer leaves/cancels

• Remember retention rules and keep data accurate/up to date


Contacts

James Milligan, Solicitor, DMA

T – 020 791 [email protected]

Janine Paterson, Solicitor & Legal Manager, DMA

T – 020 7291 [email protected]

Legal Advice Helpline

T – 020 7291 [email protected]

Q&A

#dmalegal

Upcoming events

Introduction to data protection (Manchester) – 1 July 2014

Data works: connecting the data dots – 17 July 2014

A TV dinner (Manchester) – 15 July 2014

ZEDTalk 1: Creativity and ideas – 24 July 2014