DDMA Data Driven Monday: Privacy law for data driven marketing and the regulatory challenges ahead
1. Sirius Legal
Data Driven Marketing and the EU: the Regulatory challenges ahead
Data Driven Monday, 13 April 2015
2. Data Driven Marketing and the EU
Privacy means many different things
3. Data Driven Marketing and the EU
The right to privacy between individuals
Nosy neighbours
EU Privacy law does not deal with this aspect of privacy
National (civil) law
4. Data Driven Marketing and the EU
The right to privacy in relationship to the government
NSA
Police
Tax authorities
Specific rules and regulations on international and national level
5. Data Driven Marketing and the EU
Electronic processing of personal data
Electronic processing
Personal data
Usually for commercial purposes
EU Data Protection Directive 95/46/EC
E-privacy Directive 2002/58
6. Data Driven Marketing and the EU
New balls, please…
EU Data Protection Directive 95/46/EC
E-privacy Directive 2002/58
Have been around for 20 years
Principles no longer fit economic and technical reality
7. Data Driven Marketing and the EU
New balls, please…
EU is working on new set of rules
Work in progress since 2012
End is not in sight…
Uniform rules based on EU Regulation (as opposed to Directive)
ETA: 2016 - 2017
8. Data Driven Marketing and the EU
Current Privacy Law
Based on EU Regulation
Transferred into national law by each member state
Set of rules dates back to nineties
Based on location of company and/or server
At the time most elaborate and progressive set of rules in the world
9. Data Driven Marketing and the EU
Current Privacy Law
“Right to privacy” >< data processing
Definition of personal data is very large
ECJ 2015: Even IP address – browser history
Impact on data collection and big data is considerable
10. Data Driven Marketing and the EU
Current Privacy Law
Straight and simple:
Prior “opt-in” for all processing
Or implicit opt-in if “justified reasons” for processing
“Free and informed” opt-in
Transfer of data to third party = additional opt-in
Cf. analytics tools, apps, cookies, database enrichment through mailings and actions, …: always opt-in
Cfr. also social media content
11. Data Driven Marketing and the EU
Current Privacy Law
Rights
opposition – access – correction - information
Obligations
Information – opt-in – data security – (export)
12. Data Driven Marketing and the EU
New regulation
2016 – 2017
Regulation instead of Directive
Work in progress since 2012
Complex procedure in European Institutions
Heavy lobbying
Political slow down
13. Data Driven Marketing and the EU
New regulation
How the EU legislative process works…
2012 Proposal European Commission (Reding)
2012-2015 Parallel track in European Parliament and European Council
2014 Proposal Parliament accepted (Amendments “Michel”)
2015 Parallel proposal Council: work in progress
2016 Both proposals have to be merged into one final text…
14. Data Driven Marketing and the EU
Commission Proposal
Heavily influenced by consumer protection activists in EP
LIBE Committee (protection of civil liberties)
Result:
Consumer friendly, but unrealistic for direct marketing sector, e-commerce sector, …
15. Data Driven Marketing and the EU
Commission Proposal
For all services offered in EU (even free services)
Personal data = also online identifiers, “pseudonymous data”
Explicit opt-in
Information obligation (icons)
Right not to be subjected to profiling
Warning obligations in case of data breach
“Data protection by design”
“Data protection officer”
Sanctions: LIBE: up to 5% of yearly turnover or 100 million euro
16. Data Driven Marketing and the EU
Council Proposal
Work in progress
Last amendments made in March 2015
Much more industry focused
Influence of direct marketing (e.g. through BDMA - FEDMA) is bigger
17. Data Driven Marketing and the EU
Council Proposal
Explicit opt-in
But opt-out or implicit opt-in has been put back in if “legitimate interest”
Next chapters discussed in upcoming months
To be expected:
Lower penalties and less strict obligations
Data protection officer obligation toned down
Softer rules on profiling prohibition
18. Data Driven Marketing and the EU
What should you do in the meantime?
Follow up on discussion (e.g. through our website www.siriuslegal.be)
Start reviewing vendor contracts (in view of data security obligation)
Start to prepare for full update of policies, contracts, business processes
Put in place data breach notification procedure
Appoint (temporary) data security officer
Put in place impact assessment and/or risk analysis policy
Create compliance statements for annual business reports
Train staff
Sit back and wait for final text of regulation for final details…
19. Data Driven Marketing and the EU
And now for something completely different…
Cookies
20. Data Driven Marketing and the EU
Cookies
EU e-privacy directive 2002/58/EC
Belgium: new article 129 in Telecom law since October 2012
21. Data Driven Marketing and the EU
Cookies
Always opt-in
Except for purely functional cookies:
Absolutely needed for technical reasons
Absolutely needed for communication
22. Data Driven Marketing and the EU
Cookies
Law is vague, unclear and leaves too much room for interpretation
Sector is still waiting for clarifications by Privacy commission, BIPT/IBPT or FOD Economy…
23. Data Driven Marketing and the EU
Cookies
EU point of view however is very clear
“Working Party 29”
Rules in neighbouring countries are clear
(Netherlands: toned down at the beginning of 2015 for Google Analytics)
24. Data Driven Marketing and the EU
Cookies
Opt-in should be:
Free (i.e. website visit possible without opt-in)
Explicit (requires active deed by visitor)
Informed (prior info)
Prior to placing cookies
Revocable
25. Data Driven Marketing and the EU
Cookies
2015
Netherlands tones down law
France holds giant “cookie sweep”
Spain inflicts high penalties
Italy imposes use of overlays
Belgium…?
26. Legal update in e-commerce
E-shop Expo, Brussels, 18 March 2015
Cookies
2016-2017
Juncker commission announces review
Streamlining with Privacy regulation
Also: technical evolution (fingerprinting, etc…)
Absolutely unclear what is going to happen in upcoming 2 to 3 years…
27. Media & advertisement law
Copyright - trademarks - database - software - knowhow
Travel & consumer protection
Tax & tax planning
IT, Internet & e-commerce
Privacy & cookies
Gambling & gaming
Sirius Legal