DMA Legal update winter 2013 - 17 december


Published in: Marketing, Technology

  1. Data protection 2013. DMA Legal update: winter 2013, Tuesday 17 December, #dmalegal. Next event: Friday 8 February, #dmadata. Supported by [sponsor logo]
  2. Agenda
     • 8.30am - Registration and breakfast
     • 9.00am - Welcome
     • 9.05am - Data Protection Regulation: the current position, potential changes and the impact on the industry. Caroline Roberts, Director of Public Affairs, DMA; James Milligan, Solicitor, DMA
     • 9.55am - Questions
     • 10.05am - Round up: Consumer Rights Bill and Consumer Rights Directive. Janine Paterson, Solicitor, DMA
     • 10.35am - Questions
     • 11.00am - Close
  3. EU Draft Data Protection Regulation: the current position, potential changes and the impact on the industry. Caroline Roberts, Director of Public Affairs, DMA; James Milligan, Solicitor, DMA
  4. Impact of the new Data Protection Regulation – Why now?
     • Data Protection Directive 95/46/EC ("Directive") (implemented in the UK by the 1998 Data Protection Act) is showing its age
     • New technologies and more complex information networks
     • Lack of common European law and differences in national implementation
     • Consumer concern over privacy
     • Data protection is now a fundamental right under the EU Charter of Fundamental Rights
  5. EU data protection reform timeline
     • Jan 2012 – first draft Data Protection Regulation ("DPR")
     • December 2012 – amendments suggested by the Rapporteur of the EC Committee on Civil Liberties, Justice and Home Affairs ("LIBE Report")
     • February – May 2013 – reported that 4000 amendments were tabled
     • May 2013 – partial "compromise" draft from Justice and Home Affairs Ministers ("CD")
     • October 2013 – LIBE voted on amendments
     • October 2013 – Heads of Government meeting
     • December 2013 – inconclusive Justice and Home Affairs Ministers meeting
  6. EU data protection reform timeline (continued)
     • Jan – ?? 2014 – civil servants' working group meetings continue
     • Mar 2014 – next Justice and Home Affairs Ministers meeting
     • April 2014 – all MEPs vote on the LIBE report
     • June 2014 – European Parliament elections
     • ?? Sept – Dec 2014 – three-way negotiations (trilogue) between the European Commission, Justice and Home Affairs Ministers and the European Parliament
     • ?? Dec 2014 – Regulation is passed in Brussels
     • ?? Dec 2016 – deadline for implementing the new Regulation into UK law
  7. Changes proposed by the European Parliament to the draft Data Protection Regulation (LIBE Report)
     • LIBE report adopted in Oct 2013
     • Proposes a number of changes to the European Commission's original text
     • Majority of changes favour consumers rather than businesses
  8. The "compromise draft" agreed by EU Justice Ministers, 31 May 2013
     • "More business friendly" compromise draft ("CD") is only partial: Chapters I-IV
     • More changes to Chapters I-IV may be needed once the remainder has been updated
     • Regulation or Directive? – wording proposed allows for the Regulation to be transformed into a Directive (supported by 8 member states)
     • CD already criticised by Commissioner Reding, France and Germany as a backward step
     • Ministers currently getting bogged down on the one-stop shop
  9. Headline proposed changes
     • Expanded definitions: "personal data" and "data subject"
     • Explicit consent required
     • Right to be forgotten
     • Greater emphasis on accountability
     • Notification of data security breaches
     • More onerous sanctions for breach
     • Data processors directly covered
  10. Consent
     Consent: Current Position
     • Freely given, specific, informed indication of the data subject's wishes
     • Explicit consent required for sensitive personal data only
     Consent: Proposed Position
     • Freely given, specific, informed and explicit indication of the data subject's wishes
     • Given either by a statement or a clear affirmative action
     • Data controller / data subject relationship to be taken into account
     • Burden of proof on the controller to demonstrate consent
  11. Introduction of opt-in/explicit consent
     • Review language used at the point of data collection to ensure that consent is explicit / opt-in
     • Do people understand what they are agreeing to? – nation of liars
     • Think about how you will update legacy databases
     • Children – consent wording for under-13s if offering them an information society service
  12. Key points in the draft Regulation: IP addresses and cookies
     • Definition of personal data extended so it could cover some IP addresses and cookies as "online identifiers"
     • But IP addresses identify a device, not an individual, and some IPs are general
     • Huge implications for digital marketers
     • Web analytics & profiling made much more difficult, if not impossible
     • Interaction with new cookie rules problematic
  13. IP addresses and cookies
     • Think about how you will deal with the extension to include location data, IP addresses, cookies and online identifiers
     • Pseudonymous/anonymous data – will you be able to take advantage of exceptions?
  14. Key points in the draft Regulation: The right to be forgotten
     • Right for individuals to request organisations to delete any information held on them
     • Drafted with social media in mind – but goes beyond this
     • Problem of information that has already been passed on to third parties
     • Possibility of misleading consumers by raising unrealistic expectations
     • Changes to current text likely
  15. The right to be forgotten
     • Prepare to respond to requests
     • Deletion / suppression
     • Other legal requirements to keep information, e.g. accounting, tax, money-laundering
  16. Key points in the draft Regulation: Data breach notification
     • Any data security breach to be notified to the ICO and the individuals concerned within 24 hours
     • Report to cover:
       – nature of breach
       – number of data subjects
       – categories of data
       – proposed mitigation
     • Not always obvious if there has been a breach or how extensive it is
     • Problem of notification fatigue
     • No threshold level specified
  17. Data security breach notification
     • Introduce breach detection and notification procedures
     • Think about how you will notify data protection authorities and affected individuals within whatever timescale is agreed
     • Develop/review your data breach response plan
  18. Key points in the draft Regulation: Subject Access Requests (SARs)
     • Data subjects to be able to request full information on data held on them free of any charge
     • Currently can levy a £10 fee – doesn't cover cost but deters time-wasters, frivolous or vexatious requests
     • Costs organisations £50 million p.a. now to meet SARs
     • Proposal that data can be provided in electronic form if the data subject agrees to this
     • Particular problem for financial services with mis-selling issues and claims management firms
  19. Subject Access Rights
     • New Regulation may lead to increased public awareness of rights, e.g. the right to request information (Data Subject Access Requests, Right to be Forgotten)
     • Plan ahead for an increase in queries from clients/public
     • Training for client/customer service teams
     • Amend wording on privacy policies/data collection notices to take account of new rules on profiling
  20. Key points in the draft Regulation: Compliance obligations
     • Data protection obligations now shared between agencies and clients, for example if holding a client's database
     • Privacy by Design / Privacy by Default
     • Appointment of a DP officer (250+ employees)
       – 2 year appointment
       – Independent reporting to board
     • Information and training
     • Maintenance of documentation
     • Data protection impact reports
     • International transfers of data outside the EEA – law would apply to any processing of data on EU citizens
  21. Compliance obligations
     • Review the amount of data being processed, erasure policies and data retention policies
     • Requirement to demonstrate compliance will mean more documentation in respect of policies and procedures
     • Contact centres, mailing houses, email/SMS broadcasters will also be subject to these new obligations, especially in respect of data security
     • Review staff training in data protection
     • Appointment of a data protection officer?
     • Risk-based approach to compliance and data protection impact assessments
  22. Key points in the draft Regulation: Proposed enhanced sanctions
     • Up to €500k or 1% of annual worldwide turnover for intentional or negligent failure to respond to subject access requests in accordance with the Regulation
     • Up to €1m or 2% of annual worldwide turnover for other compliance failures
     • Depends on:
       – size of organisation involved
       – nature and gravity of breach
       – whether intentional or negligent
       – technical and organisational measures
       – previous breaches
       – co-operation with the ICO
  23. Enhanced sanctions/fines
     • Watch out if you get it wrong!
     • Increased focus on compliance – board level issue
     • Review internal policies and procedures
  24. Key points in the draft Regulation: Delegated Acts
     • Many details to be implemented through additional delegated legislation – some 45 Delegated Acts mentioned
     • Details will not be clear until the Regulation is passed
     • These areas of secondary legislation will include:
       – powers to specify further procedures
       – technical standards for Privacy by Design/Default
       – specification of lawful processing conditions
       – additional responsibilities for national data protection authorities; etc.
     • European Commission taking significant powers to itself away from the national authorities – raises serious issues of subsidiarity and accountability
     • National governments and Data Protection Authorities are concerned
  25. Key points in the draft Regulation: Cross-border issues
     • Main establishment / one-stop shop provisions
     • Think about which country's national data protection authority will be the lead regulator
     • Possibility of changing the country where the head office is located
     • Review arrangements for transfers of data outside the EEA (28 Member States of the EU + Iceland, Liechtenstein, Norway)
     • Global group – application to EU citizens' personal data
  26. Impact on direct marketing
     • Existing databases may not be usable: could decimate prospect lists. Legacy data?
     • No tracking data, profiling or segmentation without explicit consent – less targeted and more generic communication?
     • List broking severely restricted
     • New information requirements and rights of the data subject, e.g. Right to be Forgotten
     • Increased costs – £76,000 per business to comply + possible £47 billion of lost sales in the UK
  27. Draft Regulation – DMA View
     • DMA welcomes the Commission's aim to reduce red tape and simplify bureaucracy – but the proposals do not achieve that: overly strict, bureaucratic and unworkable
     • Needs to be a fair balance between privacy and legitimate business interests
     • Current proposals will stifle innovation, add considerably to business costs and place unnecessary obstacles in the way of ecommerce jobs growth
     • Will be particularly harmful to SMEs – MoJ says demonstrating compliance will cost £10m p.a.
     • Hard to say how the Commission's estimate of a 2.3 billion euro saving to businesses was calculated
  28. Ministry of Justice
     • Disagrees with the Commission's 2.3bn Euro savings – burdens imposed will far outweigh net benefits: UK cost estimated at £100-360 million
     • Many unintended consequences, especially for SMEs
     • Changes to consent, profiling & definition of personal data particularly costly to industry
     • Likely knock-on effects for growth in the technology sector and internet economy
     • Regulatory Impact Assessment quotes DMA's figures & examples
     • Impact on behavioural advertising
     • Creates unrealistic expectations for consumers – R2BF (right to be forgotten) proposal is "unworkable"
  29. Key lobbying messages
     • Data is essential for economic growth
     • UK has a leading role in the EU digital economy
     • SMEs particularly affected
     • Transparent and responsible use of data is a vital business practice
     • In industry's interests to handle data with care
     • Self-regulation has a valid role to play
     • Regulation will not stop bad players
     • The proposed regulation is bad for consumers
       – Would damage users' online experience
       – Danger of tick-box culture & unrealistic expectations
     • Need a proportionate data regime that recognises that not all data is the same
       – Personal data, sensitive data, anonymous/pseudonymous data
       – Different levels of protection required
  30. Lobbying activity
     • In Brussels with key individuals in Council, Commission & Parliament, e.g. MEPs & advisers; party groups
     • In the UK, Ministers in MoJ, DCMS, BIS, HM Treasury + Opposition spokesmen
     • Alliance of interests – UK Data Group, FEDMA, CBI, etc. – for collective lobbying of Council and Parliament & lobbying directly where there is no national DMA
     • Position papers on priorities for industry + draft amendments to text
     • Research on consumer attitudes to privacy and on the economic value of the DM industry
  31. DMA lobbying toolkit
  32. Current UK ICO issues
     • Privacy impact assessments
     • Anonymisation code
     • Direct marketing guidance
     • ICO 2020 Strategic Vision
  33. Direct marketing guidance
     • ICO interpretation does not change the law
     • Issued 9 September
     • Retrospective, transitional period
     • Respect consumer expectations and preferences
     • Tightening up of third-party consent for digital marketing
     • Time limits for consent
     • Proof of consent
     • DMA has written to the ICO
     • Meeting in January 2014
  34. Draft Privacy Impact Assessment Code of Practice
     • Consultation closed 5 November 2013
     • Annex 1 – PIA screening questions
     • Annex 2 – PIA template
     • Annex 3 – PIA and data protection principles
     • Relevance to draft Regulation
  35. Anonymisation Code of Practice
     • Issued 20 November 2012
     • Re-identification – "motivated intruder" test and risk assessment of future identification
     • Big Data – does it make anonymisation of data impossible?
     • Consent – "legitimate interests"
     • Pseudonymous and anonymous data may be included in the draft Regulation
  36. ICO 2020 Strategic vision
     • Challenges
     • What and how the ICO expects to do over the next 5 years
  37. Contacts
     • Caroline Roberts, Director of Public Affairs, DMA. T - 020 7291 3346
     • James Milligan, Solicitor, DMA. T - 020 7291 3347
     • Legal Advice Helpline. T - 020 7291 3360
  38. Questions? Caroline Roberts, Director of Public Affairs, DMA; James Milligan, Solicitor, DMA
  39. Consumer Law and other key issues. Janine Paterson, Solicitor, DMA
  40. Consumer Rights Bill
     • Published in draft in June 2013. BIS hoping it will come into force, together with the UK implementation of the Consumer Rights Directive, by June 2014.
     • A major overhaul of existing consumer rights legislation – consolidating 100+ consumer laws and introducing new rights for consumers and businesses.
     • Follows two consultations late last year by BIS on goods, services and digital content; and the Law Commission & Scottish Law Commission's on unfair contract terms.
  41. Consumer Rights Bill
     • Basic rights not changing
     • Aim to present rights and remedies in a simpler and clearer way to make consumers better informed and empowered
     • 3 parts:
       – Consumer contracts for goods, digital content and services – rights and remedies
       – Unfair terms in contracts
       – Miscellaneous: investigatory powers, enhanced consumer measures, enforcement, competition, etc.
  42. Consumer Rights Bill – Rights and remedies:
     • To receive some money back after one failed repair to faulty goods (or one faulty replacement)
     • To have substandard services redone or receive a price reduction
     • To receive a repair or replacement of faulty digital content such as film/music downloads, e-books and online games
     • To return faulty goods within 30 days and receive a refund
     • Collective redress allowing consumers and companies to challenge anti-competitive behaviour.
  43. Consumer Rights Bill
     • Consolidates the law around unfair terms in contracts with consumers.
     • Fairness to be determined by taking into account:
       – The subject matter
       – All the circumstances existing when the term was agreed
       – All the other terms of the contract or any other contract on which it depends
     • Various terms listed that cannot be assessed for fairness
  44. The Consumer Contracts (Information, Cancellation and Additional Payments) Regulations 2013
     • Implementation of some of the EU Consumer Rights Directive, which was passed in 2011
     • In most areas, implementation will follow the Directive.
     • Regulations deal with contracts between a trader and a consumer:
       – Made on-premises, i.e. a shop
       – Made off-premises, i.e. at the consumer's home or place of work, and
       – Made at a distance, i.e. by telephone or over the internet.
     • Certain contracts are excluded, including gambling, health services and services of banking and insurance.
  45. Three main areas
     • Information
       – Depending on the type of contract, the trader must provide certain information.
       – Many provisions already exist but new ones are introduced, especially around digital content, where information on what systems or hardware is compatible will need to be given.
     • Cancellation
       – Consumers have 14 days to cancel off-premises and distance contracts – double the current provision
       – Consumers have to return goods
       – Traders can withhold the refund until goods are returned
       – Traders can deduct from the refund where the consumer has handled the goods more than expected.
  46. Three main areas – cont.
     • Hidden costs
       – Consumers will have to give active consent for all payments, and the use of pre-ticked boxes for additional charges will not be allowed
       – Customer service telephone lines can only be charged at the basic rate – premium rate lines will be banned
  47. The Consumer Protection from Unfair Trading (Amendment) Regulations 2013
     • Amendments to the 2008 regulations to allow consumers who have been victims of misleading or aggressive practices to seek redress. Covers three types of contract:
       – Sale or supply of a product to a consumer by a trader;
       – Sale or supply of a product to a trader by a consumer;
       – A payment by a consumer to a trader.
     • Need to show:
       – purchased a product from a trader;
       – trader engaged in behaviour that was either misleading under Regulation 5 or aggressive under Regulation 7.
     • Remedies – depending on the type of contract:
       – Unwind the contract and get a refund;
       – Discount on the product;
       – Damages for the breach.
  48. The Consumer Protection from Unfair Trading (Amendment) Regulations 2013
     • Misleading: includes
       – providing false information or information that could deceive the average consumer;
       – marketing a product which causes confusion with a competitor's products;
       – failing to comply with a Code of Practice when you say you do.
     • Aggressive: includes
       – timing and location of the behaviour;
       – whether any threatening or abusive language is used; or
       – any exploitation by the trader of the consumer's personal circumstances.
  49. Other issues
     • Electoral register
       – Electoral Registration & Administration Act 2013 – introduction of individual electoral registration, and the system opened up for online application in 2014.
       – Edited version of the register will be kept, but there is an issue on opt-outs.
     • Employment
       – TUPE – Government consultation on changes
     • Environment
       – Unaddressed mail preference service – awaiting DEFRA input
  50. Other issues
     • Financial
       – FSA replaced by the Financial Conduct Authority and the Prudential Regulatory Authority on 1 April 2013
       – New vision – "To make relevant markets work well so consumers get a fair deal"
       – Consumers get financial services and products that meet their needs from firms they can trust
       – Markets and financial systems are sound, stable and resilient, with transparent pricing information
       – Firms compete effectively with the interests of their consumers and the integrity of the market at the heart of how they run their business
  51. Other issues
     • Postal
       – Postcode address file – Royal Mail consultation on proposed changes: simplify licensing process; change payment structure
       – DMA met with RM to express member concerns
       – RM have now responded to the consultation
     • Telemarketing
       – Culture, Media and Sport Commons Select Committee enquiry into unsolicited phone calls. Report published 5th December.
       – John Mitchison gave evidence on behalf of TPS and George Kidd on behalf of the Direct Marketing Commission.
       – The DMA also submitted written evidence.
       – Nuisance Calls All Party Parliamentary Group enquiry: TPS and DMA submitted written evidence.
  52. Contacts
     • Janine Paterson, Solicitor, DMA
     • Legal Advice Helpline. T - 020 7291 3360
  53. Questions? Janine Paterson, Solicitor, DMA; Caroline Roberts, Director of Public Affairs, DMA; James Milligan, Solicitor, DMA
  54. Thank you!