2. Connect with the DMA…
• The #tag for this event is: #dmalegal
• LinkedIn: DMA: Direct Marketing Association (UK)
Limited
• Twitter: @DMA_UK/ @DMANorth
• DMA Website: http://www.dma.org.uk
• Email: dma@dma.org.uk or events@dma.org.uk
• Phone: 020 7291 3300 or 0161 918 6780
3. Today’s agenda
• 09.00 – 09.30 Registration and Coffee
• 09.30 – 09.35 Welcome and Introduction
• 09.35 – 10.05 Data Protection Regulation
– Richard Parkinson, Legal Director Pinsent Masons and
Samantha Livesey, Partner, Pinsent Masons
• 10.05 – 10.35 Data Protection Regulation
– Caroline Roberts, Director of Public Affairs, DMA and James
Milligan, Solicitor, DMA
• 10.35 – 10.55 Refreshment Break
• 10.55 – 11.15 Cookies – New Privacy Regulations
– James Milligan, Solicitor, DMA
• 11.15– 11.30 Hot Industry Issues
– Caroline Roberts, Director of Public Affairs, DMA and James
Milligan, Solicitor, DMA
• 11.30 – 12.00 Panel Debate and Close
4. The Proposed New EU Data
Protection Regulation
Samantha Livesey and Richard Parkinson
5. Agenda
1. Introduction
2. Timescale
3. Headline proposed changes
4. Summary of main changes from current regime
5. Some specifics + considerations for compliance
8. From proposal to law: legislative process
to implementation
• Hearings: May to Nov 2012
• Draft report published: Nov 2012
• Amendments to text: Dec 2012
• Committee stage: Jan to April 2013
• Lead committee Parliamentary vote: April 2013
• Q1. 2014?
Timeline markers: May 2012, December 2012, April 2013, 2014
10. Headline proposed changes
• Data processors directly covered
• Expanded definitions: “personal data” and “data subject”
• Explicit consent required
• Right to be forgotten
• Greater emphasis on accountability
• Notification of data security breaches
• More onerous sanctions for breach
11. Consent
Consent: Current Position
- Freely given, specific, informed indication of the data subject’s wishes
- Explicit consent required for sensitive personal data only
Consent: Proposed Position
- Freely given, specific, informed and explicit indication of data subject’s wishes
- Given either by a statement or a clear affirmative action
- Data controller / data subject relationship to be taken into account
- Burden of proof on controller to demonstrate consent
12. Greater accountability
• Public bodies / companies <250 staff
• Appointment of DP officer
2 year appointment
independent reporting to board
inform
train
• Maintenance of documentation
• Data protection impact reports
13. Data security breach notification
• Mandatory notification
• Within 24 hours of becoming aware of breach
• Report to cover:
nature of breach
number of data subjects
categories of data
proposed mitigation
14. Data security breach roadmap
• INCIDENT: A data security incident occurs
• NOTIFY: Notify insurer immediately
• ALERT: Involve your security breach response team
• INVESTIGATE: Find out what happened
• CONTAIN: Prevent/limit any further data loss
• ASSESS: What are the potential consequences?
• RESPOND: Complete your security breach response plan
• EVALUATE: How successful was the incident response?
NOTIFY ICO WITHIN 24 HOURS
15. Proposed enhanced sanctions
• Depend on:-
Size of organisation involved
Nature and gravity of breach
Whether intentional or negligent
Technical and organisational measures
Previous breaches
Co-operation with ICO
16. Proposed enhanced sanctions
• Up to €250k or 0.5% annual worldwide turnover for
intentional or negligent failure to operate a proper subject
access request
• Up to €500k or 1% annual worldwide turnover for intentional
or negligent failure to respond to subject access requests
in accordance with Regulation
• Up to €1m or 2% of annual worldwide turnover for other
compliance failures
17. Winners and Losers
Winners
• Data Protection Officers
• Data subjects? Genuinely better protection for them?
• Multinational businesses seeking to operate in a genuinely single
European market
• The (few?) national supervisory authorities likely to receive increased
funding
• Initiatives for information sharing on cyber/data security incidents: both
industry groups and government
Losers
• Data processors
• Data subjects? Consumers: Increased burden and cost of compliance
passed on
• Other national supervisory authorities: increased duties; same resources
• The many industries that operate using “indirectly identifiable data”
(or in the “grey zone”)
22. Draft EU Data Protection
Regulation
DMA View and Lobbying
Activity
Caroline Roberts, Director of Public Affairs
James Milligan, DMA Solicitor
23. Draft Regulation
- DMA View
• DMA welcomes the Commission’s aim to reduce red tape
and simplify bureaucracy – but proposals do not achieve
that: overly strict, bureaucratic and unworkable
• Needs to be a fair balance between privacy and legitimate
business interests
• Current proposals will stifle innovation, add considerably to
business costs and place unnecessary obstacle to
e-commerce jobs growth
• Will be particularly harmful to SMEs
• Hard to say how Commission’s estimate of 2.3 billion euros
saving to businesses was calculated
24. “The proposed EU Data Protection Regulation
could cost the UK £47 billion in lost sales
According to the businesses polled for the study,
the proposed EU legislation could cost UK each
an average of £76,000.
Crucially, if these results were representative of
the UK economy as a whole, this would translate
into a potential cost of £47 billion to UK
businesses, concentrated amongst mainly
SMEs.”
25. Key points in the draft Regulation
Opt-in and opt–out - obtaining consent
• General rule for direct marketing – “explicit consent by
clear statement or affirmative action” .
• Possible legitimate interests exemption ?
• Legacy databases – what about data collected under
current law?
• At odds with existing rules on voice calls, email and
SMS marketing
26. Key points in the draft Regulation
IP addresses and cookies
• Definition of personal data extended so could cover some IP
addresses and cookies
• But IP addresses identify a device not an individual + some
IPs are general
• Huge implications for digital marketers
• Web analytics & profiling made much more difficult, if not
impossible
• Interaction with new cookie rules
27. Key points in the draft Regulation
The right to be forgotten
• Right for individuals to request organisations to delete any
information held on them
• Drafted with social media in mind – but goes beyond this
• Problem of information which has already been passed on to
third parties
• Possibility of misleading consumers by raising unrealistic
expectations
• Suppression files.
28. Key points in the draft Regulation
Subject Access Requests
• Data subjects to be able to request full information on data
held on them free of any charge
• Currently can levy a £10 fee – doesn’t cover cost but deters
time-wasters, frivolous or vexatious requests.
• Costs organisations £50 million p.a. now to meet SARs
• Proposal that can provide data in electronic form if data
subject agrees to this
29. Key points in the draft Regulation
- Marketing to Children
• General rule – parental consent required for under 18’s
• Exception for online marketing to children above age of 13
• No flexibility – a risk-based approach would be better.
30. Key Points in the draft Regulation –Delegated
Acts
• A major concern is that much of the detail of the Regulation
will be implemented through additional delegated legislation –
some 45 Delegated Acts are mentioned.
• Details of this secondary legislation will not be clear until
Regulation passed
• These areas of secondary legislation will include:
• powers to specify further procedures
• technical standards for Privacy by Design/Default
• specification of lawful processing condition
• additional responsibilities for national data protection
authorities; etc.
• European Commission will be taking significant powers to
itself away from the national authorities - raises serious issues
of subsidiarity and accountability
31. Current position - UK
• Government reshuffle
• at MoJ Helen Grant replaces Lord McNally.
• MoJ Data Protection Advisory Panel
• DMA invited to join
• Justice Select Committee enquiry
• DMA submitted evidence
• 3 oral hearings ICO, Minister, FSB, Privacy
International, Microsoft, Which?
• Focus on bureaucratic burdens, benefits of
harmonisation, Right to be Forgotten
• Report in October to EU Scrutiny Committee
• Allies
• CBI; Federation of Small Business; Which? etc.
• DMA Research
• Data Privacy: What the Consumer Really Thinks and
on the economic value of the dm industry, Putting a
Price on Direct Marketing
32. Current position – UK Data Group
• DMA chairing industry group under Advertising Association
umbrella - to co-ordinate lobbying efforts
• + ISBA, IPA, MRS, IPM, Sky, ITV, Channel 4, Microsoft,
Google, Facebook
• Ministerial Round Table on 23rd October
• Set of draft amendments to propose
• Priorities agreed: definition of personal data; profiling; consent;
impact on small businesses; compliance costs
• Mapping exercise of key individuals to target – pooling of
intelligence on lobbying outcomes
33. Current position – Brussels –
Council of Ministers
• Council of Ministers Working Group meeting
monthly
• Initial reports indicate UK Government (and
others) taking a helpful and business-friendly
stance – many object to delegated acts; find it
too prescriptive and blunt in outlook on risk
and harm & would prefer a more principles-
based approach.
• UK pushing for Directive, rather than
Regulation – as is Germany
34. Current position – Brussels –
European Parliament
• Lead Committee = LIBE
• Civil Liberties, Justice & Home Affairs
• Rapporteur is German Green MEP
• Aiming for Draft Report for discussion in
December with vote in early 2013
• 4 other Committees will produce reports
• ITRE – industry & trade
• IMCO – Internal Market & Consumer Protection
• Juri – Legal
• Employment & Social Affairs
35. Current position – Brussels -
FEDMA
• FEDMA co-ordinating central European effort, a link point for
exchange of intelligence on lobbying outcomes in different
Member States
• Organising meetings in Brussels with key individuals in
Council, Commission and Parliament, e.g. Cypriot Presidency;
advisers to key MEPs; party group secretariats.
• Produced a FEDMA position paper on priorities for industry +
draft amendments to text
• Lobbying directly where there is no national DMA
• DMA participating in Europe-wide group, Data Industry
Platform – for collective lobbying + current research project by
KPMG on likely effect of Regulation on European industry
36. Next steps
• Industry Round Table with MoJ and DCMS Ministers –
23rd October
• Contact key UK MEPs
• Promote suggested amendments to Regulation – to UK
MEPs and via FEDMA to others
• Lobby UK political leaders to influence their MEPs in EU
Parliament
• Continue to engage with key Commission, Council and
Parliament civil servants and advisers
37. Timing
• Council Working Party meets on 25/26
September + 4 more meetings in 2012
• 6th December – Council Ministers meet
• LIBE lead EP Committee – meeting with
national parliaments on 9/10 October; will
produce working document in mid-October &
draft report in late November
• Other 4 Committees in parallel
• ???????? 2014.
44. What does the law require?
• The EU's revised privacy and
communications directive came into
force on 26 May 2011
• EU laws have been in place since 2003:
clear information requirement.
• The changes in May dramatically
tightened the rules: clear information
and consent from users to store a
cookie on their device.
45. The law doesn’t just cover cookies
• The law isn’t actually about cookies, but because it affects
them so much people have started calling it the ‘Cookie
Law’
• The law covers all technologies which store information in
the “terminal equipment" of a user, and that includes so-
called Flash cookies (Locally Stored Objects), HTML5
Local Storage, web beacons or bugs…and more
• This applies to email and mobile marketing too!
46. In practice
Those setting cookies must:
• tell people that the cookies are there,
• explain what the cookies are doing, and
• obtain their consent to store a cookie on
their device.
47. Two exemptions from consent
requirement
• 1. “use of cookie is for the sole purpose of
carrying out the transmission of a
communication over an electronic
communications network“
• 2. “cookies that are strictly necessary for the
provision of a service”
– e.g. internet banking, online shopping
carts, website log-ins
48. What steps should you have been
taking?
Follow the ICO’s guidelines:
1. Check what type of cookies and similar technologies
you use and how you use them.
2. Assess how intrusive your use of cookies is.
3. Decide what solution to obtain consent will be best
in your circumstances.
49. Check what type of cookies you use
• This might have to be a comprehensive audit of your
website or it could be as simple as checking what data
files are placed on user terminals and why.
• You should analyse which cookies are strictly necessary
and might not need consent.
• You might also use this as an opportunity to ‘clean up’
your webpages and stop using any cookies that are
unnecessary or which have been superseded as your
site has evolved
• And also check that you have identified ALL your
websites.
50. Assess how intrusive your use of
cookies is
• ….It might be useful to think of this in terms of a
sliding scale, with privacy neutral cookies at one
end of the scale and more intrusive uses of the
technology at the other.
• You can then focus your efforts on achieving
compliance appropriately, providing more
information and offering more detailed choices at
the intrusive end of the scale.
51. Decide how to obtain consent
• Once you know what you do, how you do it and for what
purpose, you need to think about the best method for
gaining consent.
• The more privacy intrusive your activity, the more you
will need to do to get meaningful consent….
– Pop-up box
– Splash page
– Landing page
– Webpage header, banner or scrolling text
– Through T&Cs for registered website users
• Cannot currently rely on users’ browser settings!
54. Hot Industry Topics
• Consumer Rights legislation
• Marketing to children
• Telemarketing
• Financial services
• Alcohol marketing
• Postal Affairs
• Environment
55. Consumer Law – all change
• UK consumer law is not fit for purpose.
• Outdated language and concepts not
appropriate in age of digital downloads
and international online retail.
• To help consolidate and simplify
consumer law for the benefit of
consumers and traders, the
Government has launched three
consultations.
56. 1. Consumer Rights Bill
• BIS consultation proposes a range of options to clarify the rights
and remedies for goods and services, including digital content,
including:
• Replace the current system of implied terms with a clear set
of statutory guarantees when purchasing goods
• Set a clear time limit for a short term right to reject
• Clarify the number of times a retailer can repair sub-
standard goods before being obliged to replace them
• Replace “reasonable care and skill” with statutory
guarantees for service levels
• Introduce statutory remedies for sub-standard services
• Clarify the rights and remedies available when buying digital
content.
• If implemented, these changes will see a complete change to how
consumer law protects people when buying goods and services, and
will introduce concepts that will allow for developments in
technology.
• This consultation closes on 5 October
57. 2. Unfair terms in consumer contracts: a
new approach
• Current law on unfair terms in consumer contracts
contained in two pieces of legislation which have their
own inconsistencies and overlapping provisions.
• As part of consultation on package of measures to
simplify and consolidate consumer law, the Law
Commissions asked to review and update 2005 report
in relation to its general consumer recommendations.
• Also asked to look at one specific issue: Which terms in
a contract should be excluded from any rules? (has
arisen from 2009 litigation over bank charges)
• Their advice to be published spring 2013.
• Consultation looks at recommendations in 2005 report
and updates some proposals in light of changes since.
• The consultation closes on 25 October.
58. 3. Implementation of the Consumer Rights
Directive
• Agreed by the European Commission in 2011 – into UK law
by April 2014.
• Focused on harmonising and simplifying rules in a few key
areas of consumer law:
• Information that must be given to a consumer before s/he
buys goods or services on a trader’s premises
• Information that must be given to a consumer before s/he
buys goods or services away from a trader’s premises, for
example a fair, or at a distance (eg online)
• Cancellation rights and responsibilities when a consumer
buys goods or services away from a trader’s business
premises or at a distance
• Delivery times for goods and where responsibility lies if
there is a problem
• Post-contract helplines – these now cannot be a premium
rate but can only be a basic rate call
• Additional payments – these are payments that are charged
on top of the price of the goods or services. They now need
to have active or express consent so pre-ticked boxes will
no longer be allowed
• Payment fees (eg credit card surcharges).
59. Consumer Rights Directive – UK implementation
• Payment fees are also subject to a separate consultation,
issued by the Department for Business Innovation and Skills
on 3 September
• Many of the provisions of the Consumer Rights Directive have
to be implemented as agreed in Europe but the consultation
looks at some areas where there is leeway in how the UK
Government implements the provisions. These include
applying the provisions to sectors exempted by the Directive,
for example healthcare and social services, setting a minimum
value for a transaction to be subject to the provisions and
dealing with emergency repairs in the home.
• Aims to put an end to certain bad business practices and help
consumers make well informed decisions when buying
products or services.
• Also to boost business confidence, setting out clearer rules
and responsibilities and cutting red tape by reducing
compliance costs.
• Consultation closes on 1 November.
60. Marketing to children
• General political concern about over-commercialisation
• Bailey Review on Commercialisation and Sexualisation of
Childhood – “Letting Children Be Children” - report
published 2011
• Says role and practice of advertising in broadly good
shape – praises industry initiatives, e.g. CHECK
• 5 key recommendations:
• Sexual imagery on billboards, magazine covers.
• No under-16 brand ambassadors & peer to peer
techniques
• Harmonisation of the age of a child at 16
• Website for parents to complain
• Improving industry and regulatory understanding of
parental concerns
61. Marketing to children – industry response
• Children’s Panel set up to monitor advertising to children and
take forward issues of concern
• Parent Port – gateway portal for parents for information,
advice, complaints, etc.
• Research - Credos, Advertising Association think tank
• UK Brand Ambassador and Peer-to-Peer Marketing Pledge:
• Agreed principle that
“ Young people under the age of 16 should not be
employed directly or indirectly paid or paid-in-kind to
actively promote brands, products, goods, services,
causes or ideas to their peers, associates or friends”
• 30+ national company signatories + 13 trade associations,
including DMA
• Industry awareness campaigns
62. Marketing to children- latest developments
• Consultation on extending age rating system to
music DVDs and Blu-rays
• Govt encouraging industry to introduce clear
warnings on explicit videos online
• Govt finalising legislation to implement the new
classification system for video games
• Govt asking ASA to consider whether more
should be done to spell out commercial intent of
advergames to young people and parents
63. Telemarketing
OFCOM issued consultation 4th April on Simplifying Non-
geographic Numbers - detailed proposals on the unbundled
tariff and Freephone
• Non-geographic numbers include 03, 080, 0845, 0870, 083/4,
0871/2/3, 09 and 118 numbers.
• Used to call businesses and Government agencies, to get
information, make payments for services and vote on TV
shows. Nearly every consumer and every company in the
country uses these numbers in some way.
• Confusion about the price – even freephone not clear cut
• Concerns about revenue sharing.
64. Telemarketing
• Main proposals:
– Freephone: (080 and 116 numbers) to be free from all
telephones, landline and mobile;
– 03: to become the only non-geographic number range
linked to the price of a call to a geographic number (i.e.
the 01/02 number ranges);
– Revenue sharing ranges: (084, 087, 09 and 118
numbers -where a portion of the retail charge is passed
back to the receiver of the call) are to have a common
simplified structure.
• Consultation closed 27th June 2012 – now awaiting
Government’s response
65. Financial Services
• EU Gender Directive
– In force 21st December 2012
– ECJ ruled 1st March 2011 that gender sensitive pricing
is contrary to the principle of equal treatment in EU
law
– Therefore gender neutral pricing will become the norm
- Unisex premiums would see the lower-risk gender
paying more to subsidise the high-risk gender
66. Financial Services
• Re-architecture of financial services regulatory
environment
• Replacement of FSA by Financial Conduct
Authority and Prudential Regulatory Authority
• Banking Reform Bill – ring fencing of retail and
investment arms within banks included in
Queen’s Speech 2012.
67. Financial Services – consumer credit
• Consumer Credit in limbo- move to FCA?
– Investigations into payday loans and payment
protection insurance have raised the issue of
standards in the consumer credit market
– BIS Committee of MPs has called for tighter controls
on debt management companies and payday
lenders
• Charge higher licensing fees for higher risk
credit businesses
• Put in place a fast track procedure to suspend
credit licences
• Give the regulator the power to ban harmful
products
68. Financial Services – consumer credit
• BIS Consultation on the Early
Implementation of a Ban on Above Cost
Payment Surcharges
• Credit/Debit Card charges
• Consultation closes 15 October 2012.
69. Alcohol
• Government issued its Alcohol strategy on 23rd March
• Focus on pricing issues
• Minimum pricing in Scotland to be introduced –
implications for rest of UK?
• Positive comments on the work of self-regulation
• Commons Health Select Committee holding an inquiry
into the Government’s proposals, looking at:
– effects of marketing on alcohol consumption, in particular
in relation to children and young people.
– international evidence of the most effective interventions
for reducing consumption of alcohol and evidence of any
successful programmes to reduce harmful drinking, such
as: education; reduction in strength; raising legal drinking
age; and plain packaging and marketing bans.
70. Postal issues
• Reversions issue with Royal Mail
• DMA in discussions with RM to secure a more
beneficial outcome – hosted summit in August
• Making progress
• VAT – single supply of services
71. Environment
• The DMA and Defra signed a Responsibility Deal in 2011.
• Part of this was the introduction of a new website where
householders can opt-out of receiving all types of advertising
mail.
• Aim to reduce the amount of unwanted advertising mail put
through the letterbox
• Doorstop Preference Service is ready to launch – awaiting
final Defra input and agreement with newspaper and
directories industries.
72. Queen’s Speech 2012
• DEFAMATION BILL – end to libel tourism and protection for
website operators for user generated content on their site
provided they comply with new dispute resolution procedures
to allow complainant to deal directly with the author
• ELECTORAL REGISTRATION AND ADMINISTRATION BILL
– introduction of individual electoral registration and system
opened up for digital application. - edited version of register
will be kept but issue on opt-outs.
• ENTERPRISE AND REGULATORY REFORM BILL – aims to
cut red tape
• PENSIONS BILL – creating a single tier pension and bringing
forward increases to the state pension age
• DRAFT COMMUNICATIONS DATA BILL – dubbed “The
Snoopers’ Charter”
73. Any Questions?
james.milligan@dma.org.uk, 020 7291 3347
caroline.roberts@dma.org.uk, 020 7291 3346
DMA members can contact DMA Legal Department for free advice:
by email: legaladvice@dma.org.uk
or call: 020 7291 3360
74. Thank you…
Presentations will be emailed to you Monday
A final thank you to all of today’s speakers:
Richard Parkinson, Pinsent Masons
Samantha Livesey, Pinsent Masons
Caroline Roberts, DMA
James Milligan, DMA
75. Please return your completed
evaluation forms and badges to the
registration desk. We look forward to
seeing you again!