19. (c) disclosure of the information or data by transmission, dissemination or otherwise making available, or (d) alignment, combination, blocking, erasure or destruction of the information or data Difficult to imagine any action which is not processing
EC Directive on Privacy and Electronic Communications 2002 The EC Directive on Privacy and Electronic Communications 2002 was brought into force in the UK on 11 December 2003 under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“the Regulations”). The Regulations set out requirements for EU Member States to introduce new laws regulating the use of: unsolicited commercial communications, which includes spam cookies location and traffic data, and publicly available directories. Those affected by the Regulations are: providers of public communications networks and services businesses operating their own web sites pure e-commerce companies. Breach of the Regulations can result in regulatory investigations, fines, civil damages actions and criminal liability. Criminal sanctions may be imposed on company directors , as well as the company. The Areas of concern for companies and entities active in the UK market are: 1. Unsolicited Communications & the Opting In The sending of unsolicited electronic commercial communications, such as email, SMS or MMS communications is prohibited under the Regulations if the recipient has not previously specifically “opted in” to receive such communications. Consent may be obtained by, for example, the ticking a box, clicking an icon during a registration process or by way of a specific email request for information. However, if there is a pre-existing customer relationship, the “opt in” requirement may be disregarded, provided that three criteria are filled: The sender has obtained contact details of the recipient in the course of sale or negotiations for the sale of a product or service to the individual. The communication is made regarding the sender’s similar products and services only. The recipient has access to a simple means of declining the use of their contact details for the purposes of sending such communications, both at the time of the initial collection of the details, and at the time of each subsequent communication. 2. Opting Out Individuals have a perpetual right to “opt out” of receiving further communications at any time. Senders of unsolicited commercial communications are under an obligation not to disguise their identity and to provide a valid contact address for the recipient to contact the sender. The process provided to do so must not be complicated. 3. Corporate Subscribers The Regulations aim to protect individuals from direct marketing and also seeks to a lesser extent corporate subscribers. Sole traders and non-limited liability partnerships fall within the definition of corporate subscribers. It is unclear whether the Regulations apply to individuals at corporate entities; it may be difficult to know whether an email address is that of an individual or a corporate subscriber. 4. Cookies The Regulations introduces controls on the use of cookies or similar devices on web sites and individuals must be: provided with clear information about the purposes of the specific information being collected; and is given the opportunity to refuse the storage of, to access to, that information. A guide for business can be found on http:// www.allaboutcookies.org / , and includes: a compliance statement template, a compliance checklist and a template to help web sites develop their statement on cookie policy. 5. Faxes There is a distinction between faxes to businesses and those to private members of the public. The Regulations give private individuals the right to opt in, and businesses the right to opt out. Contact details should be attached to each fax sent out. Unsolicited faxes may not be sent to those registered with OFCOM. 6. Telephone calls Private individuals and businesses are both given the option of opting-out. Caller details must be supplied each time a call is made; the name of the caller must be given and if the individual requests, the address of the caller of a free-phone telephone number. As with faxes, those registered with OFCOM cannot be contacted. 7. Automated calls and Dialling Machines The Regulations provide that the only permitted use of such systems is when the person called has previously notified the caller for consent to being called. The individual must be given the option of opting-out of such communications. Considerations for Business: Direct Marketing Businesses which participate in direct marketing must take into account: What activities they are undertaking and how information is obtained from customers The content of their privacy or data protection notices What information is obtained from and given to customers and potential customers via online registration forms, or arising from telephone or fax contact. Furthermore, they must consider whether the information has been fairly obtained, in accordance with the Data Protection Act 1998 . The provisions relating to the protection of personal data in the Data Protection Act have not been replaced by these Regulations, so direct marketing activities should be considered in light of both the Act and the Regulations. Whether the company are properly registered under the Data Protection Act 1998 . Whether the individuals contact details have been obtained from list renters. This is primarily a concern for unsolicited emails, and businesses must check that the individuals opted in to contact thorough such means, to prevent any unlawfulness. Checks should be made with the Mailing Preference Service, Telephone Preference Service, or Fax Preference Service, in order to establish whether the customer has registered with any of these services. The Privacy and Electronic Communications (EC Directive) Regulations 2003 are one of the sets regulations introduced to accommodate the expansion of the so called "Information Society". These Regulations are fundamental to conducting business in the online environment and with the use of telecommunications networks.
Case 43/75, Defrenne v. Sabena, 1976 E.C.R. 455. Facts : the applicant brought an action before the Tribunal du travail, in Brussels for compensation for the loss she had incurred in terms of salary, allowance on termination of contract and pension in comparison with male members of the crew performing identical duties. The Belgian appeal court referred the case to the ECJ Holding : The ECJ held that the equal pay provision of Article 119 had as its aims both economic and social functions. It ruled that article 119 EC "forms part for the social objectives of the Community, which is not merely an economic union, but at the same time intended, by common action, to ensure social progress and seek constant improvement of the living and working conditions". Reasoning : the principle of equal pay for equal work would be binding not only upon member states but also, directly, upon private employers. So an individual can rely on some Treaty articles to enforce rights against another individual in the national courts. Direct and overt discrimination can be identified by the criteria set out under Article 119 of equal pay for equal work, whereas indirect and covert discrimination can be identified by reference to more explicit implementing provisions of a Community or national character. Direct forms of discrimination included discrimination that had their origins in legislative provisions or collective labour agreements that can be detected on the basis of a purely legal analysis of the situation
See handout – Implementation and Text of EU Data Protection Directive
Section 1(1) DPA 1998
[Section 1(1) DPA 1998] [Schedule 2 DPA 1998]
NB – Names of business contacts are included in the definition
[EEA is EU Member States plus Iceland, Liechtenstein ad Norway]
Consumer Protection (Distance Selling) Regulations 2000 Information Requirements In good time prior to the conclusion of the contract the supplier shall – Provide to the consumer the following information- (i) the identity of the supplier and, where the contract requires payment in advance, the supplier’s address; (ii) a description of the main characteristics of the goods or services; (iii) the price of the goods or services including all taxes; (iv) delivery costs where appropriate; (v) the arrangement for payment, delivery or performance; (vi) the existence of a right of cancellation except in the cases referred to in regulation 13; (vii) the cost of using the means of distance communication where it is calculated other than at the basic rate; (viii) the period for which the offer or the price remains valid; and (ix) where appropriate, the minimum duration of the contract, in the case of contracts for the supply of goods or services to be performed or recurrently; Inform the consumer if he proposes, in the event of the goods or services ordered by the consumer being unavailable, to provide substitute goods or services 9as the case may be) of equivalent quality and price; and Inform the consumer that the cost of returning any substitute goods to the supplier in the event of cancellation by the consumer would be met by the supplier.
NB. This right is exercisable by any living individual NB. The need for CRM systems to be compliant
See Catherine Zeta Jones case (Hello Magazinne). Photographs are personal data. Data protection added as a cause of action. The Information Commissioner has to investigate every complaint.
Very high risk area from a compliance point of view
See British Gas example. Put a brochure in with customer bills. One person complained to Data Protection Registrar (Now Information Commissioner). Went to Data Protection Tribunal. Brochure stopped being put in with gas bill. British Gas had been relying on implied consent. British Gas was promoting third party goods and services.
Note: Personal Data is the oil of the 21 st Century.