Scotland legal update 25 sept

Changes to EU data protection legislation are imminent and could have devastating consequences for your business. Don’t be caught by surprise!

The DMA is keeping in close touch with developments as the European Parliament and Council prepare to debate this business-critical piece of legislation this autumn.

Caroline Roberts, Director of Public Affairs at the DMA, will provide an update on the draft EU Data Protection Regulation and the DMA's lobbying activity.

Kathryn Wynn, Senior Associate at Pinsent Masons, will discuss Big Data: Identifying the Opportunities and Overcoming the Legal Obstacles.


  1. Data protection 2013, Friday 8 February, #dmadata. Supported by: DMA Scotland legal update, Wednesday 25 September 2013, #dmascotland
  2. Agenda
     • 8.30am Registration and breakfast
     • 9.00am Welcome from the Chair
     • 9.10am Kathryn Wynn, Senior Associate, Pinsent Masons
     • 9.40am Caroline Roberts, Director of Public Affairs, DMA
     • 10.10am Q&A
     • 10.40am End
  3. Big data: identifying the opportunities and overcoming the legal obstacles. Kathryn Wynn, Senior Associate, Pinsent Masons
  4. Big Data: Identifying the Opportunities and Overcoming the Legal Obstacles. Kathryn Wynn, Wednesday 25 September 2013
  5. Outline
     • What is Big Data?
     • What is the Big Deal?
     • How is Big Data being used?
     • Big Data and legal risk:
       – Who owns the data?
       – Data Protection, privacy policies and gaining consent
     Develop your big data strategy, address legal risk early, focus on customer expectations.
  6. Managing the Risk: Compliance; Privacy by design; Customers’ expectations and control
  7. What is Big Data?
  8. What is Big Data? “data sets that are too large and complex to manipulate or interrogate with standard methods or tools: much IT investment is going towards managing and maintaining big data”
  9. What is the Big Deal?
  10. Buying and Selling Big Data. Source: Tata Consultancy Services
  11. Buying and Selling Big Data. Source: Financial Times, 13 June 2013
  12. What is Your Big Data Strategy?
     • Strategy 1: “Why not just dump it in there and figure out what else you can do?” (Jill Dyché, SAS Institute Inc.)
     • Strategy 2:
       – What are our objectives? Can I use more data to drive decisions?
       – What data do I have available? From what sources are data available to me?
       – What infrastructure/platforms do I have available, and can I use them? Proprietary or open source? Shared infrastructure?
  13. Big Data in use
  14. Big Data in Insurance
     • Nine out of 10 say big data will help price risk more accurately
     • 82% say insurers that do not capture the potential of big data will become uncompetitive
     • 96% say the digitally enabled world will see the emergence of new risk rating factors
     Source: The Big Data Rush: How Data Analytics Can Yield Underwriting Gold, a survey by Ordnance Survey and the Chartered Insurance Institute
  15. Big Data and Supply Chain Synergies. “We can now store, share and allow our vendors to analyze data using a common platform – ultimately allowing us to better serve our customers” (Richard Angelillo, A&P Head of IT Strategy & Delivery)
  16. Data Sharing in mHealth? “The next time you use your smartphone to inquire about migraine symptoms or to check out how many calories were in that cheeseburger, there is a chance that information could be passed on to insurance and pharmaceuticals companies.” (The Financial Times, 1 September 2013)
  17. Big Data and the question of ‘ownership’
  18. Who Owns the Data?
     • No-one can own facts per se (international law)
     • Data v ‘expressions of data’ (copyright)
     • Data and ‘database rights’
     • Data v ‘content’ (Fairstar Heavy Transport [2012])
     • Data and confidential information
  19. Who Owns the Data? (diagram)
     • Ownership & related restrictions: database right; copyright; confidentiality restrictions
     • No ownership restrictions: fact per se
  20. Database Rights Restrictions
     What is a database? “... a collection of independent works, data or other materials which are arranged in a systematic or methodical way ...”
     What is protected? “... substantial investments in ‘obtaining, verifying or presenting content’ ...”; “... not the creation of facts.”
     What is restricted?
     • extraction or re-utilisation of a whole database or a substantial part of its content
     • systematic extraction or re-utilisation of insubstantial parts of a database
  21. Who Owns the Data? (diagram)
     • Ownership & related restrictions: database right; copyright; confidentiality restriction
     • No ownership restrictions: fact; a string of facts devoid of copyright, not taken from a database, not confidential
  22. Big Data and data protection: privacy, security, accuracy, legitimacy
  23. Personal Data Restrictions
     What is personal data? “data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller ...”
     What are the restrictions on use?
     • legitimate use: business purpose?
     • consent: how obtained?
     • other restrictions
     What are the options?
     • anonymising data
     • privacy policies and terms of service
     • icons
  24. Anonymisation Risks
  25. Restrictions on Use (diagram)
     • Ownership & related restrictions: database right; copyright; confidentiality obligation; data protection laws
     • No ownership restrictions: fact; a string of facts devoid of copyright, not taken from a database, not confidential; anonymised data
     • Basis for use: consent, legitimate interest, other; or licence
  26. Big Data and data protection: firming up consent and transparency
  27. The Privacy Policy Problem
  28. The Privacy Policy Problem (word counts)
     • PayPal: 36,275 words
     • Hamlet: 30,066 words
     • Apple iTunes: 19,972 words
     • Macbeth: 18,110 words
     • Windows Live: 14,714 words
     • Apple iOS 5: 13,366 words
     • Facebook: 11,195 words
     • Google (all-inclusive): 10,640 words
     Source: Which?
  29. ICO Guide: Direct Marketing
     • ICO enforcement focus: organisations that generate the highest number of complaints
     • £440,000 MPN (monetary penalty notice) for Tetrus Telecoms
  30. Consent
     • Consent is necessary for data sharing and for buying / selling databases
     • Valid consent is:
       – freely given
       – specific in the context of direct marketing
       – informed
       – an indication signifying consent
  31. Consent for SMS/email marketing
     • The recipient has notified the sender
     • for the time being
     • to such communications
     • being sent by the sender
  32. Implied Consent
     • Implied consent: cannot rely on a lengthy privacy policy
     • Clear and relevant information must be readily available to the customer
     • Implied consent can be valid BUT it is not a euphemism for ignoring the need for consent
     • Must include:
       – a positive action indicating consent
       – understanding of what is being consented to
       – a genuine choice
     • Sometimes providing data indicates consent, BUT not when the data is integral to the service
  33. Indirect Third Party Consent
     • Consent extends to another organisation
     • Transparency requirements: was it clear that data would be passed on and how it would be used?
     • Ensure it is clear from the outset that data will be shared for marketing purposes
     • Valid consent: specifically name the organisation or refer to a category of organisation
     • Consent is limited in time
  34. Refresh and Review of Marketing Consents
     • Big Data: significantly and genuinely departs from the marketing being carried out at the time of the opt-in / opt-out
     • Review existing consent mechanisms and privacy policies
     • Clear, succinct and prominent
     • Consider the cookies consent mechanism
     • Are you doing what the customer expects you to do? If so, would they still give consent?
  35. Managing the Risk: Compliance; Privacy by design; Customers’ expectations and control
  36. Pinsent Masons LLP is a limited liability partnership registered in England & Wales (registered number: OC333653) authorised and regulated by the Solicitors Regulation Authority, and by the appropriate regulatory body in the other jurisdictions in which it operates. The word ‘partner’, used in relation to the LLP, refers to a member of the LLP or an employee or consultant of the LLP or any affiliated firm of equivalent standing. A list of the members of the LLP, and of those non-members who are designated as partners, is displayed at the LLP’s registered office: 30 Crown Place, London EC2A 4ES, United Kingdom. We use ‘Pinsent Masons’ to refer to Pinsent Masons LLP and affiliated entities that practise under the name ‘Pinsent Masons’ or a name that incorporates those words. Reference to ‘Pinsent Masons’ is to Pinsent Masons LLP and/or one or more of those affiliated entities as the context requires. © Pinsent Masons LLP 2013. For a full list of our locations around the globe please visit our websites:
  37. The draft EU data protection regulations. Caroline Roberts, Director of Public Affairs, DMA
  38. Update on Draft EU Data Protection Regulation. DMA Scotland, 25th September 2013. Caroline Roberts, Director of Public Affairs, Direct Marketing Association (UK)
  39. Context - why now? The 1995 European Directive (implemented in the UK by the 1998 Data Protection Act) is showing its age:
     1) New technologies and more complex information networks
     2) Lack of common European law and differences in national implementation
     3) Consumer concern over privacy
     4) Data protection is now a fundamental right under the EU Charter of Fundamental Rights
  40. Headline proposed changes
     • Expanded definitions: “personal data” and “data subject”
     • Explicit consent required
     • Right to be forgotten
     • Greater emphasis on accountability
     • Notification of data security breaches
     • More onerous sanctions for breaches
     • Data processors directly covered
  41. Consent
     Current position:
     • Freely given, specific, informed indication of the data subject’s wishes
     • Explicit consent required for sensitive personal data only
     Proposed position:
     • Freely given, specific, informed and explicit indication of the data subject’s wishes
     • Given either by a statement or a clear affirmative action
     • Data controller / data subject relationship to be taken into account
     • Burden of proof on the controller to demonstrate consent
  42. Introduction of opt-in/explicit consent
     • Review language used at the point of data collection to ensure that consent is explicit / opt-in
     • Do people understand what they are agreeing to?
     • Think about how legacy databases will be updated
  43. Key points in the draft Regulation: IP addresses and cookies
     • Definition of personal data extended so it could cover some IP addresses and cookies as “online identifiers”
     • But IP addresses identify a device, not an individual, and some IPs are general
     • Huge implications for digital marketers
     • Web analytics & profiling made much more difficult, if not impossible
     • Interaction with the new cookie rules problematic
  44. Key points in the draft Regulation: the right to be forgotten
     • Right for individuals to request organisations to delete any information held on them
     • Drafted with social media in mind, but goes beyond this
     • Problem of information that has already been passed on to third parties
     • Possibility of misleading consumers by raising unrealistic expectations
     • Changes to the current text likely
  45. Key points in the draft Regulation: data breach notification
     • Any data security breach to be notified to the ICO and the individuals concerned within 24 hours
     • Report to cover: nature of breach; number of data subjects; categories of data; proposed mitigation
     • Not always obvious if there has been a breach or how extensive it is
     • Problem of notification fatigue
     • No threshold level specified
  46. Data security breach notification. Companies need to:
     • Introduce breach detection and notification procedures
     • Think about how to notify data protection authorities and affected individuals within whatever timescale is agreed
     • Develop/review data breach response plans
  47. Key points in the draft Regulation: Subject Access Requests (SARs)
     • Data subjects to be able to request full information on data held on them free of any charge
     • Currently a £10 fee can be levied: it doesn’t cover the cost but deters time-wasters and frivolous or vexatious requests
     • Costs organisations £50 million p.a. now to meet SARs
     • Proposal that data can be provided in electronic form if the data subject agrees to this
     • Particular problem for financial services with mis-selling issues and claims management firms
  48. Subject Access Rights
     • New Regulation may lead to increased public awareness of rights, e.g. right to request information (data subject access requests, right to be forgotten)
     Companies need to:
     • Plan ahead for an increase in queries from clients/public
     • Introduce appropriate training for client/customer service teams
  49. Key points in the draft Regulation: compliance obligations
     • Data protection obligations now shared between agencies and clients, for example if holding a client’s database
     • Privacy by Design / Privacy by Default
     • Appointment of a DP officer (250+ employees): 2 year appointment; independent reporting to the board
     • Information and training
     • Maintenance of documentation
     • Data protection impact reports
     • International transfers of data outside the EEA: the law would apply to any processing of data of EU citizens
  50. Compliance obligations. Action:
     • Review the amount of data being processed, erasure policies and data retention policies
     • Requirement to demonstrate compliance will mean more documentation in respect of policies and procedures
     • Contact centres, mailing houses, email/SMS broadcasters will also be subject to these new obligations, especially in respect of data security
     • Review staff training in data protection
     • Appointment of a data protection officer?
     • Risk-based approach to compliance and data protection impact assessments
  51. Proposed enhanced sanctions
     • Up to €500k or 1% of annual worldwide turnover for intentional or negligent failure to respond to subject access requests in accordance with the Regulation
     • Up to €1m or 2% of annual worldwide turnover for other compliance failures
     • Depends on: size of organisation involved; nature and gravity of breach; whether intentional or negligent; technical and organisational measures; previous breaches; co-operation with the ICO
  52. Key Points in the draft Regulation: Delegated Acts
     • Many details to be implemented through additional delegated legislation: some 45 Delegated Acts mentioned
     • Details will not be clear until the Regulation is passed
     • These areas of secondary legislation will include: powers to specify further procedures; technical standards for Privacy by Design/Default; specification of lawful processing conditions; additional responsibilities for national data protection authorities; etc.
     • European Commission taking significant powers to itself away from the national authorities, which raises serious issues of subsidiarity and accountability
     • National governments and Data Protection Authorities are concerned
  53. Scope of the Draft Regulation
     • Main establishment / one-stop-shop provisions
     • Think about which country’s national data protection authority will be the lead regulator
     • Possibility of changing the country where the head office is located
     • Review arrangements for transfers of data outside the EEA (28 Member States of the EU + Iceland, Liechtenstein, Norway)
     • Global group: application to EU citizens’ personal data
  54. Impact on direct marketing
     • Existing databases may not be usable: could decimate prospect lists. Legacy data?
     • No tracking data, profiling or segmentation without explicit consent: less targeted and more generic communication?
     • List broking severely restricted
     • New information requirements and rights of the data subject, e.g. Right to be Forgotten
     • Increased costs: £76,000 per business to comply + possible £47 billion of lost sales in the UK
  55. Draft Regulation - DMA View
     • DMA welcomes the Commission’s aim to reduce red tape and simplify bureaucracy, but the proposals do not achieve that: overly strict, bureaucratic and unworkable
     • Needs to be a fair balance between privacy and legitimate business interests
     • Current proposals will stifle innovation, add considerably to business costs and place unnecessary obstacles to e-commerce jobs growth
     • Will be particularly harmful to SMEs: MoJ says demonstrating compliance will cost £10m p.a.
     • Hard to say how the Commission’s estimate of a 2.3 billion euro saving to businesses was calculated
  56. The process of EU decision-making (diagram: proposes legislation; codecision; adoption into national law). Source: Federation of European Direct and Interactive Marketing
  57. Current position - European Parliament
     • Civil Liberties Committee (LIBE) taking the lead. Rapporteur: Jan Philipp Albrecht MEP (German Green)
     • His report published 9th January, in parts even tougher than the Commission proposals
     • 4 other Committees gave Opinions; 3000+ amendments tabled
     • Vote to be taken in LIBE postponed from April to May to June to September to October ……
     • Could run out of time: elections in June 2014
  58. Current position - Council of Ministers
     • Council of Ministers Working Group (DAPIX) meeting monthly
     • Initial indications that the UK Government (and others) are taking a helpful and business-friendly stance
     • Many object to delegated acts; find it too prescriptive and would prefer a more principles-based approach
     • UK pushing for a directive rather than a regulation, as is Germany
  59. EU Council latest
     • Irish Presidency revised draft on 31 May on chapters 1-4
     • A more business-friendly approach
     • Right to privacy not an absolute right but must be balanced with other fundamental rights
     • Legitimate interest specifically recognised as a legal basis for processing
     • “Explicit” becomes “unambiguous”
     • Appointment of DPO discretionary
     • Breach notification and other obligations on a risk-based approach
     • Still a way to go……
     • Lithuania took over the Presidency on 1 July
  60. Current position - Commission. Commissioner Viviane Reding has said that she is willing to look at:
     • More risk-based approach with focus on the type of data being processed
     • Less prescription, although no detail
     • Some exemptions for SMEs?
     • Overall principles must be the same for both public and private sectors
     • Delegated and implementing acts: self-regulation perhaps for some?
  61. Timing in the EU institutions
     • Commission proposal for a Regulation: January 2012
     • Parliamentary lead committee draft report: 9 Jan 2013
     • Deadline for tabling amendments: 27 Feb 2013
     • Vote in leading committee: October 2013
     • Trilogue with Council: October - December 2013
     • Expected plenary vote (1st reading): end 2013
     • Takes effect: 2 years after adoption, so 2016?
  62. Ministry of Justice
     • Disagrees with the Commission’s 2.3bn Euro savings: burdens imposed will far outweigh net benefits; UK cost of £100-360 million
     • Many unintended consequences, especially for SMEs
     • Changes to consent, profiling & definition of personal data particularly costly to industry
     • Likely knock-on effects for growth in the technological sector and internet economy
     • Regulatory Impact Assessment quotes DMA’s figures & examples
     • Impact on behavioural advertising
     • Creates unrealistic expectations for consumers: R2BF (right to be forgotten) proposal is “unworkable”
     • Secretary of State Chris Grayling concerned about the impact on the economy and jobs
  63. Information Commissioner
     • Proposals are “insufficiently risk-based and contain unrealistic time limits”
     • Very costly: who pays?
     • Would compromise the independence of the ICO
     • Role of the ICO would change from giving advice and guidance to process-driven checks
     • UK could end up being a one-stop-shop magnet
  64. Key lobbying messages
     • Data is essential for economic growth
     • UK has a leading role in the EU digital economy
     • SMEs particularly affected
     • Transparent and responsible use of data is a vital business practice
     • In industry’s interests to handle data with care
     • Self-regulation has a valid role to play
     • Regulation will not stop bad players
     • The proposed regulation is bad for consumers: would damage users’ online experience; danger of tick-box culture & unrealistic expectations
     • Need a proportionate data regime that recognises that not all data is the same: personal data, sensitive data, anonymous/pseudonymous data; different levels of protection required
  65. Lobbying activity
     • In Brussels with key individuals in Council, Commission & Parliament, e.g. MEPs & advisers; party groups
     • In the UK, Ministers in MoJ, DCMS, BIS, HM Treasury + Opposition spokesmen
     • Alliance of interests (UK Data Group, FEDMA, CBI, etc.) for collective lobbying of Council and Parliament, and lobbying directly where there is no national DMA
     • Position papers on priorities for industry + draft amendments to the text
     • Research on consumer attitudes to privacy and on the economic value of the DM industry
  66. DMA lobbying toolkit
  67. Any Questions? Caroline Roberts, Director of Public Affairs, 020 7291 3346. Free advice for DMA members from DMA’s Legal Department by email: or call: 020 7291 3360
  68. Panel Discussion
  69. Upcoming events
     • Wednesday 23 October: Data protection compliance workshop, London
     • Thursday 14 November: Content Marketing event
     • Thursday 21 November: Scotland Christmas Party