The DMA Legal Update: Summer 2014

  1. The DMA Legal Update: Summer 2014 – Thursday 26 June 2014, DMA House #dmalegal
  2. Welcome – Mike Lordan, Director of external affairs, DMA #dmalegal
  3. Agenda
     8.30am  Registration and breakfast
     9.00am  Welcome – Mike Lordan, Director of external affairs, DMA
     9.05am  EU Draft Data Protection Regulation – the current position, potential changes and the impact on the industry – James Milligan, Solicitor, DMA
     9.35am  Consumer Rights Bill and Consumer Rights Directive – Janine Paterson, Solicitor and legal manager, DMA
     9.55am  ICO direct marketing guidance – James Milligan, Solicitor, DMA; Janine Paterson, Solicitor and legal manager, DMA
     10.25am Q&A
     11.00am Close
  4. EU Draft Data Protection Regulation – the current position, potential changes and impact on the industry – James Milligan, Solicitor, DMA #dmalegal
  5. Impact of the new Data Protection Regulation – why now?
     • Data Protection Directive 95/46/EC ("Directive"), implemented in the UK by the Data Protection Act 1998, is showing its age
     • New technologies and more complex information networks
     • Lack of a common European law and differences in national implementation
     • Consumer concern over privacy
     • Data protection is now a fundamental right under the EU Charter of Fundamental Rights
  6. EU data protection reform timeline
     • Jan 2012 – first draft Data Protection Regulation ("DPR")
     • Dec 2012 – amendments suggested by the Rapporteur of the European Parliament Committee on Civil Liberties, Justice and Home Affairs ("LIBE Report")
     • Feb–May 2013 – reportedly 4,000 amendments tabled
     • May 2013 – partial "compromise draft" from Justice and Home Affairs Ministers ("CD")
     • Oct 2013 – LIBE voted on the amendments
     • Oct 2013 – Heads of Government meeting
     • Dec 2013 – inconclusive Justice and Home Affairs Ministers meeting
  7. EU data protection reform timeline (continued)
     • Jan 2014 – civil servants' working group meetings continue
     • Mar 2014 – inconclusive Justice and Home Affairs Ministers meeting
     • Mar 2014 – MEPs adopted the LIBE report
     • May 2014 – European Parliament elections
     • Jun 2014 – Justice and Home Affairs Ministers meeting
     • Jul 2014 – informal Justice and Home Affairs meeting
     • Nov 2014 – new European Justice Commissioner and other Commissioners take office (?)
     • Dec 2014 – Justice and Home Affairs Ministers agree a position (?)
     • 2015 – Regulation passed in Brussels (?)
     • 2017 – implemented into UK law (?)
  8. Changes proposed by the European Parliament to the draft Data Protection Regulation (LIBE Report)
     • LIBE report adopted by MEPs in plenary in March 2014
     • Proposes a number of changes to the European Commission's original text
     • The majority of changes favour consumers rather than businesses
  9. The "compromise draft" agreed by EU Justice Ministers 2013–2014
     • The "more business friendly" compromise draft ("CD") is only partial: Chapters I–IV
     • More changes to Chapters I–IV may be needed once the remainder has been updated
     • Regulation or Directive? The wording proposed would allow the Regulation to be transformed into a Directive (supported by 8 member states)
     • June 2014: Chapter V – international issues, transfers of data, applicability of the Regulation
  10. Headline proposed changes
     • Expanded definitions: "personal data" and "data subject"
     • Explicit consent required
     • Right to be forgotten
     • Greater emphasis on accountability
     • Notification of data security breaches
     • More onerous sanctions for breach
     • Data processors directly covered
  11. Consent
     Current position:
     - Freely given, specific, informed indication of the data subject's wishes
     - Explicit consent required for sensitive personal data only
     Proposed position:
     - Freely given, specific, informed and explicit indication of the data subject's wishes
     - Given either by a statement or by a clear affirmative action
     - Data controller / data subject relationship to be taken into account
     - Burden of proof on the controller to demonstrate consent
  12. Introduction of opt-in/explicit consent
     • Review the language used at the point of data collection to ensure that consent is explicit/opt-in
     • Opt-in/explicit consent not required for postal marketing in the European Parliament version of the text
     • Do people understand what they are agreeing to? – "nation of liars"
     • Think about how you will update legacy databases
     • Children – consent wording for under-13s if offering them an information society service
  13. Key points in the draft Regulation – IP addresses and cookies
     • Definition of personal data extended, so it could cover some IP addresses and cookies as "online identifiers"
     • But IP addresses identify a device, not an individual, and some are shared
     • Huge implications for digital marketers
     • Web analytics and profiling made much more difficult, if not impossible
     • Interaction with the new cookie rules problematic
  14. IP addresses and cookies
     • Think about how you will deal with the extension to include location data, IP addresses, cookies and other online identifiers
     • Pseudonymous/anonymous data – will you be able to take advantage of the exceptions?
  15. Key points in the draft Regulation – the right to be forgotten
     • Right for individuals to request that organisations delete any information held on them
     • Drafted with social media in mind – but goes beyond this
     • Problem of information that has already been passed on to third parties
     • Possibility of misleading consumers by raising unrealistic expectations
     • Changes to the current text likely
     • European Court of Justice Google Spain case
  16. The right to be forgotten
     • Prepare to respond to requests
     • Deletion/suppression
     • Other legal requirements to keep information, e.g. accounting, tax, money laundering
  17. Key points in the draft Regulation – data breach notification
     • Any data security breach to be notified to the ICO and the individuals concerned within 24 hours
     • Report to cover: nature of the breach; number of data subjects; categories of data; proposed mitigation
     • Not always obvious whether there has been a breach, or how extensive it is
     • Problem of notification fatigue
     • No threshold level specified
  18. Data security breach notification
     • Introduce breach detection and notification procedures
     • Think about how you will notify data protection authorities and affected individuals within whatever timescale is agreed
     • Develop/review your data breach response plan
  19. Key points in the draft Regulation – subject access requests (SARs)
     • Data subjects to be able to request full information on the data held on them, free of any charge
     • Currently a £10 fee can be levied – it doesn't cover the cost but deters time-wasters and frivolous or vexatious requests
     • Meeting SARs costs organisations £50 million p.a. now
     • Proposal that data can be provided in electronic form if the data subject agrees to this
     • Particular problem for financial services with mis-selling issues and claims management firms
  20. Subject access rights
     • New Regulation may lead to increased public awareness of rights, e.g. the right to request information (subject access requests, right to be forgotten)
     • Plan ahead for an increase in queries from clients/public
     • Training for client/customer service teams
     • Amend the wording of privacy policies/data collection notices to take account of the new rules on profiling
  21. Key points in the draft Regulation – compliance obligations
     • Data protection obligations now shared between agencies and clients, for example if holding a client's database
     • Privacy by Design / Privacy by Default
     • Appointment of a data protection officer (250+ employees): 2-year appointment; independent reporting to the board; information and training; maintenance of documentation; data protection impact reports
     • International transfers of data outside the EEA – the law would apply to any processing of the data of EU citizens
  22. Compliance obligations
     • Review the amount of data being processed, erasure policies and data retention policies
     • The requirement to demonstrate compliance will mean more documentation of policies and procedures
     • Contact centres, mailing houses and email/SMS broadcasters will also be subject to these new obligations, especially in respect of data security
     • Review staff training in data protection
     • Appointment of a data protection officer?
     • Risk-based approach to compliance and data protection impact assessments
  23. Key points in the draft Regulation – proposed enhanced sanctions
     • Up to €500k or 1% of annual worldwide turnover for intentional or negligent failure to respond to subject access requests in accordance with the Regulation
     • Up to €1m or 2% of annual worldwide turnover for other compliance failures
     • Depends on: size of the organisation involved; nature and gravity of the breach; whether intentional or negligent; technical and organisational measures; previous breaches; co-operation with the ICO
  24. Enhanced sanctions/fines
     • Watch out if you get it wrong!
     • Increased focus on compliance – a board-level issue
     • Review internal policies and procedures
  25. Key points in the draft Regulation – delegated acts
     • Many details to be implemented through additional delegated legislation – some 45 delegated acts mentioned
     • Details will not be clear until the Regulation is passed
     • These areas of secondary legislation will include: powers to specify further procedures; technical standards for Privacy by Design/Default; specification of lawful processing conditions; additional responsibilities for national data protection authorities; etc.
     • European Commission taking significant powers to itself, away from the national authorities – raises serious issues of subsidiarity and accountability
     • National governments and data protection authorities are concerned
  26. Key points in the draft Regulation – cross-border issues
     • Main establishment / one-stop-shop provisions
     • Think about which country's national data protection authority will be the lead regulator
     • Possibility of changing the country where the head office is located
     • Review arrangements for transfers of data outside the EEA (the 28 EU Member States plus Iceland, Liechtenstein and Norway)
     • Global groups – application to EU citizens' personal data
     • European Court of Justice Google Spain right-to-be-forgotten case – link between Google Spain and Google USA
  27. Impact on direct marketing
     • Existing databases may not be usable: could decimate prospect lists. Legacy data?
     • No tracking data, profiling or segmentation without explicit consent – less targeted and more generic communication?
     • List broking severely restricted
     • New information requirements and rights of the data subject, e.g. the right to be forgotten
     • Increased costs – £76,000 per business to comply, plus a possible £47 billion of lost sales in the UK
  28. Draft Regulation – DMA view
     • DMA welcomes the Commission's aim to reduce red tape and simplify bureaucracy – but the proposals do not achieve that: overly strict, bureaucratic and unworkable
     • Needs to be a fair balance between privacy and legitimate business interests
     • Current proposals will stifle innovation, add considerably to business costs and place unnecessary obstacles in the way of e-commerce jobs growth
     • Will be particularly harmful to SMEs – MoJ says demonstrating compliance will cost £10m p.a.
     • Hard to say how the Commission's estimate of a €2.3 billion saving to businesses was calculated
  29. Ministry of Justice
     • Disagrees with the Commission's €2.3bn savings figure – the burdens imposed will far outweigh the net benefits: UK cost around £100–360 million
     • Many unintended consequences, especially for SMEs
     • Changes to consent, profiling and the definition of personal data particularly costly to industry
     • Likely knock-on effects for growth in the technology sector and internet economy
     • Regulatory Impact Assessment quotes DMA's figures and examples
     • Impact on behavioural advertising
     • Creates unrealistic expectations for consumers – the right-to-be-forgotten proposal is "unworkable"
  30. Key lobbying messages
     • Data is essential for economic growth: the UK has a leading role in the EU digital economy; SMEs particularly affected
     • Transparent and responsible use of data is a vital business practice: it is in industry's interests to handle data with care; self-regulation has a valid role to play; regulation will not stop bad players
     • The proposed Regulation is bad for consumers: would damage users' online experience; danger of a tick-box culture and unrealistic expectations
     • Need a proportionate data regime that recognises that not all data is the same: personal data, sensitive data, anonymous/pseudonymous data; different levels of protection required
  31. Lobbying activity
     • In Brussels with key individuals in the Council, Commission and Parliament, e.g. MEPs and advisers; party groups
     • In the UK, Ministers in MoJ, DCMS, BIS and HM Treasury, plus Opposition spokesmen
     • Alliance of interests – UK Data Group, FEDMA, CBI, etc. – for collective lobbying of the Council and Parliament, and lobbying directly where there is no national DMA
     • Position papers on priorities for industry, plus draft amendments to the text
     • Research on consumer attitudes to privacy and on the economic value of the direct marketing industry
  32. DMA lobbying toolkit
  33. Contacts
     James Milligan, Solicitor, DMA – T 020 7291 3347
     Legal Advice Helpline – T 020 7291 3360
  34. Consumer Rights Bill and Consumer Rights Directive – Janine Paterson, Solicitor and legal manager, DMA #dmalegal
  35. What's happening?
     • Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013
     • The Consumer Protection from Unfair Trading (Amendment) Regulations 2013
     • Consumer Rights Bill
  36. The Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013
     • Implementation of the rest of the EU Consumer Rights Directive, which was passed in 2011
     • Came into effect on 13 June 2014
     • The Regulations deal with contracts between a trader and a consumer: made on-premises, i.e. in a shop; made off-premises, i.e. at the consumer's home or place of work; and made at a distance, i.e. by telephone or over the internet
     • Certain contracts are excluded, including gambling, health services, and banking and insurance services
  37. Three main areas
     • Information
       – Depending on the type of contract, the trader must provide certain information
       – Many provisions already exist, but new ones are introduced, especially around digital content, where information on which systems or hardware are compatible will need to be given
     • Cancellation
       – Consumers have 14 days to cancel off-premises and distance contracts – double the current provision
       – Consumers have to return the goods within 14 days of giving notice of cancellation
       – Traders can withhold the refund until the goods are returned
       – Traders can deduct from the refund if the consumer has handled the goods more than expected
  38. Three main areas – continued
     • Hidden costs and obligation to pay
       – Consumers will have to give active consent for all payments; pre-ticked boxes for additional charges will not be allowed
       – Customer service telephone lines can only be charged at the basic rate – premium rate lines will be banned
       – Traders operating an online retail site will need to ensure that consumers understand there is an obligation to pay when placing an order: "Pay now", not "Confirm your order"
  39. The Consumer Protection from Unfair Trading (Amendment) Regulations 2013
     • Amendments to the 2008 Regulations to allow consumers who have been victims of misleading or aggressive practices to seek redress
     • Comes into effect 1 October 2014
     • Covers three types of contract: sale or supply of a product to a consumer by a trader; sale or supply of a product to a trader by a consumer; a payment by a consumer to a trader
  40. The Consumer Protection from Unfair Trading (Amendment) Regulations 2013
     • Need to show: the consumer purchased a product from a trader; and the trader engaged in behaviour that was either misleading under Regulation 5 or aggressive under Regulation 7
     • Remedies, depending on the type of contract: unwind the contract and get a refund; a discount on the product; damages for the breach
  41. The Consumer Protection from Unfair Trading (Amendment) Regulations 2013
     • Misleading includes: providing false information, or information that could deceive the average consumer; marketing a product in a way that causes confusion with a competitor's products; failing to comply with a code of practice when you say you do
     • Aggressive – factors include: the timing and location of the behaviour; whether any threatening or abusive language is used; and any exploitation by the trader of the consumer's personal circumstances
  42. Consumer Rights Bill
     • Published in draft in June 2013. Will not come into force until late 2015 / early 2016.
     • A major overhaul of existing consumer rights legislation – consolidating 100+ consumer laws and introducing new rights for consumers and businesses
     • Follows two consultations late last year: BIS on goods, services and digital content, and the Law Commission and Scottish Law Commission on unfair contract terms
  43. Consumer Rights Bill
     • Basic rights not changing
     • Aim is to present rights and remedies in a simpler and clearer way, so consumers are better informed and empowered
     • Three parts: consumer contracts for goods, digital content and services (rights and remedies); unfair terms in contracts; miscellaneous – investigatory powers, enhanced consumer measures, enforcement, competition, etc.
  44. Consumer Rights Bill – rights and remedies
     • To receive some money back after one failed repair of faulty goods (or one faulty replacement)
     • To have substandard services redone or receive a price reduction
     • To receive a repair or replacement of faulty digital content such as film/music downloads, e-books and online games
     • To return faulty goods within 30 days and receive a refund
     • Collective redress allowing consumers and companies to challenge anti-competitive behaviour
  45. Consumer Rights Bill
     • Consolidates the law around unfair terms in contracts with consumers
     • Fairness to be determined taking into account: the subject matter; all the circumstances existing when the term was agreed; all the other terms of the contract, or of any other contract on which it depends
     • Various terms listed that cannot be assessed for fairness
  46. Contacts
     Janine Paterson, Solicitor & Legal Manager, DMA – T 020 7291 3356
     Legal Advice Helpline – T 020 7291 3360
  47. ICO direct marketing guidance – James Milligan, Solicitor, DMA; Janine Paterson, Solicitor and legal manager, DMA #dmalegal
  48. Structure
     • What the guidance consists of
     • Status
     • Context
     • Buying and selling data
     • Consent
     • DMA clarification of ICO guidance: host contact and indirect third-party consent; time limits for indirect third-party consent; solicited/unsolicited marketing; pre-ticked opt-in boxes; win-back campaigns
  49. What the guidance consists of
     • Direct Marketing Guidance
     • Direct Marketing Checklist
     • Guidance for organisations receiving unwanted marketing
  50. Status
     • Not a code of practice
     • The ICO is not trying to rewrite the law
     • Reflects the ICO's evolving view of the area
     • Future-proofing against the draft Data Protection Regulation
     • Remember ICO enforcement is complaint-driven – "don't annoy your customers"
     • New ICO Data Protection Enforcement Policy
  51. Context
     • Consolidates all previous guidance
     • Focus on areas which come up in enforcement
     • Focus on areas of widespread abuse
     • Rebalancing towards customer consent and choice in the Big Data age
     • Data privacy is now a brand differentiator – Customer Acquisition Barometer 2014
     • List broking is the next big issue after nuisance calls – Which? Taskforce on consent
  52. Buying and selling data
     • Boundaries on data chains
     • Better Together / Scottish referendum undertaking
  53. Case study 1 – complex data sources and consent failures
     • Campaigning organisation
     • Mass unsolicited SMS marketing
     • Particular ICO concerns?
     • Outcome – undertaking
  54. Case study 1 – the data chain (diagram: the instigator and sender of the SMS campaign at the top, then a chain of dozens of list brokers, lead generation companies, insurance brokers and insurance companies, loan providers and loan brokers, price comparison websites, mail order and publishing companies, prize draw websites, debt management companies, credit card providers, travel companies and online retailers through which the contact details passed)
  55. Case study 1 – examples of 'consent'
     • 'Archival personal injury leads'
     • '…you also agree that we may disclose your information to […] (iii) other carefully selected product suppliers in the future with a view to them offering you products they feel may be of interest to you.'
     • 'We may share your information with our business partners for marketing purposes or we may send you information about other organisations' goods and services. [ ] By providing us with your contact details you consent to being contacted…'
     • 'All information you supply will be kept confidential to [ ] and the insurers whom it deals, unless [ ] are required by law with subpoenas.'
  56. Sourcing data / due diligence
     • Who compiled the list? When? Has it been amended or updated since?
     • When was consent obtained?
     • Who obtained the consent, and what was the context?
     • Was it opt-in or opt-out?
     • Was the information provided clearly and intelligibly? How was it provided?
     • Did it list organisations by name, by description, or just "any third party"?
  57. Consent
     • Basic requirements under the DPA 1998
     • Additional requirements under PECR 2003, as amended
     • Age of consent
     • Context in which it was given
     • Nature of the relationship
  58. DMA clarification of ICO guidance
     • Host contact and indirect third-party consent
     • Time limits for indirect third-party consent
     • Solicited/unsolicited marketing
     • Pre-ticked opt-in boxes
     • Win-back campaigns
  59. Host contact
     • Host contact is the ICO's and DMA's preferred method of distributing third-party offers via email, text and automated telephone calls
     • How it works:
       1) The first-party organisation collects customers' contact details, and customers subscribe/opt in to receive third-party offers
       2) The first-party organisation does not pass contact details on to the third party
       3) The first party is the sender of the message
  60. Host contact – continued
       4) The first party rents body copy in the message to the third party
       5) The third party includes a call to action in the message
       6) The third party collects its own marketing consents when recipients respond to the message
       7) The third party does not have access to the data of those recipients who do not respond
  61. Indirect / third-party consent
     • Where consent was not given by the individual to the organisation sending the marketing message, but via a third party, e.g. a list owner
     • The host contact method is not considered by the ICO and DMA to be indirect third-party consent
     • Not valid for the marketing channels governed by PECR – voice calls to telephones, email and mobile messaging – except in the cases below
  62. Indirect third-party consent – exceptions
     • 1) The first party collecting the contact details specifically names the third parties to which it will pass the contact information
     • Example of 1), in the context of booking a flight to New York with a UK-based airline: "Please tick this box if you are happy for our partner airline xxxx Airlines to contact you by email/SMS with details of their US domestic flights."
  63. Indirect third-party consent – exceptions (continued)
     • 2) The third party falls into a specific category of organisation which the first party included in the list of types of organisation for which it obtained consent from the recipient when it collected the electronic marketing contact details
     • Example of 2), in the same flight-booking context: "Please tick this box if you are happy for our partner organisations to contact you by email or SMS with details of their promotions and offers in New York which you may find useful during your visit to New York."
  64. Indirect third-party consent – time limits
     • A third-party organisation making contact for the first time by electronic channels, relying on indirect third-party consent, should not rely on consent given to the first party more than six months ago
     • This is a general rule of thumb
     • A third party using contact details more than six months after they were first collected needs to justify why it is using them
     • Context is key – the ICO accepts that a third party can use contact details collected more than six months ago in the case of annual services, e.g. insurance, or seasonal products
  65. Unsolicited/solicited marketing
     • The ICO's definitions of solicited and unsolicited differ from the industry's
     • The ICO considers an unsolicited marketing message to be one the recipient has not specifically requested
     • So if a consumer has subscribed/opted in to receiving marketing messages and an organisation sends one, that message is still unsolicited
     • However, it will be compliant with PECR because the consumer consented
  66. Unsolicited/solicited marketing
     • Practical advice – follow PECR
     • Consumers must be clear about what they are signing up to
     • Organisations should pay attention to the wording of data collection notices
  67. Pre-ticked opt-in boxes
     • ICO and DMA best practice: do not use them for consumers to subscribe/opt in to receiving unsolicited marketing messages via email and SMS
     • DPA/PECR rules – subscribing/opting in requires a positive action on the part of the consumer
     • A consumer leaving a pre-ticked opt-in box ticked is not a positive action
  68. Pre-ticked opt-in boxes
     • Can be used in rare circumstances where another stage in the sign-up process amounts to positive consent
     • Use of pre-ticked boxes as an unsubscribe/opt-out mechanism – consult DMA Legal or your usual legal advisers
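The rules on slides 59 to 68 (positive opt-in action, host contact, named or categorised indirect third-party consent, the six-month rule of thumb for a third party's first contact) are concrete enough to encode as a check that a marketing platform can run before each electronic send, which also gives the controller the audit trail the draft Regulation's burden-of-proof change demands. The following is an added example written for this page, not ICO or DMA code and not a reproduction of any product's logic; the record layout, field names, the 183-day approximation of "six months", and the sample consent records are assumptions made for the example.

```python
"""Consent-rule checker for electronic direct marketing.

Added example, not ICO or DMA code: it encodes the rules summarised on the
slides (positive opt-in action, host contact, named or categorised indirect
third-party consent, six-month rule of thumb for a third party's first
contact). The record layout, field names and sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional, Tuple

# Channels the slides describe as governed by the PECR consent rules.
PECR_CHANNELS = frozenset({"email", "sms", "automated_call"})
# Rule of thumb from the slides: indirect consent older than this needs justifying.
SIX_MONTHS = timedelta(days=183)  # assumption: six months approximated as 183 days


@dataclass(frozen=True)
class ConsentRecord:
    """What the first party can prove about one consent (burden of proof is on the controller)."""
    collected_on: date
    collected_by: str                                     # first party that captured the consent
    channels: FrozenSet[str]                              # channels the consent wording covered
    positive_action: bool                                 # False if a pre-ticked box was simply left ticked
    named_third_parties: FrozenSet[str] = frozenset()     # third parties named at collection
    third_party_categories: FrozenSet[str] = frozenset()  # categories of third party described at collection
    annual_service: bool = False                          # e.g. insurance renewal: ICO accepts older consent


@dataclass(frozen=True)
class SendRequest:
    sender: str                         # organisation the message goes out from
    channel: str
    send_on: date
    category: Optional[str] = None      # the sender's type, matched against third_party_categories
    on_behalf_of: Optional[str] = None  # host contact: first party carries a third party's offer


def check_send(req: SendRequest, consent: ConsentRecord) -> Tuple[bool, str]:
    """Decide whether one message may be sent on the strength of one consent record."""
    if req.channel not in PECR_CHANNELS:
        raise ValueError(f"{req.channel}: only the PECR electronic channels are modelled here")
    if req.channel not in consent.channels:
        return False, "consent wording did not cover this channel"
    if not consent.positive_action:
        return False, "no positive action: a pre-ticked box left ticked is not opt-in"

    if req.sender == consent.collected_by:
        # Direct consent. Host contact is the same case from the consent point of view:
        # the first party stays the sender and passes no contact details to the third party.
        return True, ("host contact" if req.on_behalf_of else "direct consent")

    # Indirect third-party consent: valid only if the third party was named at collection,
    # or falls into a category the data subject was told about.
    if req.sender in consent.named_third_parties:
        basis = "third party named at collection"
    elif req.category is not None and req.category in consent.third_party_categories:
        basis = f"third party in listed category '{req.category}'"
    else:
        return False, "indirect consent: sender neither named nor in a listed category"

    # Six-month rule of thumb for a third party's first contact, relaxed for annual services.
    age = req.send_on - consent.collected_on
    if age > SIX_MONTHS and not consent.annual_service:
        return False, f"{basis}, but consent is {age.days} days old with no annual-service context"
    return True, basis


def decide(sender, channel, send_on, consent, category=None, on_behalf_of=None):
    """Convenience wrapper taking the send date as an ISO string (YYYY-MM-DD)."""
    req = SendRequest(sender, channel, date.fromisoformat(send_on), category, on_behalf_of)
    return check_send(req, consent)


# Constructed sample records, modelled on the airline wording quoted on slides 62 and 63.
AIRLINE_CONSENT = ConsentRecord(
    collected_on=date(2014, 1, 10),
    collected_by="UK Airline",
    channels=frozenset({"email", "sms"}),
    positive_action=True,
    named_third_parties=frozenset({"xxxx Airlines"}),
    third_party_categories=frozenset({"new-york-partner"}),
)
PRETICKED_CONSENT = ConsentRecord(
    collected_on=date(2014, 6, 1),
    collected_by="Mail Order Co",
    channels=frozenset({"email"}),
    positive_action=False,
)

if __name__ == "__main__":
    cases = [
        ("first party email", decide("UK Airline", "email", "2014-06-26", AIRLINE_CONSENT)),
        ("host contact", decide("UK Airline", "email", "2014-06-26", AIRLINE_CONSENT, on_behalf_of="Hotel Co")),
        ("named partner, 5 months", decide("xxxx Airlines", "sms", "2014-06-26", AIRLINE_CONSENT)),
        ("category, 7 months", decide("NY Tours", "email", "2014-09-01", AIRLINE_CONSENT, category="new-york-partner")),
        ("unnamed broker", decide("Random Broker", "email", "2014-06-26", AIRLINE_CONSENT)),
        ("pre-ticked box", decide("Mail Order Co", "email", "2014-06-26", PRETICKED_CONSENT)),
    ]
    for label, (allowed, reason) in cases:
        print(f"{label:26s} allowed={str(allowed):5s} {reason}")
```

The check returns a reason string with every decision so the outcome can be logged alongside the consent record, which is the evidence the slides say the controller will have to produce. The channel mismatch and pre-ticked checks run before any third-party logic, because a record that fails either is worthless even to the first party; the six-month test is applied only to indirect consent, matching the slide's wording about a third party's first contact.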
  69. Win-back campaigns
     • ICO guidance is unclear as to the legality of win-back campaigns
     • The ICO has confirmed to the DMA that win-back campaigns are legal provided: 1) the consumer subscribed/opted in to receive marketing messages, or 2) the consumer did not unsubscribe/opt out, where the existing-customer/soft opt-in exemption applies and its conditions are met
     • Practical issue – confirm preferences when the customer leaves/cancels
     • Remember the retention rules and the duty to keep data accurate and up to date
  70. Contacts
     James Milligan, Solicitor, DMA – T 020 7291 3347
     Janine Paterson, Solicitor & Legal Manager, DMA – T 020 7291 3356
     Legal Advice Helpline – T 020 7291 3360
  71. Q&A #dmalegal
  72. Useful links
     • ICO Direct Marketing Guidance
     • DMA Supplementary Note on ICO Guidance
     • ICO Direct Marketing Checklist
     • ICO Guidance for organisations receiving unwanted marketing
     • Which? Taskforce on consent and lead generation in the direct marketing industry – call for evidence
  73. Upcoming events
     • Introduction to data protection (Manchester) – 1 July 2014
     • Data works: connecting the data dots – 17 July 2014
     • A TV dinner (Manchester) – 15 July 2014
     • ZEDTalk 1: Creativity and ideas – 24 July 2014