Category Archives: Legislation

Data protection self-defence

If you hadn’t noticed, domestic and international data protection laws are changing, consumers are getting greater protection and some of the proposals are causing concern in some industries.

The European Commission’s draft proposals for modernisation of the 1995 data protection rules are designed to improve trust between consumers and businesses in order to improve trade by building “a new gold standard of data protection” which the Commission hopes will become the international benchmark for data protection.

The draft regulations include:

  • Cross-border (international) spam enforcement
  • Simplification of rules, bringing together privacy and data-protection
  • Greater choice, privacy and protection for consumers
  • Strengthening of rules, closing loopholes which have been abused
  • Stronger enforcement with easier access to compensation claims

Why you need an international view of consent, privacy and data protection

Every email campaign is a multinational campaign
Many recipients use global ISPs, companies have international offices and hosting centres, and email recipients travel. As a result, almost every email campaign is a multinational campaign which could be subject to international regulations.

Rules are changing fast across the world
Even if you could map out every regulation for every country you knew you were going to hit, rules and regulations are currently in a state of flux, with changes somewhere every few months.

Look beyond the UK
New international regulations, dedicated enforcement teams and increased cross-border co-operation mean that marketers need to look beyond what is needed to work with the soft-touch enforcement in the UK and look at how to work with some of the more strict international regulations.

Why you need a defensive view of consent, privacy and data protection

Proposed EU regulations in the next couple of years are going to clarify, simplify and consolidate existing rules; but will also introduce a requirement for stronger enforcement AND a means of cross-border enforcement.

In the UK we have a largely self-regulating, laissez faire industry, but this is changing: earlier this year the ICO fined spammers £500,000 and a recent letter from the Information Commissioner to the Secretary of State warns of mandatory fines and suggests that more funding and stronger sanctions are necessary for enforcement.

However, I see the biggest potential risk to most companies as professional or opportunistic claimants seeking out sites which have sign-up and marketing processes which are unclear or inadequate.

We need to change our data protection and privacy approach. Instead of only making sure consumers’ rights are fulfilled, we need to be in a position to easily prove that consent has been obtained, so that opportunistic claims can be quashed immediately.

Simple Guidelines for Data Protection and Privacy Compliance

This is where things become simple! Focus on privacy, data protection, choice and transparency for your customers and subscribers and you will be adhering to the principles behind almost all international legislation.

Forget for a moment the legal standards and specific wording and look at these simple, small steps.

  • Review your own processes (or get an audit) to see what data you collect, how you collect and store it. Consider whether it is both appropriate and necessary and whether it fits with what your customers would expect.
  • Inform customers about what you do and why. Where possible, give them choices.

To review or audit your data collection and storage processes, here are some starter questions:

When you collect data:

  • What data do you collect, where, when and how?
  • Is personal data collected which could be deemed excessive in relation to the purpose for which it was collected?
  • Is any personal data kept longer than necessary for the purpose for which it was collected?
  • Are your answers consistent with your customers’ expectations?

Once you understand your own data consider the following:

  • In your privacy policy include detail of what data you collect, how it is stored, how it is used to benefit your customers and what their options are for deleting their data.
  • When you create an account or someone signs up make it clear at that time why you collect information and explain clearly why it benefits them, providing a link to the detailed section in the privacy policy.
  • Allow people to purchase without creating an account – but give your customers compelling reasons to create an account by telling them the benefits they will get from having an account with you.
  • Provide customers with ‘the right to be forgotten’ by allowing customers to delete/obfuscate (replace their customer details with dummy data) their account history – but give them reasons NOT to do this.
  • Give your customers a choice to NOT be tracked, recorded and profiled. But give them compelling reasons why trusting you with their data is a good thing.

Be defensive by design:

  • Keep wording and processes simple and unambiguous
  • Collect basic audit information which shows what consent was provided and when
  • Where possible and appropriate, start collecting explicit consent where you currently rely on implied consent
  • Keep privacy policies up to date, making it easy for customers to see if anything has changed
  • Make sure you are in a position to easily prove that consent has been obtained
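As an added illustration of the last two lists above (the consent audit trail that lets you prove consent was obtained and when, and the delete/obfuscate option for account history), the following Python is example code written for this page, not the author’s or any vendor’s implementation. The ConsentLedger class, its field names, the subject ids, policy versions and wording are all assumed for the example.

```python
"""Consent-evidence ledger plus account obfuscation (illustrative example).

Each consent event records what a claimant would ask for later: who, when (UTC),
which purpose, which privacy-policy version was shown, where it was captured,
the exact wording and whether the act was explicit. Withdrawals are appended
rather than editing history, and every event is hash-chained to its
predecessor so that an edited or deleted record is detectable.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import hashlib
import json


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str      # hypothetical internal id of the data subject
    purpose: str         # what the consent covers, e.g. "email_marketing"
    action: str          # "granted" or "withdrawn"
    recorded_at: str     # ISO-8601 UTC timestamp
    policy_version: str  # privacy-policy version shown at the time
    source: str          # where it was captured (form URL, import batch, link)
    explicit: bool       # True only for an affirmative act, e.g. ticking an unticked box
    wording: str         # exact text shown next to the control
    prev_hash: str       # hash of the previous event in the chain
    event_hash: str      # hash of this event's other fields


def _as_utc(when=None):
    """Accept None (now), an ISO-8601 string or a datetime; return an aware UTC datetime."""
    if when is None:
        return datetime.now(timezone.utc)
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when.astimezone(timezone.utc)


def _digest(fields):
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    """Append-only log: withdrawals are added, earlier grants are never edited."""

    def __init__(self):
        self.events = []

    def _append(self, **fields):
        fields["prev_hash"] = self.events[-1].event_hash if self.events else "GENESIS"
        event = ConsentEvent(**fields, event_hash=_digest(fields))
        self.events.append(event)
        return event

    def record_grant(self, subject_id, purpose, policy_version, source, wording, explicit, when=None):
        return self._append(subject_id=subject_id, purpose=purpose, action="granted",
                            recorded_at=_as_utc(when).isoformat(), policy_version=policy_version,
                            source=source, explicit=explicit, wording=wording)

    def record_withdrawal(self, subject_id, purpose, source, when=None):
        return self._append(subject_id=subject_id, purpose=purpose, action="withdrawn",
                            recorded_at=_as_utc(when).isoformat(), policy_version="",
                            source=source, explicit=True, wording="")

    def history(self, subject_id, purpose):
        """All events for one subject and purpose, oldest first."""
        mine = [e for e in self.events if e.subject_id == subject_id and e.purpose == purpose]
        return sorted(mine, key=lambda e: datetime.fromisoformat(e.recorded_at))

    def has_consent(self, subject_id, purpose, at=None):
        """True only if the latest event at time `at` is an explicit grant.
        Implied consent (explicit=False) is recorded but deliberately not relied on."""
        cutoff = _as_utc(at)
        latest = None
        for e in self.history(subject_id, purpose):
            if datetime.fromisoformat(e.recorded_at) <= cutoff:
                latest = e
        return latest is not None and latest.action == "granted" and latest.explicit

    def evidence(self, subject_id, purpose):
        """The material to hand over when a claim arrives: plain dicts, in order."""
        return [asdict(e) for e in self.history(subject_id, purpose)]

    def verify_chain(self):
        """Recompute every hash; an edited, inserted or deleted event breaks the chain."""
        prev = "GENESIS"
        for e in self.events:
            fields = asdict(e)
            stored = fields.pop("event_hash")
            if fields["prev_hash"] != prev or _digest(fields) != stored:
                return False
            prev = stored
        return True


def obfuscate_account(account):
    """'Right to be forgotten' without destroying order history: personal fields are
    replaced with dummy values, while the internal id and transaction records stay."""
    scrubbed = dict(account)
    for key in ("name", "email", "address", "phone"):
        if key in scrubbed:
            scrubbed[key] = "[deleted]"
    scrubbed["obfuscated"] = True
    return scrubbed


if __name__ == "__main__":
    # Constructed sample data, not real subjects.
    ledger = ConsentLedger()
    ledger.record_grant("s-001", "email_marketing", "v3", "https://shop.example/signup",
                        "Yes, email me offers", explicit=True, when="2013-01-10T09:00:00+00:00")
    ledger.record_withdrawal("s-001", "email_marketing", "unsubscribe-link",
                             when="2013-03-01T12:00:00+00:00")
    print(ledger.has_consent("s-001", "email_marketing", at="2013-02-01"))  # lawful then
    print(ledger.has_consent("s-001", "email_marketing", at="2013-04-01"))  # withdrawn
    print(ledger.verify_chain())
    print(obfuscate_account({"customer_id": 42, "name": "A. Person", "email": "a@example.org",
                             "orders": [{"id": 7, "total": 19.99}]}))
```

The design choice worth noting is that `has_consent` answers the question at a point in time: a grant before a withdrawal still justifies the mailings sent in between, which is exactly the lawfulness-before-withdrawal point in the draft Regulation’s conditions for consent. Keeping `explicit` as a recorded fact rather than a filter lets you see how much of the database still rests on implied consent.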

Links

European Commission data protection proposals 25th Jan 2012

European Commission Working Party update 27th Feb 2013

DMA – How the EU Data Protection Regulation could affect you and your business 30th Jan 2013

ICO Comment on EU data protection reforms 8th Apr 2013

The Draft EU Data Protection Regulations and the Other Compliance Obligations

As our series of blogs on the proposed EU Data Protection Regulation is almost at an end, I think it’s fair to say that they made for very informative reading. I hope you would agree with me that many marketers can learn something from them. A lot of the main topics within the proposal have been covered. But what are the changes to the compliance obligations which organisations need to consider in their day-to-day activities if the proposal were to be passed in its current version?

Data processing is featured heavily in the proposed Regulation. One of the changes is around notifying the relevant national data protection authority, in the case of the UK the Information Commissioner’s Office (ICO), of your organisation’s data processing activities. Currently, providing such notification to the ICO has been a matter of course, whereas the proposal states that full records of data processing activities must be kept by the organisation and only supplied to the relevant national data protection authority on request.

The use of data in many organisations is crucial for marketing purposes, as well as general interaction with customers. If you work client-side, just think of the number of email campaigns your organisation sends out to your customers, whether the customers are active, prospective, lapsed or otherwise. Your data would have had to be processed in some way before emailing, whether it’s cleaning or segmenting for a targeted campaign; therefore keeping a record, with specific information, each time the data is processed would add another compliance burden to the activity. The obligation to keep records of processing activities is also extended to agencies where dealing with data is an integral part of the running of the organisation, such as list rental and lead generation activities. With this in mind, if you think of your own organisation’s activities as well as the number of organisations involved in a typical data processing chain, then the number of data processing activities that will need to be recorded is overwhelming. The ICO is concerned that there is a danger that organisations will focus on the ‘paperwork’ rather than on actual data protection compliance. The removal of the notification fee, which organisations currently pay to the ICO when they complete the notification form, does raise questions as to how the ICO will be adequately funded to carry out its data protection work effectively.

Another change in the proposal which will have a big impact is the requirement for organisations with 250 or more staff to have a designated independent data protection officer. Even though data is crucial to a lot of organisations, the size, the reasons for its use and the frequency with which data is handled and processed vary between organisations. The ICO believes that “a simple head-count criterion for the designation of a data protection officer is not the best approach.” Some low head-count organisations may process a large amount of information about a lot of people and are therefore high risk. On the other hand, large head-count organisations may carry out relatively small-scale and low-risk processing. Read the ICO’s report on the draft regulations here.

The additional bureaucratic requirements relating to these proposed new compliance obligations will certainly create extra administrative costs, particularly for smaller organisations. As well as the increased documentation of all data processing activities, consider the revision and issue of new terms and conditions, and the amount of employee guidance and training around these changes.

These new compliance obligations, as well as implementing the right to be forgotten and explicit consent for data processing, will mean that all organisations will have to review their day-to-day activities.

Changes to the EU Data Protection Regulation: What are the penalties?

When the updated European Commission’s Draft Data Protection legislation was announced last year, a lot was made of the sweeping changes to the fundamental data principles. Many of these have already been covered in other blog posts, but what I want to delve into here are the changes in financial penalties involved for failure to comply with the rules. There are two separate provisions which could hit your corporate wallet. The first allows the regulators to levy a fine for breaches, while the other gives individuals the right to be awarded compensation for breaches.

Fines from Regulators

The original proposal gave regulators the power to levy a fine of up to €1m, or up to 2% of a business’s global turnover, for breaches of the regulations. On the 20th of February, the Industry Committee of the European Parliament voted against mandatory fines and to give the power to set the size of the fine to the national regulators, which is in line with the current regulations. While many consumer and privacy advocates have said this will water down the new regulations, I for one applaud this move as it will allow fines to be in line with local attitudes about data privacy and economic conditions.

Do not think that because the power to set mandatory fines has been taken away from Brussels and granted to the UK Information Commissioner that companies dealing in personal data will have an easy ride here in the UK. The ICO continues to lobby for greater enforcement powers and, more importantly, a greater budget to dedicate towards enforcement. The ICO has also been using its current ability to assess financial penalties more over recent years, with a twofold increase in the number of fines issued in 2012 over 2011 and a fourfold increase in the monetary penalty over the same period. The trend is clear: the ICO is issuing more penalties and the fines are getting bigger.

Individuals Right to Compensation

The other potential hit to your corporate wallet is the new proposal giving individuals the right to compensation for breaches in the data protection regulations. This is worrying for a number of reasons. First, there are no guidelines around how a court or regulator would determine when personal compensation is warranted, how the compensation should be calculated or limits to the compensation award. A second concern is that this proposal will drive the EU to be more litigious.

The third and greatest worry for us as an industry is that this personal compensation can be sought from both the data owner and the data processor. Making data processors responsible for the actions of the data controllers is a new and very troubling concept which will significantly impact the email marketing industry.

Up till now, data processors, primarily in the form of ESPs, acted only on the instruction of the data controller and therefore were not required to ensure that the behaviour of the data controller was in fact legal. There is already an extra burden on our industry because, as we all know, we deal with the “second regulator” in the form of ISPs deciding whether to accept our email transmissions or not. Should this new provision go through, ESPs will not only have to ensure that their clients are following the best practices to optimise deliverability, but they will also have to get right under the skin of the client’s business to ensure that they are legally compliant with data protection regulations. This will be an intrusion that many client companies will not want; it is a process which ESPs are not currently structured to handle and one that will have to be funded in the form of higher send costs.

Should I Worry?

At the end of the day it is email marketing 101-type stuff. Any email marketing professional worth their salt, or any member of the DMA, should be following the basics of best practice closely enough to not be doing anything wrong and should therefore generally have nothing to worry about. The worry comes as a result of simple human error which can cause a file to be corrupted, or a laptop left on a train, or a password that is too easy to crack. These “simple human errors” could get to be very costly.

Take action now!

If you haven’t already, take time to read the DMA’s assessment of the impact of the new regulations. Think about how this could hurt your business and then reach out to your MEP and make your voice heard.

Opt-In & Opt-Out – Definitions of Consent according to the draft EU Data Protection Regulations

As a consumer, I am always in favour of legislation which seeks to protect individual freedoms and reduce ambiguity in what organisations can and cannot do with my personal information. As a marketer too, it is important that the availability and use of a consumer’s personal information be governed by clear guidelines, and end in a mutually beneficial result – at the bare bones of it, providing a customer with timely, relevant communications based on the data they have provided, at the same time as (hopefully) making a profit for the organisation I am working for.

The real worry is that the current draft of the European Union Data Protection Regulation does the opposite by introducing more complexity and ambiguity than already exists, and potentially creates further issues which would not have surfaced if the status quo were maintained.

The verbatim definition of consent within the Regulation is as follows:

“…’the data subject’s consent’ means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed…”
[http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0011:FIN:EN:PDF Article 4 (8)]

Furthermore, the “Conditions for Consent” are laid out as follows:
1. “The controller shall bear the burden of proof for the data subject’s consent to the processing of their personal data for specified purposes.

2. If the data subject’s consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.”

[http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0011:FIN:EN:PDF Article 7]

In the above, I have highlighted the key elements here – the Regulation is essentially saying that organisations need to obtain a clear and explicit statement/action by which a data subject provides consent. From an email permission-marketing best practice perspective, this is fine – however the Regulation does not address whether or not this would need to be retrospective for existing databases, and whether or not organisations would be able to contact customers with whom they have had previous interactions (as is currently permissible under the existing Privacy and Electronic Communications Directive – and, the majority of the time, expected by consumers).

This is completely disregarding whether or not those consumers actually want to be contacted, and if the “burden of proof” detailed above is an enforceable requirement (in a worst-case scenario) – then the Regulation is effectively saying organisations must delete said data if they cannot prove consent has been given explicitly! Then there’s the possibility of dispute over the meaning of “informed & explicit”… well, you can see where this is heading – more ambiguity and less clarity.

Furthermore, there is an argument out there that this Regulation does not take into consideration the low-risk use of Business-To-Business (B2B) data for marketing purposes – where, more often than not, an organisation would hold and process information on another organisation or group of members of staff, with perhaps multiple key decision makers – not an individual.

In summary, the intention is good but the detail is lacking – I strongly urge the legislators in Brussels to revise and alter the Regulation so that it can sit with the existing Privacy and Electronic Communications Directive. They also need to focus on what the effect of the changes in the draft Regulation will be for both consumers and organisations.

To find out more about the consequences of this legislation passing unaltered, and the potential impact on your own business, take a look at http://dma.org.uk/eu-data-protection. This site also provides information on how to take immediate action, by lobbying your regional MEPs.

What is “personal Information” according to the draft EU Data Protection Regulation?

In order to keep up with new technologies and to address consumer concerns over privacy, the 1995 European Data Protection Directive, which was implemented in the UK as the 1998 Data Protection Act, is in the process of being updated. This can be a good thing because, aside from anything else, it aims to reduce red tape and add more consistency across Europe. However, the draft proposals are missing the mark and are not going to meet the objectives unless some additions and changes are made.

The definition of “personal data” is one example of this; it is proposed to be extended so it could cover some IP addresses and cookies:

“a natural person who can be identified, directly or indirectly by means likely to be used by the Data Controller … in particular by reference to an identification number, location data, online identifier…”

The definition makes no distinction between data which is not directly identifiable, such as an IP address (which identifies a device, not a person), and data which is, e.g. a name and address. This change would make profiling and web analytics much more difficult, if not impossible, and would change the whole way internet and email marketing works. The easy user experiences and communications users are currently used to from talented marketers would be replaced with either nothing or un-targeted information, a backward step which will benefit neither users nor business. The updated European data protection legislative framework needs to allow commercial developments to continue, which will allow business to grow and users to have positive, relevant information sent to them.

It is imperative that the definition of personal data is revised otherwise the online economy may be severely damaged.

Proposed EU Data Protection Regulation – Liability and right to compensation

We have been covering the proposed EU data legislation. The full changes to society and benefits from the internet are far from complete, but one thing is clear: in the future the strong countries and economies will be those that have the best digital capability. The EU Data Protection Regulation threatens to limit and slow the growth of the digital economy in Europe.

In this post we look at the changes to the rules as to when individuals can claim compensation if they have suffered damage due to non-compliance with the proposed Regulation.

The current data protection legislation, Article 23 of the 1995 EU Data Protection Directive (95/46/EC), allows individuals to claim compensation for damage suffered due to non-compliance with the Directive.

The current article states:

1. Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.

2. The controller may be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage.

The proposed changes are in Article 77 of the draft Regulation, and the current text would widen the rights of individuals to claim compensation in the event of non-compliance with the Regulation, as they would be able to make claims against data processors. In the case of multiple controllers/processors, they would be jointly liable for the full amount. The proposal in full is:

1. Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.

2. Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damage.

3. The controller or the processor may be exempted from this liability, in whole or in part, if the controller or the processor proves that they are not responsible for the event giving rise to the damage.

The points of concern the proposed text raises are:
• Data processors located within the European Economic Area (EEA: the 27 Member States of the EU plus Iceland, Liechtenstein and Norway) could be liable for failings by data controllers outside of the EEA
• The definition of damage and the risk that it fosters a compensation claims culture

1) Liability between data controllers and data processors

If the data controller is located outside of the EEA then it brings a risk for any data processor located within the EU to deal with such a data controller. A data controller located outside the EEA may not be familiar with the EU data protection legislation, and under the draft Regulation the data processor located within the EEA could be liable for the actions of the data controller in cases of non-compliance with the legislation. Such actions of the data controller could be outside the data processor’s control. This may stem the ability of data processors located within the EU to grow and deal internationally. This is not in the EU’s economic interest.

What is the benefit of adding liability to the data processor for the actions of data controllers? Data processors are required to have data processing agreements in place with the data controllers for whom they are processing personal data. Under such agreements a data processor should be liable to the relevant data controller for any breaches of data protection legislation. Giving individuals the right to claim compensation from data processors as well as data controllers may mean more disputes between data controllers and data processors as to which one should pay the compensation for damage caused by non-compliance with data protection legislation.

2) The definition of damage

What is damage? The UK Information Commissioner’s Office believes it is the European Commission’s intent for damage to include ‘damage or distress’ suffered. Given the historical difficulty and subjectivity of establishing whether distress has been caused and the monetary value of that distress, this is bound to lead to expensive court cases to establish these parameters. The loser will be the consumer, as increased risks and legal costs will be passed on by business and ultimately paid for by the consumer. The alternative is that some data processors will be forced to go out of business. To avoid this, clarity as to the meaning of damage in the draft Regulation is needed: does this mean “quantifiable monetary damage”, as is currently the case in UK law?

Overall this change appears to bring in unnecessary additional legal risk, the costs of which will ultimately land upon the consumer and will limit the growth of the European digital economy.

EU Draft Data Protection Regulation – Data Breach Notification

Anyone who is in the business of processing personal data will be aware of the proposed new EU Data Protection Regulation. It’s a pretty hot topic right now (as I’m sure you’d agree) as it represents the most significant global development in data protection law since the EU Data Protection Directive that was agreed over 17 years ago. This was clearly way before smartphones were in everyone’s pockets and internet access was in every household, so no one would deny the fact that in this age of mass information sharing, this piece of legislation is in need of some revision.

However, a common view amongst marketers and data owners is that the current draft of the Regulation doesn’t strike the right balance between a) protecting an individual’s right to data privacy, and b) allowing businesses to engage with consumers, using the data they have access to, to deliver really relevant content.

As part of the proposed new Regulation, the European Commission is widening the scope of data protection laws to include a requirement that any business that stores personal data will have to disclose the details of any data security breaches.

So what does this mean, and how do data security breaches occur? They can happen in a great many ways, including:
• Lost or stolen laptops, removable storage devices (USB sticks etc.) or paper records containing personal information
• Hard disk drives being disposed of or returned without the information being correctly erased
• Hacking
• Staff members accessing or disclosing personal information illicitly
• Unsecured recycling of confidential waste
• Sending sensitive information digitally without encrypting it properly first

According to the Information Commissioner’s Office (ICO), the definition of a personal data security breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Under the draft Regulation, it’s proposed that any organisation that processes personal data will be required to inform the ICO if a personal data security breach occurs.

So what does this mean for us as Email Marketers?

Essentially it gives the consumer much more information and ultimately control. Yes, this is great for our customers, but not so wonderful for us as many organisations (especially those of us in the email industry who handle a large amount of data for our clients) have expressed concern about potential ‘over-disclosure’ opportunities that could arise thanks to the requirement to provide the necessary information within 24 hours of a data security breach, as envisaged in the draft Regulation. It could potentially force organisations to reveal more information than they need to (such as notifying every individual who might have been affected by the breach rather than those who definitely were). This concern is backed up by recent research from LogRhythm who found that 87% of UK businesses have admitted that they wouldn’t be able to identify individuals affected by a breach within this timeframe.

Another concern amongst email marketers is that this requirement to notify a data security breach within 24 hours doesn’t just apply to organisations based within the EU, but it includes those doing business in it, making the draft Regulation the first de facto global data breach law.

Finally, it could lead to ‘notification fatigue’. With the requirement for each and every breach to be notified, regardless of the severity, consumers could be inundated with breach notifications, which could lead to consumers tuning out.

The good news is that it could take another 3-4 years before the changes come into play; however, many of our peers are expressing concern over the negative impact the new Regulation could have on email and direct marketing. The DMA (UK), with FEDMA, is lobbying the EU institutions in Brussels, the Ministry of Justice and the Department for Culture, Media and Sport here in London to try and achieve an outcome that is more business-friendly. We would like to see the requirement to notify regulators and individuals of a data security breach restricted to serious breaches and the 24-hour time limit to notify a breach extended. Whatever the outcome is, positive or otherwise, you can bet your bottom dollar that the data security breach notification requirement will remain in the Regulation in some form or other. Therefore, it’s absolutely imperative that you put in place or review clear and well-understood data security breach notification procedures.