Legal update - Leeds
TRANSCRIPT
Wednesday 8 September 2015
@DMA_UK #dmalegal
Legal update - Leeds
Agenda
2.00pm Registration
2.30pm EU Data Protection Regulation – What the future holds
James Milligan, Solicitor, DMA
3.15pm Break
3.30pm Buying and selling data
James Milligan, Solicitor, DMA
3.55pm Round up of other legal issues
James Milligan, Solicitor, DMA
4.20pm Questions
4.30pm Close
EU Draft Data Protection Regulation –
What the future holds
James Milligan, Solicitor, DMA
Future new Data Protection Regulation – Why now?
• Data Protection Directive 95/46/EC ("Directive") (implemented in UK by 1998 Data Protection Act) showing its age
• New technologies and more complex information networks
• Lack of common European law and differences in national implementation
• Consumer concern over privacy
• Data protection now a fundamental right under EU Charter of Fundamental Rights
EU Data Protection reform – where
are we?
• Jan 2012 – European Commission published first
draft Data Protection Regulation ("DPR")
• Very much an initial draft
• March 2014 - European Parliament in plenary
session adopted amendments it wanted to see to
Commission text
• Most of the amendments are pro-consumer although some are good for business
• 15 June 2015 - Justice and Home Affairs Ministers
agreed their amendments to Commission text
• Still reservations and other issues in text
EU Data Protection reform – where are we going?
• June 2015 – 3 different versions of the text:
  European Commission – Jan 2012
  European Parliament – Mar 2014
  Justice and Home Affairs Ministers – June 2015
• 24 June 2015 – 3-way negotiations (trilogue) between representatives from the European Commission, Parliament and Justice and Home Affairs Ministers to agree the final version of the text began
• July – December 2015 – Further trilogue negotiating meetings
• End of 2015/early 2016 – Regulation passed in Brussels
• End of 2017/early 2018 – Regulation implemented into UK law
Impact on direct marketing
• Existing databases may not be usable: could
decimate prospect lists. Legacy data?
• No tracking data, profiling or segmentation without
explicit consent – less targeted and more generic
communication?
• List broking severely restricted
• New information requirements and rights of the data
subject, e.g Right to be forgotten/erasure
• Increased costs - £76,000 per business to comply +
possible £47 billion of lost sales in UK
Headline proposed changes
• Expanded definitions: “personal data” and “data
subject”
• Explicit consent required
• Right to be forgotten
• Greater emphasis on accountability
• Notification of data security breaches
• More onerous sanctions for breach
• Data processors directly covered
Consent
Current position:
- Freely given, specific, informed indication of the data subject's wishes
- Explicit consent required for sensitive personal data only
Proposed position:
- Freely given, specific, informed and explicit indication of the data subject's wishes
- Given either by a statement or a clear affirmative action
- Data controller / data subject relationship to be taken into account
- Burden of proof on controller to demonstrate consent
Consent
• Previous slide reflects European Commission and
Parliament’s view
• Justice and Home Affairs Ministers went for
“unambiguous consent”
• Practical difference between "explicit" and "unambiguous" consent
• View from Brussels is that Justice and Home Affairs
Ministers may accept “explicit” consent
Effect of change
• Postal and telephone marketing could become
opt-in/subscribe for first party and third party
marketing
• Current position
• Post and telephone marketing - opt-out
unsubscribe for first and third party marketing
• Email and SMS marketing – general rule opt-in/
subscribe for first and third party marketing with
soft opt-in exemption for first party marketing to
existing customers
• Remember that if you are processing data on
behalf of a client you are not a third party as
regards that client
Introduction of opt-in/explicit consent
• Review language used at point of data collection
and be prepared to move to explicit /opt-in
consent for first and third party marketing
• Opt-in /explicit consent not required for first party
postal marketing in European Parliament version
of the text
• Do people understand what they are agreeing to?
– nation of liars
• Think about how you will update legacy
databases
• How will you demonstrate proof of consent
• Preference centre – by brand/ channel?
Legitimate interests of data
controller
• Justice and Home Affairs Ministers text reintroduced
wording in current 1995 Directive/1998 Data
Protection Act allowing an organisation renting a list
(third party) to process the details on the list (personal
data) under the legitimate interest ground
• This could mean that first and third party postal and
telephone marketing could be done on an
unsubscribe/ opt-out basis as now.
• Article 6.4 Incompatible processing
• Recital stating that direct marketing is a legitimate
interest in both Parliament and Justice and Home
Affairs Ministers text.
• Key issue in three way negotiations
IP addresses and cookies
• Definition of personal data extended so could cover some IP addresses and cookies as “online identifiers”
• Justice and Home Affairs Ministers preserve flexibility in 1995 Directive
• But IP addresses identify a device not an individual + some IPs are general
• Huge implications for digital marketers
• Web analytics & profiling made much more difficult, if not impossible
• Interaction with new cookie rules problematic
• Profiling - European Commission and Justice and Home Affairs Ministers happy with wording from 1995 Directive v European Parliament want to introduce consent for all profiling
IP addresses and cookies
• Think about how you will deal with the extension of personal data to include location data, IP addresses, cookies and other online identifiers
• Pseudonymous/anonymous data – will you be
able to take advantage of exceptions?
• Justice and Home Affairs Ministers –
pseudonymous data is a subset of personal data
• Amend wording on privacy policies/data collection
notices to take account of new rules on profiling.
Data Breach Notification
• Any data security breach to be notified to ICO and the individuals concerned within 24 hours /72 hours
• Report to cover:
• nature of breach
• number of data subjects
• categories of data
• proposed mitigation
• Not always obvious if there has been a breach or how extensive it is
• Problem of notification fatigue
• No threshold level specified in Commission and Parliament text
• Council of Ministers introduced a threshold: notification required where the breach has a severe effect on the individual's rights and freedoms
Data security breach notification
• Introduce breach detection and notification procedures
• Think about how you will notify data protection
authorities and affected individuals within
whatever timescale is agreed
• Develop/review your data breach response plan
Subject Access Requests (SARs)
• Data subjects to be able to request full information on data held on them free of any charge
• Currently can levy a £10 fee – doesn’t cover cost but deters time-wasters, frivolous or vexatious requests
• Costs organisations £50 million p.a. now to meet SARs
• Proposal that can provide data in electronic form if data subject agrees to this
• Particular problem for financial services with mis-selling issues and claims management firms
The right to be forgotten/erasure
• Google Spain case
• Prepare to respond to requests
• Deletion/ suppression
• Other legal requirements to keep information e.g. accounting, tax, money-laundering
• Justice and Home Affairs Ministers right to erasure only has to be passed on to third parties if technology allows and cost not prohibitive.
Access Rights and Right to Erasure
• New Regulation may lead to increased public awareness of rights e.g., right to request information ( Data Subject Access Requests, Right to be forgotten)
• Plan ahead for increase in queries from clients/public
• Training for client/customer service teams
Processor’s liability and other obligations
• Data protection obligations now shared between controllers and processors
• Processors subject to fines where not complied with processor obligations under Regulation or acted outside or contrary to lawful instructions of controller
• Privacy by Design/Privacy by Default
• Appointment of DP officer (250+ employees)
• Justice and Home Affairs Ministers only compulsory where high risk processing otherwise voluntary.
• European Parliament – based on number of employees and records processed
- 2 year appointment
- Independent reporting to board
- Information and training
- Maintenance of documentation
- Data protection impact reports
• International transfers of data outside EEA – the law would apply to any processing of EU citizens' data
Compliance obligations
• Review amount of data being processed, erasure policies and
data retention policies
• Requirement to demonstrate compliance will mean more
documentation in respect of policies and procedures
• Contact centres, mailing houses, email/SMS broadcasters will
also be subject to these new obligations, especially in respect
of data security
• Review staff training in data protection.
• Appointment of a data protection officer?
• Risk- based approach to compliance and data protection
impact assessments
Proposed enhanced sanctions
• Up to €500k or 1% annual worldwide turnover intentional or
negligent failure to respond to subject access requests in
accordance with Regulation
• Up to €1m or 2% of annual worldwide turnover for other
compliance failures
• Depends on:-
- size of organisation involved
- nature and gravity of breach
- whether intentional or negligent
- technical and organisational measures
- previous breaches
- co-operation with ICO
Enhanced sanctions/fines
• Watch out if you get it wrong!
• Increase focus on compliance – board level issue
• Review internal policies and procedures
Cross-border issues
• Main establishment / one-stop shop provisions
• Think about which country’s national data protection authority
will be lead regulator
• Possibility of changing country where head office is located
• Review arrangements for transfers of data outside EEA (28 Member States of EU + Iceland, Liechtenstein, Norway)
• Application to EU citizens’ personal data no matter where it is
processed.
• European Court of Justice Google Spain right to be forgotten
case - link between Google Spain and Google USA
Three-way (trilogue) negotiations
• Scope for lobbying limited as discussions take place
behind closed doors and are more like commercial
negotiations
• Meeting with Labour London MEP Claude Moraes,
Chair of European Parliament Justice (LIBE)
Committee?
• Continue to lobby MOJ on key issues
• More information may be available because of
Justice and Home Affairs Ministers continuing work
on text
Data protection toolkit
Buying & selling data
James Milligan, Solicitor, DMA
A changing world
• Consumer attitudes are evolving.
• Openness and transparency.
• Trust in data is becoming a key brand differentiator.
PPI and accident claims
• Loss of confidence in the industry and marketers.
• Even more regulation.
• Self-regulation of the sector damaged.
Caveat emptor…
• When you buy or rent a marketing list you must
make rigorous checks to ensure that the
organisation selling the data obtained the personal
data fairly and lawfully, and that the individuals
understood their details would be passed on for
marketing purposes, and that they have provided
their consent.
Stories in the last two months
• List Brokers (Mail, radio )
• Charities (Mail, Sun, Times, multiple radio, TV )
• Royal Mail (Mail, Times, radio)
More, much more to come!
Royal Mail: http://www.dailymail.co.uk/news/article-3133755/Millions-facing-junk-mail-deluge-Secret-Royal-Mail-plan-deliver-marketing-letters-shoppers-simply-click-product-online.html
Call centre: http://www.dailymail.co.uk/news/article-3113793/We-don-t-care-s-98-s-not-dead-cash-MoS-exposes-tactics-cynical-call-centre-used-Britain-s-biggest-charities-including-Oxfam-Cancer-Research-UK-RSPCA.html
Data: http://www.dailymail.co.uk/news/article-3085699/Charities-using-dirty-tricks-details-Marie-Curie-RNIB-St-John-Ambulance-bought-lists-donors-using-unscrupulous-data-firm.html
Paddy Power: https://shkspr.mobi/blog/2015/04/dealing-with-sms-spam-from-paddypower/
B2C pensions: http://www.dailymail.co.uk/news/article-3017205/Your-pension-secrets-sold-conm
Pensions: http://www.dailymail.co.uk/news/article-2998082/Beware-pension-sharks-Flood-spam-texts-cold-calls-create-PPI-scandal.html
Data bubble: http://www.dailymail.co.uk/news/article-3018659/Privacy-sale-s-health-secrets.html
Charities
• http://www.dailymail.co.uk/news/article-3150115/Save-Children-BANS-cold-calling-following-death-92-year-old-poppy-seller-Olive-Cooke-hounded-charities.html
• http://www.dailymail.co.uk/news/article-3151530/Shame-charity-cold-callers-Hit-like-sledgehammer-bosses-callous-tips-trapping-vulnerable.html
• http://www.dailymail.co.uk/news/article-3151533/Shamed-charity-cold-call-sharks-Britain-s-biggest-charities-ruthlessly-hound-vulnerable-cash-try-opt-receiving-calls.html
• http://www.dailymail.co.uk/news/article-3151570/I-m-bombarded-calls-s-taken-joy-giving-OAPs-say-threatened-homes-charities.html
• http://www.dailymail.co.uk/debate/article-3151679/DAILY-MAIL-COMMENT-law-protect-cold-callers.html
• http://www.dailymail.co.uk/news/article-3152868/The-100-000-year-bosses-driving-cold-call-menace-charities-told-stop-bullying-Big-four-savaged-phone-tactics.html
• http://www.dailymail.co.uk/debate/article-3152961/DAILY-MAIL-COMMENT-Charities-stop-punishing-generosity.html
• http://www.dailymail.co.uk/news/article-3154251/Now-charities-forced-action-cold-calling-Bosses-agree-clean-act-boiler-room-tactics.html
• http://www.dailymail.co.uk/news/article-3155536/Charities-crisis-cold-call-menace-ministers-threaten-new-laws-crack-grotesque-fundraising-practices.html
• http://www.dailymail.co.uk/news/article-3155574/Charities-kept-using-cold-calling-firm-knew-preyed-dementia-victims-NSPCC-British-Red-Cross-Oxfam-Macmillan-pledge-review-practices-caught-out.html
• http://www.dailymail.co.uk/news/article-3156846/VICTORY-Mail-expose-reveals-shame-charity-cold-call-sharks-PM-pledges-tough-new-laws-tackle-boiler-room-tactics-targeting-elderly-vulnerable.html
• http://www.dailymail.co.uk/debate/article-3156996/DAILY-MAIL-COMMENT-free-Press-laid-bare-charity-bullying.html
• http://www.dailymail.co.uk/news/article-3160092/Charity-curbs-law-end-year-victory-Mail-laid-Parliament-amendments-Charities-Bill.html
• http://www.dailymail.co.uk/news/article-3221861/MPs-quiz-charity-bosses-trade-donor-s-details.htm
• http://www.dailymail.co.uk/news/article-3220921/Is-home-making-target-charity-money-grabbers-Firms-paid-scour-house-price-data-bid-identify-millionaire-door-donors.html
• http://www.dailymail.co.uk/news/article-3218994/Our-trust-good-causes-abused-ESTHER-RANTZEN-disturbing-new-twist-charities-scandal.html
• http://www.dailymail.co.uk/news/article-3218987/How-RSPCA-snoops-wills-donors-claimed-seen-walking-wallets-charities.html
• http://www.dailymail.co.uk/debate/article-3217641/DAILY-MAIL-COMMENT-s-charity-exploiting-elderly.html
• http://www.dailymail.co.uk/news/article-3217506/New-shame-charities-Widower-s-details-passed-200-times-leading-lose-35-000-getting-731-demands-cash.html
New rules on charity fundraising
• Changes introduced as amendments
to Charities Bill
• Charities and organisations involved
in fundraising will have to state how
vulnerable people will be protected
• Charities with income of over 1 million
pounds in each year will have to state
in Trustees Report their fundraising
approach
• Review to consider whether any
further action is required
New rules on charity fundraising
• Subscribe/opt-in system for passing
donor’s details to other charities
• Ban on small print – information for donors in the same size typeface as the rest of the fundraising literature
• Ban on withholding telemarketing
numbers
• New independent charity watchdog
Charity fundraising reviews
• Etherington review - NCVO
• Similar review in Scotland SCVO
• Public Administration and
Constitutional Affairs Select
Committee
• ICO investigations following press
articles
DMA Code
• Benchmark for success and the restoration of
confidence.
Selling a Marketing List (1)
General rules per marketing channel for third party use
• Postal mail – opt-out/unsubscribe and screen against MPS
• Telephone – opt-out/unsubscribe and screen against TPS and CTPS
• Email, SMS and automated recorded calls – opt-in/subscribe and:
  1) either the third party is specifically named or the third party falls into a named sector, and
  2) the third party must use the list for first contact within 6 months of purchase
Selling a marketing list (2)
• Remember that opt-out/unsubscribe or opt-in/subscribe must be meaningful and informed.
• Need for record-keeping – date of collection and the generic data collection notice/privacy notice/privacy policy in use at that time.
• Consent – must be specific and informed to be valid.
• Consent needs a positive action – pre-ticked opt-in boxes are not valid consent.
• Consent decays over time – Simon Rae case
• ICO Direct Marketing Guidance and DMA Supplementary Note.
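The two slides above amount to a per-channel rule set plus a record-keeping requirement. Below is an added example (not code from the DMA deck, the ICO guidance or any DMA tool) that encodes those rules as a check a list seller could run before releasing a contact to a named buyer: post and telephone need no opt-out and a clean preference-service screen, while email, SMS and automated calls need a positive opt-in, a buyer that was named (or in a named sector) at collection, and first contact within 6 months of purchase. The field names, the dictionary standing in for MPS/TPS/CTPS screening, the sample records, the 183-day reading of "6 months" and the two-year freshness policy are all this example's own assumptions; the slides give no figure for how fast consent decays.

```python
"""Added example (not from the DMA deck or the ICO guidance): a consent record
and a per-channel check of whether a contact may be passed to a third party.
Field names, the suppression-file layout, the 183-day reading of "6 months"
and the two-year freshness policy are this example's own assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Channel groupings as the slides state them. Post and telephone run on an
# opt-out/unsubscribe basis plus screening against the preference service;
# email, SMS and automated recorded calls need opt-in/subscribe consent.
OPT_OUT_CHANNELS = {"post": "MPS", "telephone": "TPS/CTPS"}
OPT_IN_CHANNELS = {"email", "sms", "automated_call"}
THIRD_PARTY_USE_WINDOW = timedelta(days=183)  # "within 6 months of purchase" (assumption: 183 days)
FRESHNESS_POLICY = timedelta(days=730)        # seller's own policy; the slides give no figure (assumption)


@dataclass(frozen=True)
class ConsentRecord:
    """What the seller keeps per contact so it can answer a buyer's questions."""
    contact_id: str
    channel: str
    collected_on: date
    notice_version: str              # privacy notice / collection wording in use at that time
    affirmative_action: bool         # positive step by the individual; a pre-ticked box is False
    opted_in: bool = False           # meaningful for opt-in/subscribe channels
    opted_out: bool = False          # meaningful for opt-out/unsubscribe channels
    named_third_parties: frozenset = frozenset()   # buyers named at collection
    named_sectors: frozenset = frozenset()         # or sectors named at collection


@dataclass(frozen=True)
class ListSale:
    buyer: str
    buyer_sector: str
    purchased_on: date
    first_contact_on: date


def can_transfer(rec: ConsentRecord, sale: ListSale, suppression: dict,
                 max_consent_age: Optional[timedelta] = None) -> tuple:
    """Return (allowed, reasons). `suppression` maps a preference service name
    to the set of contact ids registered with it (a stand-in for screening
    against the live MPS/TPS/CTPS files)."""
    reasons = []
    if not rec.notice_version:
        reasons.append("no record of the privacy notice in use at collection")
    if rec.channel in OPT_OUT_CHANNELS:
        service = OPT_OUT_CHANNELS[rec.channel]
        if rec.opted_out:
            reasons.append(f"opted out of {rec.channel} marketing")
        if rec.contact_id in suppression.get(service, set()):
            reasons.append(f"registered with {service}")
    elif rec.channel in OPT_IN_CHANNELS:
        if not (rec.opted_in and rec.affirmative_action):
            reasons.append(f"no positive opt-in for {rec.channel} (a pre-ticked box does not count)")
        if sale.buyer not in rec.named_third_parties and sale.buyer_sector not in rec.named_sectors:
            reasons.append(f"buyer {sale.buyer!r} neither named nor in a named sector at collection")
        if sale.first_contact_on - sale.purchased_on > THIRD_PARTY_USE_WINDOW:
            reasons.append("first contact falls outside 6 months of purchase")
    else:
        reasons.append(f"unknown channel {rec.channel!r}")
    if max_consent_age is not None and sale.purchased_on - rec.collected_on > max_consent_age:
        reasons.append("consent older than the seller's freshness policy")
    return (not reasons, reasons)


def sellable_subset(records, sale, suppression, max_consent_age=None):
    """Contact ids that pass every check for this sale, in input order."""
    return [r.contact_id for r in records
            if can_transfer(r, sale, suppression, max_consent_age)[0]]


# Constructed sample data (no real individuals, buyers or suppression files).
SUPPRESSION = {"MPS": {"c-002"}, "TPS/CTPS": set()}
SALE = ListSale(buyer="Acme Insurance", buyer_sector="insurance",
                purchased_on=date(2015, 9, 8), first_contact_on=date(2015, 10, 1))
RECORDS = [
    ConsentRecord("c-001", "post", date(2015, 3, 1), "notice-v3", True),
    ConsentRecord("c-002", "post", date(2015, 3, 1), "notice-v3", True),       # on MPS
    ConsentRecord("c-003", "email", date(2015, 6, 1), "notice-v4", True,
                  opted_in=True, named_sectors=frozenset({"insurance"})),
    ConsentRecord("c-004", "email", date(2015, 6, 1), "notice-v4", False,
                  opted_in=True, named_sectors=frozenset({"insurance"})),      # pre-ticked box
    ConsentRecord("c-005", "telephone", date(2013, 1, 1), "notice-v1", True),  # old consent
]

if __name__ == "__main__":
    for r in RECORDS:
        ok, why = can_transfer(r, SALE, SUPPRESSION, FRESHNESS_POLICY)
        print(r.contact_id, "OK" if ok else "; ".join(why))
```

The reasons list is the point of the design: because the burden of proving consent sits with the controller, a seller wants a per-contact, per-sale record of which rule blocked a transfer, not just a filtered file. The `notice_version` field is what lets the seller answer the buyer's provenance questions on the following slide without re-reading a privacy policy that has since changed.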
Selling a marketing list (3)
• Special rules apply when a business is being closed
down/insolvent. Customer database can be sold to
a third party without the consent of individual
customer provided:
• 1) Database only used for same purpose for which it
was collected by closed down business
• 2) Reasonable expectations of individual.
• If above conditions not met third party will have to
get fresh consent from customers of closed down
business.
Selling a marketing list (4)
• Be prepared to answer questions which buyer may
ask.
• Seller’s responsibility to check provenance of
marketing list.
• May have to check further down the data chain.
• Due diligence and contractual warranties/liabilities.
ICO Direct Marketing Guidance
Survey
• ICO wants your opinion on how useful its Direct Marketing
Guidance is in helping you comply with the law
• Survey closes 18 September
• https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2015/08/review-of-direct-marketing-guidance/
Further Reading
• ICO Direct Marketing Guidance
• https://ico.org.uk/media/for-organisations/documents/1555/direct-marketing-guidance.pdf
• DMA Supplementary Note
• http://dma.org.uk/article/dma-clarifies-ico-guidance-on-direct-marketing
• ICO Direct Marketing Checklist
• https://ico.org.uk/media/for-organisations/documents/1551/direct-marketing-checklist.pdf
Round up of other legal issues
James Milligan, Solicitor, DMA
Digital Single Market
President Juncker
• “ensure that European citizens will soon be able to
use their mobile phones across Europe without
having to pay roaming fees”
• “ensure that consumers can access services,
music, movies and sports events on their electronic
devices wherever they are and regardless of
borders”
• “create a level playing field where all companies
offering goods and services in the EU are subject to
the same DP and consumer rules, regardless of
where their server is based”
Three pillars
1. Better online access.
2. Creating the right conditions and level playing field
for advanced digital networks and innovative
services.
3. Maximising the growth potential of the digital
economy.
Pillar 1: Better online access for consumers
and businesses across Europe
• Ecommerce rules.
• Parcel delivery.
• Unjustified geo-blocking.
• Better access to digital content.
• Reduce VAT related burdens.
Pillar 2: Creating the right conditions and level
playing field for advanced digital networks and
innovative services.
• Making telecom rules fit for purpose.
• Fit media framework.
• Fit for purpose regulatory environment for platforms
and intermediaries.
• Reinforcing trust and security in digital services and
handling of personal data.
Pillar 3: Maximising the growth potential of the
digital economy
• Building a data economy.
• Boosting competitiveness through interoperability and standardisation.
• E-inclusive society.
Why?
• €340 billion in additional growth.
• 3.8 million jobs created across Europe.
• Potential savings of €100 billion per annum if all
public procurement was online.
A mammoth task
• The digital single market is an extremely ambitious
project but a priority for this presidency.
• It will take years to fully realise the digital single
market.
• Labyrinth of differing national legislation.
• Many member states will be reluctant to cede
powers to Brussels.
Consumer Rights Act
Consumer Rights Act
• Draft published in June 2013.
• Received Royal Assent – 26th March 2015
• Majority will come into force October 2015
• A major overhaul of existing consumer rights
legislation – consolidating 100+ consumer laws and
introducing new rights for consumers and
businesses.
• Follows two consultations by BIS on goods,
services and digital content; and the Law
Commission & Scottish Law Commission’s on unfair
contract terms.
Consumer Rights Act
• Basic rights not changing
• Aim to present rights and remedies in a simpler and clearer
way to make consumers better informed and empowered
• 3 parts:
• Consumer contracts for goods, digital content and
services – rights and remedies
• Unfair terms in contracts
• Miscellaneous: investigatory powers, enhanced
consumer measures, enforcement, competition, etc.
Sale and supply of goods
• Rights
– Satisfactory quality
• Fit for all purposes for which goods usually supplied
• Appearance and finish
• Freedom from minor defects
• Safety
• Durability
– Fit for a particular purpose
– Match the description, sample or model
– Installed correctly
Sale and supply of goods
• Remedies
– Short term right to reject – 30 days
– Repair or replacement
• Only 1 opportunity
• At no cost to consumer
• Within reasonable time
• Without significant inconvenience
• Price reduction or final right to reject
– If repair/replacement fails or not done within reasonable
time or without significant inconvenience, consumer
choose:
• Keep goods and claim price reduction or
• Return goods and claim refund
Sale and supply of goods
• Deduction for use
– Trader can make deduction from refund for use
consumer has had
– No deduction where goods rejected within 6
months except where goods are a motor vehicle
• Compensation
– Damage caused by goods
– Damages for personal injury
– Additional cost to buy goods elsewhere
The supply of services
• Rights
– Carried out with reasonable care and skill
– Information said or in writing to consumer binding
if consumer relies on it
– Carried out for a reasonable price
– Carried out within a reasonable time
The supply of services
• Remedies
– Repeat performance
• At no cost
• Within reasonable time
• Without significant inconvenience
– Price reduction
• Where repeat performance impossible
• Cannot do within reasonable time
• Cannot do without significant inconvenience
• Amount depends on the seriousness of the breach
Digital content
• First time specific rights
• Rights
– Of satisfactory quality
• Satisfactory – consider description, price paid and
other relevant circumstances, in particular
statements in advertising and labelling
• Quality – same as for goods except appearance
and finish
– Fit for a particular purpose
– As described
– Pre contract information
– Right to supply
Digital content
• Digital content supplied free
– If completely free, the statutory rights do not apply (any claim would have to be brought in negligence)
– If supplied as part of a contract the consumer has paid for, the statutory rights apply to all elements, including the free content.
Digital content
• Remedies
– No short term right to reject
– Repair or replacement
• Within a reasonable time
• Without significant inconvenience
• Bear any costs associated
– Price reduction
• If repair/replacement is impossible, or cannot be done within a reasonable time or without significant inconvenience
• Amount could be 100%
• Where breach right to supply – full refund unless
only affects part of the content
Digital content
• Supply of goods and digital content
– Mixed contract
– If the digital content fails to meet the quality requirements, the whole contract fails and the remedies are those available for goods
• Damage caused by digital content
– Available where
• Damages device or other digital content
• Consumer owns damaged device/content
• Damage would not have happened had the trader exercised reasonable care and skill
• Remedies
– Repair
– Compensation
Unfair contract terms
• Consolidates the law around unfair terms in contracts
with consumers.
• Fairness to be determined by taking into account:
• The subject matter
• All the circumstances existing when term was
agreed
• All the other terms of contract or any other
contract on which it depends
• Various terms listed that cannot be assessed for fairness
0800 and non-geographic numbers
Freephone numbers
• Currently calls from landlines free
• Calls from mobiles charged between 14 and 40
pence a minute
• 1st July 2015 – all calls from consumers to 0800,
0808 and 116 numbers be free from mobiles
• Calls from business mobiles will still be charged
• Businesses that offer Freephone numbers have to pick up the cost of calls from mobiles.
• The company that provides the telephone number should have confirmed to you the cost of accepting calls to your 0800 number from consumer mobiles.
Non-geographic numbers
• Confusion over the cost to call non-geographic numbers –
those beginning 08, 09 and 118.
• Numbers used by Government agencies and charities
• Only aware cost if calling from BT line
• From 1st July 2015, the cost of a call is broken down into:
– Access charge – the charge set by the caller's phone company, and
– Service charge – the charge set by the company being contacted
• Cap on premium rate 09 call charges
• Will apply to 0845 numbers as well.
• Need to communicate charges clearly wherever you advertise or promote these services:
• "Calls will cost Xp (or Yp per minute) plus your phone company's access charge"
Access charge
• Phone companies have complete freedom to set the
access charge
• Highest is Vodafone – 23p per minute from mobiles from 1st July, rising to 45p from 10th August
More information
• www.ukcallinginfo
• www.ofcom.org.uk
Contacts
James Milligan
Solicitor, DMA
T - 020 7291 3347
Legal Advice Helpline
An introduction to data protection – Leeds
Thursday 5 November 2015
90% of the world’s data was made over the last two years. Concerned
with the speed it’s multiplying? Today will be the slowest day, in your life,
of new data generation.
Prepare for it. Know what you need to know under data legislation with
the help of a DMA solicitor.
This half-day workshop will equip you with the relevant compliance
knowledge plus crucial practical skills to make sure your business isn’t
caught off guard by the changes.
This is the right course for marketing practitioners with a limited
knowledge of data protection looking to get up to date with current
practices, professionals new to data and compliance roles and small or
medium-sized enterprises.
More info: http://dma.org.uk/event/an-introduction-to-data-protection-leeds-1
Questions?