DMA Legal update: autumn 2013 - Tuesday 1 October
1. Data protection 2013
Friday 8 February
#dmadata
Supported by
DMA Legal update: autumn 2013
Tuesday 1 October
#dmalegal
2. Agenda
8.30am - Registration and breakfast
9.00am - Welcome
9.05am - Data Protection Regulation
The current position, potential changes and the impact on the industry
James Milligan, Solicitor, DMA
Sue Gold, Partner, Osborne Clarke
9.55am - Questions
10.05am - Round up
Consumer rights bill and consumer rights directive
Janine Paterson, Solicitor, DMA
10.35am - Questions
11.00am - Close
3. EU Draft Data
Protection Regulation
The current position, potential
changes and the impact on the
industry
Sue Gold, Partner, Osborne Clarke
James Milligan, Solicitor, DMA
4. Impact of the new Data Protection
Regulation – Why now?
• Data Protection Directive 95/46/EC ("Directive") (implemented
in UK by 1998 Data Protection Act) showing its age
• New technologies and more complex information networks
• Lack of common European law and differences in national
implementation
• Consumer concern over privacy
• Data protection now a fundamental right under EU Charter of
Fundamental Rights
5. EU data protection reform
timeline
• Jan 2012 - first draft Data Protection Regulation ("DPR")
• December 2012 - amendments suggested by the
Rapporteur of EC Committee on Civil Liberties, Justice and
Home Affairs ("LIBE Report")
• February – May 2013 - reported that 4000 amendments
tabled
• May 2013 - partial "compromise" draft from EU Council
("CD")
• October 2013 - LIBE votes on amendments
• November-December 2013 (?) - "trilogue" negotiations
between EC, Council of Ministers and Euro MPs
• March 2014 (?) - plenary vote (1st reading)
• Spring 2016 (?) - in force
6. Changes proposed by the European
Parliament to the draft Data Protection
Regulation (LIBE Report)
• The European Parliament published a Draft Report dated 17
December on 8 January 2013, with supplemental changes on 9
January 2013. 350 changes are proposed in the 215 page report
• Delegated Acts – the number of delegated acts has been
reduced and are either covered in the Regulation or the
European Data Protection Board can specify
• Lead Authority – the one stop shop concept has been limited
in scope and appears to merely appoint a lead authority as the
single point of contact
7. The "compromise draft" agreed by
EU Justice Ministers 31 May 2013
• "More business friendly" compromise draft ("CD") is only
partial: Chapters I-IV
• More changes to Chapters I-IV may be needed once the
remainder has been updated
• Regulation or Directive? – wording proposed allows for
Regulation to be transformed into a Directive (supported by
8 member states)
• CD already criticised by Commissioner Reding, France and
Germany as a backward step
8. Headline proposed changes
• Expanded definitions: “personal data” and “data subject”
• Explicit consent required
• Right to be forgotten
• Greater emphasis on accountability
• Notification of data security breaches
• More onerous sanctions for breach
• Data processors directly covered
9. Consent
Consent: Current Position
• Freely given, specific, informed indication of the
data subject’s wishes
• Explicit consent required for sensitive personal data
only
Consent: Proposed Position
• Freely given, specific, informed and explicit indication
of data subject’s wishes
• Given either by a statement or a clear affirmative action
• Data controller / data subject relationship to be taken
into account
• Burden of proof on controller to demonstrate consent
10. Introduction of opt-in/explicit consent
• Review language used at point of data collection to ensure
that consent is explicit /opt-in
• Do people understand what they are agreeing to? – nation
of liars
• Think about how you will update legacy databases
• Children – consent wording for under-13s if offering them
an information society service
11. Key points in the draft Regulation
IP addresses and cookies
• Definition of personal data extended so could cover some
IP addresses and cookies as “online identifiers”
• But IP addresses identify a device not an individual + some
IPs are general
• Huge implications for digital marketers
• Web analytics & profiling made much more difficult, if not
impossible
• Interaction with new cookie rules problematic
12. IP addresses and cookies
• Think about how you will deal with the extension to include
location data, IP addresses, cookies and online identifiers
• Pseudonymous/anonymous data – will you be able to
take advantage of exceptions?
13. Key points in the draft Regulation
The right to be forgotten
• Right for individuals to request organisations to delete any
information held on them
• Drafted with social media in mind – but goes beyond this
• Problem of information that has already been passed on to
third parties
• Possibility of misleading consumers by raising unrealistic
expectations
• Changes to current text likely
14. The right to be forgotten
• Prepare to respond to requests
• Deletion/ suppression
• Other legal requirements to keep information e.g.
accounting, tax, money-laundering
15. Key points in the draft Regulation
Data Breach notification
• Any data security breach to be notified to ICO and the
individuals concerned within 24 hours
• Report to cover:
• nature of breach
• number of data subjects
• categories of data
• proposed mitigation
• Not always obvious if there has been a breach or how
extensive it is
• Problem of notification fatigue
• No threshold level specified
16. Data security breach notification
• Introduce breach notification detection procedures
• Think about how you will notify data protection authorities
and affected individuals within whatever timescale is
agreed
• Develop/review your data breach response plan
17. Key points in the draft Regulation
Subject Access Requests (SARs)
• Data subjects to be able to request full information on data
held on them free of any charge
• Currently can levy a £10 fee – doesn’t cover cost but deters
time-wasters, frivolous or vexatious requests
• Costs organisations £50 million p.a. now to meet SARs
• Proposal that can provide data in electronic form if data
subject agrees to this
• Particular problem for financial services with mis-selling
issues and claims management firms
18. Subject Access Rights
• New Regulation may lead to increased public awareness of
rights, e.g. right to request information (Data Subject Access
Requests, Right to be forgotten)
• Plan ahead for increase in queries from clients/public
• Training for client/customer service teams
• Amend wording on privacy policies/data collection notices to
take account of new rules on profiling.
19. Key points in the draft Regulation
Compliance obligations
• Data protection obligations now shared between agencies and
clients, for example if holding client’s database
• Privacy by Design/Privacy by Default
• Appointment of DP officer (250+ employees)
• 2 year appointment
• Independent reporting to board
• Information and training
• Maintenance of documentation
• Data protection impact reports
• International transfers of data outside EEA – law would
apply to any processing of data of EU citizens
20. Compliance obligations
• Review amount of data being processed, erasure policies
and data retention policies
• Requirement to demonstrate compliance will mean more
documentation in respect of policies and procedures
• Contact centres, mailing houses, email/SMS broadcasters
will also be subject to these new obligations, especially in
respect of data security
• Review staff training in data protection.
• Appointment of a data protection officer?
• Risk-based approach to compliance and data protection
impact assessments
21. Proposed enhanced sanctions
• Up to €500k or 1% of annual worldwide turnover for intentional or
negligent failure to respond to subject access requests in
accordance with the Regulation
• Up to €1m or 2% of annual worldwide turnover for other
compliance failures
• Depends on:
• size of organisation involved
• nature and gravity of breach
• whether intentional or negligent
• technical and organisational measures
• previous breaches
• co-operation with ICO
22. Enhanced sanctions/fines
• Watch out if you get it wrong!
• Increase focus on compliance – board level issue
• Review internal policies and procedures
23. Key Points in the draft Regulation
Delegated Acts
• Many details to be implemented through additional delegated
legislation – some 45 Delegated Acts mentioned.
• Details will not be clear until Regulation is passed
• These areas of secondary legislation will include:
• powers to specify further procedures
• technical standards for Privacy by Design/Default
• specification of lawful processing condition
• additional responsibilities for national data protection
authorities; etc.
• European Commission taking significant powers to itself away
from the national authorities - raises serious issues of
subsidiarity and accountability
• National governments and Data Protection Authorities are
concerned
24. Cross-border issues
• Main establishment / one-stop shop provisions
• Think about which country’s national data protection
authority will be lead regulator
• Possibility of changing country where head office is located
• Review arrangements for transfers of data outside EEA (28
Member States of EU + Iceland, Liechtenstein, Norway)
• Global group – application to EU citizens’ personal data.
25. Impact on direct marketing
• Existing databases may not be usable: could decimate
prospect lists. Legacy data?
• No tracking data, profiling or segmentation without explicit
consent – less targeted and more generic communication?
• List broking severely restricted
• New information requirements and rights of the data
subject, e.g. Right to be Forgotten
• Increased costs - £76,000 per business to comply +
possible £47 billion of lost sales in UK
26. Draft Regulation - DMA View
• DMA welcomes the Commission’s aim to reduce red tape
and simplify bureaucracy – but proposals do not achieve
that: overly strict, bureaucratic and unworkable
• Needs to be a fair balance between privacy and
legitimate business interests
• Current proposals will stifle innovation, add considerably
to business costs and place unnecessary obstacles to
e-commerce jobs growth
• Will be particularly harmful to SMEs – MoJ says
demonstrating compliance will cost £10m p.a.
• Hard to say how Commission’s estimate of 2.3 billion
euro saving to businesses was calculated
27. Ministry of Justice
• Disagrees with Commission’s 2.3bn Euro savings – burdens
imposed will far outweigh net benefits: in UK cost at £100-360
million
• Many unintended consequences, esp for SMEs
• Changes to consent, profiling & definition of personal data
particularly costly to industry
• Likely knock-on effects for growth in technological sector and
internet economy
• Regulatory Impact Assessment quotes DMA’s figures &
examples
• Impact on behavioural advertising
• Creates unrealistic expectations for consumers – R2BF
proposal is “unworkable”
28. Key lobbying messages
• Data is essential for economic growth
• UK has leading role in EU digital economy
• SMEs particularly affected
• Transparent and responsible use of data is a vital business
practice
• In industry’s interests to handle data with care
• Self-regulation has valid role to play
• Regulation will not stop bad players
• The proposed regulation is bad for consumers
• Would damage users’ online experience
• Danger of tick-box culture & unrealistic expectations
• Need a proportionate data regime that recognises that not all
data is the same
• Personal data, sensitive data,
anonymous/pseudonymous data
• Different levels of protection required
29. Lobbying activity
• In Brussels with key individuals in Council, Commission &
Parliament, e.g. MEPs & advisers; party groups
• In UK, Ministers in MoJ, DCMS, BIS, HM Treasury + Opposition
spokesmen
• Alliance of interests – UK Data Group, FEDMA, CBI, etc. - for
collective lobbying of Council and Parliament & lobbying directly
where there is no national DMA
• Position papers on priorities for industry + draft amendments to
text
• Research on consumer attitudes to privacy and on economic
value of the direct marketing industry
31. Current UK ICO issues
Privacy impact assessments
Anonymisation code
Direct marketing guidance
32. Direct marketing guidance
• ICO interpretation does not change law
• Issued 9 September
• Retrospective; transitional period
• Respect consumer expectations and preferences
• Tightening up of third party consent for digital marketing
• Time limits for consent
• Proof of consent
33. Privacy Impact Assessment
• Consultation ends 5 November 2013
• Proportionate approach
• Process (identify the need, information flows, risks,
solutions, record, integrate and consult)
• Part of normal project management
• Annex 1 – PIA screening questions
• Annex 2 – PIA template
• Annex 3 – PIA and data protection principles
34. Anonymisation
• Issued 20 November 2012
• Re-identification – "motivated intruder" test and risk
assessment of future identification
• Consent – "legitimate interests"
• Spatial information e.g. postcodes – consider using
'replacement' postcodes?
• But – is true anonymisation of data possible?
35. Contacts
James Milligan, Solicitor, DMA
T - 020 7291 3347
james.milligan@dma.org.uk
Legal Advice Helpline
T - 020 7291 3360
legaladvice@dma.org.uk
Sue Gold, Partner, Osborne Clarke
T - 020 7105 7338
M - 07880 006 934
Sue.Gold@osborneclarke.com
37. Consumer Law and other key
issues
Janine Paterson, Solicitor, DMA
38. Consumer Rights Bill
• Published in draft in June 2013. Will not come into force until
2015.
• A major overhaul of existing consumer rights legislation –
consolidating 100+ consumer laws and introducing new
rights for consumers and businesses.
• Follows two consultations late last year by BIS on goods,
services and digital content; and the Law Commission &
Scottish Law Commission’s on unfair contract terms.
39. Consumer Rights Bill
• Basic rights not changing
• Aim to present rights and remedies in a simpler and clearer
way to make consumers better informed and empowered
• 3 parts:
• Consumer contracts for goods, digital content and
services – rights and remedies
• Unfair terms in contracts
• Miscellaneous: investigatory powers, enhanced
consumer measures, enforcement, competition, etc.
40. Consumer Rights Bill
Rights and remedies:
• To receive some money back after one failed repair to faulty
goods (or one faulty replacement)
• To have substandard services redone or receive a price
reduction
• To receive a repair or replacement of faulty digital content
such as film/music downloads, e-books and online games
• To return faulty goods within 30 days and receive a refund
• Collective redress allowing consumers and companies to
challenge anti-competitive behaviour.
41. Consumer Rights Bill
• Consolidates the law around unfair terms in contracts with
consumers.
• Fairness to be determined by taking into account:
• The subject matter
• All the circumstances existing when term was agreed
• All the other terms of contract or any other contract
on which it depends
• Various terms listed that cannot be assessed for fairness
42. The Consumer Contracts (Information,
Cancellation and Additional Payments)
Regulations 2013
• Implementation of some of the EU Consumer Rights
Directive which was passed in 2011
• In most areas, implementation will follow the Directive.
• Regulations deal with contracts between a trader and a
consumer:
– Made on-premises, i.e. a shop
– Made off-premises, i.e. at consumer’s home or place of
work, and
– Made at a distance, i.e. telephone or over the internet.
• Certain contracts are excluded including gambling, health
services and services of banking and insurance.
43. Three main areas
• Information
– Depending on the type of contract, the trader must
provide certain information.
– Many provisions already exist but new ones are
introduced especially around digital content, where
information on what systems or hardware is compatible
will need to be given.
• Cancellation
– consumers have 14 days to cancel off-premises and
distance contracts – double current provision
– Consumers have to return goods
– Traders can withhold refund until goods are returned
– Traders can deduct from refund where the consumer has
handled the goods more than expected.
44. Three main areas – cont.
• Hidden costs
– Consumers will have to give active consent for all
payments and the use of pre-ticked boxes for additional
charges will not be allowed
– Customer service telephone lines can only be charged at
the basic rate – premium rate lines will be banned
45. The Consumer Protection from Unfair
Trading (Amendment) Regulations
2013
• Amendments to the 2008 regulations to allow consumers
who have been victims of misleading or aggressive practices
to seek redress. Covers three types of contract:
– Sale or supply of a product to a consumer by a trader;
– Sale or supply of a product to a trader by a consumer;
– A payment by a consumer to a trader.
• Need to show:
– purchased a product from a trader;
– trader engaged in behaviour that was either misleading
under Regulation 5 or aggressive under Regulation 7.
• Remedies - depending on the type of contract:
– Unwind the contract and get a refund;
– Discount on the product;
– Damages for the breach.
46. The Consumer Protection from Unfair
Trading (Amendment) Regulations
2013
• Misleading: includes
– providing false information or information that could
deceive the average consumer;
– marketing a product which causes confusion with
competitor’s products;
– failing to comply with a Code of Practice when you say
you do.
• Aggressive: includes
– Timing and location of the behaviour;
– whether any threatening or abusive language is used or;
– any exploitation by the trader of the consumer’s
personal circumstances.
47. Other issues
• Electoral register
– Electoral Registration & Administration Bill – introduction
of individual electoral registration and system opened up
for digital application.
– Edited version of register will be kept but issue on
opt-outs.
• Employment
– TUPE – Government consultation on changes
• Environment
– Unaddressed mail preference service - awaiting DEFRA
input
48. Other issues
• Financial
– FSA replaced by Financial Conduct Authority and
Prudential Regulation Authority on 1 April 2013
• New Vision – “To make relevant markets work well
so consumers get a fair deal”
• Consumers get financial services and products that
meet their needs from firms they can trust
• Markets and financial systems are sound and stable
and resilient with transparent pricing information
• Firms compete effectively with the interests of their
consumers and the integrity of the market at the
heart of how they run their business
• ICO Strategy Plan 2013-16
– New website
– Modernise ICO notification system
– Simplify guidance
– Policy challenges
– Strategic review
49. Other issues
• Postal
– Postcode address file – consultation just closed on
changes.
– Simplify licensing process
– Change payment structure
• Telemarketing
– Culture, Media and Sport Commons Select Committee
enquiry into unsolicited phone calls. Finished hearing
oral evidence – awaiting its report.
– John Mitchison gave evidence on behalf of TPS and
George Kidd on behalf of the Direct Marketing
Commission.
– The DMA also submitted written evidence.
– Nuisance Calls All Party Parliamentary Group enquiry:
TPS and DMA submitted written evidence.
52. Data Protection Compliance
Workshop
23 October 2013
If you are interested in attending please speak to
the girls at the registration desk.
Today is the last day you will benefit from the early
bird price!