3. Agenda
8.30am Registration and breakfast
9.00am Welcome
Mike Lordan, Director of external affairs, DMA
9.05am EU Draft Data Protection Regulation – The current position, potential changes and the impact on the industry
James Milligan, Solicitor, DMA
9.35am Consumer rights bill and consumer rights directive
Janine Paterson, Solicitor and legal manager, DMA
9.55am ICO Direct marketing guidance
James Milligan, Solicitor, DMA
Janine Paterson, Solicitor and legal manager, DMA
10.25am Q&A
11.00am Close
4. EU Draft Data Protection Regulation –
the current position, potential changes
and impact on the industry
James Milligan, Solicitor, DMA
#dmalegal
5. Impact of the new Data Protection
Regulation – Why now?
• Data Protection Directive 95/46/EC ("Directive") (implemented
in UK by 1998 Data Protection Act) showing its age
• New technologies and more complex information networks
• Lack of common European law and differences in national
implementation
• Consumer concern over privacy
• Data protection now a fundamental right under EU Charter of
Fundamental Rights
6. EU data protection reform timeline
• Jan 2012 – first draft Data Protection Regulation ("DPR")
• December 2012 – amendments suggested by the Rapporteur of EC Committee on Civil Liberties, Justice and Home Affairs ("LIBE Report")
• February – May 2013 – Reported that 4000 amendments tabled
• May 2013 – partial "compromise" draft from Justice and Home Affairs Ministers ("CD")
• October 2013 – LIBE voted on amendments
• October 2013 – Heads of Government meeting
• December 2013 – Inconclusive Justice and Home Affairs Ministers meeting
7. EU data protection reform timeline
• Jan 2014 Civil servants working group meetings
continue
• Mar 2014 Inconclusive Justice and Home Affairs
Ministers meeting
• Mar 2014 MEPs adopted LIBE report
• May 2014 European Parliament elections
• June 2014 Justice and Home Affairs Ministers
Meeting
• July 2014 Informal Justice and Home Affairs
Meeting
• Nov 2014 New European Justice Commissioner and
other Commissioners take office??
• Dec 2014 Justice and Home Affairs Ministers agree
position??
• 2015 Regulation is passed in Brussels??
• 2017 Implemented into UK law??
8. Changes proposed by the European Parliament to the draft Data Protection Regulation (LIBE Report)
• LIBE report adopted by all MEPs March 2014
• Proposes a number of changes to European Commission original text
• Majority of changes favour consumer rather than businesses
9. The "compromise draft" agreed by
EU Justice Ministers 2013-2014
• "More business friendly" compromise draft ("CD") is only
partial: Chapters I-IV
• More changes to Chapters I-IV may be needed once the
remainder has been updated
• Regulation or Directive? – wording proposed allows for
Regulation to be transformed into a Directive (supported by
8 member states)
• June 2014 Chapter V – international issues, transfers of data,
applicability of Regulation
10. Headline proposed changes
• Expanded definitions: “personal data” and “data subject”
• Explicit consent required
• Right to be forgotten
• Greater emphasis on accountability
• Notification of data security breaches
• More onerous sanctions for breach
• Data processors directly covered
11. Consent
Consent: Current Position
- Freely given, specific, informed indication of the data subject’s wishes
- Explicit consent required for sensitive personal data only
Consent: Proposed Position
- Freely given, specific, informed and explicit indication of data subject’s wishes
- Given either by a statement or a clear affirmative action
- Data controller / data subject relationship to be taken into account
- Burden of proof on controller to demonstrate consent
12. Introduction of opt-in/explicit consent
• Review language used at point of data collection to ensure
that consent is explicit /opt-in
• Opt-in /explicit consent not required for postal marketing
in European Parliament version of the text
• Do people understand what they are agreeing to? – nation
of liars
• Think about how you will update legacy databases
• Children – consent wording for under 13’s if offering them
an information society service
13. Key points in the draft Regulation
IP addresses and cookies
• Definition of personal data extended so could cover some
IP addresses and cookies as “online identifiers”
• But IP addresses identify a device not an individual + some
IPs are general
• Huge implications for digital marketers
• Web analytics & profiling made much more difficult, if not
impossible
• Interaction with new cookie rules problematic
14. IP addresses and cookies
• Think about how you will deal with extension to include location data, IP addresses, cookies, online identifiers
• Pseudonymous/anonymous data – will you be able to take advantage of exceptions?
15. Key points in the draft Regulation - The right to be forgotten
• Right for individuals to request organisations to delete any information held on them
• Drafted with social media in mind – but goes beyond this
• Problem of information that has already been passed on to third parties
• Possibility of misleading consumers by raising unrealistic expectations
• Changes to current text likely
• European Court of Justice Google Spain case
16. The right to be forgotten
• Prepare to respond to requests
• Deletion/ suppression
• Other legal requirements to keep information e.g.
accounting, tax, money-laundering
17. Key points in the draft Regulation -
Data Breach notification
• Any data security breach to be notified to ICO and the
individuals concerned within 24 hours
• Report to cover:
- nature of breach
- number of data subjects
- categories of data
- proposed mitigation
• Not always obvious if there has been a breach or how
extensive it is
• Problem of notification fatigue
• No threshold level specified
18. Data security breach notification
• Introduce breach notification detection procedures
• Think about how you will notify data protection authorities
and affected individuals within whatever timescale is
agreed
• Develop/review your data breach response plan
19. Key points in the draft Regulation -
Subject Access Requests (SARs)
• Data subjects to be able to request full information on data
held on them free of any charge
• Currently can levy a £10 fee – doesn’t cover cost but deters
time-wasters, frivolous or vexatious requests
• Costs organisations £50 million p.a. now to meet SARs
• Proposal that can provide data in electronic form if data
subject agrees to this
• Particular problem for financial services with mis-selling
issues and claims management firms
20. Subject Access Rights
• New Regulation may lead to increased public awareness of
rights e.g., right to request information ( Data Subject Access
Requests, Right to be forgotten)
• Plan ahead for increase in queries from clients/public
• Training for client/customer service teams
• Amend wording on privacy policies/data collection notices to
take account of new rules on profiling.
21. Key points in the draft Regulation -
Compliance obligations
• Data protection obligations now shared between agencies and
clients, for example if holding client’s database
• Privacy by Design/Privacy by Default
• Appointment of DP officer (250+ employees)
- 2 year appointment
- Independent reporting to board
- Information and training
- Maintenance of documentation
- Data protection impact reports
• International transfers of data outside EEA – law would apply to any processing of data of EU citizens
22. Compliance obligations
• Review amount of data being processed, erasure policies
and data retention policies
• Requirement to demonstrate compliance will mean more
documentation in respect of policies and procedures
• Contact centres, mailing houses, email/SMS broadcasters
will also be subject to these new obligations, especially in
respect of data security
• Review staff training in data protection.
• Appointment of a data protection officer?
• Risk-based approach to compliance and data protection impact assessments
23. Key points in the draft Regulation -
Proposed enhanced sanctions
• Up to €500k or 1% annual worldwide turnover intentional or
negligent failure to respond to subject access requests in
accordance with Regulation
• Up to €1m or 2% of annual worldwide turnover for other
compliance failures
• Depends on:
- size of organisation involved
- nature and gravity of breach
- whether intentional or negligent
- technical and organisational measures
- previous breaches
- co-operation with ICO
24. Enhanced sanctions/fines
• Watch out if you get it wrong!
• Increase focus on compliance – board level issue
• Review internal policies and procedures
25. Key Points in the draft Regulation -
Delegated Acts
• Many details to be implemented through additional delegated
legislation – some 45 Delegated Acts mentioned.
• Details will not be clear until Regulation is passed
• These areas of secondary legislation will include:
- powers to specify further procedures
- technical standards for Privacy by Design/Default
- specification of lawful processing condition
- additional responsibilities for national data protection
authorities; etc.
• European Commission taking significant powers to itself away
from the national authorities - raises serious issues of
subsidiarity and accountability
• National governments and Data Protection Authorities are
concerned
26. Key Points in the draft Regulation - Cross-border issues
• Main establishment/one-stop shop provisions
• Think about which country’s national data protection authority will be lead regulator
• Possibility of changing country where head office is located
• Review arrangements for transfers of data outside EEA (28 Member States of EU + Iceland, Liechtenstein, Norway)
• Global group – application to EU citizens’ personal data.
• European Court of Justice Google Spain right to be forgotten case - link between Google Spain and Google USA
27. Impact on direct marketing
• Existing databases may not be usable: could decimate prospect lists. Legacy data?
• No tracking data, profiling or segmentation without explicit consent – less targeted and more generic communication?
• List broking severely restricted
• New information requirements and rights of the data subject, e.g. Right to be Forgotten
• Increased costs - £76,000 per business to comply + possible £47 billion of lost sales in UK
28. Draft Regulation - DMA View
• DMA welcomes the Commission’s aim to reduce red tape
and simplify bureaucracy – but proposals do not achieve
that: overly strict, bureaucratic and unworkable
• Needs to be a fair balance between privacy and
legitimate business interests
• Current proposals will stifle innovation, add considerably to business costs and place unnecessary obstacles to e-commerce jobs growth
• Will be particularly harmful to SMEs – MoJ says
demonstrating compliance will cost £10m p.a.
• Hard to say how Commission’s estimate of 2.3 billion
euro saving to businesses was calculated
29. Ministry of Justice
• Disagrees with Commission’s 2.3bn Euro savings – burdens imposed will far outweigh net benefits: in UK cost @ £100-360 million
• Many unintended consequences, esp for SMEs
• Changes to consent, profiling & definition of personal data
particularly costly to industry
• Likely knock-on effects for growth in technological sector and
internet economy
• Regulatory Impact Assessment quotes DMA’s figures &
examples
• Impact on behavioural advertising
• Creates unrealistic expectations for consumers – R2BF (right to be forgotten) proposal is “unworkable”
30. Key lobbying messages
• Data is essential for economic growth
- UK has leading role in EU digital economy
- SMEs particularly affected
• Transparent and responsible use of data is a vital business
practice
- In industry’s interests to handle data with care
- Self-regulation has valid role to play
- Regulation will not stop bad players
• The proposed regulation is bad for consumers
- Would damage users’ online experience
- Danger of tick-box culture & unrealistic expectations
• Need a proportionate data regime that recognises that not all
data is the same
- Personal data, sensitive data, anonymous/pseudonymous
data
- Different levels of protection required
31. Lobbying activity
• In Brussels with key individuals in Council, Commission &
Parliament, e.g. MEPs & advisers; party groups
• In UK, Ministers in MoJ, DCMS, BIS, HM Treasury + Opposition
spokesmen
• Alliance of interests – UK Data Group, FEDMA, CBI, etc. - for
collective lobbying of Council and Parliament & lobbying directly
where there is no national DMA
• Position papers on priorities for industry + draft amendments to
text
• Research on consumer attitudes to privacy and on economic
value of the dm industry
33. Contacts
James Milligan, Solicitor, DMA
T – 020 7291 3347
James.milligan@dma.org.uk
Legal Advice Helpline
T – 020 7291 3360
legaladvice@dma.org.uk
34. Consumer rights bill and consumer
rights directive
Janine Paterson, Solicitor and legal manager, DMA
#dmalegal
35. What’s happening?
• Consumer Contracts (Information, Cancellation and
Additional Charges) Regulations 2013
• The Consumer Protection from Unfair Trading (Amendment)
Regulations 2013
• Consumer Rights Bill
36. The Consumer Contracts (Information,
Cancellation and Additional Payments)
Regulations 2013
• Implementation of the rest of the EU Consumer Rights
Directive which was passed in 2011
• Came into effect 13th June 2014.
• Regulations deal with contracts between a trader and a
consumer:
– Made on-premises, i.e. a shop
– Made off-premises, i.e. at consumer’s home or place of work, and
– Made at a distance, i.e. telephone or over the internet.
• Certain contracts are excluded including gambling, health
services and services of banking and insurance.
37. Three main areas
• Information
– Depending on the type of contract, the trader must
provide certain information.
– Many provisions already exist but new ones are
introduced especially around digital content, where
information on what systems or hardware is compatible
will need to be given.
• Cancellation
– Consumers have 14 days to cancel off-premises and distance contracts – double current provision
– Consumers have to return goods within 14 days of giving notice of cancellation
– Traders can withhold refund until goods are returned
– Traders can deduct from refund if the consumer has handled the goods more than expected.
38. Three main areas – cont.
• Hidden costs and obligation to pay
– Consumers will have to give active consent for all
payments and the use of pre-ticked boxes for additional
charges will not be allowed
– Customer service telephone lines can only be charged at
the basic rate – premium rate lines will be banned
– Traders that operate an online retail site will need to
ensure that consumers understand that there is an
obligation to pay when placing an order. “Pay Now” not
“Confirm your order”.
39. The Consumer Protection from Unfair
Trading (Amendment) Regulations 2013
• Amendments to the 2008 regulations to allow consumers
who have been victims of misleading or aggressive practices
to seek redress.
• Comes into effect 1st October 2014
• Covers three types of contract:
– Sale or supply of a product to a consumer by a trader;
– Sale or supply of a product to a trader by a consumer;
– A payment by a consumer to a trader.
40. The Consumer Protection from Unfair Trading (Amendment) Regulations 2013
• Need to show:
– purchased a product from a trader;
– trader engaged in behaviour that was either misleading under Regulation 5 or aggressive under Regulation 7.
• Remedies - depending on the type of contract:
– Unwind the contract and get a refund;
– Discount on the product;
– Damages for the breach.
41. The Consumer Protection from Unfair
Trading (Amendment) Regulations 2013
• Misleading: includes
– providing false information or information that could
deceive the average consumer;
– marketing a product which causes confusion with
competitor’s products;
– failing to comply with a Code of Practice when you say
you do.
• Aggressive: includes
– timing and location of the behaviour;
– whether any threatening or abusive language is used; or
– any exploitation by the trader of the consumer’s personal circumstances.
42. Consumer Rights Bill
• Published in draft in June 2013. Will not come into force until
late 2015/ early 2016.
• A major overhaul of existing consumer rights legislation –
consolidating 100+ consumer laws and introducing new
rights for consumers and businesses.
• Follows two consultations late last year by BIS on goods,
services and digital content; and the Law Commission &
Scottish Law Commission’s on unfair contract terms.
43. Consumer Rights Bill
• Basic rights not changing
• Aim to present rights and remedies in a simpler and clearer
way to make consumers better informed and empowered
• 3 parts:
- Consumer contracts for goods, digital content and services – rights and remedies
- Unfair terms in contracts
- Miscellaneous: investigatory powers, enhanced consumer measures, enforcement, competition, etc.
44. Consumer Rights Bill
Rights and remedies:
• To receive some money back after one failed repair to faulty
goods (or one faulty replacement)
• To have substandard services redone or receive a price
reduction
• To receive a repair or replacement of faulty digital content
such as film/music downloads, e-books and online games
• To return faulty goods within 30 days and receive a refund
• Collective redress allowing consumers and companies to
challenge anti-competitive behaviour.
45. Consumer Rights Bill
• Consolidates the law around unfair terms in contracts with
consumers.
• Fairness to be determined by taking into account:
- The subject matter
- All the circumstances existing when term was agreed
- All the other terms of contract or any other contract on which it depends
• Various terms listed that cannot be assessed for fairness
47. ICO Direct marketing guidance
James Milligan, Solicitor, DMA
Janine Paterson, Solicitor and legal manager, DMA
#dmalegal
48. Structure
• What the Guidance consists of
• Status
• Context
• Buying and Selling data
• Consent
• DMA Clarification of ICO Guidance
– Host contact and indirect third party consent
– Time limits for indirect third party consent
– Solicited/unsolicited marketing
– Pre-ticked opt-in boxes
– Win back campaigns
49. What the Guidance consists of
• Direct Marketing Guidance
• Direct Marketing Checklist
• Guidance for organisations receiving unwanted marketing
50. Status
• Not a code of practice
• ICO not trying to rewrite the law
• Reflects ICO evolving view of area
• Future proofing against draft Data Protection regulation
• Remember ICO enforcement is complaint driven – “Don’t
annoy your customers”
• New ICO Data Protection Enforcement Policy
51. Context
• Consolidate all previous guidance
• Focus on areas which come up in enforcement
• Focus on areas of widespread abuse
• Rebalancing towards customer consent and choice in the Big
Data age
• Data privacy now a brand differentiator – Customer
Acquisition Barometer 2014
• List broking is the next big issue after nuisance calls -Which?
Taskforce on consent
52. Buying and Selling Data
• Boundaries on data chains
• Better Together/Scottish referendum undertaking
53. Case study 1 – complex data sources
and consent failures
• Campaigning organisation
• Mass unsolicited SMS marketing
• Particular ICO concerns?
• Outcome - undertaking
54. Case study 1 – the data chain
[Diagram: the data chain running from the instigator and the sender back through a web of list brokers, lead generation companies, insurance brokers and companies, loan brokers and providers, price comparison websites, a mail order company, publishing companies, prize draw websites, travel companies, an online retailer, debt management companies and a credit card provider]
55. Case study 1 – examples of ‘consent’
• ‘Archival personal injury leads’
• ‘…you also agree that we may disclose your information to […]
(iii) other carefully selected product suppliers in the future with
a view to them offering you products they feel may be of
interest to you.’
• ‘We may share your information with our business partners for
marketing purposes or we may send you information about
other organisations’ goods and services. [ ] By providing us
with your contact details you consent to being contacted…’
• ‘All information you supply will be kept confidential to [ ] and
the insurers whom it deals, unless [ ] are required by law with
subpoenas.’
56. Sourcing data/ Due diligence
• Who compiled the list? When? Has it been amended or
updated since?
• When was consent obtained?
• Who obtained consent and what was the context?
• Was it opt-in or opt-out?
• Was information provided clearly and intelligibly? How was
it provided?
• Did it list organisations by name, by description, or any third
party?
57. Consent
• Basic requirements under DPA 1998
• Additional requirements under PECR 2003 as amended
• Age of consent
• Context in which given
• Nature of relationship
58. DMA Clarification of ICO Guidance
• Host contact and indirect third party consent
• Time limits for indirect third party consent
• Solicited/unsolicited marketing
• Pre-ticked opt-in boxes
• Win back campaigns
59. Host contact
• Host contact is the ICO and DMA preferred method of
distributing third party offers via email, text and automated
telephone calls
• Host contact – how does it work
• 1) where first party organisation collects the contact details
of customers and customers subscribe/opt-in to receive
third party offers
• 2) First party organisation does not pass on contact details to
third party
• 3) First party will be the sender of the message
60. Host Contact
• Host contact – how does it work
• 4) First party rents body copy in the message to the third
party
• 5) Third party includes call to action in message
• 6) Third party collects its own marketing consents when
recipients respond to message
• 7) Third party does not have access to data of those
recipients who do not respond.
61. Indirect/ Third party consent
• Where consent not given by individual to organisation
sending out marketing message but given via third party e.g.
list owner.
• Host contact method is not considered by ICO and DMA to
be indirect third party consent
• Not valid for marketing channels under PECR, voice calls to
telephones, email and mobile messaging
62. Indirect Third Party Consent
• Exceptions
• 1) First party collecting contact details specifically names
third parties to which it will pass contact information on
• Example of 1) in the context of booking a flight to New York
with a UK based airline
• “Please tick this box if you are happy for our partner airline xxxx Airlines to contact you by email/SMS with details of their US domestic flights”
63. Indirect Third Party Consent
• Exceptions
• 2) Third party falls into a specific category of organisations
which the first party included in a list of types of
organisations which it obtained consent from the recipient
when they collected the electronic marketing contact details
• Example in the context of booking a flight to New York with a
UK based airline
• “Please tick this box if you are happy for our partner
organisations to contact you by email or SMS with details of
their promotions and offers in New York which you may find
useful during your visit to New York.”
64. Indirect Third Party Consent -Time
limits
• Third party organisation making contact for the first time by
electronic channels using indirect third party consent should
not rely on consent given more than six months ago to the
first party
• General rule of thumb
• Third party using contact details more than six months after
first collected need to justify why using those contact details
• Context is key – ICO accepts that third party can use contact
details collected more than six months ago in the case of
annual services – e.g. insurance, seasonal products.
65. Unsolicited/Solicited Marketing
• ICO definition of solicited and unsolicited different from
industry definition
• ICO consider an unsolicited marketing message to be a
marketing message which the recipient has not requested
• If a consumer has subscribed/opted-in to receiving
marketing messages and an organisation sends a marketing
message then that message will be unsolicited
• However will be compliant with PECR because consumer
consented
66. Unsolicited/Solicited Marketing
• Practical advice – follow PECR
• Consumers must be clear about what they are signing up to.
• Organisations pay attention to wording in data collection
notices
67. Pre-Ticked Opt-In Boxes
• ICO and DMA best practice: do not use for consumers to subscribe/opt-in to receiving unsolicited marketing messages via email and SMS
• DPA/PECR rules - to subscribe/opt-in requires a positive action on the part of a consumer
• Consumer leaving a pre-ticked opt-in box pre-ticked is not a positive action
68. Pre-Ticked Opt-In Boxes
• Can be used in rare circumstances where another stage in
the sign up process amounts to positive consent
• Use of pre-ticked opt-in boxes as an unsubscribe /opt-out
mechanism – consult with DMA Legal or other usual legal
advisers
69. Win-back campaigns
• ICO guidance unclear as to legality of win-back campaigns
• ICO have confirmed to DMA that win-back campaigns are legal provided
• 1) Consumer subscribed/opted-in to receive marketing messages or
• 2) Consumer did not unsubscribe/opt-out if existing customer/soft opt-in exemption rule applies and conditions met
• Practical issue – confirm preferences when customer leaves/cancels
• Remember retention rules and keep data accurate/up-to-date
72. Useful links
ICO Direct Marketing Guidance
DMA Supplementary Note on ICO Guidance
ICO Direct Marketing Checklist
ICO Guidance for organisations receiving unwanted marketing
Which? Taskforce on consent and lead generation in the direct
marketing industry call for evidence
73. Upcoming events
Introduction to data protection (Manchester) – 1 July 2014
Data works: connecting the data dots – 17 July 2014
A TV dinner (Manchester) – 15 July 2014
ZEDTalk 1: Creativity and ideas – 24 July 2014