Legal update - 1 July

Wednesday 1 July 2015, DMA House @DMA_UK #dmalegal Legal update


Welcome & introduction

Mike Lordan, Director of External Affairs, DMA


Agenda

8.30am Registration and breakfast

9.00am Welcome & introduction

Mike Lordan, Director of External Affairs, DMA

9.05am EU Draft Data Protection Regulation – What the future may hold

James Milligan, Solicitor, DMA

10.00am Digital single market

Zach Thornton, External Affairs Executive, DMA

10.20am Buying & selling data

Mike Lordan, Director of External Affairs, DMA

James Milligan, Solicitor, DMA

10.50am Consumer Rights Act

Janine Paterson, Solicitor & Legal Manager, DMA

11.10am 0800 numbers

Janine Paterson, Solicitor & Legal Manager, DMA

11.25am Closing comments

Mike Lordan, Director of External Affairs, DMA

EU Draft Data Protection Regulation – What the future may hold

James Milligan, Solicitor, DMA


Future new Data Protection Regulation – Why now?

• Data Protection Directive 95/46/EC ("Directive") (implemented in UK by 1998 Data Protection Act) showing its age

• New technologies and more complex information networks

• Lack of common European law and differences in national implementation

• Consumer concern over privacy

• Data protection now a fundamental right under EU Charter of Fundamental Rights

EU Data Protection reform – where are we?

• Jan 2012 – European Commission published first draft Data Protection Regulation ("DPR")

• Very much an initial draft

• March 2014 – European Parliament in plenary session adopted amendments it wanted to see to Commission text

• Most of the amendments are pro-consumer although some are good for business

• 15 June 2015 – Justice and Home Affairs Ministers agreed their amendments to Commission text

• Still reservations and other issues in text

EU Data Protection reform – where are we going?

• June 2015 – 3 different versions of the text:

European Commission, Jan 2012

European Parliament, Mar 2014

Justice and Home Affairs, June 2015

• 24 June 2015 – 3 way negotiations (trilogue) between representatives from European Commission, Parliament and Justice and Home Affairs Ministers to agree final version of the text begin

• July – December 2015 – Further trilogue negotiating meetings scheduled

• End of 2015/early 2016 – Regulation passed in Brussels

• End of 2017/early 2018 – Regulation implemented into UK law

Impact on direct marketing

• Existing databases may not be usable: could decimate prospect lists. Legacy data?

• No tracking data, profiling or segmentation without explicit consent – less targeted and more generic communication?

• List broking severely restricted

• New information requirements and rights of the data subject, e.g. Right to be forgotten/erasure

• Increased costs - £76,000 per business to comply + possible £47 billion of lost sales in UK

Headline proposed changes

• Expanded definitions: “personal data” and “data subject”

• Explicit consent required

• Right to be forgotten

• Greater emphasis on accountability

• Notification of data security breaches

• More onerous sanctions for breach

• Data processors directly covered

Consent

Consent: Current Position

- Freely given, specific, informed indication of the data subject’s wishes

- Explicit consent required for sensitive personal data only

Consent: Proposed Position

- Freely given, specific, informed and explicit indication of data subject’s wishes

- Given either by a statement or a clear affirmative action

- Data controller / data subject relationship to be taken into account

- Burden of proof on controller to demonstrate consent

Consent

• Previous slide reflects European Commission and Parliament’s view

• Justice and Home Affairs Ministers went for “unambiguous consent”

• Practical difference between “explicit” and “unambiguous” consent

• View from Brussels is that Justice and Home Affairs Ministers may accept “explicit” consent

Effect of change

• Postal and telephone marketing could become opt-in/subscribe for first party and third party marketing

• Current position

• Post and telephone marketing – opt-out/unsubscribe for first and third party marketing

• Email and SMS marketing – general rule opt-in/subscribe for first and third party marketing with soft opt-in exemption for first party marketing to existing customers

• Remember that if you are processing data on behalf of a client you are not a third party as regards that client

Introduction of opt-in/explicit consent

• Review language used at point of data collection and be prepared to move to explicit/opt-in consent for first and third party marketing

• Opt-in/explicit consent not required for first party postal marketing in European Parliament version of the text

• Do people understand what they are agreeing to? – nation of liars

• Think about how you will update legacy databases

• How will you demonstrate proof of consent?

• Preference centre – by brand/channel?

Legitimate interests of data controller

• Justice and Home Affairs Ministers text reintroduced wording in current 1995 Directive/1998 Data Protection Act allowing an organisation renting a list (third party) to process the details on the list (personal data) under the legitimate interest ground

• This could mean that first and third party postal and telephone marketing could be done on an unsubscribe/opt-out basis as now.

• Article 6.4 Incompatible processing

• Recital stating that direct marketing is a legitimate interest in both Parliament and Justice and Home Affairs Ministers text.

• Key issue in three way negotiations

IP addresses and cookies

• Definition of personal data extended so could cover some IP addresses and cookies as “online identifiers”

• Justice and Home Affairs Ministers preserve flexibility in 1995 Directive

• But IP addresses identify a device not an individual + some IPs are general

• Huge implications for digital marketers

• Web analytics & profiling made much more difficult, if not impossible

• Interaction with new cookie rules problematic

• Profiling - European Commission and Justice and Home Affairs Ministers happy with wording from 1995 Directive v European Parliament want to introduce consent for all profiling

IP addresses and cookies

• Think about how you will deal with extension to include location data, IP addresses, cookies, online identifiers

• Pseudonymous/anonymous data – will you be able to take advantage of exceptions?

• Justice and Home Affairs Ministers – pseudonymous data is a subset of personal data

• Amend wording on privacy policies/data collection notices to take account of new rules on profiling.

Data Breach Notification

• Any data security breach to be notified to ICO and the individuals concerned within 24 hours /72 hours

• Report to cover:

• nature of breach

• number of data subjects

• categories of data

• proposed mitigation

• Not always obvious if there has been a breach or how extensive it is

• Problem of notification fatigue

• No threshold level specified in Commission and Parliament text

• Council of Ministers introduced a threshold of severe effect of the breach on individual’s rights and freedoms

Data security breach notification

• Introduce breach notification detection procedures

• Think about how you will notify data protection authorities and affected individuals within whatever timescale is agreed

• Develop/review your data breach response plan

Subject Access Requests (SARs)

• Data subjects to be able to request full information on data held on them free of any charge

• Currently can levy a £10 fee – doesn’t cover cost but deters time-wasters, frivolous or vexatious requests

• Costs organisations £50 million p.a. now to meet SARs

• Proposal that can provide data in electronic form if data subject agrees to this

• Particular problem for financial services with mis-selling issues and claims management firms

The right to be forgotten/erasure

• Google Spain case

• Prepare to respond to requests

• Deletion/ suppression

• Other legal requirements to keep information e.g. accounting, tax, money-laundering

• Justice and Home Affairs Ministers right to erasure only has to be passed on to third parties if technology allows and cost not prohibitive.

Access Rights and Right to Erasure

• New Regulation may lead to increased public awareness of rights, e.g. right to request information (Data Subject Access Requests, Right to be forgotten)

• Plan ahead for increase in queries from clients/public

• Training for client/customer service teams

Processor’s liability and other obligations

• Data protection obligations now shared between controllers and processors

• Processors subject to fines where not complied with processor obligations under Regulation or acted outside or contrary to lawful instructions of controller

• Privacy by Design/Privacy by Default

• Appointment of DP officer (250+ employees)

• Justice and Home Affairs Ministers only compulsory where high risk processing otherwise voluntary.

• European Parliament – based on number of employees and records processed

- 2 year appointment

- Independent reporting to board

- Information and training

- Maintenance of documentation

- Data protection impact reports

• International transfers of data outside EEA – law would apply to any processing of data of EU citizens

Compliance obligations

• Review amount of data being processed, erasure policies and data retention policies

• Requirement to demonstrate compliance will mean more documentation in respect of policies and procedures

• Contact centres, mailing houses, email/SMS broadcasters will also be subject to these new obligations, especially in respect of data security

• Review staff training in data protection.

• Appointment of a data protection officer?

• Risk-based approach to compliance and data protection impact assessments

Proposed enhanced sanctions

• Up to €500k or 1% of annual worldwide turnover for intentional or negligent failure to respond to subject access requests in accordance with Regulation

• Up to €1m or 2% of annual worldwide turnover for other compliance failures

• Depends on:

- size of organisation involved

- nature and gravity of breach

- whether intentional or negligent

- technical and organisational measures

- previous breaches

- co-operation with ICO

Enhanced sanctions/fines

• Watch out if you get it wrong!

• Increase focus on compliance – board level issue

• Review internal policies and procedures

Cross-border issues

• Main establishment/one-stop shop provisions

• Think about which country’s national data protection authority will be lead regulator

• Possibility of changing country where head office is located

• Review arrangements for transfers of data outside EEA (28 Member States of EU + Iceland, Liechtenstein, Norway)

• Application to EU citizens’ personal data no matter where it is processed.

• European Court of Justice Google Spain right to be forgotten case - link between Google Spain and Google USA

Draft Regulation – DMA view

• DMA welcomes the Commission’s aim to reduce red tape and simplify bureaucracy – but proposals do not achieve that: overly strict, bureaucratic and unworkable

• Needs to be a fair balance between privacy and legitimate business interests

• Current proposals will stifle innovation, add considerably to business costs and place unnecessary obstacles to e-commerce jobs growth

• Will be particularly harmful to SMEs – MoJ says demonstrating compliance will cost £10m p.a.

• Hard to say how Commission’s estimate of 2.3 billion euro saving to businesses was calculated

Lobbying activity

• In Brussels with key individuals in Council, Commission & Parliament, e.g. MEPs & advisers; party groups

• In UK, Ministers in MoJ, DCMS, BIS, HM Treasury + Opposition spokesmen

• Alliance of interests – UK Data Group, FEDMA, CBI, etc. - for collective lobbying of Council and Parliament & lobbying directly where there is no national DMA

• Position papers on priorities for industry + draft amendments to text

• Research on consumer attitudes to privacy and on economic value of the DM industry

Three-way (Trilogue) negotiations

• Scope for lobbying limited as discussions take place behind closed doors and are more like commercial negotiations

• Meeting with Labour London MEP Claude Moraes, Chair of European Parliament Justice (LIBE) Committee?

• Continue to lobby MoJ on key issues

• More information may be available because of Justice and Home Affairs Ministers continuing work on text

Data protection toolkit

Contacts

James Milligan

Solicitor, DMA

T - 020 7291 3347

[email protected]

Legal Advice Helpline

[email protected]

Digital single marketing

Zach Thornton, External Affairs Executive, DMA


President Juncker

• “ensure that European citizens will soon be able to use their mobile phones across Europe without having to pay roaming fees”

• “ensure that consumers can access services, music, movies and sports events on their electronic devices wherever they are and regardless of borders”

• “create a level playing field where all companies offering goods and services in the EU are subject to the same DP and consumer rules, regardless of where their server is based”

Three pillars

1. Better online access.

2. Creating the right conditions and level playing field for advanced digital networks and innovative services.

3. Maximising the growth potential of the digital economy.

Pillar 1: Better online access for consumers and businesses across Europe

• Ecommerce rules.

• Parcel delivery.

• Unjustified geo-blocking.

• Better access to digital content.

• Reduce VAT related burdens.

Pillar 2: Creating the right conditions and level playing field for advanced digital networks and innovative services.

• Making telecom rules fit for purpose.

• Fit media framework.

• Fit for purpose regulatory environment for platforms and intermediaries.

• Reinforcing trust and security in digital services and handling of personal data.

Pillar 3: Maximising the growth potential of the digital economy

• Building a data economy.

• Boosting competitiveness through interoperability and standardisation.

• E-inclusive society.

Why?

• €340 billion in additional growth.

• 3.8 million jobs created across Europe.

• Potential savings of €100 billion per annum if all public procurement was online.

A mammoth task

• The digital single market is an extremely ambitious project but a priority for this presidency.

• It will take years to fully realise the digital single market.

• Labyrinth of differing national legislation.

• Many member states will be reluctant to cede powers to Brussels.

Contacts

Zach Thornton

External Affairs Executive, DMA

[email protected]

Buying & selling data

Mike Lordan, Director of External Affairs, DMA

James Milligan, Solicitor, DMA


A changing world

• Consumer attitudes are evolving.

• Openness and transparency.

• Trust in data is becoming a key brand differentiator.

PPI and accident claims

• Loss of confidence in the industry and marketers.

• Even more regulation.

• Self-regulation of the sector damaged.

Caveat emptor…

• When you buy or rent a marketing list you must make rigorous checks to ensure that the organisation selling the data obtained the personal data fairly and lawfully, and that the individuals understood their details would be passed on for marketing purposes, and that they have provided their consent.

Stories in the last two months

• List Brokers (Mail, radio)

• Charities (Mail, Sun, Times, multiple radio, TV)

• Royal Mail (Mail, Times, radio)

More, much more to come!

Royal Mail: http://www.dailymail.co.uk/news/article-3133755/Millions-facing-junk-mail-deluge-Secret-Royal-Mail-plan-deliver-marketing-letters-shoppers-simply-click-product-online.html

Call Centre: http://www.dailymail.co.uk/news/article-3113793/We-don-t-care-s-98-s-not-dead-cash-MoS-exposes-tactics-cynical-call-centre-used-Britain-s-biggest-charities-including-Oxfam-Cancer-Research-UK-RSPCA.html

Data: http://www.dailymail.co.uk/news/article-3085699/Charities-using-dirty-tricks-details-Marie-Curie-RNIB-St-John-Ambulance-bought-lists-donors-using-unscrupulous-data-firm.html

Olive Cook: http://www.dailymail.co.uk/news/article-3083859/Shame-charities-drove-Olive-death-Organisations-exploited-pensioner-s-kind-heart-admit-sending-begging-letters.html

Olive Cook – sharing data: http://www.dailymail.co.uk/news/article-3081294/Britain-s-oldest-poppy-seller-dead-Avon-Gorge-aged-92.html

Paddy Power: https://shkspr.mobi/blog/2015/04/dealing-with-sms-spam-from-paddypower/

B2C Pensions: http://www.dailymail.co.uk/news/article-3017205/Your-pension-secrets-sold-conm

Pensions: http://www.dailymail.co.uk/news/article-2998082/Beware-pension-sharks-Flood-spam-texts-cold-calls-create-PPI-scandal.html

Data Bubble: http://www.dailymail.co.uk/news/article-3018659/Privacy-sale-s-health-secrets.html

DMA Code

• Benchmark for success and the restoration of confidence.

Selling a Marketing List (1)

General rules per marketing channel for third party use

• Postal Mail – opt-out/unsubscribe and screen against MPS

• Telephone – opt-out/unsubscribe and screen against TPS and CTPS

• Email, SMS and automated recorded calls – opt-in/subscribe and

• 1) Either third party specifically named or third party falls into a named sector and

• 2) Third party must use list for first contact within 6 months of purchase

Selling a marketing list (2)

• Remember that opt-out/unsubscribe or opt-in/subscribe must be meaningful and informed.

• Need for record-keeping – date of collection and generic data collection/privacy notice/privacy policy in use at that time.

• Consent – specific and informed to be valid.

• Positive action and pre-ticked opt-in boxes.

• Consent decays over time.

• ICO Direct Marketing Guidance and DMA Supplementary Note.

Selling a marketing list (3)

• Special rules apply when a business is being closed down/insolvent. Customer database can be sold to a third party without the consent of individual customer provided:

• 1) Database only used for same purpose for which it was collected by closed down business

• 2) Reasonable expectations of individual.

• If above conditions not met third party will have to get fresh consent from customers of closed down business.

Selling a marketing list (4)

• Be prepared to answer questions which buyer may ask.

• Seller’s responsibility to check provenance of marketing list.

• May have to check further down the data chain.

• Due diligence and contractual warranties/liabilities.

Further Reading

• ICO Direct Marketing Guidance

• https://ico.org.uk/media/for-organisations/documents/1555/direct-marketing-guidance.pdf

• DMA Supplementary Note

• http://dma.org.uk/article/dma-clarifies-ico-guidance-on-direct-marketing

• ICO Direct Marketing Checklist

• https://ico.org.uk/media/for-organisations/documents/1551/direct-marketing-checklist.pdf

Contacts

Mike Lordan

Director of External Affairs, DMA

T - 020 7291 3318

[email protected]

James Milligan

Solicitor, DMA

T - 020 7291 3347

[email protected]

Legal Advice Helpline

[email protected]

Consumer Rights Act

Janine Paterson, Solicitor & Legal Manager, DMA


Consumer Rights Act

• Draft published in June 2013.

• Received Royal Assent – 26th March 2015

• Majority will come into force

• A major overhaul of existing consumer rights legislation – consolidating 100+ consumer laws and introducing new rights for consumers and businesses.

• Follows two consultations late last year by BIS on goods, services and digital content; and the Law Commission & Scottish Law Commission’s on unfair contract terms.

Consumer Rights Act

• Basic rights not changing

• Aim to present rights and remedies in a simpler and clearer way to make consumers better informed and empowered

• 3 parts:

• Consumer contracts for goods, digital content and services – rights and remedies

• Unfair terms in contracts

• Miscellaneous: investigatory powers, enhanced consumer measures, enforcement, competition, etc.

Sale and supply of goods

• Rights

– Satisfactory quality

• Fit for all purposes for which goods usually supplied

• Appearance and finish

• Freedom from minor defects

• Safety

• Durability

– Fit for a particular purpose

– Match the description, sample or model

– Installed correctly

Sale and supply of goods

• Remedies

– Short term right to reject – 30 days

– Repair or replacement

• Only 1 opportunity

• At no cost to consumer

• Within reasonable time

• Without significant inconvenience

• Price reduction or final right to reject

– If repair/replacement fails or not done within reasonable time or without significant inconvenience, consumer chooses:

• Keep goods and claim price reduction or

• Return goods and claim refund

Sale and supply of goods

• Deduction for use

– Trader can make deduction from refund for use consumer has had

– No deduction where goods rejected within 6 months except where goods are a motor vehicle

• Compensation

– Damage caused by goods

– Damages for personal injury

– Additional cost to buy goods elsewhere

The supply of services

• Rights

– Carried out with reasonable care and skill

– Information said or in writing to consumer binding if consumer relies on it

– Carried out for a reasonable price

– Carried out within a reasonable time

The supply of services

• Remedies

– Repeat performance

• At no cost

• Within reasonable time

• Without significant inconvenience

– Price reduction

• Where repeat performance impossible

• Cannot do within reasonable time

• Cannot do without significant inconvenience

• Amount depends on seriousness of the breach

Digital content

• First time specific rights

• Rights

– Of satisfactory quality

• Satisfactory – consider description, price paid and other relevant circumstances, in particular statements in advertising and labelling

• Quality – same as for goods except appearance and finish

– Fit for a particular purpose

– As described

– Pre contract information

– Right to supply

Digital content

• Digital content supplied free

– If completely free, statutory rights do not apply – negligence

– If supplied as part of a contract that consumer has paid for, statutory rights do apply to all elements including the free content.

Digital content

• Remedies

– No short term right to reject

– Repair or replacement

• Within a reasonable time

• Without significant inconvenience

• Bear any costs associated

– Price reduction

• If repair/replacement impossible/time/inconvenience

• Amount could be 100%

• Where breach of right to supply – full refund unless only affects part of the content

Digital content

• Supply of goods and digital content

– Mixed contract

– If digital content fails to meet quality requirements – whole contract fails and remedies are those available for goods

• Damage caused by digital content

– Available where

• Damages device or other digital content

• Consumer owns damaged device/content

• Damage would not have happened if trader had exercised reasonable care and skill

• Remedies

– Repair

– Compensation

Unfair contract terms

• Consolidates the law around unfair terms in contracts with consumers.

• Fairness to be determined by taking into account:

• The subject matter

• All the circumstances existing when term was agreed

• All the other terms of contract or any other contract on which it depends

• Various terms listed that cannot be assessed for fairness

Contacts

Janine Paterson

Solicitor & Legal Manager

T - 020 791 3356

[email protected]

Legal Advice Helpline

[email protected]

0800 and non-geographic numbers

Janine Paterson, Solicitor & Legal Manager, DMA


Freephone numbers

• Currently calls from landlines free

• Calls from mobiles charged between 14 and 40 pence a minute

• 1st July 2015 – all calls from consumers to 0800, 0808 and 116 numbers will be free from mobiles

• Calls from business mobiles will still be charged

• Businesses that offer Freephone numbers will have to pick up cost of calls from mobiles.

• Company that provides the telephone number should have confirmed the cost to you to accept calls from 0800 numbers from consumer mobiles.

Non-geographic numbers

• Confusion over the cost to call non-geographic numbers – those beginning 08, 09 and 118.

• Numbers used by Government agencies and charities

• Only aware of cost if calling from BT line

• From 1st July 2015, cost of call broken down

– Access charges – charge from phone company and

– Service charge – charge set by company being contacted

• Cap on premium rate 09 call charges

• Will apply to 0845 numbers as well.

• Need to communicate charges clearly where you advertise or promote these services

• “Calls will cost Xp (or Yp per minute) plus your phone company’s access charge”

Access charge

• Phone companies have complete freedom to set the access charge

• Highest Vodafone – from mobiles 23p from 1st July but rise to 45p from 10th August

More information

• www.ukcallinginfo

• www.ofcom.org.uk

Contacts

Janine Paterson

Solicitor & Legal Manager

T - 020 791 3356

[email protected]

Legal Advice Helpline

[email protected]

Closing comments

Mike Lordan, Director of External Affairs, DMA


Data detailed: how to buy and sell information responsibly

Wednesday 8 July 2015

Come along for insights on data acquisition, compilation, management and buying data. Professionals on agency and client side will offer advice on how to respect consumer information while still making the most out of marketing opportunities.

A panel discussion will conclude the event. You’ll have the opportunity to ask pressing questions. Answers will undoubtedly help you improve your customers’ experience.

Keynote speakers include Rosemary Smith (Opt 4), Tim Drye (chair of the DMA’s governance committee) and Fedelma Good (Barclays).

Closing comments will be followed by a complimentary lunch and the opportunity to network.

More info: http://www.dma.org.uk/event/data-detailed-how-to-buy-and-sell-information-responsibly

Legal update

Tuesday 20 October 2015

Come along to a free legal update where a DMA solicitor will impart their wisdom. The session will cover upcoming changes to the law, as well as advice on how to adjust your practices. Stay compliant across all marketing aspects of your business.

Our solicitors work closely with the Information Commissioner’s Office and are engaged with legislation affecting data protection, big data, nuisance calls and contentious issues associated with one-to-one marketing.

You’ll have the opportunity to ask questions specific to your business. This update is appropriate for professionals in compliance roles, business owners and marketers who take best practice seriously.

More info: http://www.dma.org.uk/event/legal-update-3