EU data protection reform: business interests gain ground over marketing consent

Commercial interests appear to be gaining ground in EU data protection reform negotiations. Justice Commissioner, Viviane Reding, has confirmed that under the draft Data Protection Regulation businesses can use the ‘legitimate interest’ ground to process personal information for direct marketing without getting the individual’s consent.

Speaking at a cloud computing conference in Brussels in March, Reding said: “At the moment… a business can process personal data for commercial purposes so long as it does not have a significant effect on the rights of the person concerned. This is called the ‘legitimate interests’ ground. The Commission has not proposed to change this. ‘Legitimate interests’ is the ground that is currently used by the marketing industry. It will continue to be used by the marketing industry.”

Consent and legitimate interest: what the law says
Under the current 1995 Data Protection Directive and the draft Data Protection Regulation an organisation must have a legal ground for processing personal information. Businesses tend to either obtain the consent of the person receiving the direct marketing (consent ground) or use the legitimate interest ground. The legitimate interest ground enables businesses to process personal information for direct marketing and other activities without getting the individual’s consent provided they respect the legal rights and freedoms of individuals, such as the right to say no to direct marketing.

Unambiguous consent to become explicit consent
The 1995 Directive requires consent to be unambiguous – the Commission wants to change the word “unambiguous” to “explicit” so that it is clear that staying silent is not the same as saying yes. “Explicit opt-in consent will be required when the processing of personal information becomes more intrusive,” says Reding. However, this doesn’t mean that there will hundreds of pop-up boxes spoiling the user experience, says Reding. This is just scaremongering by certain lobbyists.

While the DMA is pleased with Reding’s comments regarding explicit opt-in consent, it is not clear whether the current text of the draft Regulation actually reflects Reding’s view and the text will need to be amended/clarified on this point. For instance: when will direct marketing organisations have to use explicit consent? Will explicit consent be required if profiling activity is carried out?

Pseudonymous data
Reding clarified that the Commission was happy to work with the European Parliament and the Council of Ministers on drawing up a definition of pseudonymous data. However, the definition must recognise that pseudonymous data is personal information and not be used to exclude pseudonymous data from the scope of the Regulation.

Timing
Regarding the timing of negotiations on the draft Regulation, Reding said that both the EU Council of Minsters and the European Parliament were working hard on the draft text and she wanted a deal in this session of the European Parliament, which expires in May 2014. However, Reding accepted that it would take until then to reach a deal with the European Parliament and the Council of Ministers.

European Parliament vote delayed
Over in the European Parliament, the Civil Liberties, Justice and Home Affairs Committee (LIBE) has postponed its orientation vote on the draft Regulation from the end of April to the end of May. This is due to the 3,000 amendments tabled by MEPs. The representatives from each of the political groupings in the European Parliament are meeting regularly to try and agree compromise amendments which can then be voted on by LIBE when it meets at the end of May. FEDMA has produced a new position paper and the UK Data Industry Group is working on a new position paper for circulation to MEPs at this point in the process.

The DMA will keep members updated of the progress of the Draft Data Protection Regulation through this newsletter.

James Milligan, Solicitor, Direct Marketing Association