EU DPR agreed
16 Dec 2015
The EU trilogue negotiations concluded on 15 December 2015. The EU Commission and Parliament agreed a Data Protection Regulation text. This is significant because this text defines the legal boundaries not just for all digital marketing, but any marketing in any medium that uses consumer data.
New legislation could allow fines of up to 4% of global turnover and create the post of data protection officer to police companies' use of personal data. In addition, the legal minimum age to register with social networking sites could rise from 13 up to 16, depending on the discretion of particular member states.
Five points to consider
Direct marketing as a legitimate interest.
The text recognises that the processing of personal information for marketing purposes may be regarded as carried out for a legitimate interest. While processing for direct marketing purposes is considered a legitimate interest, if an organisation relies on legitimate interest for its processing then it needs to make a careful assessment of the relationship between it and the individual.
Definition of personal data
Personal data is any information relating to an identified or identifiable person. How companies interact with personal data is the focus for the legislation. An identifiable person is somebody who can be identified directly or indirectly, particularly by reference to a name, identification number, location data or online identifier.
Whether or not online identifiers such as cookies fall into the definition of 'personal data' will depend on where they are placed in the online ecosystem. For example, a cookie placed by my internet service provider will be classified as personal data as it could identify me, whereas a cookie placed by an advertiser lower down the online ecosystem and cannot be linked to my email address or anything else which could identify me, is unlikely to be considered as personal data.
This represents a sensible compromise as it was feared that all online identifiers would be considered as personal data. This separation means non-identifiable, 'blind' data can be more widely used than identifiable personal data.
The text refers to 'unambiguous' consent rather than 'explicit’ consent, which is a stricter definition. Under unambiguous consent, consent for postal and telephone marketing can still be given on an unsubscribe or opt-out basis.
Either way, marketing organisations should bear in mind that the rules on consent will tighten up. Information must be provided concisely, in a transparent and intelligible way, and be easily accessible using clear and plain language.
Days when the consent could be buried in lengthy terms and conditions are numbered.
Right to object (unsubscribe/opt-out)
Under the new Regulation, individuals will have the right to object to any processing of their personal information, including profiling, at any time and free of charge. If individuals object, then their personal information can no longer be processed for marketing purposes.
Most marketers will use the legitimate interest grounds for processing personal information (see above) if they are using an unsubscribe/opt-out methods. But the right to unsubscribe/opt-out must be brought to the attention of the individual in the first communication and be clearly and separately stated.
Again, existing unsubscribe/opt-out language will need to be revised.
Profiling has now been included under the label 'automated decision making'. Individuals have the right not to be subject to the results of automated decision making, including profiling, which produces legal effects on him/her or otherwise significantly affects them. So, individuals can opt out of profiling.
But, individuals have no right to opt-out of profiling if they have already explicitly consented to it, or if profiling is necessary under a contract between an organisation and an individual, or if profiling is authorised by EU or Member State Law.
Negotiations, described as a 'strong compromise' by the EU Parliament, agreed two separate pieces of legislation which together reform the way personal data is used, handled and policed in the EU, but it's the first of these two pieces that are most relevant for marketers:
The General Data Protection Regulation will enable people to better control their personal data. Modernised and unified rules are designed to allow businesses to make the most of the opportunities of the digital single market by cutting red tape and increased consumer trust.
The Data Protection Directive for the police and criminal justice sector will ensure that the data of victims, witnesses, and suspects of crimes, is duly protected in the context of a criminal investigation or a law enforcement action. At the same time more harmonised laws will also facilitate cross-border cooperation of police or prosecutors to combat crime and terrorism more effectively across Europe.
German MEP and the EU Parliament's lead on the regulation, Jan Philipp Albrecht, said, "Today's [15 December] negotiations hopefully have cleared the way for a final agreement. In future, firms breaching EU data protection rules could be fined as much as 4% of annual turnover - for global internet companies in particular, this could amount to billions. In addition, companies will also have to appoint a data protection officer if they process sensitive data on a large scale or collect information on many consumers.
"The regulation returns control over citizens’ personal data to citizens. Companies will not be allowed to divulge information that they have received for a particular purpose without the permission of the person concerned. Consumers will have to give their explicit consent to the use of their data. Unfortunately, member states could not agree to set a 13-year age limit for parental consent for children to use social media such as Facebook or Instagram. Instead, member states will now be free to set their own limits between 13 and 16 years", he said.
The package is partially designed to allow consumers to have more control of their personal data. According to Eurobarometer, two-thirds (67%) of Europeans are 'concerned' about not having complete control over the information they provide online. Seven out of ten Europeans worry about how businesses may use their personal data. These reforms are designed to allow consumers to take back more control and to have greater trust in businesses when they do permit control.
Andrus Ansip, vice-president for the Digital Single Market, said: "Today's agreement is a major step towards a Digital Single Market. It will remove barriers and unlock opportunities. The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information. And they can enjoy all the services and opportunities of a Digital Single Market.
"We should not see privacy and data protection as holding back economic activities. They are, in fact, an essential competitive advantage. Today's agreement builds a strong basis to help Europe develop innovative digital services. Our next step is now to remove unjustified barriers which limit cross-border data flow: local practice and sometimes national law, limiting storage and processing of certain data outside national territory. So let us move ahead and build an open and thriving data economy in the EU – based on the highest data protection standards and without unjustified barriers," he said.
While this agreement is a huge step forward, it is not the end of the road for the legislation. The Civil Liberties Committee of the EU Parliament approved the Regulation on Thursday 17 December in Strasbourg, with 44 votes in favour with 4 votes against and 4 abstentions.
The deal will be put to a vote by all of the EU Parliament and separtaely in the EU Council of Ministers in the new year , after which member states will have two years to transpose the provisions of the regulation into their national laws. The regulation, which will apply directly in all member states, will also take effect after two years.