EU watchdog turns its attention to privacy policies and data notices

UK businesses need to take a long, hard look at their data collection notices and privacy policies to ensure they comply with EU data protection laws, an EU privacy watchdog warns. Vague and general phrases such as "improving users' experience", "marketing purposes", and "IT security purposes" are not acceptable reasons, the Article 29 Working Party said in a recent opinion paper.

The Article 29 Working Party, which is made up of the heads of the national data protection authorities in EU Member States, believes that such general statements need further explanation if they are to comply with EU data protection laws. Organisations are required to identify the purpose for which they are collecting personal data, clearly and specifically.

Big data vs simple data
Businesses should almost always seek consent when using personal data in complex analytics and big data projects: for example, for tracking and profiling for purposes of direct marketing, online behavioural advertising, data-brokering, location-based advertising or tracking-based digital marketing research.

The good news for small businesses is that the Article 29 Working Party recognises that there is a huge difference between a local firm gathering simple data from local people and multinationals using complex analytics to target and profile large numbers of consumers throughout Europe.

This means that a local shop selling to local people which collects limited information about its customers may be allowed to use a general statement about how it will process the customers’ personal information.

However, a large retail company selling goods via a website across all European countries and using complex analytics to send personalised offers and targeted advertisements will not be able to use vague and general statements as to how it will process its customers' personal information in data collection notices and its privacy policy.

User-friendly privacy policies/data notices
The Working Party also warns against the use of complicated disclaimers written in legalese which data subjects find hard to decipher. It recommends a layered notice that allows data subjects to read key information in a concise, user-friendly manner. This could include a link to a more detailed description of how data will be processed.

Access to data profiles
Individuals and customers should have access to their profiles as well as to the logic of the decision-making (algorithm) that led to the development of the profile. Organisations should also disclose their decisional criteria. (In this case the Working Party is overstepping the mark and going beyond what is currently legally required.)

Privacy risks of anonymised data
Organisations should be aware of the problem of re-identification in the case of pseudonymous or annoymised data. (Annoymised or pseudonymous data is where an organisation scrambles information to make the data record less identifying.) However, in certain cases because of the uniqueness of an individual’s information, it may still be possible to re-identify an individual.

Why the opinion of the Article 29 Working Party matters
This Working Party paper is important in the context of the negotiations over the draft Data Protection Regulation. Although the Article 29 Working Party does not have a formal role in the legislative process, it is an influential lobbying organisation given its composition. Some of the issues raised in the paper relate to the issues of profiling of individuals and anonymous/pseudonymous data, which are contentious issues in the draft Data Protection Regulation.

The draft Data Protection Regulation also requires organisations to focus more on their compliance obligations and to be able to demonstrate to the national data protection authority (the Information Commissioner’s Office in the case of the UK) that they are complying with the legal requirements.

What the current law says
Current UK and EU Data protection law requires that:

Personal information must be collected for specified explicit and legitimate purposes (purpose specification) and it is not to be further processed in a way incompatible with those purposes (compatible use).

The paper suggests that in order to determine whether further processing is compatible with the original purpose(s) there is a need for a compatibility assessment/test.

The assessment/test should take account of the following key factors:

• The relationship between the purposes for which the personal information was originally collected and the further processing
• The context in which the personal information was collected and the reasonable expectations of individuals’ as to its further use
• The nature of the personal information and the impact of the further processing on individuals’
• The safeguards adopted by the organisation to ensure fair processing and to prevent any undue impact on individuals.

The paper contains examples as to how this test works in practice. The DMA will continue to monitor developments in this area and will keep members updated in this newsletter.

James Milligan, Solicitor, Direct Marketing Association