MEPs' data protection proposals a threat to direct marketing

Businesses will have to gain explicit consent to use an individual’s data under changes proposed by the European Parliament. It is one of a number of amendments to the draft EU Data Protection Directive that pose a threat to direct marketing as well as the wider business community. The proposals appear in a report published by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) in January 2013 and will determine the European Parliament’s position on the draft Regulation.

7 proposals that all direct marketers need to know about

1. Profiling restrictions
Businesses would only be allowed to gather individuals’ data for profiling with their explicit consent. And even if an individual did give consent, he/she would still be able to ask whether the organisation was carrying out any profiling and what actions it would take in connection with the individual based on the results of such profiling. This would make profiling for advertising and marketing too burdensome for many businesses.

2. Opt-in and opt-out consent
Businesses would only be allowed to contact individuals without their prior consent if they are existing customers and the marketing communication only relates to similar products and services. Postal and telephone marketing would be subject to the same rules as email and SMS marketing under the existing customer (soft opt-in) exemption in the Privacy and Electronic Communications Directive.

3. Definition of personal data
The definition of personal data would be extended to include unique identifiers such as cookies, data used in online behavioural advertising and pseudonymous data (where an organisation scrambles information to make the data record less identifying). Although anonymous data is exempt, the definition of anonymous data severely limits its application to marketing data.

4. Right to be forgotten
The draft report does not address calls by other European Parliamentary Committees to change this back to the right to erasure. If a consumer sends a request to a data controller to have his/her data erased, the data controller is under an obligation to pass on this request to any third parties who have received the data from the data controller. However, it is not clear whether the data controller is responsible for ensuring that the third party carries out the consumer’s request.

5. Data security breach notification
The European Commission had proposed that all breaches should be notified to national data protection authorities and all affected individuals within 24 hours of the data controller becoming aware of the breach. The report proposes that this should be extended to 72 hours. The report also recommends that the requirement to notify should only apply in the case of serious breaches. Both of these are welcome changes.

6. Sanctions
The report proposes to give national data protection authorities more discretion in this area. This is a welcome change as the original text states the level of fine for each specific breach of the Regulation and gives no discretion to national data protection authorities.

7. Delegated Acts
The original text gave the European Commission powers to make secondary legislation at the European level, which would have created legal uncertainty over key parts of the draft Regulation. It is welcome that the draft report opposes this. However, it proposes that the European Data Protection Board, made up of the heads of the data protection authorities in the Member States, should be given a greater role in this area. This may mean that a stricter interpretation of the draft regulation becomes the norm, as other national data protection authorities do not necessarily share the UK’s more business-friendly approach.

Next Steps
More amendments to the draft report are likely from the European Parliament Justice and Home Affairs Committee and the other committees interested in the proposals.

All MEPs will vote on the proposals in the early summer. The national governments of the 27 Member States will also consider the proposals in the Council of Ministers meeting.

Several months of negotiations between the European Commission, the European Parliament and the Council of Minsters will follow, lasting until late this year or early next year (2014) before all three parties agree on a final version of the Regulation.

Member States will then have two years from the date the Regulation is agreed to implement the final text into national law so the changes will not come into effect until late 2015 or early 2016.

The DMA will continue to lobby UK MEPs and minsters to ensure that the final text represents a better and fairer balance between the economic interest of business and the privacy rights of consumers. It will also work closely with FEDMA on lobbying activities in Brussels and other Member States.

James Milligan, DMA Solicitor, 020 7291 3360.