Post on 16-Nov-2014
Legal Update: Data Protection
Connect with the DMA…
• The #tag for this event is: #dmalegal
• LinkedIn: DMA: Direct Marketing Association (UK) Limited
• Twitter: @DMA_UK/ @DMANorth
• DMA Website: http://www.dma.org.uk
• Email: dma@dma.org.uk or events@dma.org.uk
• Phone: 020 7291 3300 or 0161 918 6780
Today’s agenda
• 09.00 – 09.30 Registration and Coffee
• 09.30 – 09.35 Welcome and Introduction
• 09.35 – 10.05 Data Protection Regulation – Richard Parkinson, Legal Director, Pinsent Masons and Samantha Livesey, Partner, Pinsent Masons
• 10.05 – 10.35 Data Protection Regulation – Caroline Roberts, Director of Public Affairs, DMA and James Milligan, Solicitor, DMA
• 10.35 – 10.55 Refreshment Break
• 10.55 – 11.15 Cookies – New Privacy Regulations – James Milligan, Solicitor, DMA
• 11.15 – 11.30 Hot Industry Issues – Caroline Roberts, Director of Public Affairs, DMA and James Milligan, Solicitor, DMA
• 11.30 – 12.00 Panel Debate and Close
Samantha Livesey and Richard Parkinson
The Proposed New EU Data Protection Regulation
Agenda
1. Introduction
2. Timescale
3. Headline proposed changes
4. Summary of main changes from current regime
5. Some specifics + considerations for compliance
Retailers: gaining competitive advantage from customer insights
From proposal to law: legislative process to implementation (timeline)
• May 2012
• Hearings: May to Nov 2012
• Draft report published: Nov 2012
• Parliamentary amendments to text: Dec 2012
• Committee stage: Jan to April 2013
• Lead committee vote: April 2013
• 2014 (Q1 2014?)
Regulation directly applies across EU
Headline proposed changes
• Data processors directly covered
• Expanded definitions: “personal data” and “data subject”
• Explicit consent required
• Right to be forgotten
• Greater emphasis on accountability
• Notification of data security breaches
• More onerous sanctions for breach
Consent
Consent: Current Position
- Freely given, specific, informed indication of the data subject’s wishes
- Explicit consent required for sensitive personal data only
Consent: Proposed Position
- Freely given, specific, informed and explicit indication of data subject’s wishes
- Given either by a statement or a clear affirmative action
- Data controller / data subject relationship to be taken into account
- Burden of proof on controller to demonstrate consent
Greater accountability
• Public bodies / companies <250 staff
• Appointment of DP officer
– 2 year appointment
– independent
– reporting to board
– inform
– train
• Maintenance of documentation
• Data protection impact reports
Data security breach notification
• Mandatory notification
• Within 24 hours of becoming aware of breach
• Report to cover:
– nature of breach
– number of data subjects
– categories of data
– proposed mitigation
Data security breach roadmap (diagram, steps as labelled)
• INCIDENT: A data security incident occurs
• CONTAIN: Prevent/limit any further data loss
• ASSESS: What are the potential consequences?
• INVESTIGATE: Find out what happened
• RESPOND: Complete your Incident Response Plan
• NOTIFY: Notify Insurer immediately
• ALERT: Involve your security breach response team
• EVALUATE: How successful was the response?
Under the proposed Regulation (second diagram):
• NOTIFY ICO WITHIN 24 HOURS
• CONTAIN: Prevent/limit any further data loss
• ASSESS: What are the potential consequences?
• INVESTIGATE: Find out what happened
• RESPOND: Complete your security breach response plan
Proposed enhanced sanctions
• Depend on:
– Size of organisation involved
– Nature and gravity of breach
– Whether intentional or negligent
– Technical and organisational measures
– Previous breaches
– Co-operation with ICO
Proposed enhanced sanctions
• Up to €250k or 0.5% annual worldwide turnover intentional or negligent failure to operate a proper subject access request
• Up to €500k or 1% annual worldwide turnover intentional or negligent failure to respond to subject access requests in accordance with Regulation
• Up to €1m or 2% of annual worldwide turnover for other compliance failures
Winners
• Data Protection Officers
• Data subjects? Genuinely better protection for them?
• Multinational businesses seeking to operate in a genuinely single European market
• The (few?) national supervisory authorities likely to receive increased funding
• Initiatives for information sharing on cyber/data security incidents: both industry groups and government
Losers
• Data processors
• Data subjects?
• Consumers: increased burden and cost of compliance passed on
• Other national supervisory authorities: increased duties; same resources
• The many industries that operate using “indirectly identifiable data” (or in the “grey zone”)
Use your time wisely
Any Questions?
Contact details
Samantha Livesey
Partner
Pinsent Masons LLP
3 Hardman Street
Manchester M3 3AU
Tel: 0161 234 8327
samantha.livesey@pinsentmasons.com
Richard Parkinson
Legal Director
Pinsent Masons LLP
3 Hardman Street
Manchester M3 3AU
Tel: 0161 234 8434
richard.parkinson@pinsentmasons.com
Combining the experience, resources and international reach of McGrigors and Pinsent Masons
Pinsent Masons LLP is a limited liability partnership registered in England & Wales (registered number: OC333653) authorised and regulated by the Solicitors Regulation Authority, and by the appropriate regulatory body in the other jurisdictions in which it operates. The word ‘partner’, used in
relation to the LLP, refers to a member of the LLP or an employee or consultant of the LLP or any affiliated firm who is a lawyer with equivalent standing and qualifications. A list of the members of the LLP, and of those non-members who are designated as partners, is displayed at the LLP’s
registered office: 30 Crown Place, London EC2A 4ES, United Kingdom. We use ‘Pinsent Masons’ to refer to Pinsent Masons LLP and affiliated entities that practise under the name ‘Pinsent Masons’ or a name that incorporates those words. Reference to ‘Pinsent Masons’ is to Pinsent
Masons LLP and/or one or more of those affiliated entities as the context requires. © Pinsent Masons LLP 2012
For a full list of our locations around the globe please visit our websites:
www.pinsentmasons.com www.Out-Law.com
Draft EU Data Protection Regulation
DMA View and Lobbying Activity
Caroline Roberts James Milligan
Director of Public Affairs DMA Solicitor
Draft Regulation - DMA View
• DMA welcomes the Commission’s aim to reduce red tape and simplify bureaucracy – but proposals do not achieve that: overly strict, bureaucratic and unworkable
• Needs to be a fair balance between privacy and legitimate business interests
• Current proposals will stifle innovation, add considerably to business costs and place unnecessary obstacle to e-commerce jobs growth
• Will be particularly harmful to SMEs
• Hard to say how Commission’s estimate of 2.3 billion euros saving to businesses was calculated
“The proposed EU Data Protection Regulation could cost the UK £47 billion in lost sales
According to the businesses polled for the study, the proposed EU legislation could cost UK each an average of £76,000.
Crucially, if these results were representative of the UK economy as a whole, this would translate into a potential cost of £47 billion to UK businesses, concentrated amongst mainly SMEs.”
Key points in the draft Regulation – Opt-in and opt-out – obtaining consent
• General rule for direct marketing – “explicit consent by clear statement or affirmative action”.
• Possible legitimate interests exemption?
• Legacy databases – what about data collected under current law?
• At odds with existing rules on voice calls, email and SMS marketing
Key points in the draft Regulation – IP addresses and cookies
• Definition of personal data extended so could cover some IP addresses and cookies
• But IP addresses identify a device not an individual + some IPs are general
• Huge implications for digital marketers
• Web analytics & profiling made much more difficult, if not impossible
• Interaction with new cookie rules
Key points in the draft Regulation – The right to be forgotten
• Right for individuals to request organisations to delete any information held on them
• Drafted with social media in mind – but goes beyond this
• Problem of information which has already been passed on to third parties
• Possibility of misleading consumers by raising unrealistic expectations
• Suppression files.
Key points in the draft Regulation – Subject Access Requests
• Data subjects to be able to request full information on data held on them free of any charge
• Currently can levy a £10 fee – doesn’t cover cost but deters time-wasters, frivolous or vexatious requests.
• Costs organisations £50 million p.a. now to meet SARs
• Proposal that can provide data in electronic form if data subject agrees to this
Key points in the draft Regulation - Marketing to Children
• General rule – parental consent required for under 18’s
• Exception for online marketing to children above age of 13
• No flexibility – a risk-based approach would be better.
Key Points in the draft Regulation – Delegated Acts
• A major concern is that much of the detail of the Regulation will be implemented through additional delegated legislation – some 45 Delegated Acts are mentioned.
• Details of this secondary legislation will not be clear until Regulation passed
• These areas of secondary legislation will include:
– powers to specify further procedures
– technical standards for Privacy by Design/Default
– specification of lawful processing condition
– additional responsibilities for national data protection authorities; etc.
• European Commission will be taking significant powers to itself away from the national authorities – raises serious issues of subsidiarity and accountability
Current position – UK
• Government reshuffle
– at MoJ Helen Grant replaces Lord McNally.
• MoJ Data Protection Advisory Panel
– DMA invited to join
• Justice Select Committee enquiry
– DMA submitted evidence
– 3 oral hearings: ICO, Minister, FSB, Privacy International, Microsoft, Which?
– Focus on bureaucratic burdens, benefits of harmonisation, Right to be Forgotten
– Report in October to EU Scrutiny Committee
• Allies
– CBI; Federation of Small Business; Which? etc.
• DMA Research
– Data Privacy: What the Consumer Really Thinks, and on the economic value of the DM industry, Putting a Price on Direct Marketing
Current position – UK Data Group
• DMA chairing industry group under Advertising Association umbrella - to co-ordinate lobbying efforts
• + ISBA, IPA, MRS, IPM, Sky, ITV, Channel 4, Microsoft, Google, Facebook
• Ministerial Round Table on 23rd October
• Set of draft amendments to propose
• Priorities agreed: definition of personal data; profiling; consent; impact on small businesses; compliance costs
• Mapping exercise of key individuals to target – pooling of intelligence on lobbying outcomes
Current position – Brussels – Council of Ministers
• Council of Ministers Working Group meeting monthly
• Initial reports indicate UK Government (and others) taking a helpful and business-friendly stance – many object to delegated acts; find it too prescriptive and blunt in outlook on risk and harm & would prefer a more principles- based approach.
• UK pushing for Directive, rather than Regulation – as is Germany
Current position – Brussels – European Parliament
• Lead Committee = LIBE
– Civil Liberties, Justice & Home Affairs
– Rapporteur is German Green MEP
– Aiming for Draft Report for discussion in December with vote in early 2013
• 4 other Committees will produce reports
– ITRE – Industry & Trade
– IMCO – Internal Market & Consumer Protection
– JURI – Legal
– Employment & Social Affairs
Current position – Brussels - FEDMA
• FEDMA co-ordinating central European effort, a link point for exchange of intelligence on lobbying outcomes in different Member States
• Organising meetings in Brussels with key individuals in Council, Commission and Parliament, e.g. Cypriot Presidency; advisers to key MEPs; party group secretariats.
• Produced a FEDMA position paper on priorities for industry + draft amendments to text
• Lobbying directly where there is no national DMA
• DMA participating in Europe-wide group, Data Industry Platform – for collective lobbying + current research project by KPMG on likely effect of Regulation on European industry
Next steps
• Industry Round Table with MoJ and DCMS Ministers – 23rd October
• Contact key UK MEPs
• Promote suggested amendments to Regulation – to UK MEPs and via FEDMA to others
• Lobby UK political leaders to influence their MEPs in EU Parliament
• Continue to engage with key Commission, Council and Parliament civil servants and advisers
Timing
• Council Working Party meets on 25/26 September + 4 more meetings in 2012
• 6th December – Council Ministers meet
• LIBE lead EP Committee – meeting with national parliaments on 9/10 October; will produce working document in mid-October & draft report in late November
• Other 4 Committees in parallel
• ???????? 2014.
Coffee break…
The next session starts at 10.55am
Cookies – 6 months on
James Milligan
DMA Solicitor
Covering:
• 26th May?
• Current developments
• What does the law require?
• Practical Guidance
26th May
• Online world did not end
• ICO issued revised guidance
• Implied consent = shared understanding.
• www.silktide.com
Current Developments
ICO reporting tool
What does the law require?
• The EU's revised privacy and communications directive came into force on 26 May 2011
• EU laws have been in place since 2003 clear information requirement.
• The changes in May dramatically tightened the rules: clear information and consent from users to store a cookie on their device.
The law doesn’t just cover cookies
• The law isn’t actually about cookies, but because it affects them so much people have started calling it the ‘Cookie Law’
• The law covers all technologies which store information in the “terminal equipment" of a user, and that includes so-called Flash cookies (Locally Stored Objects), HTML5 Local Storage, web beacons or bugs…and more
• This applies to email and mobile marketing too!
In practice
Those setting cookies must:
• tell people that the cookies are there,
• explain what the cookies are doing, and
• obtain their consent to store a cookie on their device.
Two exemptions from consent requirement
• 1. “use of cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network“
• 2. “cookies that are strictly necessary for the provision of a service”
– e.g. internet banking, online shopping carts, website log-ins
What steps should you have been taking?
Follow the ICO’s guidelines:
1. Check what type of cookies and similar technologies you use and how you use them.
2. Assess how intrusive your use of cookies is.
3. Decide what solution to obtain consent will be best in your circumstances.
Check what type of cookies you use
• This might have to be a comprehensive audit of your website or it could be as simple as checking what data files are placed on user terminals and why.
• You should analyse which cookies are strictly necessary and might not need consent.
• You might also use this as an opportunity to ‘clean up’ your webpages and stop using any cookies that are unnecessary or which have been superseded as your site has evolved
• And also check that you have identified ALL your websites.
Assess how intrusive your use of cookies is
• It might be useful to think of this in terms of a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other.
• You can then focus your efforts on achieving compliance appropriately providing more information and offering more detailed choices at the intrusive end of the scale.
Decide how to obtain consent
• Once you know what you do, how you do it and for what purpose, you need to think about the best method for gaining consent.
• The more privacy intrusive your activity, the more you will need to do to get meaningful consent….
– Pop-up box
– Splash page
– Landing page
– Webpage header, banner or scrolling text
– Through T&Cs for registered website users
• Cannot currently rely on users’ browser settings!
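As an added example (not from the deck, the DMA or the ICO), the three ICO steps above expressed as code: a constructed cookie inventory classified against the two consent exemptions, a server-side setter that only emits a Set-Cookie header for a non-exempt cookie when the visitor has given explicit consent for that category (browser settings are never treated as consent), and an audit that flags cookies on an incoming request that the inventory does not know about. The cookie names, categories and consent record are assumptions.

```javascript
// Step 1 (audit output): inventory of every cookie the site sets. `exempt`
// names which of the two consent exemptions applies, or null if none does.
// Constructed for illustration; a real inventory comes from the site audit.
const COOKIE_INVENTORY = {
  sessionid:  { category: "login",       exempt: "strictly-necessary" },
  cart:       { category: "shopping",    exempt: "strictly-necessary" },
  lb:         { category: "routing",     exempt: "transmission" },
  _analytics: { category: "analytics",   exempt: null, intrusiveness: "low" },
  _adprofile: { category: "advertising", exempt: null, intrusiveness: "high" },
};

// Step 2 (sliding scale): exempt cookies need no consent; everything else does.
// Unknown cookies are an audit failure, not something to silently allow.
function consentRequired(name) {
  const entry = COOKIE_INVENTORY[name];
  if (!entry) throw new Error(`cookie '${name}' is not in the inventory; audit it first`);
  return entry.exempt === null;
}

// Consent is only what the visitor affirmatively recorded per category,
// e.g. { analytics: true }. Absence of a key means no consent.
function hasConsent(name, consent) {
  return Boolean(consent && consent[COOKIE_INVENTORY[name].category] === true);
}

// Step 3: build the Set-Cookie header for a response. Returns null when the
// cookie must not be set because consent is required and was not given.
function buildSetCookie(name, value, consent) {
  if (consentRequired(name) && !hasConsent(name, consent)) return null;
  const attrs = ["Path=/", "Secure", "HttpOnly", "SameSite=Lax"];
  return `${name}=${encodeURIComponent(value)}; ${attrs.join("; ")}`;
}

// Audit an incoming Cookie header (same format as document.cookie): report
// cookies outside the inventory and non-exempt cookies present without consent.
function auditCookieHeader(cookieHeader, consent) {
  const findings = { unknown: [], unconsented: [] };
  for (const part of cookieHeader.split(";")) {
    const name = part.split("=")[0].trim();
    if (!name) continue;
    if (!COOKIE_INVENTORY[name]) { findings.unknown.push(name); continue; }
    if (consentRequired(name) && !hasConsent(name, consent)) findings.unconsented.push(name);
  }
  return findings;
}
```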
Thank you and Questions
DMA Cookie Watch: http://www.dma.org.uk/toolkit/cookie-watch
Tel: 020 7291 3347 Email: james.milligan@dma.org.uk
DMA Legal Advice Tel: 020 7291 3360 Email: legaladvice@dma.org.uk
Hot Industry Topics
Caroline Roberts James Milligan
Director of Public Affairs DMA Solicitor
Hot Industry Topics
• Consumer Rights legislation
• Marketing to children
• Telemarketing
• Financial services
• Alcohol marketing
• Postal Affairs
• Environment
Consumer Law – all change
• UK consumer law is not fit for purpose.
• Outdated language and concepts not appropriate in age of digital downloads and international online retail.
• To help consolidate and simplify consumer law for the benefit of consumers and traders, the Government has launched three consultations.
1. Consumer Rights Bill
• BIS consultation proposes a range of options to clarify the rights and remedies for goods and services, including digital content, including:
– Replace the current system of implied terms with a clear set of statutory guarantees when purchasing goods
– Set a clear time limit for a short term right to reject
– Clarify the number of times a retailer can repair sub-standard goods before being obliged to replace them
– Replace “reasonable care and skill” with statutory guarantees for service levels
– Introduce statutory remedies for sub-standard services
– Clarify the rights and remedies available when buying digital content.
• If implemented, these changes will see a complete change to how consumer law protects people when buying goods and services, and will introduce concepts that will allow for developments in technology.
• This consultation closes on 5 October
2. Unfair terms in consumer contracts: a new approach
• Current law on unfair terms in consumer contracts contained in two pieces of legislation which have their own inconsistencies and overlapping provisions.
• As part of consultation on package of measures to simplify and consolidate consumer law, the Law Commissions asked to review and update 2005 report in relation to its general consumer recommendations.
• Also asked to look at one specific issue: Which terms in a contract should be excluded from any rules? (has arisen from 2009 litigation over bank charges)
• Their advice to be published spring 2013.
• Consultation looks at recommendations in 2005 report and updates some proposals in light of changes since.
• The consultation closes on 25 October.
3. Implementation of the Consumer Rights Directive
• Agreed by the European Commission in 2011 – into UK law by April 2014.
• Focused on harmonising and simplifying rules in a few key areas of consumer law:
• Information that must be given to a consumer before s/he buys goods or services on a trader’s premises
• Information that must be given to a consumer before s/he buys goods or services away from a trader’s premises, for example a fair, or at a distance (eg online)
• Cancellation rights and responsibilities when a consumer buys goods or services away from a trader’s business premises or at a distance
• Delivery times for goods and where responsibility lies if there is a problem
• Post-contract helplines – these now cannot be a premium rate but can only be a basic rate call
• Additional payments – these are payments that are charged on top of the price of the goods or services. They now need to have active or express consent so pre-ticked boxes will no longer be allowed
• Payment fees (eg credit card surcharges).
Consumer Rights Directive – UK implementation
• Payment fees are also subject to a separate consultation, issued by the Department for Business Innovation and Skills on 3 September
• Many of the provisions of the Consumer Rights Directive have to be implemented as agreed in Europe but the consultation looks at some areas where there is leeway in how the UK Government implements the provisions. These include applying the provisions to sectors exempted by the Directive, for example healthcare and social services, setting a minimum value for a transaction to be subject to the provisions and dealing with emergency repairs in the home.
• Aims to put an end to certain bad business practices and help consumers make well informed decisions when buying products or services.
• Also to boost business confidence, setting out clearer rules and responsibilities and cutting red tape by reducing compliance costs.
• Consultation closes on 1 November.
Marketing to children
• General political concern about over-commercialisation
• Bailey Review on Commercialisation and Sexualisation of Childhood – “Letting Children Be Children” – report published 2011
• Says role and practice of advertising in broadly good shape – praises industry initiatives, e.g. CHECK
• 5 key recommendations:
– Sexual imagery on billboards, magazine covers.
– No under-16 brand ambassadors & peer to peer techniques
– Harmonisation of the age of a child at 16
– Website for parents to complain
– Improving industry and regulatory understanding of parental concerns
Marketing to children – industry response
• Children’s Panel set up to monitor advertising to children and take forward issues of concern
• Parent Port – gateway portal for parents for information, advice, complaints, etc.
• Research – Credos, Advertising Association think tank
• UK Brand Ambassador and Peer-to-Peer Marketing Pledge:
– Agreed principle that “Young people under the age of 16 should not be employed directly or indirectly paid or paid-in-kind to actively promote brands, products, goods, services, causes or ideas to their peers, associates or friends”
• 30+ national company signatories + 13 trade associations, including DMA
• Industry awareness campaigns
Marketing to children- latest developments
• Consultation on extending age rating system to music DVDs and Blu-rays
• Govt encouraging industry to introduce clear warnings on explicit videos online
• Govt finalising legislation to implement the new classification system for video games
• Govt asking ASA to consider whether more should be done to spell out commercial intent of advergames to young people and parents
Telemarketing
OFCOM issued consultation 4th April on Simplifying Non-geographic Numbers - detailed proposals on the unbundled tariff and Freephone
• Non-geographic numbers include 03, 080, 0845,0870, 083/4, 0871/2/3, 09 and 118 numbers.
• Used to call businesses and Government agencies, to get information, make payments for services and vote on TV shows. Nearly every consumer and every company in the country uses these numbers in some way.
• Confusion about the price – even freephone not clear cut
• Concerns about revenue sharing.
Telemarketing
• Main proposals:
– Freephone: (080 and 116 numbers) to be free from all telephones, landline and mobile;
– 03: to become the only non-geographic number range linked to the price of a call to a geographic number (i.e. the 01/02 number ranges);
– Revenue sharing ranges: (084, 087, 09 and 118 numbers -where a portion of the retail charge is passed back to the receiver of the call) are to have a common simplified structure.
• Consultation closed 27th June 2012 – now awaiting Government’s response
Financial Services
• EU Gender Directive
– In force 21st December 2012
– ECJ ruled 1st March 2011 that gender sensitive pricing is contrary to the principle of equal treatment in EU law
– Therefore gender neutral pricing will become the norm – unisex premiums would see the lower-risk gender paying more to subsidise the high-risk gender
Financial Services
• Re- architecture of financial services regulatory environment
• Replacement of FSA by Financial Conduct Authority and Prudential Regulatory Authority
• Banking Reform Bill – ring fencing of retail and investment arms within banks included in Queen’s Speech 2012.
Financial Services – consumer credit
• Consumer Credit in limbo- move to FCA?
– Investigations into payday loans and payment protection insurance have raised the issue of standards in the consumer credit market
– BIS Committee of MPs has called for tighter controls on debt management companies and payday lenders
• Charge higher licensing fees for higher risk credit businesses
• Put in place a fast track procedure to suspend credit licences
• Give the regulator the power to ban harmful products
Financial Services – consumer credit
• BIS Consultation on the Early Implementation of a Ban on Above Cost Payment Surcharges
• Credit/Debit Card charges • Consultation closes 15 October 2012.
Alcohol
• Government issued its Alcohol strategy on 23rd March
• Focus on pricing issues
• Minimum pricing in Scotland to be introduced –implications for rest of UK?
• Positive comments on the work of self-regulation
• Commons Health Select Committee holding an inquiry into the Governments’ proposals, looking at:
– effects of marketing on alcohol consumption, in particular in relation to children and young people.
– international evidence of the most effective interventions for reducing consumption of alcohol and evidence of any successful programmes to reduce harmful drinking, such as: education; reduction in strength; raising legal drinking age; and plain packaging and marketing bans.
Postal issues
• Reversions issue with Royal Mail
• DMA in discussions with RM to secure a more beneficial outcome – hosted summit in August
• Making progress
• VAT – single supply of services
Environment
• The DMA and Defra signed a Responsibility Deal in 2011.
• Part of this was the introduction of a new website where householders can opt-out of receiving all types of advertising mail.
• Aim to reduce the amount of unwanted advertising mail put through the letterbox
• Doorstop Preference Service is ready to launch – awaiting final Defra input and agreement with newspaper and directories industries.
Queen’s Speech 2012
• DEFAMATION BILL – end to libel tourism and protection for website operators for user generated content on their site provided they comply with new dispute resolution procedures to allow complainant to deal directly with the author
• ELECTORAL REGISTRATION AND ADMINISTRATION BILL – introduction of individual electoral registration and system opened up for digital application. - edited version of register will be kept but issue on opt-outs.
• ENTERPRISE AND REGULATORY REFORM BILL – aims to cut red tape
• PENSIONS BILL – creating a single tier pension and bringing forward increases to the state pension age
• DRAFT COMMUNICATIONS DATA BILL – dubbed “The Snoopers’ Charter”
Any Questions?
james.milligan@dma.org.uk caroline.roberts@dma.org.uk
020 7291 3347 020 7291 3346
DMA members can contact DMA Legal Department for free advice:
by email: legaladvice@dma.org.uk
or call: 020 7291 3360
Thank you…
Presentations will be emailed to you Monday
A final thank you to all of today’s speakers:
Richard Parkinson, Pinsent Masons
Samantha Livesey, Pinsent Masons
Caroline Roberts, DMA
James Milligan, DMA
Please return your completed evaluation forms and badges to the registration desk. We look forward to seeing you again!