New EU data regulations - five points to consider
The EU Parliament and Commission agreed a text for the EU Data Protection Regulations overnight, paving the way for new rules which will govern the boundaries not just for all digital marketing, but any marketing in any medium that uses consumer data.
Laws are built around protecting consumer rights, and groups including the DMA have lobbied hard to make the regulations good for business too.
DMA Group CEO Chris Combemale said, “The text is better than we thought in five key areas – specifically the definition of personal data, the definition of consent, the consumer right to object, profiling and what are the ‘legitimate interest’ of businesses to process consumer data.
“These areas will be the concern of digital and data-driven marketers for the foreseeable future, and we are pleased that the agreed text will allow the continued development of the data-driven sector. Companies that already adhere to the DMA Code will find that they are mostly compliant already, and have a head-start with two years to go before implementation, but there will still be some work to do. The principles of openness and responsible marketing underlie this new text."
In light of the new text, here are five points all marketers now need to consider in the build-up to new regulations becoming a reality:
- Direct marketing as a legitimate interest.
The text recognises that the processing of personal information for marketing purposes may be regarded as carried out for a legitimate interest. While processing for direct marketing purposes is considered a legitimate interest, if an organisation relies on legitimate interest for its processing then it needs to make a careful assessment of the relationship between it and the individual.
- Definition of personal data
Personal data is any information relating to an identified or identifiable person. How companies interact with personal data is the focus for the legislation. An identifiable person is somebody who can be identified directly or indirectly, particularly by reference to a name, identification number, location data or online identifier.
Whether or not online identifiers such as cookies fall into the definition of 'personal data' will depend on where they are placed in the online ecosystem. For example, a cookie placed by my internet service provider will be classified as personal data as it could identify me, whereas a cookie placed by an advertiser lower down the online ecosystem and cannot be linked to my email address or anything else which could identify me, is unlikely to be considered as personal data.
This represents a sensible compromise as it was feared that all online identifiers would be considered as personal data. This separation means non-identifiable, 'blind' data can be more widely used than identifiable personal data.
The text refers to 'unambiguous' consent rather than 'explicit’ consent, which is a stricter definition. Under unambiguous consent, consent for postal and telephone marketing can still be given on an unsubscribe or opt-out basis.
Either way, marketing organisations should bear in mind that the rules on consent will tighten up. Information must be provided concisely, in a transparent and intelligible way, and be easily accessible using clear and plain language.
Days when the consent could be buried in lengthy terms and conditions are numbered.
- Right to object (unsubscribe/opt-out)
Under the new Regulation, individuals will have the right to object to any processing of their personal information, including profiling, at any time and free of charge. If individuals object, then their personal information can no longer be processed for marketing purposes.
Most marketers will use the legitimate interest grounds for processing personal information (see above) if they are using an unsubscribe/opt-out methods. But the right to unsubscribe/opt-out must be brought to the attention of the individual in the first communication and be clearly and separately stated.
Again, existing unsubscribe/opt-out language will need to be revised.
Profiling has now been included under the label 'automated decision making'. Individuals have the right not to be subject to the results of automated decision making, including profiling, which produces legal effects on him/her or otherwise significantly affects them. So, individuals can opt out of profiling.
But, individuals have no right to opt-out of profiling if they have already explicitly consented to it, or if profiling is necessary under a contract between an organisation and an individual, or if profiling is authorised by EU or Member State Law.
From the text we know so far that:
- Fines for companies that breach the new regulations could run to 4% of global turnover – vast when you consider the size of some digital giants
- Creation of a Data Protection Officer within businesses involved with ‘high risk processing’ whose job it is to make sure the business is compliant with the new rules
- The minimum age for registering with digital services could rise from 13 up to 16, but this would be at the discretion of member states
- Single ‘one stop shop’ to police data businesses regardless of where they are in the EU
- Rules for businesses will be proportional to the risk those businesses could present to individuals
- Data protection safeguards should be built into products from the earliest stages
- Pseudonomysation and other privacy-friendly techniques will be encouraged
James Milligan is Legal and Public Affairs Adviser at the Direct Marketing Association