News - Fresh Data Archive Article


Data Privacy Series #4 – The New Normal for EU Data Marketing

Date: October 2013


For any company that currently does business in Europe, or is considering doing so, one of the major issues to be faced is the seriousness with which European legislatures take the concept of “data protection”. Although it sounds like “privacy”, it is not the same thing. It means “protecting” personal information and using that information only within the strict limits set by European law-makers over the last twenty years.

            The law-makers are still going strong in the face of the digital challenge and the Internet space, and the pending Data Protection Regulation, now under study and debate in the European Parliament and within the European Commission, will set new standards for data protection in a “big data” world that is inter-wired and always “on”.

            New elements are being introduced, some of them radically different and likely to surprise marketers used to doing business in countries like the United States. Marketers would do well to be aware of them, because the Regulation will apply to a company that processes data about people in the EU even where that company has no physical presence there.

            One of the first is “data portability”, which gives individuals the right to an electronic copy of the data a company holds on them: “The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject.” As drafted, the provision carves out no categories of data from disclosure. If it is about the data subject, credit information included, he or she is entitled to it.

            Another major change giving many companies pause is the “right to be forgotten”. Article 17 of the draft Regulation, “Right to be Forgotten and to Erasure”, gives individuals the right to demand that entities holding their personal information erase it once it has fulfilled its purpose in the holder’s hands. Moreover, if the holder has passed the information on, as a direct marketer or data aggregator might do, it must take steps to see that the recipients comply with the individual’s wishes: the controller must “inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data.” In layman’s terms, this is “opt-out on steroids”, and it reaches downstream through every copy of a list that has been sold or shared.

            The implications and complexity of this requirement are not under-appreciated in Europe. The concept of being “forgotten” and its technical complexities have been studied by the European Union Agency for Network and Information Security, ENISA, sometimes referred to as the European “cyber-security agency”. ENISA has advised that technology and information systems play a critical role in enforcing this right, and its recent report identifies technical limitations (once data has been copied to systems outside the controller’s reach, no technical measure can guarantee every copy is erased) and a further need for clear definitions and legal clarifications before appropriate technical means to enforce the right can be properly implemented. Rest assured, a strict interpretation of this “right to be forgotten” will be a long time coming.

            A third change is a stricter interpretation of “consent” in the context of collecting and using an individual’s personal information. Of the legal grounds for processing that the current Directive recognises, the two that marketers rely on are consent by the individual and the collector’s own “legitimate interests”. Both are refined and restricted.

The existing Directive has a large hole in the “consent” category: data collection may be lawful without an individual’s explicit consent if processing the information is necessary for the “legitimate interests” of a collector, whose interest might simply be to sell it, and who obtains “consent” by means of a 20-page privacy policy and an opt-out button.

Basically, “silence is consent” is being phased out. The Regulation redefines consent, which must now be “explicit” in addition to “freely given, specific and informed”, and which must be shown by “a statement or by a clear affirmative action”. In plain terms, that is “opt-in” (or “double opt-in”, to be on the safe side). A pre-ticked box or continued use of a website would no longer do.

“Explicit” and “specific” are separate requirements. Explicit means the individual has unambiguously expressed agreement; specific means the consent must be tied to the types of information collected, the purposes to which it may be put and even the countries to which it may be sent. A blanket consent to “marketing” would not cover an unnamed purpose or an unnamed recipient.

Finally, the “legitimate interests” justification for collecting and using personal data (the ground for collection apart from “consent”) is restricted. Under the current Directive, a data collector could rely on the legitimate interests of the third parties to whom the data would be disclosed, which accommodated list creation and data gathering on clients’ behalf. Going forward, the collector may rely only on its own legitimate interests in collecting names, addresses and purchase preferences, not on those of the potential buyers of its customer list. In addition, the new transparency requirements oblige the data controller to inform people of the legitimate interest(s) on which it relies in collecting information, presumably in a privacy policy, transaction-related terms of service or similar document.

Business has had a fairly easy time of it under the Data Protection Directive, and there were few real obstacles to collecting personal information for legitimate business purposes, although over time the exchange and deployment of that information became increasingly difficult and compliance a complex matter. In many respects the law-makers watched how business practice and legal interpretations evolved, and became increasingly convinced that the concepts needed revision, with a new emphasis and discipline imposed for a new technological era.

This is nowhere clearer than in the penalty section of the draft Regulation, which provides for fines of €250,000 up to €1 million or, in the case of an enterprise, up to 2% of its annual worldwide turnover, depending on the violation. We will review the three-tier hierarchy of penalties in our next issue.

In the meantime, be aware that the experts at Data Services are well briefed on legal compliance and will treat your data with the professional care and attention it needs, while helping you reach your business goals and objectives. As long-standing members of the DMA Safe Harbor Program, Data Services is legally able to receive, house and process data from anywhere in the world, including the EU, and does so on a daily basis. For more information on the Safe Harbor program, please visit http://www.dmaresponsibility.org/SafeHarbor/