EU Data Protection / Privacy Update: Marketers Can Breathe Easier … for a While

On Monday, 21 October 2013, direct marketers who do business in the European Union were granted a small relief from the gathering storm known as the EU Data Protection Regulation.

The reason? Politics, of course.

What you need to know:  Passage of the EU-wide Regulation might be delayed until early 2015, a full 18 months later than originally anticipated. If the delay happens, the Law won’t come into force until early 2017.

If there isn’t a delay and the vote proceeds on its former trajectory, passage won’t happen until December 2013 (at the earliest) or, more likely, mid-2014. Full implementation kicks in two years after passage. Thus, marketers still have some wiggle room.

Are you breathing? Good.

If you read my earlier post on the new U.K.-specific privacy guidance, this is somewhat related, albeit much larger because the potential delay encompasses the entire EU. (Effectively that’s 31 countries – 28 member states plus Iceland, Liechtenstein, and Norway.)

You can read the long-form overview of the update here, but for your convenience, below is a synopsis of the key takeaways.

What is the EU Data Protection Regulation?

If you’ve had the luxury of not tuning into the news or reading a business page these past nine months, first of all … well done. And second, here’s a quick level-setting of what you’ve missed:

On 25 January 2012, the European Commission (EC) published a proposal for a new EU Data Protection Regulation to replace the existing EU Data Protection Directive, which is a fragmented patchwork of laws that are implemented inconsistently across the EU member states. (Note, this inconsistency is precisely why the U.K. implemented the aforementioned guidance pointed out in my earlier blog post.)

The proposed new Regulation will be an EU-wide Law, meaning each EU member state will be required to (1) adopt all parts of it and (2) implement all parts of it in the exact same way. Piecemeal be gone.

Why the possible delay?

According to the latest information, there are three key reasons. Briefly:

If you were to guess the U.S. Secret Service monitoring snafu was one of them, you’d be right, though it didn’t factor overtly. However, since you mentioned it …

U.K. Prime Minister David Cameron and German Chancellor Angela Merkel were instrumental in pushing for the delay in voting, with Merkel specifically discussing the U.S. wire-tapping issue. Each provided different reasons, but essentially Cameron and Merkel posited the same general opinion, which can be summarized thusly: We need more time to ensure the Regulation is thoroughly thought through, that it fairly accounts for the concerns of each EU member state, and that it gives EU citizens more rights against unwarranted data collection and monitoring. Read into that what you will.

Another reason was disagreement about the penalties for breaching the Regulation. The European Parliament’s Civil Liberties, Justice and Home Affairs (LIBE) Committee wants to implement fines of up to 5% of a company’s annual revenue. The original proposal text calls for penalties of up to 2%.

Finally, the Council of Ministers is still making amendments to the Proposal’s text. The possible delay until 2015 will give the Council more time to consider the Proposal in full detail.

What are the key issues of concern for marketers?

There are eight areas of particular concern, most stemming from vague or conflicting language. THESE ARE NOT YET DECIDED. Ironing out these issues will be essential to passage of the Regulation into EU Law, and will also impact direct marketers who do business in the EU.

  1. Fines of up to 5% of annual worldwide turnover. Essentially it’s a 5% hit against a business’ 12-month revenue, up from 2%.
  2. The right to erasure/right to be forgotten. An individual will have the right to have their personal data erased if they request it. This strengthens the original text’s “right to be forgotten” amendment.
  3. Direct marketing as a legitimate business interest. This says, “The legitimate business interests case for collecting and processing of data will be restricted to direct marketing by post or where the direct marketing relates to similar products and services. Opt-in consent will be required for all other direct marketing channels.” It is a severe restriction on direct marketing and, by many accounts, a major step backwards. The EU advertising and marketing industry successfully lobbied for a more balanced approach. The extent to which it is included in the final Regulation text is as yet unknown.
  4. Consent. LIBE amendments would expand the explicit consent requirement for gathering and using data. They call for “explicit indication of the individual’s wishes” in the form of “clear affirmative action that is the result of choice” by the individual. This means consent cannot be inferred from silence, mere use of a service, or inactivity.
  5. Profiling. There are several proposed amendments that limit the ability for marketers to profile; that is, analyze/mine collected data for purposes of segmentation and targeting. Where profiling may include the analysis of sensitive personal information (e.g., race, religion, union membership), some amendments go as far as prohibiting profiling altogether.
  6. Data security breach notification. This is a welcome change. Rather than the imposed 24-hour time limit on notification of data breaches, the new amendment simply says, “without undue delay.”
  7. Requirement to appoint a data protection officer. Any organisation that processes personal information of 5,000 individuals in a 12-month period must appoint a data protection officer. So effectively, the majority of businesses will need to do this.
  8. The individual’s right to claim compensation. This says that individuals who have suffered damage (including non-financial) can claim compensation for breaches of the Regulation. This means, for example, that a person could sue for damages if she was woken up at 3 a.m. by a telemarketer.

Prepare, prepare, prepare

Regardless of whether the new EU Data Protection Regulation passes in December 2013 (highly unlikely) or 2015, it behooves all direct marketers to stay on top of the latest information and prepare for the worst. Hopefully the approved Regulation will be a pleasant surprise, but let’s not count on it.

Disclaimer: This information is provided as a discussion of how the EU Data Protection Regulation may affect marketers, and is not to be considered or perceived as legal advice. Every organization may be affected differently; we encourage you to seek legal counsel before taking action.
