data protection seminar 2_marketing & gdpr_isolas llp_26-07-17


Upload: michael-adamberry

Post on 21-Jan-2018


Page 1: Data Protection Seminar 2_Marketing & GDPR_ISOLAS LLP_26-07-17

Data Protection: Marketing & the GDPR - What you need to know

Christian Rocca, Michael Adamberry

ISOLAS LLP, www.gibraltarlawyers.com

Page 2

General overview

Page 3

Current Legislative Landscape: (Outline)

PRIMARY LEGISLATION

• Data Protection Act 2004 (“DPA 2004”)

• Implements Directive 95/46/EC (“Data Protection Directive”/ “DPD1”)

• Communications Act 2006 (“Comms Act”)

• Implements Directive 2002/58/EC (“e-Privacy Directive”/ “e-PrivD”) (amongst others)

SUBSIDIARY LEGISLATION

• Data Protection (Search And Seizure) Regulations 2006 (“DPSS Regs 2006”)

• Data Protection (Police and Judicial Cooperation in Criminal Matters) Regulations 2014 (“DPPJCCM Regs 2014”)

• Communications (Personal Data and Privacy) Regulations 2006 (“CPDP Regs 2006”)

Data Protection Commissioner – GRA as Supervisory Authority

• Issues Guidance

• Maintains Data Protection Register - http://www.gra.gi/data-protection/rights-register-search

Page 4

General Data Protection Regulation (“GDPR”): The clock is literally ticking!

• Implementation date is 25 May 2018

• As a Regulation it is directly applicable

• BREXIT unlikely to have an impact – UK likely to go with EU on this

• You can view the clock and obtain further information on the current status of GDPR at http://www.eugdpr.org/

• GDPR - Regulation (EU) 2016/679

Page 5

Outline of key terminology: Definition of personal data

• Current definition in DPA 2004 – “‘personal data’ means any information relating to a data subject”

• “Data” means both “automated” and “manual” data

• essentially means “information”

• Art 4(1) GDPR: 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Page 6

Outline of key terminology: “Special Categories” of data (aka sensitive data)

• general prohibition on processing the following:

• data revealing racial or ethnic origin

• data revealing political opinions

• data revealing religious or philosophical beliefs

• data revealing trade union membership

• genetic data

• biometric data for the purpose of uniquely identifying a natural person

• data concerning health

• data concerning a natural person's sex life or sexual orientation

• Currently, under DPA this is known as “sensitive personal data” (s.8) and also includes data concerning commission of offences / proceedings for any offence committed or alleged to have been committed by the data subject – which is still covered in GDPR but not under “special categories”

Page 7

Outline of key terminology: Controllers & Processors

• “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data

• “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

• {NOTE} In DPA 2004 – “not being a data controller, or employee of a data controller”

• {NOTE} In UK (DPA 1998) - “other than an employee of the data controller”

• {NEW} – under GDPR - data processors will be placed under a direct obligation to comply with certain data protection requirements which previously only applied to data controllers

• “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as:

• collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

Page 8

Outline of key terminology: The Eight Data Protection Rules

Source: http://www.gra.gi/data-protection/individuals/privacy-and-data-protection-overview-data-protection-day-2017

Page 9

Outline of key terminology: The Six Data Protection Rights

Source: http://www.gra.gi/data-protection/individuals/privacy-and-data-protection-overview-data-protection-day-2017

Page 10

Lawful processing: Article 6 (GDPR) and DPA 2004 Section 7

The processing is lawful if it is:

• By consent

• Necessary for performance of a contract

• Necessary for compliance with legal obligation

• Necessary to protect the vital interests of the DS or other person

• Necessary for the performance of a task carried out in the public interest or in the exercise of official authority

• Necessary for purposes of legitimate interests pursued by controller or third party, in particular where data subject is a child

• “Further processing” – factors to be taken into account

• What this means for you!

Page 11

Outline of key terminology: Consent of (and communicating with) data subjects

• Data subjects' rights have been strengthened by GDPR

• More information now needs to be provided

• Consent will be the most commonly relied-on exception to achieve “lawful processing”, but obtaining that consent is tricky – it must be “informed consent”

• What does this mean for DCs – ENHANCE/CREATE YOUR PRIVACY POLICY (and COOKIE POLICY)

Page 12

Cookies: NOT the edible kind!

• Communications (Personal Data and Privacy) Regulations 2006

• Directive 2002/58/EC (“e-Privacy Directive”/ “e-PrivD”)

• Directive 2009/136/EC (the “Cookie Directive”)

• From “opt-out” to “opt-in”

So how do they work?

• The user's browser loads a particular website.

• The website sends information to the browser, which then creates a text file.

• Every time the user goes back to the same website, the browser retrieves and sends this file to the website's server.

• Cookies can be used for authentication (e.g. login details) or as “bookmarks” within a site

• Cookies can be “persistent”, “tracking” or “tracing”

• Not viruses (not self-executing / capable of making copies of themselves)

• Can be malicious “spyware”

Source: http://www.allaboutcookies.org/

Page 13

Cookies: Use warnings!

• Use the warning on your website(s)

• Ensure users MUST “opt-in”

• Enhance your privacy policy / cookie policy

• Let people know why / how you are using them

• Don’t have a cookie policy? – ISOLAS LLP can assist!

Cookie Name: ASP.NET_SessionId

Purpose: A cookie generated by our ASP .NET development platform to allow our website to display properly and to allow visitors to view the website without logging in as a registered user. Once you close your browser, the cookie is deactivated.
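As an added illustration (not part of the ISOLAS slides), the following Python shows how a site can classify the cookies it sets into session versus persistent, the distinction the cookie-policy table above draws, and withhold non-essential cookies until the visitor has opted in. ASP.NET_SessionId is taken from the table; the other cookie names and the response headers are constructed for the example.

```python
# Cookie opt-in gate: classify Set-Cookie headers and drop non-essential
# cookies until the visitor has opted in. Added example, not from the slides.

# Cookies a visitor may receive without opting in ("strictly necessary").
# ASP.NET_SessionId comes from the slide's cookie table (assumed essential here).
STRICTLY_NECESSARY = {"ASP.NET_SessionId"}


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flags like HttpOnly get ""
    return name.strip(), value, attrs


def classify(header):
    """Build a cookie-policy style record: lifetime, security flags, necessity."""
    name, _, attrs = parse_set_cookie(header)
    # A cookie with Max-Age or Expires survives the browser session; otherwise
    # it is a session cookie and is discarded when the browser closes.
    persistent = "max-age" in attrs or "expires" in attrs
    return {
        "name": name,
        "lifetime": "persistent" if persistent else "session",
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "necessary": name in STRICTLY_NECESSARY,
    }


def gate_cookies(headers, consented):
    """Always keep strictly-necessary cookies; keep the rest only after opt-in.
    Returns (kept, dropped) lists of cookie names."""
    kept, dropped = [], []
    for h in headers:
        rec = classify(h)
        (kept if rec["necessary"] or consented else dropped).append(rec["name"])
    return kept, dropped


# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; Path=/; HttpOnly; Secure",
    "_tracker=u-42; Max-Age=31536000; Path=/; Domain=.example.test",
    "promo_seen=1; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(classify(h))
    print(gate_cookies(SAMPLE_HEADERS, consented=False))
```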

Page 14

E-Privacy Regulation

• Currently in proposal phase – Jan 2017

• Will be “lex specialis” to the GDPR

• does not include any specific provisions in the field of data retention

• public consultation between 12 April and 5 July 2016 received 421 replies

• Provides a [Option 3] “Measured reinforcement of privacy/confidentiality and simplification”

Page 15

Increased Territorial Scope: Who is affected?

• Application of the Regulations extends to EU Data Subjects even if controller or processor is not in EU.

• This applies where processing activities are related to:

The offering of goods and services to EU Data Subjects

Monitoring behaviour of EU Data Subjects

• In practice, the GDPR will now extend to a company outside the EU targeting consumers in the EU.

Direct (and abusive) Marketing: what is it?

• Under Section 2 (Definitions) – DPA 2004 “direct marketing” means the

• communication

• by whatever means

• of any advertising or marketing material

• which is directed to particular individuals

• and includes direct mailing other than direct mailing carried out in the course of political activities by a political party or its members, or a body established by or under statute or a candidate for election to, or a holder of, elective political office;

• Abusive Marketing - No definition in law BUT certain practices can be deemed abusive (e.g. constant “cold calling”)

• see ICO Guidance, as definition goes further

e.g. Bank calling to enquire about Bank account but then outlining mortgage products

Page 16

Direct Marketing: under s.17 DPA 2004…

• Individuals have “right to object” (and right to complain to the [GRA])

• Exercisable “at any time”

• 28 days to comply with request for DC to “cease” or “not begin” processing personal data for purposes of Direct Marketing. If the DC cannot comply, it must inform the individual within 35 days of the action taken (and why it cannot comply)

• If data kept solely for purpose of direct marketing, then “right to erasure” must be respected – also 28 days. Can only keep the written request to erase

• [if anticipate PD will be used for DM] the data controller shall inform the individuals to whom the data relates that they may object to such processing free of charge, by means of a request in writing to the data controller.

Page 17

The Opt-Out Register

• GRA maintains this – they can also provide copy of Register on request ([email protected])

• Service provided for fixed line and mobile subscribers who do not want to receive unsolicited direct marketing calls / faxes

• Governed under the CPDP Regs 2006

• Need prior consent

• If opted-out cannot contact

• Free service

• 28 day period to opt-out, then no unsolicited DM calls/faxes should be received

• GRA can prosecute companies who do not comply

• Doesn’t apply to businesses; only to individuals (unless “home office” fax/phone provided)

• Can register by filling out official application form on GRA website (can email a scanned copy, signed and dated, to [email protected]) – going ex-directory is not enough!

Page 18

Children & Marketing

Major concerns around disclosure of personal data to strangers by children include:

• Threat of child abuse

• Potential for direct marketers to exploit vulnerable class of people

• Disclosure by children of personal data relating to their families/others, and exploitation of such data for marketing purposes

• Processing must be “Fair & Lawful” (Principle 1 - Fairness)

• “Children/child” not mentioned in DPA 2004, but GDPR does. Section 5 DPA 2004 mentions consent can be given by parent / legal guardian if “individual” under the age of 16. GDPR: “parental responsibility”

• Activities addressed specifically to children shall receive specific attention of the Regulator under GDPR (Art 57)

• Substantial guidance in UK on this from Information Commissioner’s Office (ICO), Advertising Code, TrustUK, Mobile Marketing Association

Page 19

Sensitive Personal Data & Marketing

• Under the DPA 2004, sensitive personal data includes both: (i) the standard types of sensitive personal data; and (ii) information about criminal offences or criminal proceedings. This will be widened by GDPR

• Low threshold - In Murray v Big Pictures [2008] EWCA Civ 446, the High Court held that a photo could be sensitive personal data if it revealed the ethnic origin of the persons in the picture.

• Two aspects of “SPD”: (1) a blanket prohibition and (2) additional layer

• Section 8 DPA 2004 - processing of sensitive personal data is prohibited save where:

• sections 6 and 11 on data quality and data security are satisfied; AND

• at least one of the conditions in section 7(1) is met; AND

• at least one of the conditions [in section 8(2)] is met

e.g. “Legitimate activities” condition – BUT the sensitive data CANNOT be disclosed to third parties without the [“explicit”] consent of the data subject

Page 20

Note: Penalties under GDPR: A tiered approach

• Up to 20,000,000 EUR or 4% of total worldwide turnover (whichever is the higher) for breaches as to:

Principles relating to processing of personal data

Lawfulness of processing and Consent

Processing of special categories of personal data

Rights of the Data Subject

And more!

• Up to 10,000,000 EUR or 2% of total worldwide turnover (whichever is the higher) for other specified breaches

Page 21

Thank you for your time

Questions?

Michael Adamberry Christian Rocca

Trainee Lawyer [email protected] [email protected]

This presentation has been prepared for general information purposes only and is not legal advice, is not to be acted on as such, and is current only as at 25 July 2017. No reliance should be placed on its contents and the views expressed therein are those of the authors and may not reflect those of ISOLAS LLP. Interpretation of how the relevant legislation could be applied is ultimately a matter for the courts and/or applicable regulatory authorities and/or law enforcement agencies to determine. Should you require legal advice on this subject ISOLAS LLP would be pleased to assist.

Contact us: [email protected] / Tel +350 2000 1892 / Portland House, Glacis Road, PO Box 204, GX11 1AA, Gibraltar