ddma data driven monday: privacy law for data driven marketing and the regulatory challenges ahead

Sirius LegalData Driven Marketing and the EU: the Regulatory challenges aheadData Driven Monday, 13 April 2015

Data Driven Marketing and the EUData Driven Monday, 13 April 2015

Privacy means many different things


The right to privacy between individuals

Nosy neighboursEU Privacy law does not deal with this aspect of privacyNational (civil) law


The right to privacy in relationship to the government

NSAPoliceTax authoritiesSpecific rules and regulations on international and national level


Electronic processing of personal data

Electronic processingPersonal dataUsually for commercial purposesEU Data Protection Directive 95/46/ECE-privacy Directive 2002/58


New balls, please…

EU Data Protection Directive 95/46/ECE-privacy Directive 2002/58Have been around for 20 yearsPrinciples no longer fit economical and technical reality


New balls, please…

EU is working on new set of rulesWork in progress since 2012End is not in sight…Uniform rules based on EU Regulation (as opposed to Directive)ETA: 2016 - 2017


Current Privacy Law

Based on EU RegulationTransferred into national law by each member stateSet of rules dates back to ninetiesBased on location of company and/or serverAt the time most elaborate and progressive set of rules in the world


Current Privacy Law

“Right to privacy” >< data processingDefinition of personal data is very largeECJ 2015: Even IP address – browser historyImpact on data collection and big data is considerable


Current Privacy Law

Straight and simple:Prior “opt-in” for all processingOr implicite opt-in if “justified reasons” for processing“Free and informed” opt-inTransfer of data to third party = additionnal opt-in

Cfr. Analytics tools, apps, cookies, database enrichment through mailings and actions, …: always opt-inCfr. also social media content


Current Privacy Law

Rightsopposition – access – correction - information

ObligationsInformation – opt-in – data security – (export)


New regulation

2016 – 2017

Regulation in stead of DirectiveWork in pogress since 2012Complex procedure in European InstitutionsHeavy lobbyingPolitical slow down


New regulation

How the EU legislative process works…

2012 Proposal European Commission (Reding)2012-2015 Parallel track in European Parliament and European Council2014 Proposal Parliament accepted (Amendements “Michel”)2015 Parallel proposal Council Work in progress2016 Both proposals have to be merged into one final text…


Commission Proposal

Heavily influenced by consumer protection activists in EPLIBE Committee (protection of civil liberties)

Result:Consumer friendly, but unrealistic for direct marketing sector, e-commerce sector, …


Commission Proposal

For all services offered in EU (even free services)Personal data = also online identifiers, “pseudonymous data”Explicite opt-inInformation obligation (icons)Right not to be submitted to profilingWarning obligations in case of data breach“Data protection by design”“Data protection officer” Sanctions: LIBE: up to 5% of yearly turnover or 100 million euro


Council Proposal

Work in progressLast ammendments made in March 2015Much more industry focusedInfluence of direct marketing (through eg BDMA - FEDMA) is bigger


Council Proposal

Explicite opt-in But opt-out or implicite opt-in has been put back in if “legitimate interest”

Next chapters discussed in upcoming months

To be expected:Lower penalties and less strict obligationsData protection officers obligation tuned downSofter rules on profiling prohibition


What should you do in the meantime?

Follow up on discussion (eg through our website www.siriuslegal.be)Start review vendor contracts (in view of data security obligation) Start to prepare for full update of policies, contracts, business processesPut in place data breach notification procedureAppoint (temporary) data security officerPut in place impact assessment and/or risk analyses policyCreate compliance statements for annual business reportsTrain staffSit back and wait for final text of regulation for final details…


And now for something completely different…Cookies


Cookies

EU e-privacy directive 2002/58/ECBelgium: new article 129 in Telecom law since October 2012


Cookies

Always opt-in

Except for purely functional cookies:Absolutely needed for technical reasonsAbsolutely needed for communication


Cookies

Law is vague, unclear and leaves too much room for interpretation

Sector is still waiting for clarifications by Privacy commission, BIPT/IBPT or FOD Economy…


Cookies

EU point of view however is very clear“Working Party 29”Rules in neighbouring countries are clear(Netherlands begin 2015 tuned down for Google Analytics)


Cookies

Opt-in should be:Free (i.e. website visit possible without opt-in)Explicit (requires active deed by visitor)Informed (prior info)Prior to placing cookiesRevocable


Cookies

2015Netherlands tune down lawFrance holds giant “cookie sweep”Spain inflicts high penaltiesItaly imposes use of overlaysBelgium…?

Legal update in e-commerce E-shop Expo, Brussels, 18 March 2015

Cookies

2016-2017Juncker commission announces reviewStreamlining with Privacy regulation Also: technical evolution (fingerprinting, etc…)Absolutely unclear what is going to happen in upcoming 2 to 3 years…

Media & advertisement lawCopyright - trademarks - datebase - software - knowhowTravel & consumer protectionTax & tax planningIT, Internet & e-commercePrivacy & cookiesGambling & gaming

Sirius Legal

www.websitecertifier.bewww.campaignchecker.be

[email protected]@BartVdBrandeLinkedin.com/in/bartvdb

Sirius Legal