Respecting the Consumer – the Data Protection Perspective Billy Hawkes Data Protection Commissioner Association of Advertisers in Ireland 3 June 2009


Respecting the Consumer – the Data Protection Perspective

Billy Hawkes, Data Protection Commissioner

Association of Advertisers in Ireland, 3 June 2009


Presentation Outline
• Marketing – what do people think?
• Data Protection – what is it?
• Direct Marketing – the Rules
• Best Practice


Importance of key issues affecting the general public (2008)

Rated "Very Important":
• A good health service *: 89%
• Crime prevention: 87%
• Privacy of personal information: 84%
• Protection of consumer rights: 77%
• Ethics in public office: 77%

(new question in 2008)


Eurobarometer 2008

Individual (DS) Concern about Data Protection

Response                  EU Average %   Ireland %
Concerned                 63.8           70.5
Not Concerned             34.8           28.2
Don’t know / no answer    1.4            1.3


Personal Experience of Privacy Invasion (Yes %)

[Bar chart. Categories shown:]
• Received unsolicited post, addressed to you personally
• Received unsolicited text messages from commercial organisations
• Received unsolicited emails from commercial organisations
• Had excessive personal information sought from business/public sector organisations
• Had a virus/spyware on personal computer
• Disclosures of your personal information to others without your agreement
• Had information, images or footage of you posted on the internet without your consent
• Had personal information being withheld from you without explanation
• Inappropriate access to personal information held about you within an organisation

Yes % values shown on the chart: 50, 35, 28, 20, 20, 14, 11, 10, 10

Any experience: 65%


Attitude Towards Unsolicited Mail or Offers…

[Chart comparing 2008 with 2005 for four channels (the post; e-mail/the internet; the telephone to your home; SMS/text messages to your mobile phone) on the scale Not at all happy (1), Not very happy (2), Fairly happy (3), Very happy (4), Don’t Know, with the percentage Unhappy for each channel and year.]

Unsolicited mail via telephone or post remain the approaches the public most dislike. However, irritation with text or e-mail contact has significantly increased since 2005.


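Q.7 – Awareness of Rights

• To get a copy of any information about you held by any organisation: Yes, entitled 71%; No, not entitled 6%; Don’t know 23%
• To have any inaccurate information about you corrected/deleted: Yes, entitled 71%; No, not entitled 6%; Don’t know 23%
• To have your name removed from junk mail lists: Yes, entitled 71%; No, not entitled 5%; Don’t know 23%
• To have your telephone number removed from direct marketing lists: Yes, entitled 70%; No, not entitled 6%; Don’t know 24%
• To have any of your medical records deleted: Yes, entitled 58%; No, not entitled 7%; Don’t know 35%
• To claim compensation through the courts if personal information held about you is misused: Yes, entitled 40%; No, not entitled 21%; Don’t know 39%
• To get personal information about other people: Yes, entitled 22%; No, not entitled 46%; Don’t know 32%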


Complaints to DPC 2008

• 1031 formal complaints
• Many more enquiries dealt with informally

TYPE                 %
Direct Marketing*    35
Access Rights        30
Disclosure           16
Accuracy             2
Other                17

* Mainly electronic (SMS etc). Direct Marketing accounted for 57% of complaints in 2007


Unsolicited Marketing – DPC Annual Report Case Studies

• Unsolicited Text Messages (12/2005; 5/2006 – deletion of database ordered)

• Unsolicited Faxes (20/2008)

• Unsolicited e-mails (8/2008; 17/2008 – database deleted and marketing suspended)

• “Cold-Calling”/Failing to respect right to “opt-out” including via NDD (11/2005 (prosecution); 1/2006; 2/2006; 4/2007 – order to suspend marketing; 11/2008)

• Postal Marketing (15/2007: supermarket)


Case Studies 2008: Direct Marketing
• 123.ie (insurance)
• Interactive Voice Technologies
• Buy-as-you-Fly
• Celtic Water Solutions
• Matrix Internet
• Dell
• 2 Cases where we found in favour of DC


Presentation Outline
• Marketing – what do people think?
• Data Protection – what is it?
• Direct Marketing – the Rules
• Best Practice


Data Protection: a Human Right

• Part of Right to Personal Privacy
• Personal Privacy: necessary in a Democratic Society (but not absolute)
• Un-enumerated right under Irish Constitution
• Explicit right under European Convention on Human Rights: ECHR Act 2003


EU Charter of Fundamental Rights: Article 8
• Protection of personal data

1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.


Lisbon Treaty
Article 16 Treaty on the Functioning of the Union

• 1. Everyone has the right to the protection of personal data concerning them.

• 2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data.

• Compliance with these rules shall be subject to the control of independent authorities.


EU & Irish Legislation
• Data Protection Directive 95/46/EC
• Electronic Privacy Directive 2002/58/EC
• EUROPOL etc
• Data Protection Acts 1988 & 2003
• EC Electronic Privacy Regulations 2003 (SI 535/2003) and 2008 (SI 526/2008)
• Corresponding Acts
• Good Friday Agreement
• Disability Act 2005


Rights and Obligations

• Rights of “data subject” (= identifiable, living individual) to control the use of their “personal data” (very broad definition)

• Obligations on “data controllers” (“a person who controls the contents and use of personal data”) and “data processors” (“A person who processes personal data on behalf of a data controller”)


The Data Protection Rules
1. Fair obtaining & processing
  • Consent
2. Specified purpose
3. No disclosure
  • unless “compatible”
4. Safe and secure
5. Accurate, up-to-date
6. Relevant, not excessive
7. Retention period
8. Right of access


Sensitive Data (special protection)
• Physical or mental health
• Racial origin
• Political opinions
• Religious or other beliefs
• Sexual life
• Criminal convictions
• Alleged commission of offence
• Trade Union membership


Obtain & Process Fairly I (Rule 1)
• Data controller must give full information about
  - identity
  - purposes
  - disclosees
  - any other data necessary for “fairness”
• Third party data controllers
  - must contact data subject to provide these details
  - must give name of original data controller


Obtain & Process Fairly II

One of these conditions required:
• Consent
• Legal obligation
• Contract with individual
• Necessary to protect vital interests
• Necessary for a public function (Justice)
• Necessary for ‘legitimate interests’


Processing Sensitive Data

One of these additional conditions is required:
• Explicit consent
• Necessary under employment law
• To prevent injury or protect vital interests
• Process the data of members/clients of non-profit orgs.
• Legal advice
• For Medical Purposes
• Statutory function


Specified Purpose

• Part of obligations when obtaining to specify purpose

• Cannot expand purpose without reverting to individual

Rule 2


Disclose only if compatible

• General rule – no disclosure for different purpose

• Exceptions made, to balance other interests of society

• Section 8 exceptions
  - Investigation of crime
  - Collection of taxes
  - Security of the State
  - Protect life & limb
  - Law or court order
  - Legal advice and legal proceedings

• No general “public interest” test

Rule 3


Presentation Outline
• Marketing – what do people think?
• Data Protection – what is it?
• Direct Marketing – the Rules
• Best Practice


Direct Marketing Legislation

• The Data Protection Acts 1988 and 2003
  - Mainly Section 2

• SI 535 of 2003 European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations as amended by SI 526 of 2008
  - Mainly Regulation 13 (Unsolicited Communications)

• Other Legislation: Consumer Protection, E-Commerce, Financial Regulation etc


Direct Marketing Definition

• “direct marketing” includes direct mailing other than direct mailing carried out in the course of political activities by a political party or its members, or a body established by or under statute or a candidate for election to, or a holder of, elective political office;


Direct Marketing – the Golden Rule of Consent
• Only market willing customers
• Strong Irish customer resistance to “junk mail” or “spam”
• Failure to respect consumer choice is against the law
  - Criminal offence where electronic means used


Mailing lists

• Legal Right to opt-out of direct marketing
  - Delete data subject from mailing list
  - Notify the data subject within 40 days

• Failure is breach of Data Protection Acts (S. 2(7))
  - Complaint to Commissioner
  - Enforcement Action (e.g. delete database)


SMS and email
• Non-Customers (Individuals)
  - Must Opt-in
  - Must include the name of sender
  - Must include valid address for opt-out
  - Opt-in must be in the last 12 Months


SMS/e-mail Continued
• Customer (Individuals)
  - Opportunity to object at point of collection
  - Must include identity of sender
  - Valid opt out instructions
  - Only Similar and Related Services


SMS/email Continued
• Businesses
  - Do not need opt-in consent
  - Must respect any opt-out request
  - Must include valid instructions on opt-out
  - Must include name of sender


Phone
• Non-customers
  - All marketing calls must be screened against the National Directory Database opt-out list (NDD)
  - Marketing calls made to numbers recorded on the NDD opt-out list are an offence
  - Company must record any individual opt-out requests
  - All marketing calls must be screened against internal do not call list


Phone Continued

• Customers
  - Provide an opt-out at time of collection
  - Must respect any opt-out request
  - Can only market them for related or similar products


Faxes
• Individuals
  - Must receive prior consent
  - Must respect any opt-out received

• Businesses
  - Must respect any preference on the NDD opt-out list
  - Must respect any opt-out given directly to the company


Penalties

• Postal
  - Enforcement action by Data Protection Commissioner (deletion of database etc)

• Electronic
  - Criminal Offence: €5,000 per message, up to 10% of turnover
  - 350 prosecutions going through Courts


Presentation Outline
• Marketing – what do people think?
• Data Protection – what is it?
• Direct Marketing – the Rules
• Best Practice


Best Practice (1)
• Treat Consumer with Respect
  - Respect their right to be “let alone”

• Marketing that respects the Consumer’s preferences is more likely to be successful

• The more intrusive the marketing, the more likely Consumer will be upset

• Don’t abuse public information (electoral register etc)


Best Practice (2)
• IDMA Consumer Guide (www.idma.ie)
• FEDMA Direct Marketing Guide (www.fedma.org)
  - Approved at EU level
  - On-Line Annex in preparation

• Irish DPA Guidance (www.dataprotection.ie)


DPC Contact Details
Office of the Data Protection Commissioner
Canal House
Station Road
Portarlington
Co Laois
Phone: LoCall 1890 252231 / 057 8684800
Fax: 057 8684757
Email: [email protected]
Web: www.dataprotection.ie