When: December 2016
Law stated as at: 16 December 2016
2016 will go down in history for several reasons: from political upsets (depending on your point of view); to sporting successes (all hail Andy Murray).
For those of us who eat, sleep and breathe all things data protection and privacy, including in the marketing and advertising sector, there is no doubt that 2016 has been fairly momentous. To say that the European Commission and regulators have been busy would be an understatement.
In Europe alone:
- the Privacy Shield replaced the ill-fated Safe Harbor;
- the General Data Protection Regulation was finally approved; and
- regulators across Europe exercised some serious muscle in their enforcement actions.
In the UK, we had:
- the “B” word (otherwise known as Brexit) and (on-going) consideration of how that may impact data protection and privacy laws in the UK;
- a new Information Commissioner in the form of Elizabeth Denham; and
- (perhaps as a result of having a new leader and the approval of the GDPR), what feels like a shift-change in the ICO’s approach, to focus more than it may have done previously on: new technologies, transparency and giving back control to individuals. Nonetheless, breaches of the direct marketing provisions continue to attract significant attention (and fines).
December has been no different:
- Digital Economy Bill:
The Bill is making fairly swift progress through Parliament. It is now at the Committee Stage (a line-by-line examination of the Bill) in the House of Lords.
The Bill proposes to put the ICO’s direct marketing guidance on a statutory footing, by amending the Data Protection Act 1998 to give the guidance the status of a code of practice (similar to the ICO’s data sharing code of practice). That means that the guidance would have to be approved by the Secretary of State and laid before Parliament.
Once approved, what would (by then) be the direct marketing code of practice could be used as evidence in the courts and tribunals, and would be taken into account by the ICO in exercising its functions. The code would not impose additional legal obligations, nor would it constitute an authoritative statement of the law.
- Leaked copy of the e-Privacy Directive reform proposal:
A draft of the European Commission’s proposal for reform of the e-Privacy Directive, in the form of a Regulation (rather than a Directive), was leaked earlier in the month. We will be summarising the implications for online advertising and direct marketing in a separate update, so keep an eye out for that.
In the meantime, to highlight two particular points of interest, it would seem that:
- messages sent via over-the-top (OTT) services (e.g. in-app notifications) will be caught by the direct marketing provisions (not only those which are sent over a telecommunications network); and
- an opt-in will be required for live marketing calls (albeit that Member States may legislate to allow for those calls to be made on an opt-out basis instead).
- A final version of the proposal is expected in early January 2017.
- Yet more fines from the ICO:
An ICO investigation into the fundraising activities of two charities resulted in fines of £25,000 and £18,000 each.
Why this matters:
2016 has been a busy year. 2017 (and beyond) will continue to bring great change to the regulatory framework for data protection and privacy in the UK and in Europe. It seems almost certain that the rules – and enforcement of the rules – will get stricter. Businesses (including marketers) have to be ready (and willing) to adapt.