The Ministry of Justice has opened a consultation seeking views on the recently published EU draft Data Protection Regulation. The UK’s Direct Marketing Association, Europe’s largest trade body representing the direct marketing industry, has submitted its views to the MoJ and they are far from all favourable, reports Ciaran Price.
Topic: Privacy
Who: Direct Marketing Association
Where: London
When: March 2012
Law stated as at: 29 March 2012
What happened:
Background
As readers of Marketinglaw will be aware, on 25th January 2012 the European Commission published its working draft of the proposed new Data Protection Regulation. The Regulation is designed to replace outdated legislation which currently deals with data protection in the EU, and looks set to raise both the burden on organisations regarding their processing of data, and the potential for non-compliance. In response to the Regulation's publication the UK's Ministry of Justice issued a Call for Evidence, requesting responses from a variety of interested parties and their views on the proposals.
Response:
The Direct Marketing Association ("DMA"), having consulted with its members, has now published its response to the Ministry's request, giving its view of the Regulation and its effects on the industry. In general, the DMA's response is less than enthusiastic. While recognising the need for an update to the legislation in this area, the DMA does not believe that the proposed Regulation will achieve the Commission's aims of reducing bureaucracy and simplifying data compliance.
On the contrary, the DMA's view is that the regulatory burden on businesses (particularly small and medium-sized organisations) would in fact be increased rather than alleviated. The costs of compliance, both in terms of additional administration and potential lost sales, mean that serious questions must be raised about the Commission's claim that the Regulation could save European businesses 2.3 billion euros. The DMA believes the effect is likely to be felt particularly acutely by online business models reliant on processing user data, and the DMA is concerned that additional regulation will be a significant deterrent to business start-ups and development in this area.
The DMA's response to the main aspects of the Regulation can be summarised as follows:
Opt-out and 'explicit consent' – Organisations would have to obtain explicit consent to process users' data, or rely on the 'balance of interests' exception. However, it is unclear how one would satisfy this 'balance of interests', leaving the risk that contact details would have been obtained without the necessary consent and that the contact database may then have to be destroyed.
Definition of 'personal data' – It is possible that under the draft Regulation an IP address would count as personal data. Being unable to capture or process this data without consent would have a catastrophic effect on business models which rely on profiling, and would certainly impair customer experience online. The DMA also points out that an IP address does not in fact reveal the behaviour of an individual but merely the behaviour of a device, which might be used by multiple users. Classing an IP address as personal data would therefore seem inappropriate.
The right to be forgotten – The DMA is of the opinion that this proposal is aimed at social media operators, and would have a serious detrimental impact on such platforms. The requirement that an organisation not only ensure that it deletes all data held about a subject, but procures that third parties do too, is unworkable and will result in vastly increased administration costs.
Subject access requests – The Commission's proposals to scrap the current £10 fee which can be charged for answering subject access requests will mean that administration costs will be an even heavier burden on businesses than currently. It may also result in an increase in frivolous or vexatious requests.
Data breach notifications – The requirement to inform the ICO and the individuals concerned of any and every data security breach within 24 hours will lead to enormous administrative costs, a burden on the ICO and the danger of causing 'notification fatigue' for consumers, meaning that they ignore important notifications in future. The DMA recommends that a minimum threshold of severity of breach be set for notification.
International transfers outside the EEA – The DMA welcomes the proposals to make transfers out of the EEA more business-friendly, but has concerns about the law also applying to any organisation in the world which handles information about EU citizens. The proposal as it stands, the DMA says, is not workable in a modern digital world.
Sanctions – The DMA considers that the proposal to impose fines of up to 2% of businesses' global turnover for non-compliance with the Regulation is disproportionate and inappropriate, and more likely to cause businesses to move offshore than to actually resolve problems.
Why this matters:
The Commission is currently consulting on the draft of the Regulation, and taking opinions from across the EU. As a major representative of the marketing industry, the DMA (in conjunction with the ICO and the Ministry of Justice) is in a position to influence the development of the legislation at this crucial stage. Marketinglaw will of course be covering the evolution of the Regulation on an on-going basis.