Scotland legal update 25 sept

Description

Changes to EU data protection legislation are imminent and could have potentially devastating consequences for your business. Don’t be caught by surprise! The DMA is keeping in close touch with developments as the European Parliament and Council prepare to debate this business-critical piece of legislation this autumn. Caroline Roberts, Director of Public Affairs at the DMA, will provide an update on the draft EU Data Protection Regulation and the DMA's lobbying activity. Kathryn Wynn, Senior Associate at Pinsent Masons, will discuss Big Data: Identifying the Opportunities and Overcoming the Legal Obstacles.

Page 1: Scotland legal update 25 sept

Data protection 2013
Friday 8 February
#dmadata
Supported by

DMA Scotland legal update
Wednesday 25 September 2013
#dmascotland

Page 2

Agenda

8.30am Registration and breakfast
9.00am Welcome from the Chair
9.10am Kathryn Wynn, Senior Associate, Pinsent Masons
9.40am Caroline Roberts, Director of Public Affairs, DMA
10.10am Q&A
10.40am End

Page 3

Big data: identifying the opportunities and overcoming the legal obstacles

Kathryn Wynn, Senior Associate, Pinsent Masons

Page 4

Big Data: Identifying the Opportunities and Overcoming the Legal Obstacles

Kathryn Wynn

Wednesday 25 September 2013

Page 5

Outline

• What is Big Data?
• What is the Big Deal?
• How is Big Data being used?
• Big Data and legal risk:
  – Who owns the data?
  – Data Protection, privacy policies and gaining consent

Develop your big data strategy, address legal risk early, focus on customer expectations

Page 6

Managing the Risk

• Compliance
• Privacy by design
• Customers’ expectations and control

Page 7

What is Big Data?

Page 8

What is Big Data?

“data sets that are too large and complex to manipulate or interrogate with standard methods or tools: much IT investment is going towards managing and maintaining big data”

Page 9

What is the Big Deal?

Page 10

Buying and Selling Big Data

Source: Tata Consultancy Services

Page 11

Buying and Selling Big Data

Source: Financial Times, 13 June 2013

Page 12

What is Your Big Data Strategy?

• Strategy 1
  – “Why not just dump it in there and figure out what else you can do?” – Jill Dyché, SAS Institute Inc.
• Strategy 2
  – What are our objectives?
    • Can I use more data to drive decisions?
  – What data do I have available?
    • From what sources are data available to me?
  – What infrastructure / platforms do I have available, can I use?
    • Proprietary, open source?
    • Shared infrastructure?

Page 13

Big Data in use

Page 14

Big Data in Insurance

• Nine out of 10 say big data will help price risk more accurately
• 82% say insurers that do not capture the potential of big data will become uncompetitive
• 96% say the digitally enabled world will see the emergence of new risk rating factors

Source: The Big Data Rush: How Data Analytics Can Yield Underwriting Gold (survey), Ordnance Survey and the Chartered Insurance Institute

Page 15

Big Data and Supply Chain Synergies

“We can now store, share and allow our vendors to analyze data using a common platform – ultimately allowing us to better serve our customers”

– Richard Angelillo, A&P Head of IT Strategy & Delivery

Page 16

Data Sharing in mHealth?

“The next time you use your smartphone to inquire about migraine symptoms or to check out how many calories were in that cheeseburger, there is a chance that information could be passed on to insurance and pharmaceuticals companies.”

– The Financial Times, 1 September 2013

Page 17

Big Data and the question of ‘ownership’

Page 18

Who Owns the Data?

• No-one can own facts per se. (International law)
• Data v ‘expressions of data’ (copyright)
• Data and ‘database rights’
• Data v ‘content’ (Fairstar Heavy Transport [2012])
• Data and confidential information

Page 19

Who Owns the Data?

Ownership & related restrictions:
• Database right
• Copyright
• Confidentiality restrictions

No ownership restrictions:
• Fact per se

Page 20

Database Rights Restrictions

What is a database?
• "... a collection of independent works, data or other materials which are arranged in a systematic or methodical way ..."

What is protected?
• “... substantial investments in ‘obtaining, verifying or presenting content’ ...”
• “... not the creation of facts.”

What is restricted?
• extraction or re-utilisation of a whole database or a substantial part of its content
• systematic extraction or re-utilisation of insubstantial parts of a database

Page 21

Who Owns the Data?

Ownership & related restrictions:
• Database right
• Copyright
• Confidentiality restriction

No ownership restrictions:
• Fact
• String of facts devoid of copyright, not taken from a database, not confidential

Page 22

Big Data and data protection: privacy, security, accuracy, legitimacy

Page 23

Personal Data Restrictions

What is personal data?
• "data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller ..."

What are the restrictions on use?
• legitimate use – business purpose?
• consent – how obtained?
• other restrictions

What are the options?
• anonymising data
• privacy policies and terms of service
• icons

Page 24

Anonymisation Risks

Page 25

Restrictions on Use

Ownership & related restrictions:
• Database right
• Copyright
• Confidentiality obligation
• Data protection laws

No ownership restrictions:
• Fact
• String of facts devoid of copyright, not taken from a database, not confidential
• Anonymised data

Consent, legitimate interest, other; or licence

Page 26

Big Data and data protection: firming up consent and transparency

Page 27

The Privacy Policy Problem

Page 28

The Privacy Policy Problem

• PayPal – 36,275 words
• Hamlet – 30,066 words
• Apple iTunes – 19,972 words
• Macbeth – 18,110 words
• Windows Live – 14,714 words
• Apple iOS 5 – 13,366 words
• Facebook – 11,195 words
• Google all-inclusive – 10,640 words

Source: Which?

Page 29

ICO Guide: Direct Marketing

• ICO Enforcement
  – FOCUS: Organisations that generate highest number of complaints
  – £440,000 MPN for Tetrus Telecoms

Page 30

Consent

• CONSENT is necessary for data sharing of buying / selling databases
• VALID CONSENT:
  – Freely given
  – Specific in the context of direct marketing
  – Informed
  – An indication signifying consent

Page 31

Consent for SMS/EMAIL marketing

• The recipient has notified the sender
• For the time being
• To such communications
• Being sent by the sender

Page 32

Implied Consent

• Implied consent: Cannot rely on lengthy privacy policy
• Clear and relevant information readily available to the customer
• Implied consent can be valid BUT
• Not a euphemism for ignoring the need for consent
• Must include:
  – Positive action indicating consent
  – Understood what consenting to
  – Genuine choice
• Sometimes providing data indicates consent BUT not when integral to the service

Page 33

Indirect Third Party Consent

• Consent extends to another organisation
• Transparency requirements: clear that data would be passed on and how used?
• Ensure that clear from outset that data will be shared for marketing purposes
• Valid consent: Specifically name the organisation or refer to a category of organisation
• Consent limited in time

Page 34

Refresh and Review of Marketing Consents

• Big Data: significantly and genuinely departs from marketing being carried out at the time of the opt in / opt out
• Review existing consent mechanisms and privacy policies
• Clear, succinct and prominent
• Consider cookies consent mechanism
• Are you doing what customer expects you to do? If so, would they still give consent?

Page 35

Managing the Risk

• Compliance
• Privacy by design
• Customers’ expectations and control

Page 36

Pinsent Masons LLP is a limited liability partnership registered in England & Wales (registered number: OC333653) authorised and regulated by the Solicitors Regulation Authority, and by the appropriate regulatory body in the other jurisdictions in which it operates. The word ‘partner’, used in relation to the LLP, refers to a member of the LLP or an employee or consultant of the LLP or any affiliated firm of equivalent standing. A list of the members of the LLP, and of those non-members who are designated as partners, is displayed at the LLP’s registered office: 30 Crown Place, London EC2A 4ES, United Kingdom. We use ‘Pinsent Masons’ to refer to Pinsent Masons LLP and affiliated entities that practise under the name ‘Pinsent Masons’ or a name that incorporates those words. Reference to ‘Pinsent Masons’ is to Pinsent Masons LLP and/or one or more of those affiliated entities as the context requires. © Pinsent Masons LLP 2013

For a full list of our locations around the globe please visit our websites: www.pinsentmasons.com www.Out-Law.com

Page 37

The draft EU data protection regulations

Caroline Roberts, Director of Public Affairs, DMA

Page 38

Update on Draft EU Data Protection Regulation

DMA Scotland, 25th September 2013

Caroline Roberts, Director of Public Affairs, Direct Marketing Association (UK)

Page 39

Context - why now?

1995 European Directive (implemented into UK by 1998 Data Protection Act) showing its age…

1) New technologies and more complex information networks
2) Lack of common European law and differences in national implementation
3) Consumer concern over privacy
4) Data protection now fundamental right under EU Charter of Fundamental Rights

Page 40

Headline proposed changes

• Expanded definitions: “personal data” and “data subject”
• Explicit consent required
• Right to be forgotten
• Greater emphasis on accountability
• Notification of data security breaches
• More onerous sanctions for breaches
• Data processors directly covered

Page 41

Consent

Consent: Current Position
- Freely given, specific, informed indication of the data subject’s wishes
- Explicit consent required for sensitive personal data only

Consent: Proposed Position
- Freely given, specific, informed and explicit indication of data subject’s wishes
- Given either by a statement or a clear affirmative action
- Data controller / data subject relationship to be taken into account
- Burden of proof on controller to demonstrate consent

Page 42

Introduction of opt-in/explicit consent

• Review language used at point of data collection to ensure that consent is explicit / opt-in
• Do people understand what they are agreeing to?
• Think about how legacy databases will be updated

Page 43

Key points in the draft Regulation

IP addresses and cookies

• Definition of personal data extended so could cover some IP addresses and cookies as “online identifiers”
• But IP addresses identify a device not an individual + some IPs are general
• Huge implications for digital marketers
• Web analytics & profiling made much more difficult, if not impossible
• Interaction with new cookie rules problematic

Page 44

Key points in the draft Regulation

The right to be forgotten

• Right for individuals to request organisations to delete any information held on them
• Drafted with social media in mind – but goes beyond this
• Problem of information that has already been passed on to third parties
• Possibility of misleading consumers by raising unrealistic expectations
• Changes to current text likely

Page 45

Key points in the draft Regulation

Data Breach notification

• Any data security breach to be notified to ICO and the individuals concerned within 24 hours
• Report to cover:
  – nature of breach
  – number of data subjects
  – categories of data
  – proposed mitigation
• Not always obvious if there has been a breach or how extensive it is
• Problem of notification fatigue
• No threshold level specified

Page 46

Data security breach notification

Companies need to:
• Introduce breach notification detection procedures
• Think about how to notify data protection authorities and affected individuals within whatever timescale is agreed
• Develop/review data breach response plans

Page 47

Key points in the draft Regulation

Subject Access Requests (SARs)

• Data subjects to be able to request full information on data held on them free of any charge
• Currently can levy a £10 fee – doesn’t cover cost but deters time-wasters, frivolous or vexatious requests
• Costs organisations £50 million p.a. now to meet SARs
• Proposal that can provide data in electronic form if data subject agrees to this
• Particular problem for financial services with mis-selling issues and claims management firms

Page 48

Subject Access Rights

• New Regulation may lead to increased public awareness of rights e.g., right to request information (data subject access requests, right to be forgotten)

Companies need to:
• Plan ahead for increase in queries from clients/public
• Introduce appropriate training for client/customer service teams

Page 49

Key points in the draft Regulation

Compliance obligations

• Data protection obligations now shared between agencies and clients, for example if holding client’s database
• Privacy by Design/Privacy by Default
• Appointment of DP officer (250+ employees)
  – 2 year appointment
  – Independent reporting to board
• Information and training
• Maintenance of documentation
• Data protection impact reports
• International transfers of data outside EEA – law would apply to any processing of data of EU citizens

Page 50

Compliance obligations

Action:
• Review amount of data being processed, erasure policies and data retention policies
• Requirement to demonstrate compliance will mean more documentation in respect of policies and procedures
• Contact centres, mailing houses, email/SMS broadcasters will also be subject to these new obligations, especially in respect of data security
• Review staff training in data protection.
• Appointment of a data protection officer?
• Risk-based approach to compliance and data protection impact assessments

Page 51

Proposed enhanced sanctions

• Up to €500k or 1% annual worldwide turnover: intentional or negligent failure to respond to subject access requests in accordance with Regulation
• Up to €1m or 2% of annual worldwide turnover for other compliance failures
• Depends on:
  – size of organisation involved
  – nature and gravity of breach
  – whether intentional or negligent
  – technical and organisational measures
  – previous breaches
  – co-operation with ICO

Page 52

Key Points in the draft Regulation

Delegated Acts

• Many details to be implemented through additional delegated legislation – some 45 Delegated Acts mentioned.
• Details will not be clear until Regulation is passed
• These areas of secondary legislation will include:
  – powers to specify further procedures
  – technical standards for Privacy by Design/Default
  – specification of lawful processing condition
  – additional responsibilities for national data protection authorities; etc.
• European Commission taking significant powers to itself away from the national authorities - raises serious issues of subsidiarity and accountability
• National governments and Data Protection Authorities are concerned

Page 53

Scope of the Draft Regulation

• Main establishment / one-stop shop provisions
• Think about which country’s national data protection authority will be lead regulator
• Possibility of changing country where head office is located
• Review arrangements for transfers of data outside EEA (28 Member States of EU + Iceland, Liechtenstein, Norway)
• Global group – application to EU citizens’ personal data.

Page 54

Impact on direct marketing

• Existing databases may not be usable: could decimate prospect lists. Legacy data?
• No tracking data, profiling or segmentation without explicit consent – less targeted and more generic communication?
• List broking severely restricted
• New information requirements and rights of the data subject, e.g. Right to be Forgotten
• Increased costs - £76,000 per business to comply + possible £47 billion of lost sales in UK

Page 55

Draft Regulation - DMA View

• DMA welcomes the Commission’s aim to reduce red tape and simplify bureaucracy – but proposals do not achieve that: overly strict, bureaucratic and unworkable
• Needs to be a fair balance between privacy and legitimate business interests
• Current proposals will stifle innovation, add considerably to business costs and place unnecessary obstacles to e-commerce jobs growth
• Will be particularly harmful to SMEs – MoJ says demonstrating compliance will cost £10m p.a.
• Hard to say how Commission’s estimate of 2.3 billion euro saving to businesses was calculated

Page 56

[Diagram: The process of EU decision-making – Federation of European Direct and Interactive Marketing. Stages shown: proposes legislation, codecision, adoption, into national law.]

Page 57

Current position – European Parliament

• Civil Liberties Committee (LIBE) taking lead – Rapporteur: Jan Philipp Albrecht MEP (German Green)
• His report published 9th January – in parts even tougher than Commission proposals
• 4 other Committees gave Opinions – 3000+ amendments tabled
• Vote to be taken in LIBE postponed from April to May to June to September to October …
• Could run out of time – elections in June 2014

Page 58

Current position – Council of Ministers

• Council of Ministers Working Group (DAPIX) meeting monthly
• Initial indications that UK Government (and others) taking helpful and business-friendly stance
• Many object to delegated acts; find it too prescriptive and would prefer a more principles-based approach
• UK pushing for a directive, rather than a regulation – as is Germany

Page 59

EU Council latest

• Irish Presidency revised draft on 31/5 on chapters 1-4.
• A more business-friendly approach
• Right to privacy not an absolute right but must be balanced with other fundamental rights
• Legitimate interest specifically recognised as legal basis for processing
• “Explicit” becomes “unambiguous”
• Appointment of DPO discretionary
• Breach notification and other obligations on risk based approach
• Still a way to go…
• Lithuania took over Presidency on 1/7

Page 60

Current position – Commission

• Commissioner Viviane Reding has said that willing to look at:
• More risk-based approach with focus on type of data being processed
• Less prescription – although no detail
• Some exemptions for SMEs?
• Overall principles must be same for both public and private sectors
• Delegated and implementing acts – self-regulation perhaps for some?

Page 61

Timing in the EU institutions

• Commission proposal for a Regulation in January 2012
• Parliamentary lead committee draft report: 9 Jan 2013
• Deadline for tabling amendments: 27 Feb 2013
• Vote in leading committee: October 2013
• Trilogue with Council: October - December 2013
• Expected plenary vote (1st reading): End 2013
• Takes effect: 2 years after adoption – 2016?

Page 62

Ministry of Justice

• Disagrees with Commission’s 2.3bn Euro savings – burdens imposed will far outweigh net benefits: in UK cost @ £100-360 million
• Many unintended consequences, esp for SMEs
• Changes to consent, profiling & definition of personal data particularly costly to industry
• Likely knock-on effects for growth in technological sector and internet economy
• Regulatory Impact Assessment quotes DMA’s figures & examples
• Impact on behavioural advertising
• Creates unrealistic expectations for consumers – R2BF proposal is “unworkable”
• Secretary of State Chris Grayling concerned about impact on economy and jobs

Page 63

Information Commissioner

• Proposals are “insufficiently risk-based and contain unrealistic time limits”
• Very costly – who pays?
• Would compromise independence of ICO
• Role of ICO would change from giving advice and guidance to process-driven checks
• UK could end up being a one-stop-shop magnet

Page 64

Key lobbying messages

• Data is essential for economic growth
• UK has leading role in EU digital economy
• SMEs particularly affected
• Transparent and responsible use of data is a vital business practice
• In industry’s interests to handle data with care
• Self-regulation has valid role to play
• Regulation will not stop bad players
• The proposed regulation is bad for consumers
• Would damage users’ online experience
• Danger of tick-box culture & unrealistic expectations
• Need a proportionate data regime that recognises that not all data is the same
  – Personal data, sensitive data, anonymous/pseudonymous data
  – Different levels of protection required

Page 65

Lobbying activity

• In Brussels with key individuals in Council, Commission & Parliament, e.g. MEPs & advisers; party groups
• In UK, Ministers in MoJ, DCMS, BIS, HM Treasury + Opposition spokesmen
• Alliance of interests – UK Data Group, FEDMA, CBI, etc. - for collective lobbying of Council and Parliament & lobbying directly where there is no national DMA
• Position papers on priorities for industry + draft amendments to text
• Research on consumer attitudes to privacy and on economic value of the dm industry

Page 66

DMA lobbying toolkit

www.dma.org.uk

Page 67

Any Questions?

Caroline Roberts, Director of Public Affairs
[email protected]
020 7291 3346

Free advice for DMA members from DMA’s Legal Department
by email: [email protected]
or call: 020 7291 3360

Page 68

Panel Discussion

Page 69

Upcoming events

Wednesday 23 October - Data protection compliance workshop London - http://dma.org.uk/civicrm/event/info?reset=1&id=251
Thursday 14 November - Content Marketing event - http://dma.org.uk/civicrm/event/info?reset=1&id=268
Thursday 21 November - Scotland Christmas Party - http://dma.org.uk/civicrm/event/info?id=255&reset=1