FEDMA - Federation of European Direct and Interactive marketing

Data Protection

Overview

Data Protection is key to any direct and interactive marketing. Its regulatory provisions should be flexible enough to guarantee the development of direct marketing and e-commerce. FEDMA is active in the following areas:

The Data Protection Directive

PETs (Privacy Enhancing Technologies)

Privacy and Electronic Communications

FEDMA’s Code of Practice

The Safe Harbor Agreement 

Model Contracts

Access to Public Sector Information

 

The Data Protection Directive

Background

 
The Data Protection Directive (Directive 95/46/EC on the Protection of Individuals with regard to the Processing of Personal Data and the Free Movement of such Data) was adopted in October 1995 with the aim of guaranteeing the free flow of personal data between the EU Member States.

It provides, in particular, the obligation for direct marketers to inform subjects that their data may be collected and used for direct marketing, and to give them the right to object to this (the so-called “opt-out” regime). However, some Member States have been adopting provisions which are contradictory to the Directive, by introducing laws which go beyond the requirements of the Directive (e.g. the Italian law requires opt-in before any form of direct marketing can be sent to a consumer).

Current Status

 

On 7 March 2007 the EC issued a Communication on the follow-up of the Work Programme for better implementation of the Data Protection Directive. The document followed up on the analysis provided by the 2004 First Report on the Implementation of the Data Protection Directive (see below).

 

The Communication points out the main problems as being:

  • Failure of some Member States to fully and adequately implement the Directive’s provisions;
  • Divergences in Member State laws within the margin of manoeuvre of the Directive;
  • Adaptation to evolution in technology;
  • Consideration of requirements imposed by public interests such as public security, defense, State Security and activities of the State in areas of criminal law.

 

With this situation as the background, the Commission then expressed its intention of pursuing a policy taking into consideration the following elements:

 

  • The possible ratification of the Constitutional Treaty, which would create a “specific and self-standing legal basis” for Data Protection in the EU;
  • The maintenance of the status quo – the EC does not envisage submitting any legislative proposal to amend the Directive;
  • The pursuit of proper implementation at both national and international levels;
  • The production of interpretative communications on some provisions.

In the three years since the last report was published not much has happened. The Article 29 Working Party has come out with a few recommendations of relevance to direct marketing, and has adopted the Model Contract (see below). A second co-regulatory code is believed to be near completion, and FEDMA is working with the Working Party on an "online annex" to its code.

 

FEDMA's Involvement

 

FEDMA will remain in close touch with the Data Protection Unit in the Commission, in order to help it develop its work plan. The new draft of the “online annex” was sent to the Article 29 Working Party in early June 2007, and the first sub-group meeting to discuss this draft is due to take place sometime in September.

Links

 
Directive 95/46/EC on the Protection of Individuals with regard to the Processing of Personal Data and the Free Movement of such Data

Report on the Implementation of the Data Protection Directive (95/46/EC)

FEDMA Code of Practice for the Use of Personal Data in Direct Marketing (also available in French)

Article 29 Working Party Opinion 4/07

 

Comment: The Article 29 Working Party has produced a number of opinions, which are advisory in nature but not binding. The last one published was Opinion 4/07 on the “concept of personal data”.

 

PETs (Privacy Enhancing Technologies)

Background
In early 2007 the EC released a Communication on Privacy Enhancing Technologies which also followed on from the First Report on the Implementation of the Data Protection Directive. It has recognized that the system in place with regard to the European legal framework on the protection of personal data may prove insufficient when dealing with the worldwide dissemination of personal data through ICT networks and different jurisdictions.

To overcome the difficulties that arise when technology is used in different locations by different actors, the EC considers that PETs might be an important measure to ensure the appropriate level of security laid down in Article 17 of the Data Protection Directive. It also reinforced the idea that the use of these tools would be merely complementary to the existing legal framework and enforcement mechanisms.

The Communication contains a brief explanation of what PETs are, namely a “coherent system of ICT measures that protects privacy by eliminating or reducing personal data or by preventing unnecessary and/or undesired processing of personal data, all without losing the functionality of the information system”, and refers to different types of PETs such as:

  • Automatic anonymisation of data;
  • Encryption tools;
  • Cookie-cutters;
  • Platform for Privacy Preferences (P3P)

The following activities will be conducted by the Commission in order to increase the level of privacy and data protection in the Community.

  • Continuing to support the developments of PETs
  • Continuing to support the use of available PETs by data controllers (which could involve some degree of standardization and coordination of national technical rules on security measures for data processing)
  • Promoting the use of PETs by public authorities
  • Encouraging consumers to use PETs (which may involve the use of privacy seals).

Comment: Although FEDMA foresees that standardization and the encouragement of the use of privacy seals might pose a problem for direct marketers, the EC has promised to investigate their feasibility thoroughly and analyse their economic and societal impact.

 

Links

Communication on Promoting Data Protection by Privacy Enhancing Technologies (PETs)

 

 

Privacy and Electronic Communications

Background
In 1997 Directive 97/66/EC on the Processing of Personal Data and the Protection of Privacy in the Telecommunications Sector (the so-called ISDN Directive) was adopted. Among other things, this called for opt-in for fax marketing to consumers. The Commission then decided to revise the Directive to cover more comprehensively the issue of electronic communications, and the final version of the Privacy Electronic Communications Directive (2002/58/EC) was adopted in May 2002. It should have been implemented by all the Member States by October 2003.

One of the main reasons for the existence of this directive is the problem of Spam. Spam poses an extremely serious threat to direct and interactive marketing, as it reduces consumer confidence in e-mail marketing as a medium and e-commerce in general. 

The directive calls for “soft opt-in” on unsolicited commercial communications. Soft opt-in means that a legal (company) or natural person cannot contact (send an unsolicited commercial communication to) a potential customer via electronic means (e.g. e-mail, SMS), unless the customer has given their consent to receive such marketing messages. However, marketers may contact a customer whose contact details (e.g. e-mail address/mobile phone number) have been obtained in the context of a sale, as long as the customer has the opportunity to opt out from further contact. The word “purchase” was used in the first draft instead of the word “sale”, but was deemed to be too hard and “sale” was used instead.

The directive also regulates the use of cookies on websites. Websites must inform the user of what a cookie is and how it is going to be used. This can be done via a link on the website to a cookie policy or by referring to the IAB Cookie project.

In February 2004 the Article 29 Working Party issued an Opinion on how it felt the Directive should be interpreted. Worryingly, it called for an extremely strict interpretation of what were already strict rules. Some points from the opinion which are of particular concern to FEDMA members include:

  • E-mail or other e-communication lists which have not been gathered via opt-in may not be used, even if they were put together before opt-in became law.
  • Consumers should be offered the chance to opt out on every message, and the opt-out should be possible by using the same medium as the message. Obviously this is difficult with SMS marketing, where the number of characters which can be used is extremely limited.
  • According to the Directive, consent is needed unless the data was collected in the context of the sale of a similar product or service. Here the Working Party tries to redefine the wording by stating that this exemption should be interpreted “restrictively”, and raises the question of how long the period of consent might be said to last. FEDMA has discussed this with the Data Protection Authorities (the Article 29 Working Party), and they have recognised the problems of imposing time limits on the retention of data (products have widely varying lifetimes), and the impact this has on long-term customer retention and CRM.
  • The opinion also says that subsidiaries of a single company and parent companies should not be considered as the same company. This has huge implications for large organisations such as banks which have several divisions with one central database.

Current Status

This Directive is part of the so-called 'Telecoms package' which the European Union passed over a decade ago. In 2006 the Commission announced its intention to revise the whole package. There have been various statements suggesting stiffer rules against spam (see below) but so far the Commission has expressed no intention of issuing a revision to the directive. In autumn 2007 the Commission will issue a Commission Communication on the Regulatory Framework. The Commission's revised draft directives will be decided upon through the co-decision procedure, and negotiations between the European Parliament and the Council are expected to take up to two years, until 2009.

 

Spam

When the directive was first proposed the Commissioner responsible claimed it was the "silver bullet" which would kill spam in the EU.

He was proven wrong. Spam has grown, and has developed a number of increasingly dangerous aspects: viruses, Trojan horses, malware, phishing, etc.

Prosecuting real spammers is difficult because most are located in countries where there are either no spam laws or very weak enforcement. In fact there is no single “silver bullet” which can solve the problem of Spam once and for all. FEDMA favours the creation of a “toolbox”, which could include the following elements:

  • Legislation – Many countries around the world now have anti-spam legislation. However, it is important that this be enforced. Furthermore, it should not be forgotten that many spam e-mails are fraudulent, and much of the money that is made from spam is channelled into illegal activities. All of this should be borne in mind when spammers are prosecuted.
  • Technical solutions – Many internet service providers (ISPs) and software providers are working on technical ways to stop spam in its tracks, but care must be taken that legitimate commercial e-mails are not incorrectly blocked (as often happens at the moment).
  • Education – Businesses and consumers must be made aware of their role in the fight against spam, by making sure their computers cannot be hijacked by spammers, and by ensuring that they do not reply to spammers or hand over any money or personal details to them.
  • Best Practice – Legitimate marketers must follow best practice in their e-mail marketing campaigns to ensure that consumers (and legislators) are able to identify them as legal e-mails, and not spam.
  • International cooperation – As most spam comes from abroad, it is vital that law enforcement authorities work together to bring spammers to justice.

There are a number of excellent initiatives aimed at combating Spam and other related dangers on websites, such as spyware and botnets. The OECD produced a toolkit which took many of FEDMA's proposals on board. The European Commission has set up a group of national regulators and enforcement agencies, and a group of regulators, enforcers and industry have started an informal cooperation called the London Action Plan (LAP), of which FEDMA is a member.

In November 2006 FEDMA adopted a code on Spyware, and a New Media Council is being set up. There is a FEDMA e-mail Marketing Council which works with the List Council.

Links

Directive 97/66/EC on the Processing of Personal Data and the Protection of Privacy in the Telecommunications Sector

Directive 2002/58/EC on Privacy and Electronic Communications

Article 29 Working Party’s Opinion on unsolicited communications for marketing purposes under Article 13 of Directive 2002/58/EC

The IAB Cookie Project

For more information on the New Media or E-mail Marketing Councils, contact Jorgen N. Andreassen (Tel: +32 2 778 99 28, E-mail jandreassen@fedma.org).  

 

FEDMA’s Code of Practice

In June 2003, FEDMA successfully concluded seven years of negotiations with the Article 29 Working Party to gain approval for its Code of Practice for the Use of Personal Data in Direct Marketing.

The purpose of this code is to guarantee strict business practices to protect personal information and at the same time allow the growth of direct and interactive marketing. FEDMA has also been asked to produce a specific part of the code to cover on-line marketing, and sent a final draft to the Article 29 Working Party in early June 2007. The first sub-group meeting dedicated to discussing the “online annex” will take place sometime in September 2007.

Links
FEDMA Code of Practice for the Use of Personal Data in Direct Marketing (also available in French)
FEDMA’s Press Release

The European Commission’s Press Release

 

The Safe Harbor Agreement

Background
After more than two years of negotiations, the “Safe Harbor” agreement between the United States and Europe took effect in November 2000. The origin of the “Safe Harbor” negotiations was the European Union’s Data Protection Directive. According to the Directive, information may not be transferred to countries which do not have “adequate” data protection regimes. The US does not have a general privacy law and the EU therefore saw the need to create a programme in order to protect European data.

Seven principles were drafted to secure the safety of personal information which was being transferred to the USA:

  • Notice of what information is collected and how it is used
  • Opportunity to opt-out of third party data sharing
  • Onward transfer of data only to third parties that give notice and choice
  • Security precautions to safeguard data
  • Data integrity processes for the collection of relevant data only
  • Access to information and the ability to correct or ask for deletion
  • Enforcement of privacy protection and sanctions

Organisations that would like to join the “Safe Harbor” agreement have to submit a certification form to the International Trade Administration of the US Department of Commerce. In 2006 the Safe Harbor agreement was reviewed and it was decided to continue it without amendment.

Links
The website of the Safe Harbor agreement 
The European Commission's FAQs page on the Safe Harbor agreement
The US DMA's information on the Safe Harbor agreement

Model Contracts

Background

In 2001 the European Commission published two Decisions on standard contractual clauses for the transfer of personal data to third countries: one for the transfer of personal data to the data controller; and one for transfer to the processor established in a third country.

These standard contract clauses are also known as "Model Contract Clauses". These are supposed to be "off the shelf" contracts, but were considered to be difficult to use.


FEDMA's Involvement

In March 2001, FEDMA, together with representatives from the ICC and other organisations, expressed their concern that the model contracts proposed by the Commission were too difficult for businesses to implement. A business consortium made up of the American Chamber of Commerce to the European Union in Brussels (AmCham EU); Confederation of British Industry (CBI); European Information, Communications and Consumer Electronics Technology Industry Associations (EICTA); Federation of European Direct and Interactive Marketing (FEDMA); International Chamber of Commerce (ICC); International Communication Round Table (ICRT); and the Japan Business Council in Europe (JBCE) worked closely with the Commission to develop a set of clauses which was more acceptable to businesses and consumers alike.

 

Current Status

 
In December 2004, the European Commission approved the standard contractual clauses for data transfers proposed by FEDMA and its partners as offering an “adequate level of data protection” under the EU’s data protection laws. As of April 2005 the Model Contract came into force together with a list of FAQs. It can be found on the EC website and on the FEDMA website.

In 2005, following the success of the first Model Contract, which covers controller to controller, the ICC, FEDMA and AmCham proposed to negotiate the second Model Contract, between controller and processor. This is now in draft, and we hope it will be agreed before the end of 2007.

 

Access to Public Sector Information 

Background
The Directive on the Re-Use and Commercial Exploitation of Public Sector Documents (2003/98/EC) was adopted in 2003. Access to public sector information is essential for direct marketers, not only to obtain personal data to promote goods and services, but also to comply with the essential data protection principle of keeping personal data accurate and up to date. Citizens and businesses can greatly benefit from this initiative. The Directive provides a harmonised legal framework that can improve the possibilities to re-use public sector information, as well as the availability of pan-European marketing campaigns, as harmonised legislation would be able to guarantee pan-European companies that the data they hold are accurate enough to ensure a successful response.

Current Status
The Directive should have been implemented in all Member States by July 1, 2005. In some cases the results have been disappointing.


Links 
Directive 2003/98/EC on the Re-Use and Commercial Exploitation of Public Sector Documents