GDPR and the UK Data Protection Act were implemented in May 2018 following more than six years of discussion in the EU legislative process and a further two-year implementation period for companies and governments. The update to data protection legislation was the first since 1995/1998 and had two clear purposes: to modernise data protection legislation in view of digital transformation, especially the explosion of data, and to harmonise the approach across Europe by shifting from a Directive to a Regulation for consistency. Harmonisation should still be the aim, despite Brexit, to enable companies to trade coherently across Europe.
Since 2018 the aim of harmonisation has been put at severe risk by Data Protection Authorities across Europe applying the legislation in radically different ways in each country. For the data and marketing sector this manifests itself in two fundamental aspects that threaten customer trust, economic growth and job creation: firstly, the legitimate interest grounds for processing, and secondly, the processing necessary to know customers better in order to serve them better with relevant products and services.
Interpretations of the applicability of legitimate interest (LI) to normal processing activities vary from the Dutch DPA, which says no commercial activity is a legitimate interest, to Austria and Italy, which have approved Codes of Conduct under GDPR that recognise legitimate interest as valid grounds for some activities, especially those that benefit customers. DPAs should apply the law as it is written, which was reinforced on Monday when a Dutch court ruled comprehensively that commercial interests, including data and marketing, are indeed legitimate interests:
“The fact that the legitimate interest must be viewed through a negative test is also in line with recital 47 of the GDPR, which mentions ‘direct marketing’ as an example of a possible legitimate interest… As the court has already considered in paragraph 17, it is up to the processor of the personal data to establish a legitimate interest… The Data Protection Authority has therefore not interpreted the legitimate interest in an open and flexible manner… In summary, the court comes to the conclusion that the DPA’s assessment in this case is based on a misinterpretation of the concept of ‘legitimate interest’ and is therefore contrary to Article 6 of the GDPR… The fine cannot therefore be maintained… the fine is completely off the table.”
Customers value receiving offers that are relevant to them, which is highlighted by the DMA’s ‘Customer Engagement – How to win Trust & Loyalty 2020’ research. But in order for businesses to provide a personalised experience for customers, they must have access to insights gained from their own first-hand knowledge of customers, as well as additional insights. Organisations that communicate the right products and services to customers create a more efficient economy, reduce wasteful spending and are valued by customers. Such legitimate economic activity is an example of the normal, beneficial processing that was anticipated by the legitimate interest basis.
This brings us to the role of Codes of Conduct under GDPR which were intended to interpret GDPR for particular sectors and to achieve harmonisation across Europe through co-regulation, the first time ever that co-regulation has been enabled by data protection legislation.
The logic is that a GDPR Code of Conduct operated consistently across 27 or 28 countries via an Industry Monitoring Body can provide a consistent interpretation of key aspects of GDPR within an industry sector, particularly as it is not realistic to expect 27 or 28 DPAs across Europe to have expertise in every sector from medical research to travel to ecommerce, and also in every business function from HR to accounting to marketing.
In particular, Article 40 specifies the role of Codes of Conduct as follows:
The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.
Associations and other bodies representing categories of controllers or processors may prepare codes of conduct … for the purpose of specifying the application of this Regulation, such as with regard to:
(a) fair and transparent processing;
(c) the collection of personal data;
(d) the pseudonymisation of personal data;
(e) the information provided to the public and to data subjects;
(f) the exercise of the rights of data subjects;
(g) the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;
(h) the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32.
The data and marketing industry has been working hard to achieve consistent interpretation of GDPR across Europe through a combination of an EU Code of Conduct and National Codes of Conduct. A European Code for Data and Marketing is well advanced under the leadership of Fedma, which I co-chair, working with the CNIL in France. The text is currently being revised based on initial input from the CNIL and should hopefully be presented to the EDPB by April.
At a local level, the Austrian DPA has approved a very specific Code of Conduct for the use of third-party data for advertising mail, developed by the Austrian DMA. The Austrian DPA also recently approved the Austrian Standards Institute as the monitoring body, with complaints about companies that have been audited being passed from the DPA to the Industry Monitoring Body (IMB). The Italian DPA has approved a specific Code of Conduct for the use of Business Information Services, which is closely connected to the business insights needed to serve people in their professional capacity. Again, complaints about companies under this Code will be passed to the IMB, which is in the process of being approved. Here in the UK the DMA is working closely with the ICO to approve a data and marketing Code of Conduct, including recognition of the existing Data and Marketing Commission as the IMB.
Critically, Article 40 also specifies that an EU-level industry Code of Conduct can be a basis for international data transfers between the EU and third countries, a significant prize worth playing for in the wake of Schrems 2 and the additional risk that the UK might not be granted data adequacy following Brexit.
All of these Codes of Conduct must reflect the GDPR text as it was written, applied through the lens of sector knowledge and expertise. In this regard, clause 40(b), covering “the legitimate interests pursued by controllers in specific contexts”, is particularly crucial.
Other countries have moved to clarify the scope of legitimate business interests, such as the 2 November 2020 amendment to Singapore’s Data Protection Act. This amendment created a very clear and specific Business Improvement Exception to the consent requirements. Specifically, the Bill permits the use of personal data without consent for the following purposes:
Improving or enhancing any goods or services provided, or developing new goods or services to be provided;
Improving or enhancing the methods or processes, or developing new methods or processes, for operations;
Learning about and understanding the behavior and preferences of the individual or another individual, in relation to the offered goods or services;
Identifying any goods or services provided that may be suitable for the individual or another individual, or personalizing or customizing any such goods or services for the individual or another individual.
This Business Improvement Amendment is very similar to what the data and marketing sector understands to be the objective of legitimate interest within the text of GDPR as it applies to our sector.
We will work hard, using our sector expertise, to ensure that all approved data and marketing Codes of Conduct across Europe for our industry reflect this, in order to establish the harmonisation and consistency that was intended by GDPR being a Regulation rather than a Directive, and to ensure that the UK is a part of this system even after Brexit. If, in a worst-case scenario, the UK is denied data adequacy, then the industry Code of Conduct can provide a new basis for international data transfers between the UK and the EU, in addition to Standard Contractual Clauses and Binding Corporate Rules.