This document provides an agenda and summaries for a legal update event on data protection hosted by Pinsent Masons. The event will cover the current position of the EU Draft Data Protection Regulation and potential changes, consumer rights legislation, and ICO guidance on direct marketing. Speakers will discuss the impact of these regulations and guidance on businesses, including increased compliance obligations, sanctions for non-compliance, and restrictions on data processing and direct marketing. The event aims to help businesses understand and prepare for new data protection laws and regulations.

1. Data protection 2013
Friday 8 February
#dmadata
Supported by
Legal update –Leeds
Autumn 2014
Tuesday 7 October 2014, Pinsent Masons
#dmalegal

2. Welcome
James Milligan , DMA Solicitor
#dmalegal

3. 2.00pm Registration
2.30pm Welcome
James Milligan, DMA Solicitor
2. 35pm EU DraftData Protection Regulation –The current position, potential changes and the impact on the industry
James Milligan, DMA Solicitor
3.05pm Consumer rights bill and consumer rights directive
James Milligan, DMA Solicitor
3.25pm ICO Direct marketing guidance
James Milligan, DMA Solicitor
3.55pm Q&A
4.30pmm Close
Agenda

4. EU Draft Data Protection Regulation – The current position, potential changes and impact on the industry
James Milligan, DMA Solicitor
#dmalegal

5. Impact of the new Data Protection Regulation –Why now?
•Data Protection Directive 95/46/EC ("Directive") (implemented in UK by 1998 Data Protection Act) showing its age
•New technologies and more complex information networks
•Lack of common European law and differences in national implementation
•Consumer concern over privacy
•Data protection now a fundamental right under EU Charter of Fundamental Rights
5

6. EU data protection reform timeline
•Jan 2012 -first draft Data Protection Regulation ("DPR")
•December 2012-amendments suggested by the Rapporteur of EC Committee on Civil Liberties, Justice and Home Affairs ("LIBE Report")
•February –May 2013 –Reported that 4000 amendments tabled
•May 2013-partial "compromise" draft from Justice and Home Affairs Ministers ( "CD" )
•October 2013 -LIBE voted on amendments
•October 2013 –Heads of Government meeting
•December 2013 –Inconclusive Justice and Home Affairs Ministers meeting
6

7. EU data protection reform timeline
•Jan 2014 Civil servants working group meetings continue
•Mar 2014 MEPs adopted LIBE report
•May 2014European Parliament elections
•June 2014Justice and Home Affairs Ministers “agree chapter on international data transfers
•Oct 2014Justice and Home Affairs Ministers “agree” chapter on general obligations of data controllers and processors
•Nov 2014New European Justice Commissioner and other Commissioners take office??
•June 2015 Justice and Home Affairs Ministers agree position??
•Late 2015 Regulation is passed in Brussels??
•Late 2017 Implemented into UK law??

8. 8
8
•LIBE report adopted by all MEPs March 2014
•Proposes a number of changes to European Commission original text
•Majority of changes favour consumer rather than businesses
Changes proposed by the European Parliament to the draft Data Protection Regulation (LIBE Report)

9. The "compromise draft" agreed by EU Justice Ministers 2013-2014
•"More business friendly" compromise draft ("CD") is only partial: Chapters I-IV
•More changes to Chapters I-IV may be needed once the remainder has been updated
•Regulation or Directive? –wording proposed allows for Regulation to be transformed into a Directive (supported by 8 member states)
•June 2014 Chapter V –international issues, transfers of data, applicability of Regulation
9

10. Headline proposed changes
•Expanded definitions: “personal data” and “data subject”
•Explicit consent required
•Right to be forgotten
•Greater emphasis on accountability
•Notification of data security breaches
•More onerous sanctions for breach
•Data processors directly covered

11. Consent
Consent: Current Position
Consent: Proposed Position
-Freely given, specific, informed indication of the data subject’s wishes
-Explicit consent required for sensitive personal data only
-Freely given, specific, informed and explicitindication of data subject’s wishes
-Given either by a statement or a clear affirmative action
-Data controller / data subject relationship to be taken into account
-Burden of proof on controller to demonstrate consent

12. Introduction of opt-in/explicit consent
•Review language used at point of data collection to ensure that consent is explicit /opt-in
•Opt-in /explicit consent not required for postal marketing in European Parliament version of the text
•Do people understand what they are agreeing to? –nation of liars
•Think about how you will update legacy databases
•Children –consent wording for under 13’s if offering them an information society service

13. Key points in the draft RegulationIP addresses and cookies
•Definition of personal data extended so could cover some IP addresses and cookies as “online identifiers”
•But IP addresses identify a device not an individual + some IPs are general
•Huge implications for digital marketers
•Web analytics & profiling made much more difficult, if not impossible
•Interaction with new cookie rules problematic

14. IP addresses and cookies
•Think about how you will deal with extension to Include location data, IP addresses, cookies, online identifiers
•Pseudonymous/annonymous data –will you be able to take advantage of exceptions?

15. •Right for individuals to request organisations to delete any information held on them
•Drafted with social media in mind –but goes beyond this
•Problem of information that has already been passed on to third parties
•Possibility of misleading consumers by raising unrealistic expectations
•Changes to current text likely
•European Court of Justice Google Spain case
Key points in the draft Regulation - The right to be forgotten

16. The right to be forgotten
•Prepare to respond to requests
•Deletion/ suppression
•Other legal requirements to keep information e.g. accounting, tax, money-laundering

17. Key points in the draft Regulation - Data Breach notification
•Any data security breach to be notified to ICO and the individuals concerned within 24/72 hours
•Report to cover:
•nature of breach
•number of data subjects
•categories of data
•proposed mitigation
•Not always obvious if there has been a breach or how extensive it is
•Problem of notification fatigue
•No threshold level specified

18. Data security breach notification
•Introduce breach notification detection procedures
•Think about how you will notify data protection authorities and affected individuals within whatever timescale is agreed
•Develop/review your data breach response plan

19. Key points in the draft Regulation - Subject Access Requests (SARs)
•Data subjects to be able to request full information on data held on them free of any charge
•Currently can levy a £10 fee –doesn’t cover cost but deters time-wasters, frivolous or vexatious requests
•Costs organisations £50 million p.a. now to meet SARs
•Proposal that can provide data in electronic form if data subject agrees to this
•Particular problem for financial services with mis-selling issues and claims management firms

20. Subject Access Rights
•New Regulation may lead to increased public awareness of rights e.g., right to request information ( Data Subject Access Requests, Right to be forgotten)
•Plan ahead for increase in queries from clients/public
•Training for client/customer service teams
•Amend wording on privacy policies/data collection notices to take account of new rules on profiling.

21. Key points in the draft Regulation - Compliance obligations
•Data protection obligations now shared between agencies and clients, for example if holding client’s database
•Privacy by Design/Privacy by Default
•Appointment of DP officer (250+ employees)
-2 year appointment
-Independent reporting to board
-Information and training
-Maintenance of documentation
-Data protection impact reports
•International transfers of data outside EEA –law would apply to any processing of data or EU citizens

22. Compliance obligations
•Review amount of data being processed, erasure policies and data retention policies
•Requirement to demonstrate compliance will mean more documentation in respect of policies and procedures
•Contact centres, mailing houses, email/SMS broadcasters will also be subject to these new obligations, especially in respect of data security
•Review staff training in data protection.
•Appointment of a data protection officer?
•Risk-based approach to compliance and data protection impact assessments

23. Key points in the draft Regulation - Proposed enhanced sanctions
•Up to €500k or 1% annual worldwide turnover intentional or negligent failure to respond to subject access requests in accordance with Regulation
•Up to €1m or 2% of annual worldwide turnover for other compliance failures
•Depends on:-
-size of organisation involved
-nature and gravity of breach
-whether intentional or negligent
-technical and organisational measures
-previous breaches
-co-operation with ICO

24. Enhanced sanctions/fines
•Watch out if you get it wrong!
•Increase focus on compliance –board level issue
•Review internal policies and procedures

25. •Main establishment/ one-stop shop provisions
•Think about which country’s national data protection authority will be lead regulator
•Possibility of changing country where head office is located
•Review arrangements for transfers of data outside EEA (28 Member States of EU + Iceland ,Liechtenstein, Norway)
•Global group –application to EU citizens’ personal data.
•European Court of Justice Google Spain right to be forgotten case -link between Google Spain and Google USA
Key Points in the draft RegulationCross –border issues

26. •Existing databases may not be usable: could decimate prospect lists. Legacy data?
•No tracking data, profiling or segmentation without explicit consent –less targeted and more generic communication?
•List broking severely restricted
•New information requirements and rights of the data subject, e.g Right to be Forgotten
•Increased costs -£76,000 per business to comply + possible £47 billion of lost sales in UK
Impact on direct marketing

27. Draft Regulation -DMA View
•DMA welcomes the Commission’s aim to reduce red tape and simplify bureaucracy –but proposals do not achieve that: overly strict, bureaucratic and unworkable
•Needs to be a fair balance between privacy and legitimate business interests
•Current proposals will stifle innovation, add considerably to business costs and place unnecessary obstacles to e- commerce jobs growth
•Will be particularly harmful to SMEs –MoJ says demonstrating compliance will cost £10m p.a.
•Hard to say how Commission’s estimate of 2.3 billion euro saving to businesses was calculated

28. Ministry of Justice
•Disagrees with Commission’s 2.3bn Euro savings –burdens imposed will far outweigh net benefits: in UK cost @ £100- 360 million
•Many unintended consequences, esp for SMEs
•Changes to consent, profiling & definition of personal data particularly costly to industry
•Likely knock-on effects for growth in technological sector and internet economy
•Regulatory Impact Assessment quotes DMA’s figures & examples
•Impact on behavioural advertising
•Creates unrealistic expectations for consumers –R2BF proposal is “unworkable”

29. Key lobbying messages
•Data is essential for economic growth
-UK has leading role in EU digital economy
-SMEs particularly affected
•Transparent and responsible use of data is a vital business practice
-In industry’s interests to handle data with care
-Self-regulation has valid role to play
-Regulation will not stop bad players
•The proposed regulation is bad for consumers
-Would damage users’ online experience
-Danger of tick-box culture & unrealistic expectations
•Need a proportionate data regime that recognises that not all data is the same
-Personal data, sensitive data, anonymous/pseudonymous data
-Different levels of protection required

30. Lobbying activity
•In Brussels with key individuals in Council, Commission & Parliament, e.g. MEPs & advisers; party groups
•In UK, Ministers in MoJ, DCMS, BIS, HM Treasury + Opposition spokesmen
•Alliance of interests –UK Data Group, FEDMA, CBI, etc. -for collective lobbying of Council and Parliament & lobbying directly where there is no national DMA
•Position papers on priorities for industry + draft amendments to text
•Research on consumer attitudes to privacy and on economic value of the dm industry

31. Data protection toolkit
www.dma.org.uk/product/data-protection-toolkit

32. Consumer rights bill and consumer rights directive
James Milligan, DMA Solicitor
#dmalegal

33. What’s happening?
•Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013
•The Consumer Protection (Amendment) Regulations 2014
•Consumer Rights Bill

34. The Consumer Contracts (Information, Cancellation and Additional Payments) Regulations 2013
•Implementation of the rest of the EU Consumer Rights Directive which was passed in 2011
•Came into effect 13thJune 2014.
•Regulations deal with contracts between a trader and a consumer:
–Made on-premises, ie a shop
–Made off-premises, ie at consumer’s home or place of work, and
–Made at a distance, ie telephone or over the internet.
•Certain contracts are excluded including gambling, health services and services of banking and insurance.

35. Three main areas
•Information
–Depending on the type of contract, the trader must provide certain information.
–Many provisions already exist but new ones are introduced especially around digital content, where information on what systems or hardware is compatible will need to be given.
•Cancellation
–consumers have 14 days to cancel off-premises and distance contracts –double current provision
–Consumer have to return goods within 14 days notice cancellation
–Traders can withhold refund until goods are returned
–Traders can deduct from refund if the consumer has handled the goods more than expected.

36. Three main areas –cont.
•Hidden costs and obligation to pay
–Consumers will have to give active consent for all payments and the use of pre-ticked boxes for additional charges will not be allowed
–Customer service telephone lines can only be charged at the basic rate –premium rate lines will be banned
–Traders that operate an online retail site will need to ensure that consumers understand that there is an obligation to pay when placing an order. “Pay Now” not “Confirm your order”.

37. The Consumer Protection (Amendment) Regulations 2014
•Amendments to the 2008 regulations to allow consumers who have been victims of misleading or aggressive practices to seek redress.
•Came fully into effect 1stOctober 2014
•Covers three types of contract:
–Sale or supply of a product to a consumer by a trader;
–Sale or supply of a product to a trader by a consumer;
–A payment by a consumer to a trader.

38. •Need to show:
–purchased a product from a trader;
–trader engaged in behaviour that was either misleading under Regulation 5 or aggressive under Regulation 7.
•Remedies -depending on the type of contract:
–Unwind the contract and get a refund;
–Discount on the product;
–Damages for the breach.
The Consumer Protection from Unfair Trading (Amendment) Regulations 2013

39. The Consumer Protection from Unfair Trading (Amendment) Regulations 2013
•Misleading: includes
–providing false information or information that could deceive the average consumer;
–marketing a product which causes confusion with competitor’s products;
–failing to comply with a Code of Practice when you say you do.
•Aggressive: includes
–Timing and location of the behaviour;
–whether any threatening or abusive language is used or;
–any exploitation by the trader of the consumer’s personal circumstances.

40. Consumer Rights Bill
•Published in draft in June 2013. Introduced into House of Commons Jan 2014 House of Lords Committee Stage begins 13 October 2014
•Will not come into force until late 2015/ early 2016.
•A major overhaul of existing consumer rights legislation – consolidating 100+ consumer laws and introducing new rights for consumers and businesses.
•Follows two consultations in 2012 by BIS on goods, services and digital content; and the Law Commission & Scottish Law Commission’s on unfair contract terms.

41. Consumer Rights Bill
•Basic rights not changing
•Aim to present rights and remedies in a simpler and clearer way to make consumers better informed and empowered
•3 parts:
•Consumercontracts for goods, digital content and services –rights and remedies
•Unfair terms in contracts
•Miscellaneous: investigatory powers, enhanced consumer measures, enforcement, competition, etc.

42. Consumer Rights Bill
Rights and remedies:
•To receive some money back after one failed repair to faulty goods (or one faulty replacement)
•To have substandard services redone or receive a price reduction
•To receive a repair or replacement of faulty digital content such as film/music downloads, e-books and online games
•To return faulty goods within 30 days and receive a refund
•Collective redress allowing consumers and companies to challenge anti-competitive behaviour.

43. Consumer Rights Bill
•Consolidates the law around unfair terms in contracts with consumers.
•Fairness to be determined by taking into account:
•The subject matter
•All the circumstances existing when term was agreed
•All the other terms of contract or any other contract on which it depends
•Various terms listed that cannot be assessed for fairness

44. ICO Direct marketing guidance
James Milligan, DMA Solicitor
#dmalegal

45. Structure
•What the Guidance consists of?
•Status
•Context
•Buying and Selling data
•Consent
•DMA Clarification of ICO Guidance
–Host contact and indirect third party consent
–Time limits for indirect third party consent
–Solicited/unsolicited marketing
–Pre-ticked opt-in boxes
–Win back campaigns

46. What the Guidance consists of
•Direct Marketing Guidance
•Direct Marketing Checklist
•Guidance for organisations receiving unwanted marketing

47. Status
•Not a code of practice
•ICO not trying to rewrite the law
•Reflects ICO evolving view of area
•Future proofing against draft Data Protection regulation
•Remember ICO enforcement is complaint driven –“Don’t annoy your customers”
•New ICO Data Protection Enforcement Policy

48. Context
•Consolidate all previous guidance
•Focus on areas which come up in enforcement
•Focus on areas of widespread abuse
•Rebalancing towards customer consent and choice in the Big Data age
•Data privacy now a brand differentiator –Customer Acquisition Barometer 2014
•List broking is the next big issue after nuisance calls -Which? Taskforce on consent

49. Buying and Selling Data
•Boundaries on data chains
•Better Together/Scottish referendum undertaking

50. Case study 1 –complex data sources and consent failures
•Campaigning organisation
•Mass unsolicited SMS marketing
•Particular ICO concerns?
•Outcome -undertaking

51. Case study 1 – the data chain
Instigator
Sender
List broker
List broker
List broker
List broker
List broker
Lead generation company
Insurance broker
List broker
List broker
Insurance company
List broker
Loan provider
Price comparison website
Mail order company
List broker
Publishing company
Prize draw website
Insurance broker
Loan broker
Lead generation company
List broker
Insurance company
Publishing company
Insurance broker
Loan provider
Debt management company
List broker
Debt management company
Insurance broker
Credit card provider
Insurance company
Price comparison website
Loan broker
List broker
List broker
List broker
Travel company
Travel company
Prize draw website
List broker
Online retailer
List broker
List broker
List broker
List broker
List broker
List broker
List broker
List broker

52. Case study 1 –examples of ‘consent’
•‘Archival personal injury leads’
•‘…you also agree that we may disclose your information to […] (iii) other carefully selected product suppliers in the future with a view to them offering you products they feel may be of interest to you.’
•‘We may share your information with our business partners for marketing purposes or we may send you information about other organisations’ goods and services. [ ] By providing us with your contact details you consent to being contacted…’
•‘All information you supply will be kept confidential to [ ] and the insurers whom it deals, unless [ ] are required by law with subpoenas.’

53. Sourcing data/ Due diligence
•Who compiled the list? When? Has it been amended or updated since?
•When was consent obtained?
•Who obtained consent and what was the context?
•Was it opt-in or opt-out?
•Was information provided clearly and intelligibly? How was it provided?
•Did it list organisations by name, by description, or any third party?

54. Consent
•Basic requirements under DPA 1998
•Additional requirements under PECR 2003 as amended
•Age of consent
•Context in which given
•Nature of relationship

55. DMA Clarification of ICO Guidance
•Host contact and indirect third party consent
•Time limits for indirect third party consent
•Solicited/unsolicited marketing
•Pre-ticked opt-in boxes
•Win back campaigns

56. Host contact
•Host contact is the ICO and DMA preferred method of distributing third party offers via email, text and automated telephone calls
•Host contact –how does it work
•1) where first party organisation collects the contact details of customers and customers subscribe/opt-in to receive third party offers
•2) First party organisation does not pass on contact details to third party
•3) First party will be the sender of the message

57. Host Contact
•Host contact –how does it work
•4) First party rents body copy in the message to the third party
•5) Third party includes call to action in message
•6) Third party collects its own marketing consents when recipients respond to message
•7) Third party does not have access to data of those recipients who do not respond.

58. Indirect Third Party Consent
•Where consent not given by individual to organisation sending out marketing message but given via third party e.g. list owner.
•Host contact method is not considered by ICO and DMA to be indirect third party consent
•Not valid for marketing channels under PECR, automated recorded calls to telephones, email and mobile messaging

59. Indirect Third Party Consent
•Exceptions
•1) First party collecting contact details specifically names third parties to which it will pass contact information on
•Example of 1) in the context of booking a flight to New York with a UK based airline
•“Please tick this box if you are happy for our partner airline xxxx Airlines to contact you by email/SMS with details of their US domestic flights

60. Indirect Third Party Consent
•Exceptions
•2) Third party falls into a specific category of organisations which the first party included in a list of types of organisations which it obtained consent from the recipient when they collected the electronic marketing contact details
•Example in the context of booking a flight to New York with a UK based airline
•“Please tick this box if you are happy for our partner organisations to contact you by email or SMS with details of their promotions and offers in New York which you may find useful during your visit to New York.”

61. Indirect Third Party Consent -time limits
•Third party organisation making contact for the first time by electronic channels using indirect third party consent should not rely on consent given more than six months ago to the first party
•General rule of thumb
•Third party using contact details more than six months after first collected need to justify why using those contact details
•Context is key –ICO accepts that third party can use contact details collected more than six months ago in the case of annual services –e.g. insurance, seasonal products.

62. Unsolicited/Solicited Marketing
•ICO definition of solicited and unsolicited different from industry definition
•ICO consider an unsolicited marketing message to be a marketing message which the recipient has not requested
•If a consumer has subscribed/opted-in to receiving marketing messages and an organisation sends a marketing message then that message will be unsolicited
•However will be compliant with PECR because consumer consented

63. Unsolicited/Solicited Marketing
•Practical advice –follow PECR
•Consumers must be clear about what they are signing up to.
•Organisations pay attention to wording in data collection notices

64. Pre-Ticked Opt-In Boxes
•ICO and DMA best practice do not use for consumers to subscribe/ opt-in to receiving unsolicited marketing messages via email and SMS
•DPA/PECR rules -to subscribe/opt-in requires a positive action on the part of a consumer
•Consumer leaving a pre-ticked opt-in box pre-ticked is not a positive action

65. Pre-Ticked Opt-In Boxes
•Can be used in rare circumstances where another stage in the sign up process amounts to positive consent
•Use of pre-ticked opt-in boxes as an unsubscribe /opt-out mechanism –consult with DMA Legal or other usual legal advisers

66. Win-back campaigns
•ICO guidance unclear as to legality of win –back campaigns
•ICO have confirmed to DMA that win –back campaigns are legal provided
•1) Consumer subscribed/opted-to to receive marketing messages or
•2) Consumer did not unsubscribe/opt-out if existing customer/ soft opt-in exemption rule applies and conditions met
•Practical issue –confirm preferences when customer leaves/ cancel
•Remember retention rules and accurate/ up –to date

67. 67
Contacts
James Milligan, Solicitor, DMA
T-020 791 3347
James.milligan@dma.org.uk
Legal Advice Helpline
legaladvice@dma.org.uk

68. Q&A
#dmalegal

69. Useful links
ICO Direct Marketing Guidance
DMA Supplementary Note on ICO Guidance
ICO Direct Marketing ChecklistICOGuidance for organisations receiving unwanted marketingWhich? Taskforce on consent and lead generation in the direct marketing industry call for evidence