Data protection
is a very important topic for this audience, in an industry which makes
use of personal data about individuals.
Data protection is not the most exciting topic, so the person who ends up doing the work might do so unwillingly, doing only the minimum needed to meet compliance.
Data protection needs to be seen in the context of obligations of
confidentiality, human rights, contractual requirements, and restrictions
on monitoring. All these
factors combine to control the use that anyone can make of information
about individuals.
There is a
certain level of complexity around data protection rules, which are very
tough and could have an adverse effect on how you do business.
Some people see the rules, decide that proper compliance is impossible, and do their best to ignore the rules.
That is a mistake.
Data protection rules regulate the use that can be made of information about identifiable individuals, not corporations. However, any database of corporations probably refers to the individuals within those corporations, so data protection rules still apply.
Many countries
have recently implemented new rules; the concepts of data protection are
spreading rapidly. With the
arrival of new media and the internet, the US suddenly realised the power
that people had over individuals’ lives.
Hence, the US saw the need for these rules, as did Japan, which has implemented data protection rules; a growing number of countries are applying rules which deal with similar issues – in slightly different ways, unfortunately. The laws intended to make business easier across Europe and elsewhere, with the same rules for all Member States, do not seem that way when actually implemented. Other
rules include sector‑specific legislation and the Electronic
Communications Data Protection Directive, which addresses what you can do
online.
Most
importantly, you need to tell people what you are going to do with the
data you hold about them. By
doing that, you reduce your chance of encountering problems commercially
because people are less likely to complain.
You will certainly not encounter problems with the regulators
because they will not have the grounds to take action against you.
When you
collect and process data, you must do so fairly.
Then you must actually do what you told people you will do with the
data. There are difficulties associated with the rapidly expanding
methods of doing business, including new ways of exploiting databases
online.
The best way to
secure the right to do things with data is to gain consent; that can be
difficult. When you built your databases, did you gain the right consent to use the information online in a mobile context? Think
about what you are doing – in the future as well as now.
Generally, you need to be particularly careful with sensitive data, including health, trade union membership, and sexuality.
You need to be
careful when transferring data out of the European Union.
Outsourcing key functions has created more problems in recent years: are you sending data to other countries?
If that is not factored into the building of your database, you are
probably breaching data protection laws.
You probably
need to register with the data protection authority in your country.
You need to be aware of security obligations. You need to adhere to the organisational and technical
measures these laws impose on your organisation: ensure that nobody gains
unauthorised access to the data you hold, and that there is no accidental
loss or damage done to the data. Remember
the other restrictions.
Is the law ever
enforced? Historically,
different countries have adopted different approaches: France has been
more keen on enforcement than the UK.
However, there has not generally been much enforcement, in terms of
the regulator telling you to stop your outlawed activity and demanding to
know how you process data.
However, it is
changing. In the UK, the
Information Commissioner (who used to work at Clifford Chance) has
revealed he intends to increase enforcement and prosecutions.
He probably does not want to get into mass policing but wants to be
taken seriously; he will probably launch some high‑profile
investigations to ensure people take note.
Similarly, the Dutch Commissioner has revealed that he is going to
begin random checks on insurers, municipalities, and direct marketing
companies. The risks will not go away.
Regulators
could impose fines on you; that could lead third parties who discover what
you are doing to seek damages against you.
In Greece, you go to prison for breaching these laws.
You need to take these matters seriously.
You need to
take targeted steps now to move towards good compliance – whilst keeping
the bigger picture and your commercial objectives in sight.
It is much easier to comply before, rather than after, you have
incurred the regulator’s interest, when you would be required to ensure
total compliance. If you are
mostly compliant, and unless the regulator’s attention is drawn to you,
they may target elsewhere.
§ comply with the law when you gather data;
§ bring together your data compliance, product development, and marketing people;
§ build your databases such that you can do what you want to do with them;
§ ensure the disclosures are consistent with what people were told at the time; and
§ obtain consent wherever possible.
We get issues
in employment – this is relevant to this audience as employers and
publishers of information about other people’s employees.
Myths and difficult practices have arisen in this area.
It is difficult to obtain freely‑given consent from an
employee: the consent has to be specific, informed, and genuine. If your employer asks for your consent to being placed in a
directory – and if you say ‘no’, it may affect your career prospects
– you would probably say ‘yes.’
English regulators have said they do not believe in
freely‑given consent for employees, except at the time when they
sign on.
Other methods
of making processes fair include a balance of interests test: is it in the
interests of the employer or is it contractual necessity?
With sensitive data, it is more complicated.
You need to tell employees what you will do with their data, and
gain consent both from new employees and for the use of sensitive data,
depending on other conditions. Our
clients get into problems in this area; they face employment tribunals and
claims where questions are raised about data; and employees use data
protection laws to gain access to their records.
These include:
- marketing;
- retention of data;
- how long you keep data;
- how accurate it is;
- freedom of information;
- international transfer; and
- monitoring what your sales staff are doing – are they employing underhand tactics to get people into your directories?
Another myth:
you need consent to send out direct marketing materials.
That is generally not the case.
Simply inform people of intended purposes, offer an opt‑out,
and apply the opt‑out. Many people create problems by applying the opt‑out incorrectly.
Sending by post to corporate and existing customers is generally
not a problem. We have an
issue with electronic marketing – by email or by fax – under this new
Directive on Privacy and Electronic Communications.
This Directive is due to be implemented by Member States by 31 October 2003
– it will not be in most places, but it is coming soon.
You need to build compliance with this Directive into your data
gathering.
Prior
opt‑in consent is required for new individual subscriber email
marketing – ‘subscriber’ does not mean every individual you market
to, but the person who has the contract.
Consent is not required for marketing to my mobile phone because my
employer provides the phone. However, no‑one can direct‑market to me on the
mobile which I pay for myself – unless I have provided consent.
Making that distinction is difficult. There is some freedom for people under corporate subscription
contracts. Additionally, no
prior consent is required for all mail marketing to existing customers,
provided they are offered the opportunity to opt‑out; that applies
to marketing similar products and services and your own products and
services.
Member States
have the freedom to protect the legitimate interests of subscribers other
than an actual person. I have
very little idea what that means or how it is going to be implemented.
However, Member States are adopting different rules as they start
implementing their legislation. There
is a failure of harmonisation; there will be a patchwork of rules applying
to how you can direct‑market via fax and email to corporations.
We always need to consider the bigger picture.
Most countries
have got nowhere in even publishing draft legislation; we still do not
know exactly what will happen. Regulatory
groups are gathering to discuss these issues, determining how to get good,
harmonised compliance. However,
a great deal of debate still takes place.
What kind of
consent do you need? ‘Opt‑in’
and ‘opt‑out’ are not legal terms; they do not appear in the
Directive. People think that
opt‑in is prior consent, but what is an opt‑in?
Is asking, ‘do you wish to receive marketing material?’ an
opt‑in or an opt‑out? ‘Unless
you tick the following box, you will receive marketing material’ is
probably an opt‑out. ‘If
you would like to receive marketing materials, tick the following box’ is probably an opt‑in. What
about an electronic form where the box is pre‑ticked for you, to
save you having to click your mouse?
Another example: ‘by receiving this service, you agree to receive
marketing material unless you tick the following box.’
We see all the
above strategies. When we
review different organisations’ collection methods, we see tension
between the marketing department, which wants to make it as easy as
possible, pushing towards obtaining consent without really making people
do anything; and the legal and compliance department, which wants things
to be absolutely clear. You
determine where you want to place yourself on that scale.
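As an added example (not part of the talk and not Clifford Chance's advice), the e‑mail marketing rules and the opt‑in / opt‑out wordings discussed above can be written down as a small policy check in Python, so that the distinctions become explicit when a mailing list is audited. The `Subscriber`, `Recipient`, `may_email` and `classify_form` names and the sample list are this example's own constructions; treating a pre‑ticked box as an opt‑out is an assumption made here, since the talk only raises the question.

```python
"""Direct-marketing consent rules as a checkable policy (added example).

Encodes the speaker's reading of the Directive as stated in the talk:
prior opt-in consent for new individual subscribers, an existing-customer
exception where an opt-out was offered for similar products, no consent
requirement for corporate subscribers, and a classification of the
consent-box wordings. Treating a pre-ticked box as an opt-out is an
assumption of this example, not a conclusion the talk draws.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Subscriber(Enum):
    INDIVIDUAL = "individual"  # the person holds the contract (pays for the phone/mailbox)
    CORPORATE = "corporate"    # an employer or other organisation holds the contract


@dataclass
class Recipient:
    subscriber: Subscriber
    existing_customer: bool = False
    similar_products: bool = False   # the offer concerns your own similar products/services
    opt_out_offered: bool = False    # an opt-out was offered when the details were collected
    prior_consent: bool = False      # affirmative opt-in recorded before sending
    opted_out: bool = False          # the recipient has exercised an opt-out


def may_email(r: Recipient) -> tuple[bool, str]:
    """Return (permitted, reason) for one e-mail marketing message to r."""
    # An exercised opt-out always wins: the talk stresses that opt-outs must be applied.
    if r.opted_out:
        return False, "recipient opted out; the opt-out must be applied"
    if r.subscriber is Subscriber.CORPORATE:
        # Member States may add protections for corporate subscribers; the base
        # rule described in the talk requires no prior consent here.
        return True, "corporate subscriber: no prior consent required"
    if r.existing_customer and r.similar_products and r.opt_out_offered:
        return True, "existing-customer exception: similar products, opt-out offered"
    if r.prior_consent:
        return True, "individual subscriber with prior opt-in consent"
    return False, "new individual subscriber without prior opt-in consent"


class FormKind(Enum):
    OPT_IN = "opt-in"    # marketing only if the person affirmatively ticks
    OPT_OUT = "opt-out"  # marketing unless the person ticks (or unticks a pre-ticked box)


def classify_form(tick_means_receive: bool, pre_ticked: bool,
                  bundled_with_service: bool = False) -> FormKind:
    """Classify a consent checkbox design using the wordings from the talk.

    tick_means_receive:   True for "if you would like to receive ..., tick the box";
                          False for "unless you tick the box, you will receive ...".
    pre_ticked:           the box is already ticked when the form is shown.
    bundled_with_service: "by receiving this service you agree ... unless you tick".
    """
    if bundled_with_service or not tick_means_receive:
        return FormKind.OPT_OUT
    if pre_ticked:
        # Assumption: a pre-ticked "receive" box needs no act from the person,
        # so it is treated here like an opt-out rather than an opt-in.
        return FormKind.OPT_OUT
    return FormKind.OPT_IN


def audit(recipients: list[Recipient]) -> list[tuple[int, str]]:
    """Return (index, reason) for every recipient who must not be e-mailed."""
    blocked = []
    for i, r in enumerate(recipients):
        ok, reason = may_email(r)
        if not ok:
            blocked.append((i, reason))
    return blocked


# Constructed sample mailing list (not real data).
SAMPLE_LIST = [
    Recipient(Subscriber.INDIVIDUAL),                                        # 0: new, no consent
    Recipient(Subscriber.INDIVIDUAL, prior_consent=True),                    # 1: opted in
    Recipient(Subscriber.CORPORATE),                                         # 2: work address
    Recipient(Subscriber.INDIVIDUAL, existing_customer=True,
              similar_products=True, opt_out_offered=True),                  # 3: existing customer
    Recipient(Subscriber.INDIVIDUAL, existing_customer=True,
              similar_products=True, opt_out_offered=True, opted_out=True),  # 4: opted out
]

if __name__ == "__main__":
    for i, reason in audit(SAMPLE_LIST):
        print(f"recipient {i}: do not send ({reason})")
```

Running the block reports recipients 0 and 4 as blocked; the reason strings are meant to be kept with the audit record so that, as the talk recommends, you can show a regulator why each message was or was not sent.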
In addition to
direct marketing, this Directive also deals with white pages and yellow
pages directories of subscribers. Before
obtaining subscribers’ consent for being entered into a directory, you
need to explain – free of charge – the purposes of the directory and
the further usage possibilities. If
the directory will have reverse search functionality, SMS functionality,
or something unexpected, you have to properly inform the subscribers.
They then decide whether to be included or not, and hold the right
to verify, correct, or withdraw themselves from that directory.
It is not quite clear whether the law requires opt‑in or
opt‑out, or what approach Member States will take.
Member States have the option to protect the legitimate interests
of corporates.
The rules also
control the use of location data. When
creating new services involving location data coming from mobile phones,
think carefully and gain consent for the use of that location data from
the individuals concerned. You
will also have to assemble your service such that individuals have the
ability to opt out of receiving location‑based services, both
permanently and temporarily. You
need good, strong contractual arrangements in place to control the use of
data.
Retention is an
increasingly important subject, regarding controls on how long you can
keep data – no longer than is necessary, under data protection rules.
I cannot confirm what that means, but regulators and Member States
are looking at retention periods. Specific
rules emerge from the electronic data communications directive for data
gathered in a telecommunications context – be particularly careful
there. A problem with data
and communications retention is that there is a huge nexus of other rules;
this is a great problem in the US, following scandals such as Enron.
US authorities used to demand all data be destroyed, but now demand
the retention of vast amounts of data.
This will be an increasingly important area for all US‑listed
companies.
This is also
important. Perfect compliance
with data protection is impossible. As
an extreme example of where total compliance is not required, any CCTV
system filming everyone entering and leaving a building is gathering
sensitive data: it is creating a record of people’s race.
Theoretically, those people should give consent for storage of that
data, but no‑one actually gains that consent.
However, in
monitoring your staff, your sales force, the rules take full effect. Be careful to
ensure a balance – in this case, balancing the need for privacy with
your legitimate business interests to find out what people are doing.
Generally, monitoring is permitted but there are local differences:
in France, you need consent or a court order to monitor your employees.
That can be difficult: if you give them an email account which you
allow them to use for personal emails, you cannot check it.
In Italy, you require works council approval.
Should you
prohibit personal use? Probably
not – you do not want staff running off for personal phone calls and
emails. You need to consider
what staff are told about how their data is processed, and what your IT
staff are told about policing this. You
need to prepare the notices; consider the other requirements; and remember
that failure to do so may result in data protection problems; breach of
employment contracts; breach of human rights laws; fines; regulatory
intervention; and employee claims.
Transferring
data outside the European Economic Area (EEA: the European Union plus a
few countries) is generally prohibited unless you have prior consent or
unless there are adequate safeguards.
That rule encompasses outsourcing functions or having directories
printed outside the EEA.
What adequate
safeguards exist? You could
create a contract between you and whomever you are transferring the data
to. You could use the model
contract the European Union has approved; the ICC and others have
suggested terms. The Safe
Harbour Rules in the US are effectively a self‑regulatory mechanism
whereby US corporations can elect to adopt a certain regime which deems
them to have adequate safeguards in place.
That safeguard is dead in the water: fewer than 100 US corporations
have adopted that regime.
A working party
within the Commission has looked at preparing binding corporate rules for
international transfer. These
policies provide adequate protection for your organisation, and are easier
than implementing contracts. Certain
countries – Guernsey, Argentina, Switzerland, Hungary, and Canada –
have been deemed adequate all on their own.
If you transfer data outside the EEA, do you have the necessary
systems in place? Organisations are implementing systems; having those means
you can answer the regulator’s questions.
All the options
have downsides. The model
contracts are very onerous. Clifford
Chance has adapted a model contract to include limitations of liability,
which better balance the provisions.
Our risk is that we are not applying the model contract as it was
adopted. Our view is that we
have slightly increased our risk profile, but have greatly reduced our
commercial risk by having those contracts in place.
Additionally, be very careful what you tell people.
Regarding outsourcing, if you have told people at the outset that
their data may be transferred to India for processing into a database,
they have fewer grounds for complaint.
Consider all
the implications of gathering, handling, and processing personal data.
Look at other rules, beyond the data protection rules, which impact
your use of data. Look at
your commercial imperatives, and at what you will be doing.
Ensure the other functions within your organisation, including the
commercial, technical, and legal and compliance people, talk with each
other. It is much easier to
deal with compliance implications sooner rather than later.
Those remarks
will assist us in how we can continue working with the Public Affairs
Committee in transposing to international law.
Nick, what chances do European regulators have in influencing
Member States in the transposition process?
Anders, should public sector bodies determine which documents
should be published?
Participant
Regarding
direct marketing and data protection, many people receive spam and many
organisations have discovered they are on ‘black lists’, which are
commercially maintained, not officially maintained.
Yet, nobody seems to know how to be removed from a black list.
Participant
Nick, if you
were asked to provide the names of your partners and associates to a
publisher of directories in various countries, and did so, the publisher
would not know whether you had the right to give that consent, or whether
consent was required from the individuals.
If those details then appeared on a website, which could be
downloaded or purchased anywhere in the world, you would not know the
location of the person downloading.
Nick Elverston
Transposition
should happen in October. Some
States have produced bits and pieces, but we are running behind; there is
still some time but I suspect people know what they will do.
There are two levels: what the law states, and what happens in
practice. There is a balance.
Regulators understand the need to strike the right balance: they do
not want to damage business in their own countries.
Regulators are interested in some enforcement to push people
towards compliance, but there is room for influence in discussions between
regulators, creating ways of dealing within the strict letter of the law.
From knowing the UK Information Commissioner, I know he is open to
hearing from business what is, and is not, practical.
People are very
concerned about spam. I agree
with the EADP that these laws will not halt spam, which mostly comes from
the US or from Russia. No‑one
in Russia will care whether they ought to have opt‑in or
opt‑out. It is
concerning when a legitimate business finds its materials hitting
firewalls. Clifford
Chance’s firewalls are very tightly set; some clients recently asked why
their emails were being returned marked ‘spam’ by our server – not
great marketing on our part! There
is an unofficial system, and it is difficult to be removed from black
lists because spam filters are set at individual corporation level and at
ISP level. AOL has been
trying to combat spam for a long time.
You need to adopt some kind of piecemeal solution towards this; I
do not have a solution.
Regarding
passing on colleagues’ details, consent is not always required: direct
marketing does not require consent in many situations.
You can rely on another solution: the balance of interests test or
a contract between you and another organisation.
Ensure you do what you can to be compliant.
I am probably quite safe accepting a list of all the partners and
their activities, from Clifford Chance’s Marketing Officer.
That we try to
gain consent from organisations on individuals’ behalf has long been a
problem with electronic activities, but you can implement warranties.
You can get whomever you deal with to contractually confirm they
have the necessary consent. If
you receive information by email, you should probably get the sender to
confirm they have gained consent. You
want to protect yourself, so that you only receive a slap on the
wrist rather than a fine, or worse.
Anders Gjoen
Regarding
granting of access to documents, it depends at which level the grants are issued. States used to have national access regimes; the alternative is a harmonised
access regime in Europe. There
are movements in specific areas such as harmonising rules on access to
environmental information, but it remains to be seen whether we can more
broadly harmonise access rules. That
poses a challenge for the Treaty, which lists what the EU can and cannot
do. Innovation is required to
fully harmonise access regimes; that can be
achieved with environmental rules, but is difficult to do more broadly.