Businesses are being put on red alert as an update in the latest EU data law reform draft proposals has come to light, revealing measures which, should they be passed, could hinder big data strategies and bread-and-butter marketing activity such as prospecting, segmentation and tracking data.
The current EU Data Protection Directive, now two decades old, has been in the midst of being reshaped to cater for today’s data-driven business landscape since 2012 when an initial draft was released by the European Commission.
Industry bodies including the Direct Marketing Association (DMA) and Internet Advertising Bureau (IAB) have since been lobbying for certain amendments to ensure there are clearer distinctions - and therefore different rules - for the definition of “personal data”, with the most prominent argument being that people’s medical data should come under different sanctions to data businesses may use for marketing purposes, for example.
However, The Drum understands the latest update of the draft proposals, currently being worked on by the Ministry of Justice, details a range of proposed amendments which could have severe repercussions for digital marketers or any company using customer data, should they be sanctioned.
Data use restrictions - single purpose
One of the core areas is understood to centre on restricting companies’ use of people’s data to a single purpose, meaning they can only use a piece of data once – if an ancillary purpose later arises to reuse that data the company will be required to regain consent from the consumer. This could significantly hamper common marketing activities such as profiling.
Meanwhile, businesses will not be permitted to use tracking data or segmentation without explicit consent, which could lead to a more generic form of communication. List broking could also be “severely restricted” according to the DMA.
DMA lawyer James Milligan told The Drum some of the changes are “quite fundamental” and dwarf those implemented around the EU Cookie Directive adopted in 2011.
“There will be an impact on direct marketing. This is a doomsday scenario – I hope this won’t happen but there is a small percentage chance it could – existing databases may not be usable, it could decimate prospect lists. We are still not sure what will happen to legacy data – the personal information you have collected under the current legislation. Hopefully there will be some grandfathering provisions where you can use data you have collected under the old act for a period of time, until you have been brought up to speed with the new legislation,” said Milligan.
Explicit vs ambiguous consent
The current EU data law dictates that consumer consent must be “explicit” – including health and medical data. “The original Commission’s proposal talked of freely given and explicit consent given by the data subjects, where consumers would have to opt in or subscribe,” he added.
“But the council text may well change back to ‘unambiguous’. There is a very interesting legal discussion about what the distinction is between explicit and unambiguous. I don’t think there is much difference, though unambiguous means you can do it on an unsubscribe opt-out basis, as long as you ensure you are telling customers exactly what will happen to their personal information. Postal and telemarketing are currently run in the UK on an opt-out unsubscribe basis, though, so this would affect that area massively.”
However, although this is an area that has been signed off, the text “isn’t set in stone” and therefore can be subject to change, according to Milligan.
Fines for security breaches - fallout from Sony hack attack
Elsewhere, there are also proposals for more “onerous” sanctions for security breaches – an area the justice and home affairs ministers are understood to be reviewing currently. This includes “mouth-watering” penalties for companies which suffer major security breaches, which has become a major area of concern over the last few years, magnified by large-scale hack attacks such as that suffered by Sony earlier this year.
“That’s something that will almost certainly come in,” added Milligan. “Although there is likely to be a range of penalties dependent on the circumstances of the breach. It will be for very severe breaches. The sanctions will need to be proportionate, and legitimate…”
“Marketers should have this on their radars as something that is going to happen. It will go through,” he continued.
Amendments are also being proposed on the Right To Be Forgotten case, which flared up last year with Google receiving the brunt of requests from members of the public to have content removed. However, the forthcoming proposals will cover the topic as a whole – not just the role of search engines in people’s right to erase their digital footprints.
Next steps: trilogue
The Ministry of ministers are understood to be making final adjustments to the text, and are expected to finalise their amendments by this June. The proposals will then enter a negotiation period in the second half of this year, between the European Commission, the European Parliament and the Ministry of Justice and Affairs – a process called a “tri-logue” in “Brussels speak”, according to Milligan.
There will then be three versions of the regulations – the original proposed by the European Commission in 2012, the one put forward by the European Parliament in March 2014, and the one the Justice and Home Affairs ministers will have formulated by June.
“The way to view it is that the European Commission is the government, the EU Parliament is the equivalent of the House of Commons, and the Justice and Home Affairs ministers are very much working like the House of Lords – they have legislative roles,” said Milligan.
All 28 EU member states will then be granted a two-year implementation period in which they can bed in the new regulations, but the Direct Marketing Association (DMA) has called for companies to begin putting in place measures now.
Marketers must ready themselves
“The earliest implementation will be at the end of 2017 to the start of 2018, but don’t think that’s a long way off – some of the changes are quite fundamental and you need to start doing preliminary work now.”
IAB’s senior regulatory manager Yves said: “It is fundamental that digital advertising can operate in an EU regulatory framework that allows companies to deliver relevant and meaningful marketing to consumers in a responsible way, not least so that the very same consumers can continue to enjoy the plethora of ad-funded content and services they engage with every day.
“As the Member States put the final touches on their amendments to the reforms, the IAB will therefore continue to advocate proportionate and workable future data protection rules – an aim that we share with the UK Government and one that will hopefully be achieved during the upcoming trilogue negotiations.”
The Ministry of Justice declined to comment.
The news comes as the EU Commission passed its strategy for a Digital Single Market, a 16-part pledge aiming to unify the EU’s digital markets to promote areas such as cross border e-commerce,