Tag: Data Protection Reform (page 2 of 2)

♫ I just call to say…la la la ♪: The unromantic side of telemarketing

Not another one! (Copyright by methodshop.com under the Creative Commons Licence – Attribution-ShareAlike 2.0 Generic.)

Missed anonymous calls that leave you wondering who it may have been… Calls from unknown numbers at the most inconvenient moment… Wasting money in returning the call… The displeasure of discovering, mainly if we were expecting a specific important call, that it is only a marketing communication… The frustration of spending long and precious minutes repeating that we are not interested in whatever product the interlocutor is trying to sell…

It most certainly sounds familiar…

From my personal experience I can cite quite a few examples of unsolicited marketing, some of which could actually have qualified as marketing harassment. Not the best publicity, if you ask me…

From evening calls, to anytime calls, from participating in a raffle only to be attacked by unwanted marketing initiatives, from registering in an online shopping website only to be contacted by financial institutions intending to sell you some credit card, from ordering a body lotion only to start receiving advertising of completely unrelated products…

I am specifically referring to business-to-consumer (B2C) advertising and marketing, through all the channels technologically available to promote companies’ commercial campaigns of products and services among individual buyers.

However, telemarketing is, in my very personal opinion, among the most annoying direct marketing initiatives. It gets worse when calls are repetitive, insistent, and even aggressive, as many of them usually are.

Worse than that? Well, I can easily point to having a salesperson ringing your doorbell right before or, even worse, during dinner time…

If the assumption that consumers’ purchases are usually based on personal emotions is correct, despite not being a marketing genius myself, I am pretty sure that bothering potential clients is never (ever!) the way to go when it comes to attracting consumers. As a matter of fact, I am certain that it can actually lead to the opposite effect. So, if you own a business and somehow your marketing campaign is not working, you might want to check this criterion.

Nevertheless, it is astonishing how abusive and unlawful marketing initiatives frequently are. The number of businesses that seem to be completely unaware of their responsibilities as data controllers never ceases to amaze me. I always fail to understand if they actually ignore their duties or if they just pretend so in order to take advantage of the data subject’s most likely ingenuousness on the matter.

Legal requirements, such as those foreseen in the E-Privacy Directive (i.e., the Directive on privacy and electronic communications) and in Directive 95/46, which is applicable as direct marketing requires personal data processing, are not suitably taken into consideration. It is as if some companies do not acknowledge that individuals have any rights over their personal data, including the absolute right to object to their personal data being used for marketing purposes.

However, while it is merely an inconvenience for me, as I know which reasoning I shall refer to and which means are required in order to cease any further annoyance quickly, not everybody does. Sometimes it takes people months before they are able to get rid of any undesirable contact for good.

The very basic requirement that is applicable to direct marketing – the prior consent of the data subject – seems to be easily overlooked, as many companies sell or share data from customers without their authorisation. Most of the time, individuals do not even fully appreciate that they are giving their consent or what they are consenting to, or are not even given the possibility to refuse such use of their personal data.

This is particularly worrying considering all the changes which are on the way. If businesses keep ignoring or refusing to acknowledge the requirements they have to comply with, they will commit the offences and suffer the sanctions which most likely will be foreseen, for instance, in the future EU General Regulation on Data Protection.

I already had the opportunity to address some of those forthcoming changes here. However, these are particularly restrictive regarding marketing initiatives.

All forms of marketing communications, including telemarketing and direct mail, will be subjected to the individual’s consent. Indeed, the current ‘opt-out’ checkboxes system will be replaced by an ‘opt in’ permission method. This means that any communication which hasn’t been the object of a previous, free, explicit and informed consent of the data subject will therefore be forbidden.

The criterion of explicit consent requires a clear statement or an affirmative action. In this context, companies collecting information will have to ensure that the data subject is well aware of the specific purposes of the data collection, namely for marketing purposes.

In parallel, the data subject would be able to access the data collected without being charged any fee. Moreover, if a data subject decides to opt out of marketing communications, marketers will have to delete any records they hold, if requested. Marketers won’t be able to retain, in that case, any detail, unless they can show legitimate grounds for retaining the data.

As a direct result, if companies cannot demonstrate that consent has previously been explicitly given for marketing purposes, they will have to delete the data. Databases and contact lists will most certainly be severely reduced.

The forthcoming changes will obviously make the conducting of marketing campaigns more difficult and, consequently, will require a shift in the marketing strategies in order to be compliant with the law.

As a consumer, I am always in favour of legislation which protects individuals regarding ambiguities related to the use of their personal information.

As a lawyer, I can only provide timely and relevant information that will help my clients to comply with the law while (hopefully) simultaneously making a profit for their company.

The unpleasant side of non-compliance with the rules on direct marketing is not limited to bad publicity or reputation. Fines, legal action and financial damages also have strikingly negative effects on businesses. For this reason, companies should start preparing for the forthcoming changes in advance in order to avoid any surprises, save time and money and make the most out of a new situation.


The match of the year: Right to be Forgotten vs Right to know

Round 1, Fight!


As is well known, the ‘right to be forgotten’ ruling extended the possibilities foreseen under the current EU Data Protection Directive for data subjects to exercise their rights to erasure of data and to object to personal data processing with regard to search engine service providers, which were deemed controllers.

Therefore, facing a deletion request, search engines will have to decide on the balance of the rights at stake, namely freedom of expression and right to privacy, weighing up whether it is in the public interest for the information indexed in its search results to remain.

From the very beginning, public opinion was stirred by both enthusiasm and concern. The main question was: how would the decision be enforced? Isn’t the removal of links to legal and accurate information damaging for freedom of speech and the right of access to information? The debate was most lively between free speech advocates and privacy campaigners and hasn’t faded away with the course of time. The former insist that it will lead to a whitewashing of the past, whereas the latter uphold that it will enable individuals to limit the visibility of some personal information.

Google, despite affirming that the enforcement of the ruling could hamper free speech, warning of the potential abuse by those looking for the deletion of important information and complaining that the ruling’s requirements for conformity were vague and subjective, started dealing (efficiently?) with the astonishing number of requests for suppression of links received, rejecting some and admitting others.

In fact, Google says it has received approximately 143,000 requests, related to 491,000 links, to take down links in the last five months, involving everything from serious criminal records to embarrassing photos and negative press stories. Considering the data revealed by Google itself, the company has refused about 30 per cent of demands and about 50 per cent were taken down. According to its online transparency report, Google has removed more links to content on Facebook from its search results than from any other site. In this regard, Reputation VIP — the company that provided Forget.me, the first “Right To Be Forgotten” Removal Service – outlined that, ironically, most requests do not refer to unflattering or inaccurate web pages written by third parties, but, instead, to content authored by the requestor.

Google even set up an advisory committee to handle the requests. This council is headed by the company’s executive chairman, Eric Schmidt, and chief legal officer, David Drummond, and includes academics, technologists, legal experts and a journalist.

Most recently, Google decided to launch a public debate regarding the balance to be achieved between a person’s right to be forgotten and the public’s right to information. To that end, it organized a grand tour of hearings across Europe and has been on the road for about a month now.

The good intentions beneath this initiative failed to convince everyone. For instance, Isabelle Falque-Pierrotin, who heads the Article 29 Working Party, which gathers all 28 EU national data protection authorities, didn’t hesitate to share her scepticism about the Google initiative, which she described as part of a “PR war”:

Google is trying to set the terms of the debate. They want to be seen as being open and virtuous, but they handpicked the members of the council, will control who is in the audience, and what comes out of the meetings.

Although I do not share such a pessimistic viewpoint of the initiative, I actually also have some doubts regarding the openness and transparency that is intended. Indeed, when the public debate was first announced, I expected that it would allow for a better understanding of Google’s current processes for dealing with requests. But, as far as I am aware, hearings have centred on abstract and rather philosophical discussions.

Considering the ongoing negotiations regarding the EU data protection reform, already well advanced, the question which should be asked is: how much could the ruling and Google’s efforts in fact influence the direction of the discussions?

According to the European Commission’s initial proposal, the right to be forgotten would be built on the right to erasure of personal data and the right to object to data processing operations, which already exist under the current Data Protection Directive. Therefore, the data subject could exercise the right against the original data controller when and if: the data is no longer necessary; consent is withdrawn or when the storage period has expired; the data subject objects to the processing on specified grounds; or the processing is no longer valid on some other ground. Freedom of expression was among the exemptions foreseen.

The European Parliament was quite favourable to this proposal, having voted its opinion last spring. However, it ensured that the right could also be exercised directly against third parties and provided for the possibility to exercise the right following an order by a court or regulatory authority.

The Council of the European Union had already discussed the issue before but decided to suspend the respective debates in order to wait for the CJEU’s ruling. However, negotiations regarding other issues of the reform kept going and Member States have even agreed on a partial general approach since then.

A subsequent statement issued by the Italian Presidency made clear that the provision concerning the right to erasure would take into account principles set out by the CJEU. Indeed, the revised version issued recently left no doubt about it.

I thought this utterly confusing, as it is for the Council of the European Union and for the European Parliament, as co-legislators, to make the law as it will stand in the future and for the CJEU to interpret the law as it exists. To take into account the judicial interpretation of the law that we are about to replace for the definition of the upcoming legislation is, in my opinion, quite puzzling. The ruling should not dictate the content or drafting of the future Regulation.

Nevertheless, something has to be done regarding the enforcement of the ruling. As things stand at the moment, it has been up to Google to determine the balance between the conflicting interests at stake. The criteria as defined by the CJEU are undoubtedly insufficient.

And if the ruling is to be taken into account in the upcoming legislation for anything, the legislation most certainly has to address the scope of the right to be forgotten, the grounds on which it can be exercised and the need to balance this right with the freedom of information, as the judgement itself doesn’t establish with rigour how it shall be applied in practice.

In this context, it must be noted that the regulation has a horizontal nature and, thus, is intended to be applied to all controllers, independently of their nature. Search engines are not the specific aim of the future legislation although, as controllers, they are covered by its scope.

Regarding the scope, one may wonder if the distinction made by the European Commission between personal data which have been initially disclosed or uploaded by the data subject and the personal data which have been disclosed by third-parties will be kept.

Moreover, as there seems to be no doubt that search engines – now considered as controllers – may receive deletion requests, it is important to clarify the position of providers of social media, such as Facebook, for instance, where it is possible to argue that the processing is based on consent or a contract.

As for the grounds on which the right can be exercised, I think it won’t be easy to determine who will be required to conduct the assessment in order to consider if the initially lawful processing of accurate data became unnecessary, inadequate, irrelevant or no longer relevant, or excessive in the light of the purposes for which they were collected or processed and of the time that has elapsed. Who is better suited for that role: search engines or the first controller?

In this context, one cannot assume that, if the initial processing is lawful, the second processing is also legal. There might be cases where the two reach different outcomes as to lawfulness. What then?

Furthermore, should requests for deletion be addressed directly to the controller? Should they be addressed, instead, to the supervisory authority? Or to the competent courts? And if so, which court would be the competent one?

In addition, should the data subject have the right to choose any of the controllers to exercise the right to be forgotten and erasure? I believe that, at least theoretically, it should be possible for the data subject to exercise the rights against the processing carried out by the search engine before, after or independently from exercising the same or other rights against the original controller. But one should bear in mind that it is quite unrealistic to ask operators of search engines to track information and replication of data across the web.

As we can see, many questions are yet to find their answers.

The most popular is:

How will the right to the protection of personal data be fairly articulated with the right to freedom of expression?

Understandably, certain Member States have shown legitimate concerns regarding the freedom of expression and the interest of the public at large to have access to information, which may end up being underweighted in the balancing process. So the debates are currently ongoing.

One of the big issues at stake is that, according to the spirit of the founding treaties, the conciliation of the right to the protection of personal data and the freedom of expression should remain in Member States’ legislative power. This implies that the European co-legislative institutions, the Council of the European Union and the European Parliament, are not entitled to regulate this matter in detail. However, if it is up to Member States to reconcile the two potentially conflicting rights, neither harmonization nor a unified application of law is ensured.

In this context, it will be important to delineate the concepts of ‘public interest’ and ‘public figure’, whose scope is not satisfactorily developed in data protection due to the swiftly evolved digital era.

Moreover, it will be important to establish that bloggers and individuals generally expressing themselves online fall within the scope of the ‘freedom of expression’ exception, even if they are not professional journalists. After all, article 11 of the Charter of Fundamental Rights of the European Union establishes that everyone has the right to freedom of expression, including the freedom to hold opinions and to receive and impart information and ideas, establishing the freedom and pluralism of the media.

On another level, and as is well known, Google has been systematically alerting websites when it cuts links to their pages from results presented based on searches for a person’s name, which is in line with the European Commission’s proposal. But should search engines be barred from informing publishers, as Google has been doing, when articles have been delisted from search results? Are there cases where it would be appropriate to involve a publisher? Which ones?

These notifications are mostly problematical due to the possibility of republication, which could cause additional harm or distress for the data subject. And indeed, it often leads to a republication of a version which indicates what URLs are being removed from the search index.

In my opinion, it is preferable for the data subject that the search engine, as a second controller, contacts the controller which has firstly published the information (preliminary controller), as, otherwise, it might not be always easy to establish the correct balance.

In parallel, Google has unilaterally restricted the deletion of internet links to European websites only, for instance Google.es, Google.de, Google.uk… Well, you get the idea… But shouldn’t the removal be global, considering the very nature of the Internet? Shouldn’t links be removed from all versions of Google, such as Google.com? This is particularly important considering that most European users of the search engine use local domains, rather than referring to google.com.

The Justice and Home Affairs Council gathered in Luxembourg, on the 10th of October, to discuss the regulation and directive. A partial general approach on chapter IV of the general data protection regulation, which deals with the obligations for data controllers and processors, was agreed. There is, nevertheless, still plenty to be agreed on, so one may wonder if the deadline established by the incoming European Commission President Jean-Claude Juncker for the end of negotiations – within six months of the commission starting work – will be enforceable.

Meanwhile, the Article 29 Working Party is preparing some guidelines which will set out a common record to deal with different types of appeals coming in from citizens. To that end, it has met with media and search engine companies, Google, Microsoft and Yahoo, to gather their views on how to strike a balance between the freedom of information and privacy. The guidelines are expected to be finalized by the end of November.

Considering the current state of play, let’s hope that some thorny questions will have been answered by then…

Data Protection Reform: Change is coming… slowly

EU Data Protection Reform is about to happen... eventually.


Although subject to the well-known saying ‘nothing is agreed until everything is agreed’, data protection reform is slowly taking shape and businesses should prepare themselves for what is coming, as activities which involve the processing of personal data will have to comply with the new data protection laws.

In June, the Council’s Justice and Home Affairs Committee reached an agreement on the rules concerning data transfers and on the territorial scope of the future new Regulation.

In the last meeting held in Luxembourg, earlier this month, Justice and Home Affairs Ministers reached a broader partial agreement regarding the wording of chapter IV of the draft General Data Protection Regulation, which includes new rules on personal data breach notifications that businesses operating in the European Union will have to comply with.

Therefore, in the light of the new approach, contractual freedom regarding the content of contracts will be restricted and the liability of processors regarding controllers over subcontracting activities will be further elaborated.

Additionally, pseudonymisation of personal data will be included as a technical and organisational measure to ensure an appropriate level of security.

In this context, businesses will have 72 hours to notify regulators as soon as they become aware that they have suffered a personal data breach that “may result in physical, material or moral damage” to individuals. This will include disparate situations such as loss of confidentiality of the data, damage to the data subject’s reputation and identity theft.

Moreover, although businesses will have to inform data subjects without undue delay in case of a data security breach which could severely affect their rights and freedoms, they will be exonerated from this obligation when appropriate technological protection measures have been implemented to protect access to the data, even if lost or stolen, namely through encryption.

Furthermore, the processing of personal data which is likely to represent a high risk for the rights and freedoms of individuals, such as health data or personal data which can be used for profiling, will require a data protection impact assessment to be carried out.

If businesses based outside the European Union process personal data of citizens of the European Union, they will have to appoint a representative based in the European Union, except if the processing is occasional and unlikely to result in a risk for their rights and freedoms.

Of course, negotiations with the European Parliament and the European Commission in order to finalize the instrument will only begin once a consensus on the whole draft has been reached within the Council.

If slowly is the best way to go further, we will get there… eventually.


© 2018 The Public Privacy
