Sirius Legal Real Time and Trigger Based Marketing, Session II 6 September 2016

Privacy and data protection - Presentation for Bdma real time and trigger based marketing session II

Real Time Marketing!

Trigger Based Marketing!

2016’s Marketing buzz…

Personalisation!

2016’s Marketing buzz…

“dynamic, personalized content delivered across channels.”

“dynamic personalization”

“commercial and communication activities based upon the measurement of relevant and identifiable changes in a customer's individual needs”

“trigger or event is defined as a detectable change in an Individual’s circumstances”

Translated into Legal Speak

Measuring and defining triggers requires data

Gathering data = privacy law and cookie law

In the words of the European Commission: “data has become a currency” (cfr. Draft Directive 2015/0287 on digital content delivery contracts)

Current Privacy Law

Based on EU Directive 95/46/EC

Transferred (differently) into national law by each member state

Set of rules dates back to nineties

Based on location of company and/or server

At the time most elaborate and progressive set of rules in the world

We discussed this in session I

Current Privacy Law

Definition of personal data is very broad

Cfr B2B vs B2C

ECJ May 2016: Even dynamic IP address

Browser history – information on social media – payment history…

Impact on data collection for personalised action is considerable

Definition will be ever broader under new EU law (art. 4 GDPR)

Impact on Personalisation, Real Time and Trigger Based

All personalised, real time or trigger based action is based on data and profiling

Data collection is core – Same discussion as “previous” hype Big data

Considerable impact of privacy law

Almost all available data is ‘personal data’

Impact on Personalisation, Real Time and Trigger Based

Almost all available data is ‘personal data’

Classic data sources: “public data” – statistical data – private data

Fact that data is publicly available or accessible does not in itself justify collection & treatment

Cfr: data available online remains “personal” data

Even at first sight “statistical” info (cfr heatmapping) can be “personal” data

Impact on Personalisation, Real Time and Trigger Based

Birthday – marriage – major life event

Order history – content of basket – heatmapping on site

Payment history

Browser history

Demographic data

Info on hobbies, preferences, interests, …

If linked, even indirectly, to an individual = all are (protected) personal data

Current Privacy Law

Actually straight and simple:

Basic rule = prior “opt-in” for all processing

Or implicit opt-in if “legitimate grounds” for processing

“Free and informed” opt-in

Transfer of data to third party = additional opt-in

Cfr. Analytics tools, apps, cookies, database enrichment through mailings and actions, …: always opt-in

Cfr. also social media content

Impact on Personalisation, Real Time and Trigger Based

Prior opt-in is not always present

Existing client relationship vs. Prospects

“Legitimate grounds”

Law does not define “legitimate grounds” (Privacy Commission: “cfr CRM”)

Justification for profiling = compare interests of profiler and data subject

Information duty: client should know what data is being processed and why

Current Privacy Law

Rights of data subjects

opposition – access – correction – information

Obligations of data processor

Information – opt-in – data security – (export)

Information duty: client should know what data is being processed and why

Future Privacy Law

General Data Protection Regulation 2016/679 (GDPR/AVGB)

Regulation instead of Directive – 1 law for 28 states

Agreement reached last December 2015

Enters into force on 1 May 2018 (without grace period!)

General Data Protection Regulation

Heavily influenced by consumer protection activists in EP

Result:

Consumer friendly, but serious restraints for direct marketing sector, e-commerce sector and especially personalisation, real time and trigger based marketing and (big) data processing

Applicable to ALL data processing, except personal (private) contact lists (e.g. private Outlook account)

Impact on Personalisation, Real Time and Trigger Based

Lawfulness of processing (“on which grounds can I process data?”) (art. 6 GDPR)

Prior opt-in remains the basic rule (+ proof required)

“Processing is required for the execution of a contract”

“Legitimate grounds”

DM “may be considered” legitimate, but “Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means”

If existing client relationship: OK, otherwise not so evidently OK

Impact on Personalisation, Real Time and Trigger Based

Processing of data belonging to a minor (-13 Y/O, -16 Y/O) (art. 8 GDPR)

Always requires explicit authorisation by parents!

“Reasonable efforts” to check age and obtain authorisation

eID?, Facebook login?, credit card data?, live chat, …?

Impact on Personalisation, Real Time and Trigger Based

Information obligations

Obligation to notify data subject of the fact that his data is being / has been collected without his explicit consent (art. 14 GDPR)

Within 30 days or upon first contact

= Data obtained from data brokers, partner organisations, online collection…

Impact on Personalisation, Real Time and Trigger Based

Information obligations

Information to be provided:

ID and contact, means, ID of third recipients, safeguards in case of data export outside EU, duration of data retention, source of data (with ID), rights to access, correct, delete, oppose profiling, etc…, right to file complaint, the existence of automated decision making + the “logic” behind this decision making + the right to oppose, …

Impact on Personalisation, Real Time and Trigger Based

Information obligations (art. 14 GDPR)

Obligation to notify data subject of the fact that his data is being / has been transferred to a third party…

Within 30 days of transfer

= Data obtained from data brokers, partner organisations, online collection…

Impact on Personalisation, Real Time and Trigger Based

Information obligations (art. 14 GDPR)

Obligation falls if

Data subject already knows

or

Information provision requires disproportionate effort (= open door to creativity…)

Impact on Personalisation, Real Time and Trigger Based

Right not to be submitted to profiling (art. 21 GDPR)

Any form of automated processing

Personal data

For evaluation of personal aspects of a person

Examples:

To analyze and predict aspects concerning

Performance at work, economic situation, health, preferences, interests, reliability, behavior, location or movements,…

Impact on Personalisation, Real Time and Trigger Based

Right not to be submitted to profiling (art. 21 GDPR)

Personalized products and services

Individualized shopping experience

Online Behavioral Advertising

Trigger-based Advertising

Online credit evaluation

Lead Generation

Geo-blocking

Price differentiation

Tracking / Fingerprinting

Impact on Personalisation, Real Time and Trigger Based

Right not to be submitted to profiling (art. 21 GDPR)

Right to object against

Processing/profiling based on

public interest / official authority

or

legitimate interest

Processing/profiling for direct marketing purposes

Impact on Personalisation, Real Time and Trigger Based

Right not to be submitted to profiling (art. 21 GDPR)

If the person has a legitimate interest to do so, he has a right to object against

Processing/profiling based on

public interest / official authority

or

legitimate interest

Processing/profiling for direct marketing purposes is always possible

Impact on Personalisation, Real Time and Trigger Based

Right to object to automatic decision taking (art. 22 GDPR)

Right

Not to be subject to a decision (or profiling)

Producing legal effects / significantly affects

Solely based on automated processing of data

Intended to evaluate certain personal aspects

Examples

Performance of work, creditworthiness, reliability and conduct

Also applies to DM “decisions” (e.g. send offer or not)

Impact on Personalisation, Real Time and Trigger Based

Right to object to automatic decision taking (art. 22 GDPR)

Avoiding qualification as AP / Profiling?

No decision taking based on algorithm

No “personal” data

No legal effects for the subject (or effects “similar to legal effects”) (contract, liability, claims,…)

Not “significantly affecting” the subject (accept/reject < > premium settings)

Impact on Personalisation, Real Time and Trigger Based

Right to object to automatic decision taking (art. 22 GDPR)

Protection not applicable to decisions

Necessary for entering into or performance of a contract

Authorized by law (e.g. investor risk assessment)

With the subject’s explicit consent

Conditions: appropriate safeguards (at least human intervention, response and contest possibilities, mathematical and statistical procedures, limit errors, limit discriminatory effects, secure data, data minimization/anonymization/pseudonymization)

Impact on Personalisation, Real Time and Trigger Based

Right to be forgotten (art. 17)

Upon request by data subject, processor has to take all reasonable measures to permanently delete data

+ to ensure that third parties that have copies of or links to data are warned of the request and are asked to do the same.

Impact on Personalisation, Real Time and Trigger Based

Remember

Evaluate if provisions on profiling are applicable? Workaround?

Make assessment of impact on data protection

Take specific measures (information, access, ways to object, contest, respond, human intervention)

Abide by general legal provisions (information requirements, privacy principles, rights of subjects, obligations of controller,…)

Impact on Personalisation, Real Time and Trigger Based

Remember

Art. 11: “Pseudonymous data”

If data is not coupled to identity, subject has no right of access, correction, etc…

Eases e.g. analytics, but quite possibly also certain online marketing techniques

Prepare for the new Regulation

Apart from user rights

Data breach risk analyses

Data breach emergency plan

Data protection officer

Standard clauses with subcontractors

Privacy by design

Privacy by default

…

Prepare for the new Regulation

Sanctions

Provisions of highest importance (cfr. profiling = high risk processing)

Fines up to 20 million euro

Fines up to 4% of worldwide annual turnover (for undertakings)

Remedies for data subject…

Prepare for the new Regulation

Follow up on discussion (e.g. through our website www.siriuslegal.be)

Start review of vendor contracts (in view of data security obligation)

Start to prepare for full update of policies, contracts, business processes

Put in place data breach notification procedure

Appoint (temporary) data security officer

Put in place impact assessment and/or risk analyses policy

Create compliance statements for annual business reports

Train staff

Sit back and wait for final text of regulation for final details…

Sirius Legal

Media & advertisement law

IP law

Internet & e-commerce

Privacy & cookies

Gambling law

Travel & consumer protection

Commercial contracts

Corporate tax labour real estate

[email protected]

@BartVdBrande

Linkedin.com/in/bartvdb