Data Protection - Association of Advertisers in Ireland


Respecting the Consumer – the Data Protection Perspective
Billy Hawkes
Data Protection Commissioner
Association of Advertisers in Ireland
3 June 2009
Presentation Outline
• Marketing – what do people think?
• Data Protection – what is it?
• Direct Marketing – the Rules
• Best Practice
Importance of key issues affecting the general public (2008)
Very Important
A good health service *: 89%
Crime prevention: 87%
Privacy of personal information: 84%
Protection of consumer rights: 77%
Ethics in public office: 77%
(new question in 2008)
Eurobarometer 2008
Individual (DS) Concern about Data Protection
(EU Average % / Ireland %)
Concerned: 63.8 / 70.5
Not Concerned: 34.8 / 28.2
Don’t know / no answer: 1.4 / 1.3
Personal Experience of Privacy Invasion
Yes %
Received unsolicited post, addressed to you personally: 50
Received unsolicited text messages from commercial organisations: 35
Received unsolicited emails from commercial organisations: 28
Had excessive personal information sought from business/public sector organisations: 20
Had a virus/spyware on personal computer: 20
Disclosures of your personal information to others without your agreement: 14
Had information, images or footage of you posted on the internet without your consent: 11
Had personal information being withheld from you without explanation: 10
Inappropriate access to personal information held about you within an organisation: 10
Any experience: 65%
Chart legend: 2008, 2005
Attitude Towards Unsolicited Mail or Offers…
[Chart: Unhappy (%) by channel, ‘08 and ‘05. Channels: The post; SMS/Text messages (to your mobile phone); The telephone to your home; E-mail/the internet. Scale: Not at all happy (1), Not very happy (2), Fairly happy (3), Very happy (4), Don’t Know.]
Unsolicited mail or offers via telephone or post remain the approaches the public most dislikes.
However, irritation with text or e-mail contact has significantly increased since 2005.
Q.7 – Awareness of Rights
(No, not Entitled % / Yes, Entitled % / Don’t Know %)
To have your name removed from junk mail lists: 6 / 71 / 23
To have your telephone number removed from direct marketing lists: 6 / 71 / 23
To have any inaccurate information about you corrected/deleted: 5 / 71 / 23
To get a copy of any information about you held by any organisation: 6 / 70 / 24
To claim compensation through the courts if personal information held about you is misused: 7, 21
To have any of your medical records deleted
To get personal information about other people
58, 46, 40, 22, 35, 39, 32
Complaints to DPC 2008
• 1031 formal complaints
• Many more enquiries dealt with informally
TYPE: %
Direct Marketing*: 35
Access Rights: 30
Disclosure: 16
Accuracy: 2
Other: 17
* Mainly electronic (SMS etc). Direct Marketing accounted for 57% of complaints in 2007
Unsolicited Marketing – DPC Annual Report Case Studies
• Unsolicited Text Messages (12/2005; 5/2006 – deletion of database ordered)
• Unsolicited Faxes (20/2008)
• Unsolicited e-mails (8/2008; 17/2008 – database deleted and marketing suspended)
• “Cold-Calling”/Failing to respect right to “opt-out” including via NDD (11/2005 (prosecution); 1/2006; 2/2006; 4/2007 – order to suspend marketing; 11/2008)
• Postal Marketing (15/2007: supermarket)
Case Studies 2008: Direct Marketing
• 123.ie (insurance)
• Interactive Voice Technologies
• Buy-as-you-Fly
• Celtic Water Solutions
• Matrix Internet
• Dell
• 2 Cases where we found in favour of DC
Presentation Outline
• Marketing – what do people think?
• Data Protection – what is it?
• Direct Marketing – the Rules
• Best Practice
Data Protection: a Human Right
• Part of Right to Personal Privacy
• Personal Privacy: necessary in a Democratic Society (but not absolute)
• Un-enumerated right under Irish Constitution
• Explicit right under European Convention on Human Rights: ECHR Act 2003
EU Charter of Fundamental Rights: Article 8
Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
Lisbon Treaty
Article 16 Treaty on the Functioning of the Union
• 1. Everyone has the right to the protection of personal data concerning them.
• 2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data.
• Compliance with these rules shall be subject to the control of independent authorities.
EU & Irish Legislation
• Data Protection Directive 95/46/EC
• Electronic Privacy Directive 2002/58/EC
• EUROPOL etc
• Data Protection Acts 1988 & 2003
• EC Electronic Privacy Regulations 2003 (SI 535/2003) and 2008 (SI 526/2008)
• Corresponding Acts
• Good Friday Agreement
• Disability Act 2005
Rights and Obligations
• Rights of “data subject” (= identifiable, living individual) to control the use of their “personal data” (very broad definition)
• Obligations on “data controllers” (“a person who controls the contents and use of personal data”) and “data processors” (“A person who processes personal data on behalf of a data controller”)
The Data Protection Rules
1. Fair obtaining & processing
• Consent
2. Specified purpose
3. No disclosure
• unless “compatible”
4. Safe and secure
5. Accurate, up-to-date
6. Relevant, not excessive
7. Retention period
8. Right of access
Sensitive Data (special protection)
• Physical or mental health
• Racial origin
• Political opinions
• Religious or other beliefs
• Sexual life
• Criminal convictions
• Alleged commission of offence
• Trade Union membership
Rule 1
Obtain & Process Fairly I
• Data controller must give full information about
  - identity
  - purposes
  - disclosees
  - any other data necessary for “fairness”
• Third party data controllers
  - must contact data subject to provide these details
  - must give name of original data controller
Obtain & Process Fairly II
One of these conditions required:
  - Consent
  - Legal obligation
  - Contract with individual
  - Necessary to protect vital interests
  - Necessary for a public function (Justice)
  - Necessary for ‘legitimate interests’
Processing Sensitive Data
One of these additional conditions is required
  - Explicit consent
  - Necessary under employment law
  - To prevent injury or protect vital interests
  - Process the data of members/clients of non-profit orgs.
  - Legal advice
  - For Medical Purposes
  - Statutory function
Rule 2
Specified Purpose
• Part of obligations when obtaining to specify purpose
• Cannot expand purpose without reverting to individual
Rule 3
Disclose only if compatible
• General rule – no disclosure for different purpose
• Exceptions made, to balance other interests of society
• Section 8 exceptions
  - Investigation of crime
  - Collection of taxes
  - Security of the State
  - Protect life & limb
  - Law or court order
  - Legal advice and legal proceedings
• No general “public interest” test
Presentation Outline
• Marketing – what do people think?
• Data Protection – what is it?
• Direct Marketing – the Rules
• Best Practice
Direct Marketing Legislation
• The Data Protection Acts 1988 and 2003
  - Mainly Section 2
• SI 535 of 2003 European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations as amended by SI 526 of 2008
  - Mainly Regulation 13 (Unsolicited Communications)
• Other Legislation: Consumer Protection, E-Commerce, Financial Regulation etc
Direct Marketing Definition
• “direct marketing” includes direct mailing other than direct mailing carried out in the course of political activities by a political party or its members, or a body established by or under statute or a candidate for election to, or a holder of, elective political office;
Direct Marketing – the Golden Rule of Consent
• Only market willing customers
• Strong Irish customer resistance to “junk mail” or “spam”
• Failure to respect consumer choice is against the law
  - Criminal offence where electronic means used
Mailing lists
• Legal Right to opt-out of direct marketing
  - Delete data subject from mailing list
  - Notify the data subject within 40 days
• Failure is breach of Data Protection Acts (S. 2(7))
  - Complaint to Commissioner
  - Enforcement Action (e.g. delete database)
SMS and email
• Non-Customers (Individuals)
  - Must Opt-in
  - Must include the name of sender
  - Must include valid address for opt-out
  - Opt-in must be in the last 12 Months
SMS/e-mail Continued
• Customer (Individuals)
  - Opportunity to object at point of collection
  - Must include identity of sender
  - Valid opt out instructions
  - Only Similar and Related Services
SMS/email Continued
• Businesses
  - Do not need opt-in consent
  - Must respect any opt-out request
  - Must include valid instructions on opt-out
  - Must include name of sender
Phone
• Non-customers
  - All marketing calls must be screened against the National Directory Database opt-out list (NDD)
  - Marketing calls made to numbers recorded on the NDD opt-out list are an offence
  - Company must record any individual opt-out requests
  - All marketing calls must be screened against internal do not call list
Phone Continued
• Customers
  - Provide an opt-out at time of collection
  - Must respect any opt-out request
  - Can only market them for related or similar products
Faxes
• Individuals
  - Must receive prior consent
  - Must respect any opt-out received
• Businesses
  - Must respect any preference on the NDD opt-out list
  - Must respect any opt-out given directly to the company
Penalties
• Postal
  - Enforcement action by Data Protection Commissioner (deletion of database etc)
• Electronic
  - Criminal Offence: €5,000 per message, up to 10% of turnover
  - 350 prosecutions going through Courts
Presentation Outline
• Marketing – what do people think?
• Data Protection – what is it?
• Direct Marketing – the Rules
• Best Practice
Best Practice (1)
• Treat Consumer with Respect
  - Respect their right to be “let alone”
• Marketing that respects the Consumer’s preferences is more likely to be successful
• The more intrusive the marketing, the more likely Consumer will be upset
• Don’t abuse public information (electoral register etc)
Best Practice (2)
• IDMA Consumer Guide (www.idma.ie)
• FEDMA Direct Marketing Guide (www.fedma.org)
  - Approved at EU level
  - On-Line Annex in preparation
• Irish DPA Guidance (www.dataprotection.ie)
DPC Contact Details
Office of the Data Protection Commissioner
Canal House
Station Road
Portarlington
Co Laois
Phone: LoCall 1890 252231 / 057 8684800
Fax: 057 8684757
Email: [email protected]
Website: www.dataprotection.ie