Justice Committee
Written evidence from the Direct Marketing Association (UK) Limited

EUROPEAN UNION DATA PROTECTION FRAMEWORK PROPOSALS

Summary

1. Current text of the draft Regulation imposes onerous burdens on organisations which could harm the free exchange of information with consumers, stifle innovation and deter investment.

2. Estimated potential cost of draft Regulation in its current format to UK businesses is £47 billion, with a particularly significant impact on SMEs.

3. We broadly welcome UK Government negotiating position but feel some fine tuning is needed.

1. Introduction

1.1 The Direct Marketing Association (UK) Limited (DMA) is Europe’s largest trade association in the marketing and communications sector, with approximately 900 corporate members and positioned in the top 5% of UK trade associations by income. The total value of direct marketing to the UK economy was estimated to be £9.1 billion in 2011. This comprises three separate figures: £4.3 billion of expenditure on direct marketing media and activities, £1.1 billion on goods and services brought in by companies to enable the undertaking of direct marketing activity, and £3.7 billion of spending by people employed in the industry as consumers (Putting a Price on Direct Marketing, The DMA, July 2012). The DMA represents both advertisers, who market their products using direct marketing techniques, and specialist suppliers of direct marketing services to those advertisers—for example, advertising agencies, outsourced contact centres etc. The DMA also administers the Mailing Preference Service, the Telephone Preference Service and the Fax Preference Service. The use of personal data in order to deliver targeted marketing is at the heart of our members’ activities and core to their business success. On behalf of its membership, the DMA promotes best practice, through its Direct Marketing Code of Practice, in order to maintain and enhance consumers’ trust and confidence in the direct marketing industry. The Direct Marketing Commission is an independent body that monitors industry compliance. Please visit our website www.dma.org.uk for further information about us.

1.2 The DMA welcomes the opportunity to respond to this inquiry by the Justice Select Committee on the European Union Data Protection Framework Proposals.

2. Will the proposed Regulation strike the right balance between the need, on the one hand, for a proportionate, practicable but effective system of data protection in the EU, and on the other for business and public authorities not to be stifled by regulatory, financial and administrative burdens placed upon them?

2.1 The DMA does not believe that the proposed Regulation strikes the right balance for the reasons as set out below.

2.2 Opt-in/opt-out and obtaining explicit consent

The current proposal demands that organisations would have to obtain explicit consent from consumers by “clear statement or affirmative action” to use their data for marketing purposes unless they were relying on the “balance of interests” justification. While organisations would not necessarily have to get consumers to tick an opt-in box, they would not be able to take for granted that consumers consent to receiving marketing information—even if they have had previous interaction with them and were existing customers of the organisation.

The provision of personal data in return for benefits from commercial organisations is common practice well understood by consumers. More than half of respondents to a DMA survey published in June 2012, Data Privacy: What the consumer really thinks, were happy to sign up for emails in order to receive special offers. If explicit consent were required for these offers they would become uneconomic for brands, reducing consumer choice.

The practice of driving business growth through prospecting using traditional direct mail channels would become extremely difficult if explicit consent were required for these approaches. This would have a severe impact not only on the Direct Marketing Industry but on the financial viability of the Royal Mail.

We are also concerned that there is continued doubt surrounding the issue of what would constitute “fair processing” when considering the “balance of interests” between the organisation and the consumer. The worst case scenario is that organisations that fail to prove they have properly obtained consent from individuals to contact them with direct marketing messages would have to scrap their contact databases completely. These could be difficult and very costly to replace. There is also the question of what would happen to “legacy data” validly collected under the current legal framework.

2.3 Definition of personal data and consequences for profiling

The new Regulation could class IP addresses as personal data. IP addresses are allocated to an individual device and often such devices might be shared in households, offices and other organisations, such as libraries. Furthermore, individuals connect via multiple devices (PC, laptop, mobile phone and tablet) and a particular IP address does not specifically reveal individual behaviour but merely the behaviour of a device.

This extension of the definition of personal data would result in web analytics no longer being available to organisations without the express consent of individuals and would therefore limit commercial development. In particular, brands are using and developing digital direct channels to find new ways of stimulating consumer markets. The DMA report Putting a Price on Direct Marketing, July 2012, identifies that the retail sector would be among the sectors hardest hit by the inability to use web analytics for marketing purposes. Even though analysis is concerned with the online activities of anonymised batches of IP addresses, the information itself could be considered personal data and hence off limits to those who did not provide consent. This has very serious ramifications for digital marketers, as they would then struggle to chart the journey consumers take from communication to action, or to analyse their behaviour online. Profiling is a legitimate business activity which benefits consumers, giving them more targeted and relevant marketing communications, and this proposal would jeopardise that benefit. More than half of respondents to a DMA survey published in June 2012, Data Privacy: What the consumer really thinks, actively welcome recommendations based on previous purchases made online.

Classifying IP addresses as personal data would also overlap with the Privacy and Electronic Communications Directive. Doing so would damage user experience of websites: their preferences might not be stored, which would deny visitors a personalised experience with the inconvenience of having to upload their details with every repeat transaction. These two effects would inflict incalculable damage on sales. Respondents to a survey carried out by the DMA in connection with its report Putting a Price on Direct Marketing, cited the definition of personal data in the draft Regulation as having the most serious implications for their business.

2.4 The right to be forgotten

The new Regulation proposing to give individuals the right to request organisations to delete any personal information that is held on them has been designed with social media networks in mind. This requirement would certainly stifle innovation for social media platforms, but the consequences of the right to be forgotten reach beyond that.

Organisations that hold an individual’s data and pass them to third parties would not only have to delete their information but would also have to ensure that the third party does the same. This is clearly impractical. For data list brokers, this obviously has enormous and problematic implications and all organisations would also face increased data processing costs.

We welcome clarification from the European Commission that the right to be forgotten would not prevent an individual’s data from being held for suppression purposes in direct marketing. However, this needs to be made clear specifically in the text of the Regulation.

The relationship between the draft Regulation and other legal requirements on organisations to keep personal data, for example for audit or anti-money laundering purposes, needs to be made clear specifically in the text of the Regulation.

2.5 Subject access request

Currently, organisations can charge a fee of £10 when supplying individuals with a copy of all of the information held on that individual, to meet a subject access request. Under the new Regulation, organisations would have to supply this information free of charge. The £10 fee does not cover the cost of collating and supplying the information but does, at least, act as a small check to discourage frivolous or vexatious requests. We are concerned that this may lead to an increase in subject access requests being used for other purposes, such as for early discovery at a pre-litigation stage in legal proceedings. (This point was identified in the Ministry of Justice’s Call for Evidence on the Data Protection Act 1998 in 2010.)

The administrative burden this places on organisations is huge. In 2009, the Ministry of Justice estimated that UK businesses spend £50 million a year in fulfilling subject access requests through additional manpower costs.

A positive note, however, is that we welcome the proposed provision that a subject access right can be met by providing information to the data subject electronically, if that information is held electronically and the data subject agrees to this.

2.6 Data breach notifications

There are no requirements under the current Data Protection Directive to notify the authorities of serious data breaches, but the new Regulation would radically change this. Every organisation that holds personal data would have to notify the ICO and the individuals concerned within 24 hours of any data breach. Although the current draft is particularly vague on the detail of how this would work, it is difficult to see how the ICO would cope practically with the weight of breach notifications, which may, in any case, be of a minor nature. It is not always possible to identify breaches within 24 hours, or to assess the extent or likely detriment of a security lapse. If every data breach has to be reported, regardless of its nature or importance, there is a strong possibility of “notification fatigue” setting in—there is evidence of this effect in the USA, where most states have this obligation. There is then a risk that consumers may ignore the notification of a serious breach where they need to take action in order to prevent identity theft.

2.7 International transfers of personal information to countries outside the EEA

While the rules on transferring personal information to countries outside the EEA may have been made more business-friendly, problems could arise with their application beyond the European Union. The law would apply to any organisation in the world processing information about European citizens, but in a digital world an organisation would not necessarily be aware that they were dealing with a European citizen until they had completed an online registration process. This requirement simply doesn’t reflect the reality of 21st century global data transfer practices, and needs to be rethought if it is to be workable.

2.8 Marketing to children

This is an area where a prescriptive “one size fits all” approach may not work. We would prefer to see a risk-based, flexible framework here, as recommended in the ICO’s Personal Information Online Code of Practice [http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/online.aspx].

2.9 Cost of compliance obligations

We have concerns about the proposal that organisations would have to keep full records of their data processing activities and supply them to the ICO on request, rather than as a matter of course under current rules. This does raise questions as to how the ICO will be adequately funded to carry out its work effectively.

The additional bureaucratic requirements will certainly create extra administrative costs, particularly for smaller organisations. Implementing the right to be forgotten, explicit consent for data processing and the appointment of a data protection officer will all create additional administrative costs. The requirement for organisations with 250 or more staff to have a designated independent data protection officer takes no account of the nature of the organisation’s business and how much, or little, data is handled by them. The cost of these compliance obligations would be most strongly felt by SMEs, which typically employ 250 or fewer people. Of the companies polled for the DMA’s report, Putting a Price on Direct Marketing, the majority of which were SMEs, 22% stated that the average likely cost to their businesses would be just over £76,000, equivalent to 11% of turnover. This translates to an estimated potential total cost to UK businesses of £47 billion. The Appendix contains the case studies we submitted as part of our response to the MOJ Call for Evidence on the Proposed EU Data Protection Legislative Framework in January 2012, which give more detailed information about the cost of compliance obligations.

2.10 Sanctions regime

The proposal to levy potential fines of up to 2% of an organisation’s global turnover is disproportionate and inappropriate in this context, and could lead to organisations removing their operations offshore, or restructuring into different parts to avoid larger penalties.

3. Will the proposed Directive strike the right balance between the need, on the one hand, for a proportionate, practicable but effective system of data protection for police and criminal cooperation in the EU, and on the other for law enforcement authorities to be able to investigate crime without disproportionate financial or administrative burden?

3.1 This is outside the scope of the DMA’s work.

4. Are the next steps the UK Government proposes to take during the negotiations, set out in the Summary of Responses to the Call for Evidence, the right approach?

4.1 Transparency of processing

We generally agree with the Government’s position. Greater transparency of processing of personal information by organisations should enable consumers to have more trust in such organisations. According to the survey carried out for Data Privacy: What the Consumer Really Thinks, 60% of consumers that are really concerned about privacy say that they are happy to provide personal information to companies that they trust. However, there is a danger that greater transparency may necessarily entail lengthier data protection statements/privacy policies. Even if such statements are written in accessible and easy-to-understand language, consumers may find it difficult to take in all the information because of their sheer length. The Government may want to consider arguing for a layered approach as outlined in the Article 29 Working Party’s Opinion on More Harmonised Information Provisions, WP100, published November 2004 [http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2004/wp100_en.pdf].

As stated above, we do not agree with the requirement for organisations to obtain explicit consent for all data processing for all marketing purposes.

4.2 Subject Access Requests

We agree that the Government is taking the right approach.

4.3 Right to be forgotten

We are concerned that consumers may think that they have an absolute right to have their personal information deleted and will therefore be dissatisfied with the legislation when they find that one of the exemptions applies.

4.4 Bureaucratic and unnecessary obligations which do not offer greater protection for individuals

We fully support the Government’s negotiating position.

4.5 Data Breach Notifications

We agree with the Government’s approach.

4.6 National independent supervisory authorities

We believe that further thought should be given to the way in which national data protection authorities and the European Commission will work together on a common interpretation of the Regulation (the consistency mechanism). Some organisations may not be able to take advantage of the one-stop shop, where one national data protection authority will be the lead authority for that organisation. This will arise where management decisions are taken in each country in which that organisation operates rather than at the European headquarters level. The risk of consumers reporting a breach to a national supervisory authority which takes a tougher line (“forum shopping”) needs to be addressed.

4.7 Administrative penalties

We agree with the Government’s position. It is important that national supervisory authorities do not spend all their time and resources on issuing penalties and are able to provide guidance to organisations on interpreting the Regulation.

4.8 Delegated and Implementing Acts

We fully support the Government’s negotiating position.

5. Conclusion

The DMA is willing to provide further assistance to the Committee and clarify any of the points made in its evidence. Please contact us if this is required.

August 2012

References

1. DMA report Data Privacy: What the consumer really thinks
http://www.dma.org.uk/sites/default/files/tookit_files/data_privacy_-_what_the_consumer_really_thinks_2012.pdf

2. DMA report Putting a price on direct marketing
http://www.dma.org.uk/sites/default/files/tookit_files/putting_a_price_on_direct_marketing_2012.pdf

APPENDIX

CASE STUDIES SUBMITTED AS PART OF OUR RESPONSE TO THE MOJ CALL FOR EVIDENCE ON THE PROPOSED EU DATA PROTECTION LEGISLATIVE FRAMEWORK

The examples below have been provided by some of our member organisations to illustrate their estimate of the impact on their business of the Regulation in its present draft.

1. Global Marketing Services Provider

The proposed Regulation will add significant additional administrative costs especially around the right to be forgotten, explicit consent for data processing and the appointment and training of a Data Protection Officer. Increased responsibility and accountability of data processors will also place additional administrative costs, plus increased insurance costs against potential fines and penalties.

There is a cost implication in the review and assessment of all legacy systems which collect personal data to make sure of compliance with the new requirements, eg Privacy by Design.

It is difficult to quantify the potential additional costs, but in staffing and training costs alone the company would expect this to be in the region of £50,000 to £75,000 per year.

2. Data Services Provider to the Retail Sector

New data portability and right to be forgotten clauses could require one-off new system development at a cost of £100,000.

Cost of up to £5 million for each year of legacy data (up to a maximum of 7 years) that could not be used if the draft Regulation had retrospective impact on data which had already been collected.

3. Membership Organisation with Charitable Status

General rule requiring explicit consent for marketing would make fundraising via marketing almost impossible.

Increase in call time with regard to information needed to be provided to donor on phone—estimate of additional 10 seconds—means an annual full time requirement of 1.8 agents. Also additional 10 seconds average handling time to back office processes gives an annual requirement of 1.3 full time agents. Total of 3.1 full time agents or additional costs of £90,000 means a requirement of an additional 1800 individual memberships to cover this.

Several of our charity members have said that their ability to fundraise via marketing would be made more difficult. There is also a problem over how much information consumers can take in at a time and at least one charity thought that the extra time it will take to provide the necessary information on privacy could well put donors off the whole process.

4. Financial Services Organisation

Cost of reformulating databases to take account of changes—£100k to £500k.

General rule requiring opt-in consent for marketing may lead to inability to market to existing customer database—loss of revenue estimated at around £6 million.

Cost per lead from data list brokers could increase by double.

Cost of responding to a Subject Access Request would be an additional £30–50 per request, based on system set-up costs and incremental staffing and administrative costs due to changes in procedure in the draft Regulation.

Consent requirements would create additional administration, and possible difficulties, for accounts held in joint names.

5. Bureau Cleaning Services (organisation which cleans lists for other direct marketing organisations against preference services files and other suppression files, such as names of recently deceased persons and those who have recently moved house)

General rule requiring opt-in consent for marketing could lead to a 50% drop in data being sent to it for processing.

6. List Broking Company

Changes introduced in draft Regulation could lead to a 50% drop in turnover which would mean closure of business with loss of 26 full time jobs.

7. B2B Telemarketing and Digital Marketing Company

Digital side—adding a consent form to all website downloads: one day’s development work at £400 per day.

Adding opt-in telemarketing button to CRM system: one day’s development work at £560.

Cost of staff training £7,600 per annum.

Cost of updating CRM system with clear statement of affirmative action—requires call recording, cost in the £1,000s.

8. Global Data Company

Introduction of explicit requirements for consent—loss of revenue in excess of £1 million.

Review, assessment and updating legacy data to comply with new requirements—cost in excess of £500,000.

New data security and breach notification requirements—cost between £100,000 and £500,000.

System developments to take account of the right to be forgotten, data portability, removal of fee for subject access requests, privacy by design—one-off cost in excess of £500,000.

9. List Broking and List Owning Businesses

Business               Current    Current    Current   Impact of   Impact of   Impact of
                       turnover   revenue    profit    opt-in on   opt-in on   opt-in on
                       £000       £000       £000      turnover    revenue     profit
                                                       £000*       £000*       £000*

Large broker             3,500      1,000        100         350         100          10
Small broker             1,000        300         30         100          30           3
Total Broking sector   120,000     36,000      3,600      12,000       3,600         360
Large list owner        25,000     20,000      4,000       2,500       2,000         400
Small list owner         2,500      2,000        400         250         200          40
Total List Owners      600,000    480,000     96,000      60,000      48,000       9,600

* Assuming impact of opt-in would lose 80% of names, representing 90% of turnover.

In these circumstances, list-broking would no longer be a viable business model and third party list ownership would become a high risk business option.

There are approximately 100 organisations directly involved in the UK in list-broking and list-owning sectors: between 600 and 1000 jobs would be at risk.

Additionally, the cost of customer acquisition would increase for all brands significantly.

Prepared 30th October 2012