The European co-legislator reached an agreement on the General Data Protection Regulation in Strasbourg on the 15th December 2015. While the formal adoption still remains to happen, the rest of the world can start working on what it actually means.
We will have two years to dissect these new rules, interpret them and find solutions to implement them. Considering all of this, two years is not a very long time, so we better not waste any.
The first work to do is to read the text. Following over 5 years of negotiations, and many different wordings for each provision, what has actually been adopted? Here is a review of the most important provisions for the data-driven marketing industry:
The definition of consent has always been one of the central issues of the text. While the European Parliament has always called for explicit consent, it seems that the negotiators finally settled for the Council’s position, which requires an “unambiguous consent”, also specifying that it should be given by “a statement or by clear affirmative action”. While being built on almost the same principles as the definition of consent in the 95/46 Directive, the new text provides more specification on what constitutes a valid consent and how to collect it. It is not a systematic call for the traditional tick box exercise, as solutions which meet the expanded criteria for a valid consent may also be considered.
However, marketing organisations should bear in mind that the rules on consent will tighten up. The information must be provided concisely, in a transparent and intelligible way, and be easily accessible using clear and plain language.
A last-minute decision from the co-legislators, raised and still raises a lot of concerns among the industry. The text foresees that minors under the age of 16 will need parental consent to provide personal data. The text also provides the Member States with the possibilities to adopted legislation lowering the age requirement as low as 13. However, this provision raises a lot of concerns, especially among social media, regarding the ability of teenagers to access their services without needing parental consent.
The most important issue for FEDMA and the European Data-Driven industry over the past five years has been the ability for the controller to access personal data on their legitimate interest. After having been heavily restricted by the European Parliament, the final version is back to a wording similar to the one in the existing directive, maintaining the ability of marketers to access data lawfully. However, the legislation provides some specification as to which criteria should be taken into account when assessing the possibility to use its legitimate interest. A marketer will have to take into consideration the reasonable expectations of data subjects based on the relationship with the controller.
However, the same recital clarifies that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. This provision will require the development of guidance in order to ensure proper implementation, in particular, what is a reasonable expectation, in various context.
Similarly, the provision on profiling, renamed “automated individual decision making, including profiling”, will require some interpretation and guidance to facilitate its implementation. Unlike the previous wording suggested by the European Parliament, the final article on profiling provides a more balanced approach. There is no ban on profiling, but the text requires specific safeguards for profiling which produces legal effects concerning him or her or similarly significantly affects him or her. Also on the issue of profiling, and on the request of the European Parliament, the text clarifies that when an individual opt-out from direct marketing, he or she can also opt-out from profiling related to such direct marketing. It will be interesting to look at both technical and self-regulatory solutions to implement this provision.
Administrative fines are a concern for all data controller, in particular, how important they can be. While the Commission and the Council argued for fines up to 2% of companies’ global turnover if they don’t comply with the rules, the European Parliament advocated for a 5% threshold. Negotiators settled for a threshold of 4%. Also, negotiators decided for the mandatory appointment of Data Protection Officers. However, SMEs are exempted of this obligation as long as data processing is not their core business activity.
The biggest ambition of the Regulation is to create a One Stop Shop for companies. The European Commission defended this as the biggest added value of the text for the industry. However, the agreement found has already been the subject of heavy criticism. While Data Protection Authorities (PDAs) will have to collaborate further, they all keep to a certain extent their powers to investigate in cross border cases, thus limiting in practice the benefits of the One Stop Shop for companies. The Article 29 Working Party, will become the European Data Protection Board, which will be the place of DPAs collaboration. The Board will be managed by the European Data Protection Supervisor.
So, what now? The biggest part of the journey is only starting and the challenge is to look at the text and decides on the best way to turn it into concrete practices. It is something that needs to be done at European level. To deliver its added value, the GDPR should be complemented by harmonised interpretation and the development of common implementation solutions, such as codes of conduct and self-regulatory programme. Looking at the number of key provisions for the data-driven Marketing industry where interpretation is needed to facilitate their implementation, there is no doubt that the coming FEDMA code of conduct on data protection will provide added value. Only by facilitating the implementation of the new rules, we will turn them into reality. The GDPR is merely a basis on which to build up responsible data management.