GDPR: The future of marketing and commercialisation of data. Alexander Brown & Matt Dyer, Simmons & Simmons

Transcription

1 GDPR: The future of marketing and commercialisation of data Alexander Brown & Matt Dyer, Simmons & Simmons 18 May 2017

2 Fair and lawful processing Consents and notices

3 Fair and lawful processing Personal data must be processed fairly and lawfully that means: having a legal basis for processing telling individuals what is being done with their data The legal basis often used for processing ordinary personal data: consent performance of a contract with the individual compliance with an EU/member state legal obligation legitimate interests (unless overridden by rights and freedoms of individual) Certain information must be provided to individuals about how their personal data will be processed 2 / B_LIVE_EMEA1: v1

4 Consent under the GDPR Consent must be freely given, specific, informed and unambiguous Freely given : not freely given if no genuine or free choice or if unable to refuse or withdraw consent without detriment where appropriate, obtain granular consents to different types of processing the provision of a service / performance of a contract should not be conditional on a consent that is not necessary for the provision or performance to take place not valid if a significant imbalance of power between the parties makes it unlikely that consent was freely given Unambigious : any clear affirmative act is sufficient (e.g ticking box on website, choosing technical settings when using e-commerce) opt-out consent not valid in case of sensitive data, the consent must be explicit 3 / B_LIVE_EMEA1: v1

5 Consent under the GDPR Specific and informed : the data controller s identity must be provided must relate to clearly defined, specific purposes and processing activities the individual must have been told exactly what they are consenting to if the consent is vague, sweeping or difficult to understand then it will be invalid Presentation of consent requests where given in writing, consent must be clearly distinguishable from the other matters that the individual is being asked to agree to must be prominent, concise, easy to understand and separate from other information if obtained electronically, it should not be unnecessarily disruptive to the use of the service If you would still process the personal data without consent, asking for it is misleading and unfair. 4 / B_LIVE_EMEA1: v1

6 Consent under the GDPR In relation to e-commerce, children under 16 years (or lower, to a minimum of 13 years, if provided for by a Member State) will require parental consent. Evidencing consent burden of proof rests with the data controller obligation to retain records of consents Right to withdraw consent at any time: obligation to inform individuals prior to obtaining their consent must be as easy to withdraw consent as to give it Existing consents existing consents remain valid, but only if they meet the GDPR s requirements ICO expects non-compliant consents to be repapered 5 / B_LIVE_EMEA1: v1

7 Consents Practical Challenges Is consent required/the right justification? Will positive opt-in decimate marketing bases? How much choice do we have to give people? Can we incentivise people to consent? Do we have to re-paper existing customer consents? Can we still buy-in marketing lists? Can customers still use data as their currency? 6 / B_LIVE_EMEA1: v1

8 Fair and lawful processing: privacy notices More information must be provided to data subjects: data controller s identity and contact details (including details of DPO, if applicable) purposes and legal basis for processing (and if that basis is legitimate interests a description of what those legitimate interests are) source of data (if not obtained from the data subject) recipients or categories of recipients to whom the data will be disclosed any intention to transfer personal data outside the EEA and information about the level of protection that will be afforded to the transferred data retention periods for the data (or the criteria to determine it) existence of the data subject s rights information about any automated-decision making, including profiling, undertaken based on the personal data, including the logic involved and its effects right to lodge a complaint with the national data protection authority Simmons & Simmons LLP Simmons & Simmons is an international legal practice carried on by Simmons & Simmons LLP and its affiliated partnerships and other entities. 7 /

9 Fair and lawful processing: privacy notices Must be communicated: in a concise, transparent, intelligible and easily accessible form using clear and plain language (particularly if addressed to a child). Timing of communication: at the time the data is obtained; or where the data is not collected directly from the data subject: within a reasonable time of the data being obtained (and within no more than one month); or if earlier, at the time of the first communication with the data subject or first transfer to a third party. Delivery of communication: if the use of personal data will go beyond what an individual would reasonably expect, privacy information should actively be provided (rather than made available ) Simmons & Simmons LLP Simmons & Simmons is an international legal practice carried on by Simmons & Simmons LLP and its affiliated partnerships and other entities. 8 /

10 Privacy Notices Practical Challenges How can all this information be provided in an accessible manner? Just how much detail? all third parties? detail on retention periods? all legal bases for all processing? How does this work on mobile? What if I am not an obvious part of the value/service chain? What if I got the data from a third party? Simmons & Simmons LLP Simmons & Simmons is an international legal practice carried on by Simmons & Simmons LLP and its affiliated partnerships and other entities. 9 /

11 Profiling

12 Profiling Profiling : automated processing using personal data to evaluate certain personal aspects relating to an individual in particular to analyse or predict aspects concerning an individual s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements ICO s interpretation: gathering information about an individual or group of individuals and analysing their characteristics or behaviour patterns in order to place them into a certain category or group, and/or to make predictions or assessments about their: ability to perform a task; interests; or likely behaviour. Includes the act of creating a profile, as well as automated decision-making using profiling. 11 /

13 Profiling Must use appropriate mathematical or statistical procedures and implement technical and organisational measures to correct personal data inaccuracies, avoid errors and minimise the risk of discrimination on the basis of sensitive personal data. Profiling cannot be based on sensitive personal data unless: explicit consent (except where prohibited by law); or necessary for reasons of substantial public interest (on the basis of EU / member state law); Compliance with the data protection principles in relation to data collected / profiles created: data minimisation accuracy processing for no longer than necessary 12 /

14 Profiling Cannot make decisions based solely on automated processing which produce legal effects / significantly affect an individual, unless: necessary for entering into, or performance of, a contract; authorised by EU/member state law; or based on explicit consent. Where automated processing produces legal effects / significantly affect an individual: a privacy impact assessment must be carried out right to request human intervention and to contest the decision (where profiling is based on performance of contract or explicit consent) where the decision is based on sensitive personal data, suitable measures must be taken to safeguard the individual s rights, freedoms and legitimate interests 13 /

15 Profiling Information requirement: existence of any automated-decision making, including profiling, undertaken based on the personal data, including: meaningful information about the logic involved ; and the significance and envisaged consequences. Right to object (where based on legitimate interests or public interest) exception where compelling legitimate grounds which override the interests, rights and freedoms of the individual (unless related to direct marketing) right must be explicitly brought to the attention of the data subject and presented clearly and separately from any other information 14 /

16 Profiling Practical Challenges How does this sit with the increasing personalisation of services and marketing? Is personalised digital advertising profiling? Does this block big data analytics opportunities? If individuals have to consent will they? 15 /

17 e-privacy Regulation

18 e-privacy Regulation Regulation on Privacy and Electronic Communications alignment with GDPR (including as to consent and regulatory fines) proposed to take effect from 25 May 2018 Expanded scope application to Over The Top communications providers extra-territorial effect Wi-Fi hotspots: collection of data emitted by an end-user s device to enable it to connect to another device or network equipment only permitted if: for purpose of establishing a connection; or a clear and prominent notice is provided to the end-user (including the fair processing information required under the GDPR) together with information about how the user can stop or minimise the collection 17 / B_LIVE_EMEA1: v1

19 e-privacy Regulation Use of cookies focus on software allowing electronic communications to take place (e.g. internet browsers), rather than websites, providing means to obtain consent developers of internet browsers and similar software must inform the end-user during the initial set-up of the software about the privacy settings available and require them to select an option settings must include the option to reject third party cookies consent not required for first-party web audience measuring or where necessary for the purpose of enabling use of a service requested by the end user Metadata can only be used: to meet quality of service requirements; for the purposes of billing, calculating interconnection payments, preventing and/or detecting fraudulent or abusive use; or when the end-user has given their consent, provided that the intended purpose cannot be fulfilled using anonymised data. 18 / B_LIVE_EMEA1: v1

20 e-privacy Regulation Use of cookies focus on software allowing electronic communications to take place (e.g. internet browsers), rather than websites, providing means to obtain consent developers of internet browsers and similar software must inform the end-user during the initial set-up of the software about the privacy settings available and require them to select an option settings must include the option to reject third party cookies consent not required for first-party web audience measuring or where necessary for the purpose of enabling use of a service requested by the end user Marketing the rules stay largely the same application to a broader range of electronic communications (e.g. in-app notifications and instant messaging) direct marketing telephone calls must display calling line identification or present a specific code indicating that the call is a marketing call 19 / B_LIVE_EMEA1: v1

21 Key Contacts Alexander Brown Partner T E alexander.brown@simmons-simmons.com Matt Dyer Associate T E matt.dyer@simmons-simmons.com Follow us on 20 / B_LIVE_EMEA1: v1

22 GDPR: The future of marketing and commercialisation of data simmons-simmons.com This document is for general guidance only. It does not contain definitive advice. SIMMONS & SIMMONS and S&S are registered trade marks of Simmons & Simmons LLP. Simmons & Simmons is an international legal practice carried on by Simmons & Simmons LLP and its affiliated practices. Accordingly, references to Simmons & Simmons mean Simmons & Simmons LLP and the other partnerships and other entities or practices authorised to use the name Simmons & Simmons or one or more of those practices as the context requires. The word partner refers to a member of Simmons & Simmons LLP or an employee or consultant with equivalent standing and qualifications or to an individual with equivalent status in one of Simmons & Simmons LLP s affiliated practices. For further information on the international entities and practices, refer to simmonssimmons.com/legalresp. Simmons & Simmons LLP is a limited liability partnership registered in England & Wales with number OC and with its registered office at CityPoint, One Ropemaker Street, London EC2Y 9SS. It is authorised and regulated by the Solicitors Regulation Authority. A list of members and other partners together with their professional qualifications is available for inspection at the above address. 21 / B_LIVE_EMEA1: v1

23 elexica resources relevant to this session Our dedicated GDPR microsite provides a guide to the key changes introduced by GDPR as well as tools to help you prepare for the implementation of the new rules Visit the Events page for forthcoming seminars and training days and the Training page for video recordings, podcasts and slides Request a demo Contact elexica@simmons-simmons.com or speak to your usual Simmons contact to find out more. 22 / B_LIVE_EMEA1: v1