Sirius Legal - IgnitionOne Lunch & Learn

Sirius LegalData Driven Marketing and the EU: the Regulatory challenges aheadIgnitionOne: Data Driven Marketing: from collection to usage, 22 June 2015

Data Driven Marketing and the EU

Privacy means many different things


The right to privacy between individuals

EU Privacy law does not deal with this aspect of privacyNational (civil) law


The right to privacy in relationship to the government

NSAPoliceTax authoritiesSpecific rules and regulations on international and national level


Electronic processing of personal data

Electronic processingPersonal dataUsually for commercial purposesEU Data Protection Directive 95/46/ECE-privacy Directive 2002/58


New balls, please…

EU Data Protection Directive 95/46/ECE-privacy Directive 2002/58Have been around for 20 yearsPrinciples no longer fit economical and technical reality


New balls, please…

EU is working on a new set of rulesWork in progress since 2012End is not in sight…Uniform rules based on EU Regulation (as opposed to Directive)2017 - 2018


Current Privacy Law

Based on EU DirectiveTransferred into national law by each member stateRules date back to the 1990’sBased on location of company and/or serverAt the time most elaborate and progressive set of rules in the world


Current Privacy Law

“Right to privacy” >< data processingDefinition of personal data is very largeCJEU 2015: Even IP address – browser historyImpact on data collection and big data


Current Privacy Law

Straight and simple:Prior “opt-in” for all processingOr implicit opt-in if “justified reasons” for processing“Free and informed” opt-inTransfer of data to third party = additional opt-in

Cfr. Analytics tools, apps, cookies, database enrichment through mailings and actions, etc.: always opt-inCfr. also social media content


Current Privacy Law

Rightsopposition – access – correction - information

ObligationsInformation – opt-in – data security – (export)


New regulation

2016 – 2017

Regulation instead of Directive: 1 text instead of 28 texts…Work in progress since January 2012Complex procedure in EU Institutions: Commission – Parliament - CouncilLobbying


New regulation

How the EU legislative process works…

2012 Proposal European Commission (Reding)2012-2015 Parallel track in European Parliament and European Council

Proposal Parliament: 4000 amendments (“Michel” a.o.)2015 Parallel proposal Council Work in progress2016 Proposals have to be merged into one final text…


EU Proposals

Heavily influenced by consumer protection activists in EPLIBE Committee (protection of civil liberties)

Result:Consumer friendly, but unrealistic for direct marketing sector, e-commerce sector, …


EU Proposals

For all services offered in EU (also free services, also non-EU companies)Personal data = also online identifiers, “pseudonymous data”Explicit opt-inInformation obligation (icons)Right not to be submitted to profilingWarning obligations in case of data breach“Data protection by design”“Data protection officer” One stop shopSanctions: LIBE: up to 5% of yearly turnover or 100 million euro


EU Proposals

Work in progress24 June 2015: 1st “trilogue” meetingCore elements expected in Sept – Oct 2015Final text expected end of 2017 – early 2018More industry focused (?)


EU Proposals

Explicit opt-in But opt-out or implicit opt-in has been put back in if “legitimate interest”

To be expected:Lower penalties and less strict obligationsData protection officer obligation tuned downSofter rules on profiling prohibition


What should you do in the meantime?

Follow up on discussion (check our website www.siriuslegal.be)Start review vendor contracts (in view of data security obligation) Start to prepare for full update of policies, contracts, business processesPut in place data breach notification procedure(Temporary) data security officerPut in place impact assessment and/or risk analyses policyCreate compliance statements for annual business reportsTrain staff


Cookies

EU e-privacy directive 2002/58/ECBelgium: article 129 in Telecom law since Oct 2012


Cookies

Always opt-in

Except for “functional” cookies:necessary for technical reasonsnecessary for communication


Cookies

Law is vague and leaves room for interpretation

Sector is waiting for clarifications by Privacy Commission, BIPT/IBPT or FOD Economy…


Cookies

Opt-in should be:Free (i.e. possible to website visit without opt-in)Explicit (requires action by visitor)Informed (prior info)Prior to placing cookiesRevocable


2015Netherlands soften down lawFrance holds “cookie sweep”Spain imposes high penaltiesBelgium…?

Cookies

Advice Privacy Commission 4 Feb 2015 re cookies: • Continued surfing may constitute

acceptance if sufficient information on homepage (banner – no pop-up)

• surfer may always revoke consent• cookie-policy needed with information• advertisers: contract needed with owner of

website regarding re-use of data + mention in cookie-policy

• Analytics: no exemption; no major risk

Legal update in e-commerce Expert class e-commerce 27 mei 2015

Cookies

Advice Privacy Commission 13 May 2015 re tracking & tracing:

• Website owners with social media buttons(like/share/etc.): activate only if explicit consent

• Double click

Legal update in e-commerce Expert class e-commerce 27 mei 2015

Cookies

Legal update in e-commerce

Cookies

2016 - 2017Juncker commission announces reviewStreamlining with Privacy regulation Also: technical evolution (fingerprinting, etc…)Unclear what will happen in coming years…

Media & advertisement lawCopyright - trademarks - database - software - knowhowIT, Internet, e-commerce, domain namesPrivacy & cookiesTravel & consumer protectionTax & tax planning

Sirius Legal

Thank you!

www.siriuslegal.be

Bart Van [email protected]@BartVanBesien0486 626 355Linkedin.com/in/bartvanbesien

Sirius Legal

http://www.siriuslegal.be/

Sirius Legal - IgnitionOne Lunch & Learn

Law

Transcript of Sirius Legal - IgnitionOne Lunch & Learn