
Don’t call us, we’ll call you. Illegally.

While the EU General Data Protection Regulation (GDPR) requirements have yet to be finalised, 20 years of European jurisprudence is a strong indication of the direction of travel: the supervisory authorities are going to clamp down hard on organisations, and on their outsourcing providers, that violate the new minimum standards for data protection.

And if you’re in any doubt about how hard this will hit the telecoms sector, look no further than what happened to AT&T in the US earlier this week for a taste of what we can expect to see here in the EU in the wake of the GDPR.

The US Federal Communications Commission (FCC) reached a settlement under which the telecoms giant AT&T will pay close to $25m for a series of consumer data privacy violations, following an investigation that found the records of more than 280,000 customers had been illegally accessed and stolen by employees working at AT&T call centres in Mexico, Colombia and the Philippines.

To put that into context, the fine equates to roughly $90 per breached record.

The stolen customer data was used to request unlock codes for AT&T handsets, and the codes were then passed to unauthorised “third parties” dealing in stolen and “secondary market” handsets.

Such practices may have escaped detection for years, and not just within AT&T: it is highly unlikely to have been an isolated incident in the telecoms sector.

The FCC has made its investigation and the resulting fine a very public matter in order to send a warning shot to all other telecoms companies and outsourcing providers that such data breaches will be severely punished. European data protection authorities (DPAs), which are no push-over when it comes to taking action on this scale, are studying the details of the case with close interest.

“You have to recognise that the sheer amount of data that these companies store and process on a daily basis leaves them extremely vulnerable to data breaches on this type of scale,” comments Professor Bryan Foss, a leading data protection and technology expert and former IBM director.

“It’s very common for organisations the size of AT&T to outsource such activities and related services to outsourcing providers and in doing so a great deal of data protection and security is passed—and quite possibly compromised—through the supply chain to third-party service providers.

“The situation also raises interesting questions as to levels of responsibility, as well as liability with regard to data flows through supply chains, and whether adequate safeguards and privacy compliance measures exist with service partners and vendors across the spectrum of industries. The GDPR squarely places responsibility for such data breaches on the shoulders of data controllers and processors,” adds Professor Bryan Foss.

This issue also reaches well beyond the internal compliance policies that many large organisations must now examine in detail, usually as a result of a data protection impact assessment (DPIA), which should be carried out across the whole organisation rather than simply on a project basis.

“However, this still leaves many other questions unanswered such as how do organisations implement sufficient data traceability measures as well as the levels of protection from the source and entry points to potential exit points through to the end of the supply chain,” observes Professor Bryan Foss.

In its news release, the FCC announced:

“AT&T will be required to improve its privacy and data security practices by appointing a senior compliance manager who is a certified privacy professional, conducting privacy risk assessment, implementing an information security program, preparing an appropriate compliance manual and regularly training employees on the company’s privacy policies and the applicable privacy legal authorities…”

In response, AT&T sought to calm the nerves of its shareholders and investors with the following statement:

“Protecting customer privacy is critical to us. We hold ourselves and our vendors to a high standard. Unfortunately, a few of our vendors did not meet that standard and we are terminating vendor sites as appropriate. We’ve changed our policies and strengthened our operations. And we have, or are, reaching out to affected customers to provide additional information.”

Should AT&T and other telecoms providers continue to fall below the data protection standards expected of them, they can be certain of severe fines on both sides of the Atlantic.

Bring Your Own Device to Work is a “ticking time bomb” warns security expert

As many data protection, compliance, human resources and legal experts speculate about the consequences that the forthcoming EU General Data Protection Regulation (GDPR) will wreak on organisations, there is widespread confusion across the web as to whether Bring Your Own Device (BYOD) is still acceptable, or whether organisations need to undertake a data protection impact assessment (DPIA) and radically change their internal policies as a result.

“Even though the law in this area hasn’t changed today, it would be foolhardy in the extreme for organisations not to carry out a DPIA as a precautionary measure given the massive data protection and security risks that allowing BYOD currently presents,” warns data protection and compliance expert Martin Hickley.

The GDPR will replace a Europe-wide regime created by an EU directive in 1995, when the internet was still in its infancy and nothing like today’s mobile technology existed.

The dawn of the smartphone came in January 2007, when Steve Jobs brandished a piece of plastic no bigger than a KitKat and proclaimed that it “would change everything.” Eight years on, the Apple iPhone exemplifies the early twenty-first century’s defining technology.

Smartphones are now taken for granted and have opened up a new world of work in which we can work as effectively from home or the local coffee shop as from the office. Some studies have found that in developing economies every ten extra mobile phones per 100 people raise the growth rate of GDP per person by more than 1%, for example by drawing people into the banking system. WhatsApp was founded in 2009 and already handles 10bn more messages a day than the global SMS text-messaging system.

The phone is a platform, so start-ups can cheaply create an app to test an idea – and then rapidly go global if people like it.

The way in which mobile has become the centre of our connected world has changed work-life balance into work-life integration.

Mobile manufacturers have been quick to jump on this bandwagon, pushing the benefits of employees using their own devices to stay in touch with the office and be more productive.

The mood music behind this surge in working ‘the way you want, when you want’ is: why would an organisation supply every employee with a laptop or smartphone when they already have one? Wouldn’t a knowledge-based organisation be missing out on cost savings?

If every employee already owns a smartphone and tablet (maybe several devices) why are organisations still buying employees a computer and smartphone when they join the company? That equipment then needs to be maintained, upgraded and replaced. Isn’t the money better spent improving internal infrastructure such as better security and collaboration tools to enable employees to work anywhere, anytime, on their own devices?

In this way the company can then take that money and reinvest it into tools that make that mobile worker more productive.

So will this get companies off the hook, freeing them from a spiral of escalating costs in buying the latest technology and supporting it across the organisation?

As attractive as these arguments may appear, they are deeply flawed according to Martin Hickley.

“Cost savings aren’t comparable to the financial damage and reputational risk that can be incurred as a result of lost or stolen data and the security implications that a data breach entails. Data protection authorities (DPAs) are insisting that organisations must work to a much higher standard than at present and in the UK the ICO has just published guidance on this area and it makes interesting reading,” he says.

Under the existing Data Protection Act 1998, data controllers must ensure that all processing of personal data under their control remains compliant, and in the event of a data breach the data controller must be able to demonstrate that it has secured, controlled or deleted all personal data on the device concerned.

The reality is that BYOD makes this almost impossible to police, and the ICO guidance states:

“The underlying feature of BYOD is that the user owns, maintains and supports the device. This means that the data controller will have significantly less control over the device than it would have over a traditional corporately owned and provided device. The security of data is therefore a primary concern given that the data controller may have a large number and a wide range of devices to consider.”

Martin Hickley advises that companies should carry out an organisational DPIA that includes a review of the policy and procedures under which employees are permitted to use their own mobile devices for work purposes.

Specifically, data controllers MUST find out:

  • what type of data is held on BYOD used by all its employees
  • whether it is encrypted
  • where such data may be stored
  • how such data is transferred
  • what the risk is for data leakage as a result of BYOD
  • how the company can ensure that personal and business use of a BYOD device are kept separate
  • the security capabilities and vulnerabilities of every BYOD device used by employees
  • the policy for when an employee who owns a BYOD device leaves employment having had access to personal and confidential information about the company’s customers/clients
  • how to deal with the loss, theft, misuse and failure of an employee’s BYOD device
  • what support (if any) is offered by the company to help maintain a BYOD device.

“When you start to run through that list you quickly realise that BYOD isn’t a way to save money – in fact, it’s potentially a nightmare that leaves the company massively exposed.

“For example, how can such devices be partitioned where personal information like photos of the employee’s children aren’t accessed by the company’s servers? And should an employee want to take a photograph of a PC screen displaying confidential information at the office, this image will be stored on the BYOD without any control by the company over its use whatsoever.

“Data controllers might be lulled into a false sense of security by thinking that the solution is an App that’s downloaded onto an employee’s mobile device where restricted data can only be accessed through this App.

“The trouble with that as a solution is that the employee may have downloaded other Apps on the BYOD that could be much less secure and could have security vulnerabilities where the employee’s mobile device could be completely hacked without them knowing this is happening. Such a scenario is a real danger for the theft and loss of personal data for which the company remains responsible. And under GDPR, there are significantly higher financial penalties for data breaches that will outweigh the cost of supplying a mobile device to every employee in the first place – which is still the most effective solution,” concludes Martin Hickley.

Europe’s Digital Czar fires warning shot at Facebook over data collection activities


Guenther Oettinger, Europe’s digital economy chief and Germany’s representative on the European Commission, has delivered a stark warning to Google and Facebook that they must either comply with the principles of the forthcoming EU General Data Protection Regulation (GDPR) or face being thrown out of the single market.

Oettinger accused the tech giants of using “an electronic vacuum cleaner” to collect detailed information about users, often without their knowledge or consent, and then using it to target advertising.

Speaking to the Wall Street Journal, Oettinger said: “The Americans are in the lead, they’ve got the data, the business models and so the power.”

He predicted that Google and Facebook “will go to the Member States where data protection is least developed, come along with their electronic vacuum cleaner, take it to California and sell it.”

Both tech giants have significant data centres in Ireland, thanks to high-speed fibre coupled with generous tax treatment of profits for tech companies that relocate to Dublin, making it a convenient bridgehead into the European market from which to carry out such activities.

The GDPR is currently awaiting final agreement between the European Parliament, the Council of Ministers and the European Commission and could emerge by the middle of 2015, after which all companies and organisations will have a two-year window to comply or risk significant financial penalties.

Oettinger’s warning comes in the wake of a major report commissioned by the Belgian Data Protection Authority that expressed growing concern about Facebook’s updated terms and policies.

The report will be used by the Belgian Privacy Commission in a probe launched in January 2015 over Facebook’s updated settings and terms and conditions that went live on 31 January.

“Facebook’s revised Data Use Policy is an extension of existing practices. This nevertheless raises concerns because Facebook’s data-processing capabilities have increased both horizontally and vertically,” the report authors said.

“Both are leveraged to create a vast advertising network which uses data from inside and outside Facebook to target both users and non-users of Facebook.”

The report’s authors added that Facebook puts too great a burden on users to sort through complex privacy settings.

At the same time, Facebook has increased its ability to track users elsewhere on the web, and its acquisitions of Instagram and WhatsApp allow it to collect even more user data across social platforms with natural synergies between them.

To coincide with this, Facebook is using ‘soft power’ in its propaganda war with European regulators and its critics, running a series of TV commercials in the UK as part of a wider campaign that includes billboards and online advertising.

The TV spots focus on how the social network helps to build friendships, using the themes ‘Girl Friends’, ‘Friend Request’ and ‘Our Friends’.

The stories are played out over instrumental versions of classic tracks including Madonna’s ‘Like a Prayer’ and each one has a British voiceover. The ads are brand-focused rather than emphasising a product, aiming to highlight how Facebook ‘creates and sustains friendships’, according to its ad agency.

A poster campaign has also been launched, located at sites such as Oxford Street underground station, showing the image of a tick and the word Friends over a picture of people enjoying each other’s company.

While this is Facebook’s first UK TV advertising push, it has already rolled-out several campaigns in the US, with mixed results, the most famous being its ‘chairs are like Facebook’ spot which was widely ridiculed.

A spokesman for the network, which has 1.3bn global users, said the UK launch aimed to identify the network as a place where ‘friends go to make meaningful connections’.

Facebook remains unrepentant about the revision of its terms and conditions and maintains it’s not doing anything to cause alarm.

“We recently updated our terms and policies to make them more clear and concise, to reflect new product features and to highlight how we’re expanding people’s control over advertising,” explains Facebook spokesperson Matt Stanfield. “We’re confident the updates comply with applicable laws. As a company with international headquarters in Dublin, we routinely review product and policy updates, including this one, with our regulator, the Irish Data Protection Commissioner, who oversees our compliance with the EU Data Protection Directive as implemented under Irish law.”

Such an argument will wear thin once Facebook faces a more restrictive EU-wide data protection regime under the GDPR, one that will curtail such activities irrespective of where within the EU it chooses to operate from.

Thought leadership in digital marketing


Data protection rules overhaul – Top Tips for compliance

Extract: Data protection and the security of data is perhaps the biggest issue facing the advertising and marketing sector from a business continuity perspective as to get this badly wrong opens the door to punitive fines of up to five per cent of global turnover or €100m. Ardi Kolah shares his top ten tips for marketers.

Urgent Action is Required as Data Breaches hit Record Highs

Extract: According to global digital security firm Gemalto, 1,541 data breaches in 2014 led to one billion data records being compromised, representing a four per cent increase in data breaches and a 78 per cent increase in data records that were either stolen or lost compared to 2013. Ardi Kolah gets the views of one of the UK’s leading data protection and governance experts in conducting a data protection impact assessment (DPIA).

What does it take to succeed as a disruptive brand?

Seasoned music and film executive producer Helen Gammons runs the highly acclaimed MBA programme for the music and creative industries at Henley Business School.

Now in its third year, the programme’s graduates are living proof that the sector is in a constant state of re-invention and change, perhaps more than any other on the planet.

“The industry is completely different to what it used to be and this has opened the door to a much wider range of opportunities for disruptive brands,” explains Helen Gammons who can lay claim to having attracted some of the best in the industry to the MBA programme including Faber Music, Disney, Sony Music, Peermusic and ISM to name a few.

The sector is almost unrecognisable from the one Gammons joined back in the ’70s. Today there are fewer players, a completely different set of income streams, many new business models and an extraordinary level of influence from outside the traditional sector, all of which is forcing the industry to manage for disruptive innovation.

On Tuesday 24 February 2015 Henley Business School throws its doors open to those who want to learn how to compete and win in the face of disruptive innovation. The one-day event Managing for Disruptive Innovation will reveal how Spotify intends to stay on course and promises to be a fascinating insight into what it takes to succeed as a disruptive brand.

Speakers are Professor George Tovstiga; Keith Jopling, Senior VP KAE; Mark Popkiewicz, CEO, Mirriad; Will Page, Chief Economist, Spotify; Simon Presswell, Music & Entertainment Entrepreneur and Ben Drury, Chief Strategy Officer at 7 Digital.

The one-day event is part of Henley’s cutting-edge ‘Creative Dynamics’ Programme and is an ideal meeting place for those looking for inspiration as well as all-important industry contacts!

To date, subjects covered by the Creative Dynamics Programme include the future of music and brand partnerships; leadership and strategy in the digital economy; building business performance through managing creativity; opportunities for using branded content; and marketing with bytes.

“The music and creative industries have experienced the ‘perfect storm’ of disruptive forces including digital technology and generational changes in consumption. It’s been open season for market entrants – legal or illegal. But, disruption is transforming the entire creative industries sector, on a global scale – new platforms, business models and access to data bring constant change so it’s a case of either embrace change or die,” warns Helen Gammons.

The programme is already shaping thinking not just here in the UK but as far afield as South Africa, and there are plans to export the know-how and expertise to entrepreneurs in China over the next few years.

According to Keith Jopling, one of the ‘Creative Dynamics’ sponsors and a speaker at the event, the success of Spotify has turned traditional thinking on music rights on its head and has opened the way for new and disruptive models to take root in established and emerging markets.

But perhaps what wasn’t predicted is that ‘old school’ brands have caught up with the challenger brands in this global market and are also a source of disruptive innovation.

“Spotify succeeded in a business with notoriously high barriers to entry and with a model that few consumers had yet to adopt. However today the ground is moving beneath its feet and those brand owners seeking to knock it off its perch include Apple, Google and Amazon.

“Since 2009, Spotify has grown to become the biggest streaming music service in the world but its planned IPO could be under threat unless it can respond to these new challenges from much bigger competitors” reflects Keith Jopling.

Research by Henley Business School shows that challenger brands like Spotify can become incumbents in a competitive market in a relatively short space of time. They have thought differently about customer needs, rather than just replicating a previous business model and doing it a little better or more quickly. They’ve completely re-designed the market based on that customer insight and haven’t been afraid to step out of the mould of their industry.

“However, at the same time such brands can’t afford to stand still and disruptive brands like Spotify need to be agile and forward thinking in order to maintain momentum. There are as many ‘also run’ fads as there are enduring game changers – and the skill is to recognise those business models that have genuine capacity for building long-term customer value,” concludes Helen Gammons.

Why wait and see doesn’t work with Third Party Contracts

There’s currently a ‘wait and see’ attitude towards the forthcoming EU General Data Protection Regulation (GDPR), and what’s certain from all the conversations we’re having with companies is that they need clear guidance on how to prepare for the inevitable when it arrives.

However, that doesn’t mean that companies should sit on their hands and wait, according to Martin Hickley, a leading data protection and governance expert.

“Imagine you’re a company and the data controller. You know that once the GDPR is approved, you’ll have a two-year grace period in order to ensure that all data protection and security procedures comply with the principles of the EU Regulation. However, two years is a shorter period of time compared with the average length of most business contracts, so the implications of the GDPR take effect not at some distant point in time but from TODAY.

“For example, all contract renewals and new contracts that entail personal data transfer or processing will need to have a clause in them that effectively says that once the new EU Regulation is passed, the third party has to supply to you within a set time frame its plans to become compliant with the GDPR.

“Furthermore, you might need to re-negotiate the third party contract based upon those plans, due to cost and liability issues.

“For example, we know there’ll be a statutory requirement to declare a data breach within a very short time frame, so the third party will need a formal process to tell you that they believe there’s a breach and this is what you have to report.

“Timescales are short because it’s a two company process. But who’s responsible if the deadline isn’t met? The answer is simple – it’s you as the data controller!

“What penalties do you accept, and what do you pass onto the third party in such circumstances? This can only be done if it’s provided for in the contracts that you are entering today that have more than a two-year shelf life.

“Imagine if a data processor has a single data breach but the data is on multiple records. The fine will not be for one breach, but multiple breaches under the GDPR,” explains Martin Hickley.

Impact of GDPR on the financial services will be “significant”

Last week I chaired a seminar jointly organised by the Worshipful Company of Marketors and the Financial Services Forum at Cass Business School on the impact of the EU General Data Protection Regulation (GDPR) on the financial services sector.

On the panel (L-R) were Martin Hickley, a data governance, protection and privacy specialist; Hazel Grant, partner and head of privacy and information law at Fieldfisher LLP; myself; Jenny Moseley, director and co-founder of Opt-4; and Chris Wood, head of business compliance in the UK for HSBC.

The journey of the GDPR to the present day has been a long and at times controversial one. In January 2012, the European Commission (EC) issued a proposal for a European-wide data protection reform.

In March 2014, a first reading of a draft bill went through the European Parliament and a second version was voted on by the Council of Ministers – in effect creating two drafts of the same Regulation with significant differences between them with the Council of Ministers declaring that nothing is agreed until everything is agreed.

To date these drafts have attracted more amendments than any previous body of EU regulation, and given the priority that EC President Jean-Claude Juncker has placed on agreeing this landmark regulation, many believe the GDPR will be agreed by all parties by the middle of 2015.

Although differences remain, the feeling among the panel was that the financial services sector can’t adopt a ‘wait and see’ approach in the vain hope it will go away. It won’t.

Data protection and the security of data is perhaps the biggest issue facing the sector from a business continuity perspective as to get this badly wrong opens the door to punitive fines of up to five percent of global turnover or €100m.

To underline how vulnerable large organisations are to a data breach on a grand scale, just 30 minutes before the seminar began both Facebook and Instagram went offline; Lizard Squad claimed to have taken them down with a denial of service attack, a claim Facebook denied.

Either way, users of the social network couldn’t access their accounts for over half an hour. Lizard Squad and other groups like them represent a continuing threat to the data that financial services firms hold on servers that can be infiltrated by those determined to carry out such attacks.

Under the new GDPR, data protection authorities (DPAs) will ‘hold hands’, providing a so-called one-stop shop for complainants against financial services firms irrespective of where within the EU the issue arose.

The GDPR will effectively replace the former Data Protection Directive 95/46/EC, and make the existing Data Protection Act 1998 redundant, by bringing in a Europe-wide approach to data protection and security that moves away from the patchwork that exists at present. It also places data processors and data controllers under equal legal responsibilities with respect to the transfer and use of data.

A proposed ‘data protection seal’ will signal to consumers that a financial services firm complies with the requirements of the supervisory authority and can lawfully transfer data to third parties, in the hope that consumers will be reassured by the higher standards of data protection such a firm adheres to.

The obligation to report breaches – however small – will be the responsibility of the Data Protection Officer (DPO) who will work independently within a large financial services organisation and the reporting of such breaches is likely to be done within 24 hours.

Some of the concerns among the panel of data protection experts were around slippage in the timetable to introduce the GDPR, and that the delays had created a false sense of comfort for senior executives who may not appreciate the threat to business continuity that the GDPR actually represents.

The issue of customer consent was also widely discussed and it’s clear that many banks are re-wiring their approach from the position of protecting the customer as the paramount principle in how they manage their business.

Under the new EU Regulation, financial services firms must obtain consent and this must be freely given for a specific purpose rather than for some blanket purpose. However, there’s still some argument between lawyers as to whether implied consent is a dead duck – and some lawyers feel that implied consent in certain circumstances will still be lawful under the GDPR.

Human error is a major cause of data breaches, so education and training will clearly be core to reducing this risk within financial services.

However, there was a recognition, particularly with junior staff, that such a risk can never be 100% eradicated, leaving fines and sanctions under the GDPR a real possibility. Typical human errors include the failure to encrypt data, a lack of privacy policies and even mis-directed communications, whether by post, fax or email.

As well as fines, DPAs like to ‘name and shame’ those firms that have fallen below the standards expected of them and the reputation damage to the brand in such cases could easily outstrip the financial penalties imposed. For example, the French authorities recently forced Google to publish details on non-compliance on its home page for 48 hours. Google complained but lost its case in the courts.

Top Ten Tips for marketers

  1. Write down a set of data protection policies and procedures and ensure that these are compliant with the GDPR. Such policies and procedures should include what actions need to happen in the event of a data breach.
  2. Consider what breaches might do harm to customers/clients and pay particular attention to mitigating these risks. The most serious are either financial fraud or identity fraud, so marketing professionals should pay particular attention to passport details and other personal information stored on their servers.
  3. All companies need to invest in educating and training every employee involved in the collection and processing of data, and should automate as many processes as possible, both with a view to reducing the risk of human error.
  4. All companies need to set very clear, fair and transparent rules for obtaining customer consent.
  5. All companies shouldn’t keep data forever – unless of course it’s to ensure that they don’t contact someone who has expressly said that they don’t want to be contacted in the future and not having such information could lead to them being contacted again by accident.
  6. All companies should have a policy for destroying out-of-date data.
  7. All companies need to recognise the risk of consumer activism where one aggrieved customer can very quickly galvanise a mass campaign against the brand on Twitter and social network sites.
  8. Marketing professionals need to integrate data protection fully into all business processes and not treat this as an add-on or side issue.
  9. Marketers should consider the GDPR as a marketing opportunity and potentially a source of competitive advantage by performing data processing tasks more efficiently and accurately.
  10. Customers should be treated as a source of business rather than a piece of data and need to be treated fairly, with respect to their rights to privacy and without cynicism.

British Government delays progress on GDPR as EU pressure mounts

Impatience with the progress of the forthcoming EU General Data Protection Regulation (GDPR) is starting to grow within the European Union.

A recent joint declaration adopted by representatives of the German, Austrian, Belgian, Croatian, French, Greek, Hungarian, Lithuanian, Luxembourg, Dutch, Portuguese, Czech, Romanian, UK, Slovakian and Swedish parliaments called on European legislators to adopt the GDPR “by 2015”.

German Green MEP Jan Philipp Albrecht, vice chairman of the civil liberties committee at the European Parliament warned this week that failure to agree on the new security and data protection rules was “bad for democracy” as this left European citizens exposed to snooping from foreign and European security services as well as companies.

Data breaches are emerging on an almost daily basis and European Commission President Juncker is determined to ‘fast track’ the passage of the GDPR. Against that background, Albrecht’s intervention in the on-going discussion on the timetable is certain to highlight the divisions within Europe, and in particular the British Government’s position.

What appears to be happening is the debate about the protection of an individual’s right to privacy has become conflated with issues of national security.

In the UK, MI5, MI6 and GCHQ want greater surveillance powers in order to stop terrorist activities of the type witnessed this week on the streets of Paris.

Understandably, the British Government has already brought in emergency legislation to equip the security services with the tools to protect the public from such atrocities; attempts to blow up transatlantic airliners and an attack on the London Stock Exchange were all thwarted by electronic intercepts.

The Head of MI5 Andrew Parker has warned: “I don’t want a situation where privacy is so… sacrosanct that terrorists can confidently operate from behind those walls without fear of detection.”

No one would disagree with that assessment, but the GDPR addresses a different question: giving citizens confidence that their data is collected, stored, transferred and used in a way that’s consistent with the principles of natural justice and the rule of law.

The existing European rules on data protection were adopted in 1995 when the internet was still in its infancy and clearly the world is in a very different place now.

In January 2012, the European Commission (EC) published a vast legislative package aimed at replacing the existing rules and providing a higher level of protection of personal data across the European Union.

The package includes two legislative proposals: a general regulation on data protection that’s directly applicable across all 28 Member States and a directive specifically aimed at data protection in the police and the justice system to be incorporated into national laws by enabling legislation.

Both legislative proposals were voted on at first reading in the European Parliament in March 2014, before the European Elections. The GDPR includes measures to protect EU citizens’ data and to restrict its use by businesses.

Since then, the data protection debate has taken several twists and turns, notably in 2013 when American whistle-blower Edward Snowden revealed that the US National Security Agency (NSA) had secret wide-reaching authority to snoop on emails and internet communications using a data-mining programme called PRISM.

Predictably, this led to a call from European politicians for tighter controls on the way in which EU citizens have a right to their privacy being protected.

However, as a matter of logic, should someone be suspected of plotting terrorist activities and of posing a threat to national security, then they have effectively waived the protection of privacy afforded to law-abiding citizens, on the grounds of national security.

No one in their right mind would think it was wrong to intercept the communications of those terrorists who murdered French citizens and who were eventually caught and killed by the police and national security authorities in a terrifying shoot out yesterday in two different parts of Paris.

The balance of rights and responsibilities is an important one in a civilised society and matters of national security and snooping on suspected terrorists aren’t incompatible with the proposed GDPR.

But the case for reform is overwhelming and shouldn’t be unnecessarily delayed as reflected by the joint communique recently issued by EU Member States.

In the UK, an often hostile attitude towards the EU has transferred itself into a flat rejection of a unified approach to data protection across Europe. This is likely to be a point of argument in the run-up to the forthcoming General Election on 7 May 2015 where divisions between the main political parties will be exposed.

But all of this smacks of politicisation of an issue that in many respects should be above politics.

According to Albrecht, issues surrounding informed consent for the use of data, sanctions, privacy by design and red tape remain sources of friction between the European Parliament and EU Member States represented at the Council of Ministers. Albrecht has warned that failure to agree the GDPR would encourage and increase unjustified snooping of security services on citizens in Europe. The MEP is supporting efforts by Microsoft to avoid disclosing data stored by its Irish office to the US authorities.

“The US authorities shouldn’t be allowed to demand data from companies headquartered in the EU and the Commission should be supporting that position. No EU rules bind the security services and national security is the black hole of European law. That is why the introduction of the GDPR is so necessary to limit the amount of data which they can easily access,” he argues and it’s clear he too is motivated on political grounds.

The European Parliament and the European Commission (EC) want data processors to seek explicit consent from users before processing the data whereas some Member States want such consent to be “unambiguous” – a less rigorous test according to MEPs.

The EU Executive – backed by EU Member States – has proposed a maximum sanction for breach of the rules by companies of up to two percent of global turnover, while MEPs wish to see this threshold lifted to five percent of global turnover or a €100m fine, whichever is greater.

Just before Christmas 2014, the EC announced partial agreement on the setting up of a one-stop shop for citizens to be able to complain to their local supervisory authority in respect of a breach anywhere within the EU. However, not all EU Member States were in favour of such a move and this also has resulted in slowing down the passage to agreement over the GDPR.

German concerns focus on how the GDPR might erode the sovereignty of the country’s powerful regions (the Länder), and, alongside France, Germany is sensitive to the idea that data issues could be decided in the smaller EU Member States.

The British Government remains opposed to the notion of a GDPR and instead favours the idea of the EU adopting a Directive instead.

However, for global companies looking to do business across the EU, such a position would be disastrous: a Directive is transposed separately by each Member State, which would perpetuate the uncertainty in how data protection laws are interpreted and enforced across the EU, driving up rather than lowering costs – the situation that exists today.

President Juncker has already made it clear that, given the border-less nature of digital technologies, it doesn’t make any practical or legal sense for each EU Member State to have its own rules for telecommunication services, copyright, data protection or the management of the radio spectrum, and many within the European Parliament agree.

“If ministers want a GDPR, it will be up to the Council to deliver it. If they want to allow companies to regulate themselves, they have to beef up the rights of individuals to overcome this with stronger levels of protection,” warns Albrecht.

June 2015 remains the indicative date by which a common general position on the GDPR should be achieved by the European Parliament and Member States.

Cowboy marketers face record fines in the New Year

Current law
Under the UK Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which implement the EU e-Privacy Directive, organisations and companies are prohibited from transmitting or instigating the transmission of unsolicited electronic communications to consumers for the purposes of direct marketing unless the person receiving those communications has provided prior consent for the messages to be sent.

Companies also mustn’t disguise or conceal their identity in the messages or use invalid addresses where recipients of the messages would send responses to ask for the messages to stop being sent.

Marketers can send direct marketing via electronic mail to consumers if they have “obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient”, where the marketing is for “similar products and services only” and providing the recipient has a “simple means” to refuse the use of their contact details for that marketing “at the time of each subsequent communication.”

New powers to stop cowboy marketers
Cowboy marketers that send spam text messages, make nuisance calls or carry out other types of unsolicited direct electronic marketing activities face up to £500,000 in fines if their activities cause “annoyance, inconvenience or anxiety” under new plans currently being considered by the Government and supported by Ofcom, the Consumers Association and the DMA.

This latest move will give the Information Commissioner’s Office (ICO) new powers to take “robust action” against cowboy marketers that flout the PECR.

The change to the Regulations will effectively lower the existing legal threshold of ‘harm’, and the ICO will then be able to issue fines if the breach is “likely to cause annoyance, inconvenience or anxiety.”

Currently, the ICO must prove that unsolicited direct electronic marketing causes consumers “substantial damage or substantial distress” and annoyance, inconvenience or anxiety isn’t sufficient in order to take action.

Now that’s set to change in early 2015. It’s evident that the current legal threshold is too high.
“The majority of rogue marketing firms make hundreds, rather than thousands, of calls and the nuisance is no less a nuisance for falling short of the ‘substantial’ threshold,” observes Information Commissioner Chris Graham.

“This change means we could now target those many companies sending unwanted messages – and we think consumers would see a definite drop off in the total number of spam calls and texts,” predicts Graham.

The current move comes as governments across the EU are under increasing pressure to protect the privacy of consumers, who feel too little has been done to protect their rights. Technology has made intrusive marketing techniques more widespread, with few sanctions against cowboy marketers who felt able to avoid the long arm of the law.

Future of PECR?
PECR in its current, amended form came into force on 26 May 2011 (the original 2003 Regulations date from December 2003), and this revision will extend its scope in 2015.

However, PECR is likely to be amended further or even repealed by the forthcoming EU General Data Protection Regulation that’s currently being considered by the European Council of Ministers and which could get European Parliament consent in the first half of 2015.

Unlocking the power of data under new EU Regulation

At a meeting of the Justice and Home Affairs Council, part of the EU Council of Ministers, that took place on 4-5 December 2014, the forthcoming EU General Data Protection Regulation took a further step towards being adopted across all 28 EU Member States.

The meeting, attended by Chris Grayling, Lord Chancellor, and Theresa May, Home Secretary, and chaired by Andrea Orlando, Italian Minister of Justice and President of the Council, marks a tipping point in the harmonisation of data protection laws across all 28 EU Member States.

At that meeting, the EU Council of Ministers reached partial consensus on two important and inter-related points with respect to data security and protection that sit at the heart of the proposed EU Regulation: a general EU framework for data protection and a ‘one-stop shop’ (OSS) mechanism that data subjects can use to obtain a single supervisory decision in trans-national data protection breaches.

Partial agreement by EU Council of Ministers

The EU Council of Ministers reached partial agreement on a general approach on specific aspects of the draft EU Regulation setting out a general EU framework for data protection.

This partial agreement on the general approach includes provisions that are crucial to the public sector (Article 1, Article 6, paragraphs (2) and (3), Article 21) as well as provisions relating to specific data processing situations as outlined in Chapter IX of the proposed EU Regulation.

In addition, the majority of the Council of Ministers agreed to the Italian Presidency proposal of a ‘one-stop shop’ (OSS) mechanism that data subjects can access in order to pursue their legal remedies in cases of important trans-national data protection breaches.

The remaining technical work on the text, including how data breaches and other issues will be handled under the EU Regulation, will be ‘fast tracked’ in the coming months.

“One-stop shop” (OSS) to enforce regulation for major data breaches across EU 

The objective of the OSS is to arrive at a single supervisory decision in instances of trans-national data breaches and this should be fast, ensure consistent application, provide legal certainty and reduce administrative burden. Many advocates of such an approach claim that this is a good example of balancing the need for a uniform approach for data controllers while providing remedies for data subjects.

“This is an important factor in enhancing the cost-efficiency of the data protection rules for international business and thus contributing to the growth of the digital economy,” adds the communique from the EU Council of Ministers.

From a UK perspective, the Information Commissioner’s Office (ICO) is likely to be closely involved as the decision-making supervisory authority as to whether enforcement action is brought against organisations and companies that are located in the UK but that have created a data protection breach across trans-national borders.

Proposed EU Regulation is now a step closer to being finalised

The proposed EU Regulation has taken a step closer to being finalised in 2015 and partially clearing these two hurdles that were once regarded as “insurmountable” is a clear indication of the appetite for getting on with the job of getting the EU Regulation out there once and for all.

Clearly the EU Council of Ministers needs to finalize its version of the draft EU Regulation before negotiations can enter their final stage but this latest partial agreement is another example of incremental progress that’s been made in the last 12 months.

Many in Europe, including those in Germany, France and Italy, see this forthcoming EU Regulation in the wider context of protecting fundamental human rights.

On 5 November 2014, Andrea Voßhoff, the German Federal Commissioner for Data Protection and Freedom of Information, and the European Data Protection Supervisor (EDPS) Peter Hustinx held a panel discussion on the state of play and prospects of the forthcoming EU Regulation.

One of the panellists, Stefano Mura, Head of the Department for International Affairs at Italy’s Ministry of Justice, reiterated that the proposed EU Regulation isn’t only an EU single-market issue.

“We need the highest affordable standard of fundamental rights,” said Mura with reference to Article 8 of the EU Charter of Fundamental Rights, which provides that everyone in the EU has the right to the protection of personal data.

This was particularly reflected in the controversial judgment of the European Court of Justice in the right to be forgotten case that specifically referenced this right in concluding that an individual could have a search engine listing removed where the material it linked to was no longer relevant.

This theme was developed further by Isabelle Falque-Pierrotin, President of the CNIL, the French Data Protection Authority and also chair of the Article 29 Working Party.

Falque-Pierrotin noted that the right to be forgotten judgment had shown that some of the ideas in the forthcoming EU Regulation were already being developed through the courts and this highlighted the urgency to get the EU Regulation agreed and to demonstrate to the world that Europe had a common standard in place and the regulatory powers to back it up.

Although the participants in the debate identified a number of key outstanding issues to be resolved before the reform process concludes, there was some optimism that such issues would be overcome and the process completed before the end of 2015.

Why this matters

This is significant because the organiser of the debate, the European Data Protection Supervisor (EDPS), is an independent supervisory authority whose members are appointed by the European Parliament and the Council in order to protect personal information and privacy, in addition to promoting and supervising data protection in the EU’s institutions and bodies.

The role of the EDPS includes, among other things, advising on privacy legislation and policies to the European Commission, the European Parliament and the European Council and working with other data protection authorities to promote consistent data protection across Europe.

Why 2015 could be the most important year for European marketers

The forthcoming EU Regulation has been discussed and debated in extraordinary detail by European bureaucrats, and it’s clear that public patience is wearing thin as existing data protection laws such as the Data Protection Act 1998 look increasingly out of date and no longer ‘fit for purpose’.

It’s clear that European laws have struggled to keep pace with technology changes that have impacted two fundamental rights – privacy and identity.

In the wake of the Snowden revelations, there’s increased public expectation for a uniform approach to European data protection, with calls for more sophisticated compliance tools and even stronger sanctions for those organisations and companies that transgress the new rules.

However it would be wrong for the EU Regulation to be rushed through in its final stages as consensus is required in its scope and approach in order to be effective and workable.

But that time has almost arrived.

Marketers should start NOW and follow best practice guidance given by the ICO ahead of the EU Regulation as much of the Regulation will be a codification of this guidance.

Not doing anything now is a recipe for disaster and simply creates a business continuity risk that can so easily be avoided.

The Council of Ministers is still reviewing the draft EU Regulation at a technical level and negotiations on the proposed text between the Council of Ministers and the European Parliament will only commence once the Council of Ministers is ready.

The earliest there could be agreement on the draft EU Regulation is likely to be the first six months of 2015 – and the expectation is that the revised data protection framework will be in place by mid-2017.