Europe’s Digital Czar fires warning shot at Facebook over data collection activities

Guenther Oettinger, Europe’s digital economy chief and the German representative on the European Commission has delivered a stark warning to Google and Facebook that they must either comply with the principles of the forthcoming EU General Data Protection Regulation (GDPR) or face being thrown out of the single market.

Oettinger accused the tech giants of using “an electronic vacuum cleaner” to collect and then target advertising using detailed information of users often without their knowledge or consent.

Speaking to the Wall Street Journal, Oettinger said: “The Americans are in the lead, they’ve got the data, the business models and so the power.”

He predicted that Google and Facebook “will go to the Member States where data protection is least developed, come along with their electronic vacuum cleaner, take it to California and sell it.”

Both tech giants have significant data centres located in Ireland thanks to high-speed fibre coupled with generous tax benefits on profits for tech companies that relocate to Dublin – making this a convenient bridge-head into the European market from which to carry out such activities.

Currently, the GDPR is awaiting final agreement between the European Parliament, Council of Ministers and the European Commission and could emerge from the middle of 2015, after which all companies and organisations will have a two-year window to comply or risk significant financial penalties.

Oettinger’s warning comes in the wake of a major report commissioned by the Belgium Data Protection Authority that expressed growing concern about Facebook’s updated terms and policies.

The report will be used by the Belgian Privacy Commission in a probe launched in January 2015 over Facebook’s updated settings and terms and conditions that went live on 31 January.

“Facebook’s revised Data Use Policy is an extension of existing practices. This nevertheless raises concerns because Facebook’s data-processing capabilities have increased both horizontally and vertically,” the report authors said.

“Both are leveraged to create a vast advertising network which uses data from inside and outside Facebook to target both users and non-users of Facebook.”

The report’s authors added that Facebook puts too great a burden on users to sort through complex privacy settings.

At the same time, Facebook has increased its ability to track users elsewhere on the web and its acquisitions of Instagram and WhatsApp have allowed it to collect even more user data where there are natural synergies across all of these social platforms.

To coincide with this, Facebook is using ‘soft power’ in the propaganda war with European Regulators and its critics by running a series of TV commercials in the UK that are part of a wider campaign featuring billboards and online advertising.

The TV spots focus on how the social network helps to build friendships, using the themes ‘Girl Friends’, ‘Friend Request’ and ‘Our Friends’.

The stories are played out over instrumental versions of classic tracks including Madonna’s ‘Like a Prayer’ and each one has a British voiceover. The ads are brand-focused rather than emphasising a product, aiming to highlight how Facebook ‘creates and sustains friendships’, according to its ad agency.

A poster campaign has also been launched, located at sites such as Oxford Street underground station, showing the image of a tick and the word Friends over a picture of people enjoying each other’s company.

While this is Facebook’s first UK TV advertising push, it has already rolled out several campaigns in the US, with mixed results, the most famous being its ‘chairs are like Facebook’ spot which was widely ridiculed.

A spokesman for the network, which has 1.3bn global users, said the UK launch aimed to identify the network as a place where ‘friends go to make meaningful connections’.

Facebook remains unrepentant about the revision of its terms and conditions and maintains it’s not doing anything to cause alarm.

“We recently updated our terms and policies to make them more clear and concise, to reflect new product features and to highlight how we’re expanding people’s control over advertising,” explains Facebook spokesperson Matt Stanfield. “We’re confident the updates comply with applicable laws. As a company with international headquarters in Dublin, we routinely review product and policy updates – including this one – with our regulator, the Irish Data Protection Commissioner, who oversees our compliance with the EU Data Protection Directive as implemented under Irish law.”

Such an argument will wear thin when Facebook faces a more restrictive EU-wide data protection regime under GDPR that will impact its ability to continue such activities irrespective of where it chooses to operate from within the EU.

Thought leadership in digital marketing


Data protection rules overhaul – Top Tips for compliance

Extract: Data protection and the security of data is perhaps the biggest issue facing the advertising and marketing sector from a business continuity perspective as to get this badly wrong opens the door to punitive fines of up to five per cent of global turnover or €100m. Ardi Kolah shares his top ten tips for marketers.

Urgent Action is Required as Data Breaches hit Record Highs

Extract: According to global digital security firm Gemalto, 1,541 data breaches in 2014 led to one billion data records being compromised, representing a four per cent increase in data breaches and a 78 per cent increase in data records that were either stolen or lost compared to 2013. Ardi Kolah gets the views of one of the UK’s leading data protection and governance experts in conducting a data protection impact assessment (DPIA).

What does it take to succeed as a disruptive brand?

Seasoned music and film executive producer Helen Gammons runs the highly acclaimed MBA programme for the music and creative industries at Henley Business School.

Now in its third year, its graduates are living proof that the sector is one that’s in a constant state of re-invention and change – perhaps more than any other on the planet.

“The industry is completely different to what it used to be and this has opened the door to a much wider range of opportunities for disruptive brands,” explains Helen Gammons who can lay claim to having attracted some of the best in the industry to the MBA programme including Faber Music, Disney, Sony Music, Peermusic and ISM to name a few.

The sector is almost unrecognisable to the one Gammons joined back in the ‘70s. Today, there are fewer players, a completely different set of income streams, many new business models and an extraordinary level of influence from outside the traditional sector that is forcing the sector to manage for disruptive innovation.

On Tuesday 24 February 2015 Henley Business School throws its doors open to those who want to learn how to compete and win in the face of disruptive innovation. The one-day event Managing for Disruptive Innovation will reveal how Spotify intends to stay on course and promises to be a fascinating insight into what it takes to succeed as a disruptive brand.

Speakers are Professor George Tovstiga; Keith Jopling, Senior VP KAE; Mark Popkiewicz, CEO, Mirriad; Will Page, Chief Economist, Spotify; Simon Presswell, Music & Entertainment Entrepreneur and Ben Drury, Chief Strategy Officer at 7 Digital.

The one-day event is part of Henley’s cutting-edge ‘Creative Dynamics’ Programme and is an ideal meeting place for those looking for inspiration as well as all-important industry contacts!

To date, subjects covered by the Creative Dynamics Programme include the future of music and brand partnerships; leadership and strategy in the digital economy; building business performance through managing creativity; opportunities for using branded content and marketing with bytes.

“The music and creative industries have experienced the ‘perfect storm’ of disruptive forces including digital technology and generational changes in consumption. It’s been open season for market entrants – legal or illegal. But, disruption is transforming the entire creative industries sector, on a global scale – new platforms, business models and access to data bring constant change so it’s a case of either embrace change or die,” warns Helen Gammons.

The programme is already shaping thinking not just here in the UK but as far as South Africa and there are plans to export the know-how and expertise to entrepreneurs in China over the next few years.

According to Keith Jopling, one of the ‘Creative Dynamics’ sponsors and a speaker at the event, the success of Spotify has turned traditional thinking on music rights on its head and has opened the way for new and disruptive models to take root in established and emerging markets.

But perhaps what wasn’t predicted is that ‘old school’ brands have caught up with the challenger brands in this global market and are also a source of disruptive innovation.

“Spotify succeeded in a business with notoriously high barriers to entry and with a model that few consumers had yet to adopt. However today the ground is moving beneath its feet and those brand owners seeking to knock it off its perch include Apple, Google and Amazon.

“Since 2009, Spotify has grown to become the biggest streaming music service in the world but its planned IPO could be under threat unless it can respond to these new challenges from much bigger competitors,” reflects Keith Jopling.

Research by Henley Business School shows that challenger brands like Spotify can become incumbent in a competitive market in a relatively short space of time. They have thought differently about customer needs, rather than just replicating a previous business model and doing it a little better or more quickly. They’ve completely re-designed the market based on that customer insight and haven’t been afraid to step out of the mould of their industry.

“However, at the same time such brands can’t afford to stand still and disruptive brands like Spotify need to be agile and forward thinking in order to maintain momentum. There are as many ‘also run’ fads as there are enduring game changers – and the skill is to recognise those business models that have genuine capacity for building long-term customer value,” concludes Helen Gammons.

Why wait and see doesn’t work with Third Party Contracts

There’s currently a ‘wait and see’ attitude towards the forthcoming EU General Data Protection Regulation (GDPR), and what’s certain from all the conversations we’re having with companies is that they need clear guidance on how to prepare for the inevitable when it arrives.

However, that doesn’t mean that companies should sit on their hands and wait, according to Martin Hickley, a leading data protection and governance expert.

“Imagine you’re a company and the data controller. You know that once the GDPR is approved, you’ll have a two-year grace period in order to ensure that all data protection and security procedures comply with the principles of the EU Regulation. However, two years is a shorter period of time compared with the average length of most business contracts so the implications of the GDPR take effect not in some distant point in time but from TODAY.

“For example, all contract renewals and new contracts that entail personal data transfer or processing will need to have a clause in them that effectively says that once the new EU Regulation is passed, the third party has to supply to you within a set time frame its plans to become compliant with the GDPR.

“Furthermore, you might need to re-negotiate the third party contract based upon those plans, due to cost and liability issues.

“For example, we know there’ll be a statutory requirement to declare a data breach within a very short time frame, so the third party will need a formal process to tell you that they believe there’s a breach and this is what you have to report.

“Timescales are short because it’s a two company process. But who’s responsible if the deadline isn’t met? The answer is simple – it’s you as the data controller!

“What penalties do you accept, and what do you pass onto the third party in such circumstances? This can only be done if it’s provided for in the contracts that you are entering today that have more than a two-year shelf life.

“Imagine if a data processor has a single data breach but the data is on multiple records. The fine will not be for one breach, but multiple breaches under the GDPR,” explains Martin Hickley.

Impact of GDPR on the financial services will be “significant”

Last week I chaired a seminar jointly organised by the Worshipful Company of Marketors and the Financial Services Forum at Cass Business School on the impact of the EU General Data Protection Regulation (GDPR) on the financial services sector.

On the panel (L-R) were Martin Hickley, a data governance, protection and privacy specialist; Hazel Grant, partner and head of privacy and information law at Fieldfisher LLP; myself; Jenny Moseley, director and co-founder of Opt-4 and Chris Wood, head of business compliance in the UK for HSBC.

The journey of the GDPR to the present day has been a long and at times controversial one. In January 2012, the European Commission (EC) issued a proposal for a European-wide data protection reform.

In March 2014, a first reading of a draft bill went through the European Parliament and a second version was voted on by the Council of Ministers – in effect creating two drafts of the same Regulation with significant differences between them with the Council of Ministers declaring that nothing is agreed until everything is agreed.

To date these drafts have had more amendments than any previous body of EU regulation and given the priority to gain consent on this landmark regulation by EC President Jean-Claude Juncker, many believe that the GDPR will be agreed by all parties by the middle of 2015.

Although differences remain, the feeling among the panel was that the financial services sector can’t adopt a ‘wait and see’ approach in the vain hope it will go away. It won’t.

Data protection and the security of data is perhaps the biggest issue facing the sector from a business continuity perspective as to get this badly wrong opens the door to punitive fines of up to five percent of global turnover or €100m.

To underline how vulnerable large organisations are to becoming the victim of a data breach on a grand scale, just 30 minutes before the seminar began, both Facebook and Instagram were hacked by Lizard Squad, resulting in a ‘denial of service attack’ – denied by Facebook.

Either way, 1.6bn users of the social network couldn’t access their accounts for over half an hour. Lizard Squad and other hackers like them represent a continuing threat to the data that financial services firms hold on servers that can be infiltrated by those who are determined to carry out such attacks.

Under the new GDPR, data protection authorities (DPAs) will ‘hold hands’ and in doing so provide a so-called one-stop shop for complainants of financial services firms irrespective of where the issue took place within the EU.

The GDPR will effectively replace the former Data Protection Directive 95/46/EC as well as make the existing Data Protection Act 1998 redundant by bringing in a European-wide approach to data protection and security that moves away from the patchwork approach that exists at present. It also places equal legal responsibilities on data processors and data controllers with respect to the transfer and use of data.

A proposed ‘data protection seal’ will notify consumers that the financial services firm complies with the supervisory authority and can transfer data to third parties on a lawful basis in the hope that consumers will be reassured about the higher standards of data protection that such a firm complies with.

The obligation to report breaches – however small – will be the responsibility of the Data Protection Officer (DPO) who will work independently within a large financial services organisation and the reporting of such breaches is likely to be done within 24 hours.

Some of the concerns on the panel of data protection experts were around slippage in the timetable to introduce the GDPR and that delays had created a false sense of comfort for senior executives who may not appreciate the threat to business continuity that the GDPR actually represents.

The issue of customer consent was also widely discussed and it’s clear that many banks are re-wiring their approach from the position of protecting the customer as the paramount principle in how they manage their business.

Under the new EU Regulation, financial services firms must obtain consent and this must be freely given for a specific purpose rather than for some blanket purpose. However, there’s still some argument between lawyers as to whether implied consent is a dead duck – and some lawyers feel that implied consent in certain circumstances will still be lawful under the GDPR.

A major cause for a data breach can be identified as human error and clearly the issue of education and training will be core to the way in which this risk within financial services can be reduced.

However, there was a recognition, particularly with junior staff, that such a risk could never be 100% eradicated, leaving fines and sanctions as a real possibility under the GDPR. Typical human error includes the failure to encrypt data, a lack of privacy policies and even mis-directed communications, whether post, fax or email.

As well as fines, DPAs like to ‘name and shame’ those firms that have fallen below the standards expected of them and the reputation damage to the brand in such cases could easily outstrip the financial penalties imposed. For example, the French authorities recently forced Google to publish details on non-compliance on its home page for 48 hours. Google complained but lost its case in the courts.

Top Ten Tips for marketers

  1. Write down a set of data protection policies and procedures and ensure that these are compliant with the GDPR. Such policies and procedures should include what actions need to happen in the event of a data breach.
  2. Consider what breaches might do harm to customers/clients and pay particular attention to mitigating these risks. The most serious are either financial fraud or identity fraud, so marketing professionals should pay particular attention to passport details and other personal information stored on their servers.
  3. All companies need to invest in educating and training all employees involved in the collection and processing of data with a view to reducing the risk of human error and, as far as possible, automate as many processes as they can in order to reduce that risk further.
  4. All companies need to set very clear, fair and transparent rules for obtaining customer consent.
  5. All companies shouldn’t keep data forever – unless of course it’s to ensure that they don’t contact someone who has expressly said that they don’t want to be contacted in the future and not having such information could lead to them being contacted again by accident.
  6. All companies should have a policy for destroying out-of-date data.
  7. All companies need to recognise the risk of consumer activism where one aggrieved customer can very quickly galvanise a mass campaign against the brand on Twitter and social network sites.
  8. Marketing professionals need to integrate data protection fully into all business processes and not treat this as an add-on or side issue.
  9. Marketers should consider the GDPR as a marketing opportunity and potentially a source of competitive advantage by performing data processing tasks more efficiently and accurately.
  10. Customers should be treated as a source of business rather than a piece of data and need to be treated fairly, with respect to their rights to privacy and without cynicism.

British Government delays progress on GDPR as EU pressure mounts

Impatience with the progress of the forthcoming EU General Data Protection Regulation (GDPR) is starting to grow within the European Union.

A recent joint declaration adopted by representatives of the German, Austrian, Belgian, Croatian, French, Greek, Hungarian, Lithuanian, Luxembourg, Dutch, Portuguese, Czech, Romanian, UK, Slovakian and Swedish parliaments called on European legislators to adopt the GDPR “by 2015”.

German Green MEP Jan Philipp Albrecht, vice chairman of the civil liberties committee at the European Parliament warned this week that failure to agree on the new security and data protection rules was “bad for democracy” as this left European citizens exposed to snooping from foreign and European security services as well as companies.

With the current spate of data breaches emerging on a daily basis as well as EU President Juncker’s determination to ‘fast track’ the passage of the GDPR, Albrecht’s intervention in the on-going discussion on the timetable for GDPR is certain to highlight the divisions within Europe and in particular the British Government position.

What appears to be happening is the debate about the protection of an individual’s right to privacy has become conflated with issues of national security.

In the UK, MI5, MI6 and GCHQ want greater surveillance powers in order to stop terrorist activities of the type witnessed this week on the streets of Paris.

Understandably, the British Government has already brought in emergency legislation in order to equip the security forces with the tools to protect the public from such atrocities and indeed attempts to blow up transatlantic airliners and an attack on the London Stock Exchange had all been thwarted by electronic intercepts.

The Head of MI5 Andrew Parker has warned: “I don’t want a situation where privacy is so… sacrosanct that terrorists can confidently operate from behind those walls without fear of detection.”

No one would disagree with that assessment but the GDPR deals with the current position for citizens to feel more confident that their data is properly collected, stored, transferred and used in a way that’s consistent with the principles of natural justice and the rule of law.

The existing European rules on data protection were adopted in 1995 when the internet was still in its infancy and clearly the world is in a very different place now.

In January 2012, the European Commission (EC) published a vast legislative package aimed at replacing the existing rules and providing a higher level of protection of personal data across the European Union.

The package includes two legislative proposals: a general regulation on data protection that’s directly applicable across all 28 Member States and a directive specifically aimed at data protection in the police and the justice system to be incorporated into national laws by enabling legislation.

Both legislative proposals were voted on during the first reading at the European Parliament in March 2014, before the European Elections and the GDPR includes measures to protect EU citizens’ data and to restrict its use by businesses.

Since then, the data protection debate has taken several twists and turns, notably in 2013 when American whistle-blower Edward Snowden revealed that the US National Security Agency (NSA) had secret wide-reaching authority to snoop on emails and internet communications using a data-mining programme called PRISM.

Predictably, this led to a call from European politicians for tighter controls to protect EU citizens’ right to privacy.

However, as a matter of logic, should someone be suspected of plotting terrorist activities and pose a threat to national security, then they have effectively waived their right to the protection of privacy afforded to law-abiding citizens on the grounds of national security.

No one in their right mind would think it was wrong to intercept the communications of those terrorists who murdered French citizens and who were eventually caught and killed by the police and national security authorities in a terrifying shoot out yesterday in two different parts of Paris.

The balance of rights and responsibilities is an important one in a civilised society and matters of national security and snooping on suspected terrorists aren’t incompatible with the proposed GDPR.

But the case for reform is overwhelming and shouldn’t be unnecessarily delayed as reflected by the joint communique recently issued by EU Member States.

In the UK, an often hostile attitude towards the EU has transferred itself into a flat rejection of a unified approach to data protection across Europe. This is likely to be a point of argument in the run-up to the forthcoming General Election on 7 May 2015 where divisions between the main political parties will be exposed.

But all of this smacks of politicisation of an issue that in many respects should be above politics.

According to Albrecht, issues surrounding informed consent for the use of data, sanctions, privacy by design and red tape remain sources of friction between the European Parliament and EU Member States represented at the Council of Ministers. Albrecht has warned that failure to agree the GDPR would encourage and increase unjustified snooping of security services on citizens in Europe. The MEP is supporting efforts by Microsoft to avoid disclosing data stored by its Irish office to the US authorities.

“The US authorities shouldn’t be allowed to demand data from companies headquartered in the EU and the Commission should be supporting that position. No EU rules bind the security services and national security is the black hole of European law. That is why the introduction of the GDPR is so necessary to limit the amount of data which they can easily access,” he argues and it’s clear he too is motivated on political grounds.

The European Parliament and the European Commission (EC) want data processors to seek explicit consent from users before processing the data whereas some Member States want such consent to be “unambiguous” – a less rigorous test according to MEPs.

The EU Executive – backed by EU Member States – has proposed a maximum sanction for breach of the rules by companies of up to two percent of global turnover while MEPs wish to see this threshold lifted to five percent of global turnover or a €100m fine.

Just before Christmas 2014, the EC announced partial agreement on the setting up of a one-stop shop for citizens to be able to complain to their local supervisory authority in respect of a breach anywhere within the EU. However, not all EU Member States were in favour of such a move and this also has resulted in slowing down the passage to agreement over the GDPR.

German concerns focus on how the GDPR might erode the sovereignty of the country’s powerful regions and, alongside France, Germany is sensitive to the idea that data issues could be decided in the smaller EU Member States.

The British Government remains opposed to the notion of a GDPR and favours the idea of the EU adopting a Directive instead.

However, for global companies looking to do business across the EU, such a position will be disastrous as it would create uncertainty in how data protection laws will be interpreted and enforced across the EU, driving up rather than lowering costs – a situation that exists today.

President Juncker has already made it clear that the border-less nature of digital technologies means it doesn’t make any practical or legal sense for each EU Member State to have its own rules for telecommunication services, copyright, data protection or the management of the radio spectrum, and many within the European Parliament agree.

“If ministers want a GDPR, it will be up to the Council to deliver it. If they want to allow companies to regulate themselves, they have to beef up the rights of individuals to overcome this with stronger levels of protection,” warns Albrecht.

June 2015 remains the indicative date by which a common general position on the GDPR should be achieved by the European Parliament and Member States.

Cowboy marketers face record fines in the New Year

Current law
Under EU Privacy and Electronic Communications Regulations (PECR), organisations and companies are prohibited from transmitting or instigating the transmission of unsolicited electronic communications to consumers for the purposes of direct marketing unless the person receiving those communications has provided prior consent for the messages to be sent.

Companies also mustn’t disguise or conceal their identity in the messages or use invalid addresses where recipients of the messages would send responses to ask for the messages to stop being sent.

Marketers can send direct marketing via electronic mail to consumers if they have “obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient”, where the marketing is for “similar products and services only” and providing the recipient has a “simple means” to refuse the use of their contact details for that marketing “at the time of each subsequent communication.”

New powers to stop cowboy marketers
Cowboy marketers that send spam text messages, make nuisance calls or carry out other types of unsolicited direct electronic marketing activities face up to £500,000 in fines if their activities cause “annoyance, inconvenience or anxiety” under new plans currently being considered by the Government and supported by Ofcom, the Consumers Association and the DMA.

This latest move will give the Information Commissioner’s Office (ICO) new powers to take “robust action” against cowboy marketers that flout the PECR.

The change to the current EU Regulation will effectively lower the existing legal threshold of ‘harm’ and the ICO will now be able to issue fines if the breach is “likely to cause annoyance, inconvenience or anxiety.”

Currently, the ICO must prove that unsolicited direct electronic marketing causes consumers “substantial damage or substantial distress” and annoyance, inconvenience or anxiety isn’t sufficient in order to take action.

Now that’s set to change in early 2015. It’s evident that the current legal threshold is too high.
“The majority of rogue marketing firms make hundreds, rather than thousands, of calls and the nuisance is no less a nuisance for falling short of the ‘substantial’ threshold,” observes Information Commissioner Chris Graham.

“This change means we could now target those many companies sending unwanted messages – and we think consumers would see a definite drop off in the total number of spam calls and texts,” predicts Graham.

The current move comes as governments across the EU are under increasing pressure to protect the privacy of consumers who feel too little has been done to protect their rights as technology has made intrusive marketing techniques more widespread with few sanctions against cowboy marketers that felt able to avoid the long arm of the law.

Future of PECR?
PECR came into force on 26 May 2011 and this revision will extend its scope in 2015.

However, PECR is likely to be amended further or even repealed by the forthcoming EU General Data Protection Regulation that’s currently being considered by the European Council of Ministers and which could get European Parliament consent in the first half of 2015.

Unlocking the power of data under new EU Regulation

At a meeting of the Justice and Home Affairs, part of the EU Council of Ministers that took place on 4-5 December 2014, the forthcoming EU General Data Protection Regulation took a further step towards being adopted across all 28 EU Member States.

The meeting, attended by Chris Grayling, Lord Chancellor, and Theresa May, Home Secretary, and chaired by Andrea Orlando, Italian Minister of Justice and President of the Council, marks a tipping point in the harmonization of data protection laws across all 28 EU Member States.

At that meeting, the EU Council of Ministers gained partial consensus on two important and inter-related points with respect to data security and protection that sit at the heart of the proposed EU Regulation: a general EU framework for data protection and a ‘one-stop shop’ (OSS) mechanism that can be used by data subjects in order to arrive at a supervisory decision in trans-national data protection breaches.

Partial agreement by EU Council of Ministers

The EU Council of Ministers reached partial agreement on a general approach on specific aspects of the draft EU Regulation setting out a general EU framework for data protection.

This partial agreement on the general approach includes provisions that are crucial to the public sector (Article 1, Article 6, paragraphs (2) and (3), Article 21) as well as provisions relating to specific data processing situations as outlined in Chapter IX of the proposed EU Regulation.

In addition, the majority of the Council of Ministers agreed to the Italian Presidency proposal of a ‘one-stop shop’ (OSS) mechanism that data subjects can access in order to pursue their legal remedies in cases of important trans-national data protection breaches.

The technical architecture for dealing with data breaches and other issues under the EU Regulation will be ‘fast tracked’ in the coming months in order to get the technical aspects of this sorted out.

“One-stop shop” (OSS) to enforce regulation for major data breaches across EU 

The objective of the OSS is to arrive at a single supervisory decision in instances of trans-national data breaches and this should be fast, ensure consistent application, provide legal certainty and reduce administrative burden. Many advocates of such an approach claim that this is a good example of balancing the need for a uniform approach for data controllers while providing remedies for data subjects.

“This is an important factor in enhancing the cost-efficiency of the data protection rules for international business and thus contributing to the growth of the digital economy,” adds the communique from the EU Council of Ministers.

From a UK perspective, the Information Commissioner’s Office (ICO) is likely to be closely involved as the decision-making supervisory authority as to whether enforcement action is brought against organisations and companies that are located in the UK but that have created a data protection breach across trans-national borders.

Proposed EU Regulation is now a step closer to being finalised

The proposed EU Regulation has taken a step closer to being finalised in 2015 and partially clearing these two hurdles that were once regarded as “insurmountable” is a clear indication of the appetite for getting on with the job of getting the EU Regulation out there once and for all.

Clearly the EU Council of Ministers needs to finalize its version of the draft EU Regulation before negotiations can enter their final stage but this latest partial agreement is another example of incremental progress that’s been made in the last 12 months.

Many in Europe, including those in Germany, France and Italy, see this forthcoming EU Regulation in the wider context of protecting fundamental human rights.

On 5 November 2014, the German Federal Commissioner for Data Protection, Andrea Voßhoff, and the European Data Protection Supervisor (EDPS), Peter Hustinx, held a panel discussion on the state of play and perspectives of the forthcoming EU Regulation.

One of the panellists, Stefano Mura, Head of the Department for International Affairs at Italy’s Ministry of Justice, reiterated that the proposed EU Regulation isn’t only an EU single-market issue.

“We need the highest affordable standard of fundamental rights,” said Mura with reference to Article 8 of the EU Charter of Fundamental Rights, which provides that everyone in the EU has the right to the protection of personal data.

This was particularly reflected in the controversial judgment of the European Court of Justice in the right to be forgotten case that specifically referenced this right in concluding that an individual could have a search engine listing removed where the material it linked to was no longer relevant.

This theme was developed further by Isabelle Falque-Pierrotin, President of the CNIL, the French Data Protection Authority and also chair of the Article 29 Working Party.

Falque-Pierrotin noted that the right to be forgotten judgment had shown that some of the ideas in the forthcoming EU Regulation were already being developed through the courts and this highlighted the urgency to get the EU Regulation agreed and to demonstrate to the world that Europe had a common standard in place and the regulatory powers to back it up.

Although the participants in the debate identified a number of key outstanding issues to be resolved prior to the conclusion of the reform process, there was some optimism that such issues would be overcome and the process completed before the end of 2015.

Why this matters?

This is significant as the organiser of the debate, the European Data Protection Supervisor (EDPS), is an independent supervisory authority whose members are elected by the European Parliament and the European Council in order to protect personal information and privacy, in addition to promoting and supervising data protection in the EU’s institutions and bodies.

The role of the EDPS includes, among other things, advising on privacy legislation and policies to the European Commission, the European Parliament and the European Council and working with other data protection authorities to promote consistent data protection across Europe.

Why 2015 could be the most important year for European marketers

The forthcoming EU Regulation has been discussed and debated in extraordinary detail by the European bureaucrats, and it’s clear that public patience is wearing thin as existing data protection laws such as the Data Protection Act 1998 look increasingly out of date and no longer ‘fit for purpose’.

It’s clear that European laws have struggled to keep pace with technology changes that have impacted two fundamental rights – privacy and identity.

In the wake of the Snowden revelations, there’s increased public expectation for a uniform approach to European data protection, with calls for more sophisticated compliance tools and even stronger sanctions for those organisations and companies that transgress the new rules.

However it would be wrong for the EU Regulation to be rushed through in its final stages as consensus is required in its scope and approach in order to be effective and workable.

But that time has almost arrived.

Marketers should start NOW and follow best practice guidance given by the ICO ahead of the EU Regulation as much of the Regulation will be a codification of this guidance.

Not doing anything now is a recipe for disaster and simply creates a business continuity risk that can so easily be avoided.

The Council of Ministers is still reviewing the draft EU Regulation at a technical level and negotiations on the proposed text between the Council of Ministers and the European Parliament will only commence once the Council of Ministers is ready.

The earliest there could be agreement on the draft EU Regulation is likely to be the first six months of 2015 – and the expectation is that the revised data protection framework will be in place by mid-2017.

Advertising the benefits of marriage – India style!

Back in 1989 I joined the BBC in London and was very fortunate to have met my beautiful wife Fenella who then worked as the executive assistant to the Head of BBC World Service Training.

I often tell friends that joining the BBC was the best thing I ever did in my life and I was incredibly lucky to have found someone as wonderful as Fenella who also turned out to be a Parsi! With a small community of around 5,000 in the UK and just 80,000 globally, the odds on meeting the girl of my dreams who was also Parsi were not high, to say the least!

Years later, when I entered the PR agency world, it appeared that my impending marriage became a national news story here in the UK!

So it was with some amusement that I read this morning that Parzor Foundation, with a little help from Bombay Parsi Panchayat and the Indian Ministry of Minority Affairs, has come up with a print campaign that quite simply urges Parsis to get married and have children.

Yes, really!

OK, so there’s an issue, recognised by UNESCO, that my tiny ethnic community may not make it through to the end of this century, as to be a Parsi you need to have been born a Zoroastrian, and our faith doesn’t allow people to convert, largely for historical reasons that date back thousands of years and was a condition imposed on us by the Hindu Kings when we left Persia to escape persecution from the Romans and Muslims and settled in our adopted country India.

But I doubt running a national print campaign in India is actually the answer, is it? Falling in love and meeting the person of your dreams is actually down to luck and chance in most cases, and imploring people in my community to marry each other could look a bit naive or even desperate.

However, I do think there’s a more serious issue that needs to be addressed and it’s one of religious leadership within the Zoroastrian community coupled with the relevance of our faith in the lives of its adherents.

Like it or not, I think we are fast approaching the point where inter-marriage with others from different religious faiths is probably a more tenable solution to the current problem, although I realise there are very strong views on this issue, which often bring out the worst xenophobic tendencies among some Parsis in our community.

But our faith was never intended to be the exclusive preserve of those of the Royal Court as exemplified by Cyrus the Great and Xerxes the Great from ancient Persian times.

Parzor Foundation is a Delhi-based NGO that works towards preserving Zoroastrian heritage and Madison BMB is the creative agency behind this humour-laden effort, titled ‘Jiyo Parsi’.

The campaign attributes the dwindling numbers of the Parsi community to four main factors, namely, an increasing preference for staying single, for marrying late, and for having only one child, and, of course, to infertility.

While the campaign speaks about each of these reasons, it focuses on in-vitro fertilisation (IVF) for which the government is offering financial help to members of the Parsi community, under the Jiyo Parsi scheme.

“The Parsi community in India has gone from 114,000 people in 1941 to just 61,000 people in 2001. And more disturbingly, for every 800 deaths there are only 200 births in the community. We thought, instead of making it just about IVF, we should talk about the entire issue, about the way the entire Parsi population is on the decline,” explains Sam Balsara, managing director, Madison World and himself Parsi.

Just to put this into perspective, India’s population reached 1bn in 2001 and is likely to become 1.3bn by 2025, becoming the world’s most populous country and overtaking China.

“While doing our research,” explains Shernaz Cama, director of the UNESCO Parzor Project, “we came across some places where, hundred years ago, around 1,000 Parsis used to live. But now they are just deserted villages. The whole point of the campaign is not about marriage; instead, it’s about having more children, because that can keep the population stable.”

The irony of the situation is not lost on Balsara – a mass media campaign that’s targeted at just a handful of Parsis who’re based in different parts of the country.

The ad agency feels humour can help to lighten the message and leverage the “Parsi sense of humour” to address the problem at hand. Perhaps they should’ve employed a stand up comedian instead?

“We decided as a team to put the messaging out in a way that wouldn’t be bleak or morbid. On the contrary, we decided to go the other way and use humour as a weapon,” explains Raj Nair, chief creative officer, Madison BMB.

Other folk in ad land tend to agree with this strategy, but whether it will work in encouraging Parsis to get married and have babies only time will tell, and it would be a very brave planner who thinks there’s a correlation to be made for such outcomes that can be plotted on an Excel spreadsheet!

“I think it’s based on certain fundamental insights into the community. That’s what makes it incredibly real and effective. It’s laced with self-deprecating humour which is also the leitmotif of the brand – ‘the Parsi’. Overall, a glorious effort,” claims Swapan Seth, CEO of Equus Red Cell, a WPP-owned advertising agency in India.

But telling adults not to use condoms in order to get pregnant probably wasn’t the most intelligent aspect of the campaign, was it?

Let’s hope that the campaign helps to raise the issue so it becomes a talking point rather than being seen as a clumsy attempt to reverse the birth rate in India’s smallest ethnic minority community.

“Instant death” to prospect-driven DM is on the cards

The stark warning, delivered by market research agency fast.MAP, is contained in its Annual Marketing-GAP Tracker Report, published today.

According to the report’s authors, marketers consistently under-estimate the level of consumer concern regarding the use of contact details and the unauthorised distribution of such information to third parties.

Most consumers “don’t bother to even read the opt-out box” and the report’s authors warn that the forthcoming EU General Data Protection Regulation “could spell instant death to third-party data collection companies and an end to prospect-driven direct marketing”.

Based on the responses of two panels – 1180 consumers and 310 marketers – fast.MAP found that marketing respondents shockingly “underestimated by up to 100% all consumers’ areas of concern”.

For example, 85% of consumer respondents said they would be “concerned” or “very concerned” if their details were passed to another organisation but only 45% of marketers surveyed thought consumers might see this as a problem.

In addition, 83% of consumer respondents said they’d be worried if an organisation didn’t keep the promises it had made in its permission statement and again 45% of marketers surveyed failed to appreciate the depth of consumer feeling on this issue.

More worrying for the DM industry is that only 6% of consumers in the survey would opt in to receive marketing messages from all the companies that currently contact them, although 19% of marketers thought they’d be willing to receive offers about future products and services.

With the swing towards permission-based marketing now a reality for all companies, audience and customer segments expect to receive something in return for the use of their data, such as generous discounts, special offers and samples.

Marketers can’t now take opt-in as a default position, even where there’s an existing business relationship unless there’s something of value delivered as a result of wanting to maintain contact with the customer.

“This is the new battleground of marketing and there’ll be a huge growth in compliance and helping marketers gain consent,” predicts David Cole, managing director at fast.MAP.

He added that marketers would have to deploy skills of “analysis, copy writing and creativity to engage people on that new battleground”.

It’s clearly a training issue that the marketing industry needs to face up to in order to avoid the sanctions for breach of the forthcoming EU Regulation that could be up to 5% of global turnover or €100m in fines for the biggest offenders.