Trends in data protection for direct marketing

Have data protection authorities begun the great fightback against business? Perhaps they have been tasked with bringing in some much-needed cash to national coffers, because fines have become the next big trend in data protection and should seriously concern marketers in all sizes of business.

Some recent marketing-related fines have included:

  • Amazon – €746m for compiling data on customers
  • WhatsApp – €225m for failing to provide information in clear and plain language
  • Austria Post – €9.5m for failing to allow subject access requests by email
  • Grindr – €6.3m for sharing location services without consent because it was special category data on sexual orientation
  • Sky Italia – €3.3m for unwanted phone calls

Overall, there’s been a 113% increase in GDPR fines between July 2020 to July 2021, with 709 in total compared to 332 in the year before. Penalties for violations have more than doubled as well, from €130.69 million up to July 2020 to €293.96 million up to July 2021. 

One interesting case which should be of serious concern to any marketers or those undertaking market research was an action against the agricultural conglomerate Monsanto. They were fined €400,000 for maintaining a dossier of lobbyists, journalists and environmental activists. This was based on publicly available information. They stored the individual’s contact details, their employment records, as well as assigning a score to each person to assess their influence, their credibility and their opinions on matters like pesticides or GM crops.

What’s interesting about this fine is that they used it to form an opinion about the individual and were essentially tracking them in an ongoing fashion without informing them. That was the breach of GDPR. So as a marketer if you are collecting information, even publicly available data about others, make sure you do it in a GDPR compliant way.

What language do GDPR policies have to be in?

Also be mindful of the language you are using to communicate terms and conditions to people. TikTok received a fine of €750,000 from the data authority in The Netherlands because it failed to provide its terms and conditions in Dutch. Make sure your privacy policies and the small print is available in national languages. 

Also your internal policies need to be looked at. If you are running a marketing team, how are you monitoring and tracking them? This is particularly relevant when so many of us are still working from home or are hybrid working. There was a €35.3 million fine against H&M because when an employee came back from a period of absence, they forced them to have a return to work conversation that was recorded, plus they were making notes of their employees religion and political opinion.

How to collect home working data in a GDPR compliant way?

Regarding hybrid working, understanding what information you are collecting on employees, how and why and for what purpose, is very important. For instance, you might be collecting data on employee’s working practices, are they at home or at the office, have they been vaccinated, what equipment have they taken home, even how are they feeling and have they taken time off. That’s all potentially legitimate information, but you need to have done the proper assessments to show that it’s reasonable to collect, that it’s for a legitimate purpose, and that it’s limited and protected.

And remember that Covid-19 vaccination data is special category data under GDPR because it relates to health. That doesn’t mean it can’t be collected, but it must be collected and stored in the right way. Similarly with any sort of IT tracking and monitoring. Particularly if it might be used to track employee’s personal devices, for example. This could also be important if you are asking customers to show proof of vaccination, how are you going to store that.

Is the UK planning to reform GDPR?

The UK is planning some very significant changes to GDPR. Despite the adequacy decision coming from the EU last year, this is limited to four years and the EU have warned they could revoke it if the UK goes too far. And the UK might very well be about to go too far. 

Among the key proposals are:

Making it easier to use AI, but also creating a new condition for processing sensitive personal data in order to detect and monitor bias.

Amending the legitimate interest condition to scrap the need for a balancing test and instead create a list of legitimate interests including for internal research or business innovation aimed at providing a better customer experience. In essence – for any business purpose.

Fees for subject access requests.

More soft opt-in for direct marketing communications to include anyone a business has been in touch with during a sale or transaction. So you can essentially merge your prospects and customer lists to your marketing lists.

Automated decision making is going to get easier with Article 22 of GDPR being removed wholesale. Cookie pop ups won’t be needed either, and accountability is being changed so organisations only need to have a privacy management programme tailored to their risk and size and not have to show how they comply with GDPR.

There won’t be a requirement to appoint a DPO, and there won’t be a need to undertake a DPIA, or engage in prior consultation with the regulator, the ICO, for any high risk activities. In fact, the ICO is getting gutted so that it becomes more like a government body and can help businesses use data, instead of being a regulator. Individuals won’t be able to complain directly to the ICO either in the first instance, they will have to go through a dispute resolution process with the business. 

Article 30 around record keeping is to be removed, and breach thresholds will be changed so that breaches that do not pose a material risk to individuals won’t have to be reported. At the moment even low risk breaches are reportable when they pose a risk to the rights and freedoms of individuals

But fines for PECR breaches will be raised to the level of GDPR, so despite the relaxation of some requirements, the risk of getting it wrong will become much more expensive. .

What are European countries doing on GDPR?

Germany

German data protection authorities have been actively enforcing Schrems II by reaching to companies involved in website hosting and web tracking. They are asking if you have SCCs in place. Cookie compliance spot checks are also taking place, and ransomware audits with questionnaires on IT security

France

CNIL priorities are cybersecurity of popular French websites across all sectors, cookie compliance, and the security of health data particularly when it comes to digitization of health records and COVID-19. Also they want to extend the rights of employees to access data and have clarified DPO rules.

Austria

Fines are coming left right and centre in Austria. €10m a piece for Austria Post and a customer loyalty programme. The authorities struck down transfers of fingerprint data to the US in light of Schrems II. Over 100 similar complaints about transfer of data to the US are under investigation. But Austria did uphold the right of a municipal authority to contact a student for a PCR test when a classmate was positive. Although given Austria’s attitude to mandatory vaccinations this is not surprising.

Belgium 

New guidance on health data and Covid-19, and heavily investigating advertisers for GDPR breaches. Belgian authorities have been reaching out to their EU counterparts with their concerns about advertisers.

Italy

The first nation to adopt a green pass covid certificate and mandatory vaccination for over 50s. Italy has been a leader in developing Covid-19 and GDPR compliance. Cookie compliance is also a priority for the Garante authority in Italy, and is cracking down on the telemarketing sector with sanctions and fines for breaching consent.

Poland

The regulator slapped a fine on a broadcaster for not mitigating the risk of data being misused by a third party, even though it was the fault of the third party. Poland plans to crack down on data sharing in mobile applications, and how banks perform credit checks.

The Netherlands

The authorities are switching from education and prevention in the early GDPR years to punishment. Fines are coming thick and fast. €400,000 against an airline for hackers downloading 83,000 individuals’ data. €750,000 against TikTok for failing to protect children’s data as well as not providing policies in Dutch. Another €525,000 against a platform for failing to appoint an EU representative, with a fine of €20,000 for every two weeks the company fails to comply. €2.7m against the Dutch tax authority for discriminatory processing, which lead to the Dutch government resigning.

Hungary

Here there have been more moderate fines, but the regulator is cracking down on data breaches and infringement of data subject rights, in particular CCTV recordings and children’s data.

Will there be a new EU-US Privacy Shield?

One hot topic for 2022 is the potential for a new privacy shield between the EU and US. There has been some talk about it since the last version was scrapped in the Schrems II decision. Since then we have had the new Standard Contractual Clauses from the European Commission, which of course which businesses can use to set up these data transfer routes to the US, but these are a bit of a regulatory hassle. The Biden administration has been on the receiving end of calls from the US Chamber of Commerce and other business groups to settle the issues raised by the EU court’s concerns. Even if it doesn’t come to fruition this year, it is likely we will see a concerted effort on both sides of the Atlantic within the coming months to make a new privacy shield happen

Regulators are honing in on data breaches and challenging the legal bases for processing data alongside cross border data flows. Early indications from some of these actions show children’s data is a big concern, as is the use of sensitive health data, financial information and excessive digital marketing.

What is the EU planning to do on data protection?

Brussels is planning a raft of EU legislation, including The Digital Services Act (DSA), Digital Markets Act (DMA), Data Governance Act (DGA), e-Privacy Regulation (ePR), Network and Information Security (NIS) Directive (NIS II) 

The European Data Protection Board looks set to expand on the concepts of de-identification and anonymisation which is also important to watch out for.