Third party use of customer lists

Transcription

1 May 2006 slaughter and may marketing: part 4 Third party use of customer lists Rob Sumroy, Partner In the fi rst article in this series we considered the legislative and regulatory framework that direct marketers are required to work within. The second article considered in greater detail the requirement to obtain consent before carrying out marketing activities and the third considered the rules and guidance which apply in relation to direct marketing to children. This fourth and fi nal article considers some of the data protection issues which arise in the context of transactions relating to databases. Selling Databases: Three Scenarios Increasingly in today s world companies are regarding their customer databases as an asset to be exploited. Having collected data relating to their customers, companies seek diverse opportunities to exploit that data in a way which generates income for them. Often this is referred to this as selling a database, but what exactly does this mean? In our practice, we have seen this worked out in a number of different ways. The database may be exploited by entering into a commercial arrangement with a third party, in order that that third party may market its products or services to the customers contained within the database. Alternatively, a party may seek to exploit its database by selling its rights in the database in their entirety to a third party, or indeed, by disposing of the company which owns the rights to the data. In whichever context clients will often refer to customers and their data in terms of ownership; concerned to know whether they own a particular group of customers. This may be a correct characterisation from the perspective of the intellectual property rights which exist in the data and the commercial exploitation of those rights. However, from a data protection perspective, the position is more complex. Whatever the structures adopted, when data controllers enter into such a transaction (whether they are sellers, purchasers or parties to a commercial agreement) they will process personal data. Below are three examples which will be referred to throughout this article. Commercial Agreements Where two parties seek to collaborate by entering into a commercial agreement, for example to market a range of products of one party to the customers of the other, it will result in the transfer of certain customer data between the parties. At each stage of the negotiations, the parties will need to consider at each stage whether any personal data is being passed between them. In this case, processing of personal data may occur during the negotiation stage, in connection with due diligence carried out by each party. However processing of personal data will occur: > on and following completion where information relating to customers will be passed between each party and used by each of the parties for their respective commercial ends. In addition, following completion, management reports and other data relating to the customer base will be transferred between the parties on a regular basis. Sale of database as an asset ( Database Sale ) When a company disposes of the entirety of its rights in a database by selling that database as an asset it will need to consider the same issue as when it contemplates entering into a commercial agreement at each stage of the transaction will any personal data be passed between them. In this situation processing of personal data will occur: > on completion of the transaction, where the database is transferred to the actual purchaser and processed in the purchaser s business.

2 Sale of a company which owns a database ( Company Sale ) In the case of a company sale, processing of personal data will occur: > during the negotiation process, where the seller will provide prospective purchasers with information including personal data relating to the directors, employees, suppliers and customers of the target. > during the disclosure exercise where documents relating to the target are handed over to the prospective purchasers via a data room or otherwise. Compliance with the Act Whenever a company processes personal data they must comply with all the provisions of the Data Protection Act 1998 (the Act ). As has been discussed in the previous articles in the series, this will include, amongst other things, complying with both the data protection principles and the notifi cation obligations. Fair Processing Information Although it is important that data controllers observe all the Act s principles and comply with all other obligations under Act, a key principle to consider in the context of a sale of database is the fi rst principle (that data be processed fairly and lawfully). Disclosing or transferring information to a prospective purchaser or to a commercial partner will not be fair unless certain information (the fair processing information ) has been provided to the data subject. This information must include the following: > the identity of the data controller > the purpose(s) for which the data will be processed; and > any other information which is necessary to enable the particular processing to be fair. In the ordinary course of business, data controllers typically provide the fair processing information at the moment they fi rst capture personal details from their data subjects (for example by including a statement on the company s standard terms of business). However, in most cases data controllers do not specify at data capture stage that the personal data may at some point in the future be disclosed (or sold) to parties in the context of a commercial transaction. In addition, parties to a commercial transaction who receive data will also be processing data and would therefore be obliged under the Act to provide the data subject with a new fair processing notice. Where new use of the data is envisaged, the fair processing information should be given before the proposed processing takes place. In limited circumstances, where the personal data are obtained by someone other than the data subject (for example, from a seller) the provision of fair processing information need not be given where it would involve a disproportionate effort. Disproportionate effort is not defi ned but is likely to mean that the benefi t to the data subject of receiving the information does not justify the administrative burden and/or cost to the data controller in providing it. It is not clear when this provision may be relied upon but the Information Commissioner has emphasised that in certain circumstances, a quite considerable effort could reasonably be expected of the data controller. Providing The Fair Processing Information In Each Scenario Commercial Agreements Pre-contract disclosures Where two parties enter into a commercial agreement under which they agree that one party will provide its products or services to the customers of the other there may be an exchange of information between the parties prior to the signing of the agreement. It is not commercially viable to notify customers of the potential (and at that stage confi dential) transaction affecting their data. In these circumstances both parties will need to ensure that this information is anonymised to the extent possible, and (where anonymising is not commercially practicable) that any disclosure is protected by strictly enforced confi dentiality undertakings. 2 slaugh ter and may

3 Disclosures on and following completion Following the conclusion of such a commercial agreement, there will be a transfer of customer information between each party. In addition, the data will be used by one or both of the parties following completion in connection with the commercial arrangement. In this situation both parties will be processing the data on their own behalf (they will each be a data controller) and, as such, will each have a direct connection with their respective data subjects. Best practice in this case would be for the parties to agree the form of notifi cation to be given by each party (or jointly) to the data subjects. The commercial agreement is a convenient place to document these obligations. If it is not practicable for the parties to agree the exact form of the wording for this prior to signing the commercial agreement, the parties should at least agree which party is responsible for determining the form of the language and whether the other party is to have a right of approval over the substance, style and content of that wording. Database Sale or Company Sale Pre-sale disclosures in a Database Sale or Company Sale During the due diligence and disclosure stages of a transaction, the data protection issues will be similar regardless of whether the transfer is of the database or the shares in the company which owns the database. This is because similar due diligence processes will be undertaken and lists of customers, suppliers, employees or offi cers will be exchanged by the seller to the prospective purchasers. The rules on providing fair processing information require that both the seller and the prospective purchaser to a transaction inform the data subject of the disclosure and receipt of personal data. As with the prospective commercial agreement considered above, it is not commercially acceptable to notify data subjects of the potential transaction. In order to avoid the requirement to notify, sellers should anonymise the personal data so that it falls outside the ambit of the Act. Where purchasers object to information being redacted, it is worth pointing out that the receipt of personal data will make them data controllers in respect of that information. In guidance issued by the Information Commissioner it is acknowledged that sometimes the disclosure of personal data without the provision of fair processing information during the course of a transaction is inevitable. In these circumstances the best approach would be to minimise the risk of further disclosures by asking the purchaser to sign a confi dentiality undertaking which would in addition ensure that the information will be returned to the seller or destroyed should the sale not go ahead. Transfer of data on completion Company Sale On completion of a company sale there will be no actual transfer other than that relating to the shares. This means that the identity of the data controller will not have changed and no fair processing information need be given, except where the new owner of the shares proposes to use the data for a new purpose. However, fair processing issues may arise if data subjects felt it was important that they had given their data to the target company as a member of a particular group. For example, if a data protection consent obtained at the time of the data permitted marketing to the data subject by a member of the data controller s corporate group, a change on the identity of that group should be notifi ed to the data subject. Transfer of data on completion - Database Sale On the sale of a database as an asset, there will be a transfer of personal data between the seller and the purchaser. As both the disclosure and receipt of personal data in these circumstances will amount to processing, both parties will be under a duty to inform the data subject that the personal data is now being held by a new data controller. Although the Act requires that both seller and purchaser as data controllers provide the fair processing information to the data subject, in practice it is suffi cient for one of the parties to fulfi l this obligation. As the transfer of personal data in a straightforward sale of a business will mean that the seller will no longer be the data controller of that data, it is more common for the purchaser to notify the data subjects on behalf of both parties. Where sellers rely on the purchaser to contact the data subjects on their behalf, it is important that they obtain assurances from the purchaser that this will be done, for example in the sale documentation. It is common for sellers to seek to agree with the purchaser the text of the fair processing notice to ensure that it is consistent with the general message being publicised by the seller regarding the sale. 3 slaugh ter and may

4 Fair Processing Conditions Schedule 2 In addition to providing the fair processing information, data controllers must ensure that all processing can be justifi ed under one of the conditions set out in the Act at Schedule 2. In essence, this will require that either the consent of the data subject is obtained, or that processing must be necessary for one of a number of specifi ed purposes. In the context of commercial transactions the two most important conditions are the consent condition and the legitimate interest condition. Consent The Act does not provide any defi nition of consent. The Data Protection Directive (95/46/EC) defi nes a data subject s consent as any freely given specifi c and informed indication of his wishes by which the data subject signifi es his agreement to personal data relating to him being processed. The Information Commissioner has made it clear that obtaining consent is not easy to achieve. Where the data subject feels he or she has no option but to consent, it may be that consent is not freely given. Where it is intended that databases will be used to market individuals electronically (which is defi ned as being by fax, , SMS or automated calling system), prospective purchasers will need to consider the additional restrictions imposed by the Privacy and Electronic (EC Directive) Regulations The requirements of these regulations in respect of consents obtained from data subjects were discussed in the second article in this series, Getting the consent right on data capture, volume 6, issue 3 of Privacy & Data Protection (January/February 2006). The Privacy and Electronic (EC Directive) Regulations 2003 do not apply where direct marketing communications are sent by post. However, consent must nonetheless be obtained in respect of communications to be sent by post for the purposes of complying with the Act. This is considered further below, in respect of each scenario. Legitimate interest Most data controllers would agree that obtaining consent from each data subject before entering into a confi dential commercial transaction is both impracticable and undesirable. For this reason, data controllers will often turn to one of the other conditions set out in Schedule 2 of the Act. The most useful of these is the condition relating to the legitimate interest which requires the proposed processing by data controllers (and any third party to whom the data are disclosed) to be in their legitimate interest, but at the same time not prejudicial to the rights and freedoms or the legitimate interests of the data subject. Clearly, this balancing act that data controllers must perform will be a subjective one. However, it would appear reasonable to rely on this condition unless the proposed processing would be prejudicial to the interests of the data subject. What may be prejudicial in this context is discussed further below. Complying with the Schedule 2 Conditions in Each Scenario In relation to the different case studies described above, the application of the Schedule 2 conditions would be as follows. Commercial Agreement Although the disclosure, transfer and use of the data in connection with the operation of a commercial agreement is comparable in many ways to the sale of a business the database is likely to be transferred to the other party - care must be taken when considering how to justify the processing involved under Schedule 2. Legitimate interest condition Although it is clearly in the interest of both the parties to the commercial agreement for the processing to take place, the same may not be said of the data subjects. As described above, the purpose of entering into the commercial agreement was so that one party could effectively market new products or services to the other party s customer base. This means that the processing carried on following disclosure of the personal data is likely to be different to that prior to disclosure. 4 slaugh ter and may

5 In these circumstances, where a new use of data is envisaged, it will not be possible to rely on the legitimate interest condition, as some data subjects will invariably object to their personal details being used for a purpose other than that to which they originally consented. Consent The processing of personal data by the other party to the commercial agreement will therefore need the consent of each of the customers. This will be a consideration in respect of both the data transferred between the parties at the beginning of the operation of the agreement and in respect of any new data collected by either party over the duration of the agreement. In order to comply with the Act, the party who is passing personal data to the other party will need to be sure that, in respect of all data being passed, it has the consent of the data subjects to share that data with third parties and for the purpose being contemplated by the agreement. To the extent that party does not already have the relevant consents, these will need to be obtained. As these entities will already have to provide the fair processing notice (see above) it would be best for both obligations to be carried out at the same time. This means that no processing of personal data should occur prior to consents having being obtained (if not already in place) which will probably take place after the commercial agreement has been signed. It is important to bear in mind also that if either party is collecting new personal data during the term of the agreement and it is intended that this data is shared with the other party (for example, for the purposes of marketing or reporting management information) then the consents obtained at the point of data capture will need to be suffi ciently broad to cover this purpose. It is advisable to agree the wording of this consent at the outset of the relationship or if this is not possible at least to agree which party will have control of the language and whether the other party should have a right of approval. Database Sale or Company Sale Disclosures and receipt of personal data pre-sale (in the context of both a sale of a company or a database) and the ultimate transfer of personal data (in the context of a sale of a database) may be justifi ed by both the seller and the prospective purchaser either under the consent condition or the legitimate interest condition. Obtaining customer consents pre-completion may be impracticable in the context of a confi dential commercial transaction. For these reasons, it is likely that in the context of acquisitions of a business as a going concern both the seller and the purchaser would rely on the legitimate interest condition, on the grounds that the transfer of data in connection with a sale or acquisition of an asset is clearly within a data controller s legitimate interest and would not prejudice the rights or freedoms or the legitimate interests of the data subject. It would however remain necessary to make the legitimate interest balancing assessment in each particular case. For example, in the context of a transaction involving the transfer of insurance polices, where the disclosure of personal data would ensure a continuity of an identical service to the policy holders, it would be hard for the policyholder to claim their rights, freedoms or legitimate interests were being prejudiced. Another example may relate to an employee of that same business - the transfer of their contract of employment thereby ensuring continuity of their jobs would appear to be justifi able under the legitimate interest condition. However, we must distinguish between the situation where a company or business is being sold as a going concern and the situation where a database (or indeed a company which owns the database) is simply being sold to enable the purchaser to use the data contained within the database for its own purposes. If the latter is true, it is unlikely that the disclosure could ever fall within the legitimate interest condition of Schedule 2 to the Act. Processing Sensitive Data When processing sensitive personal data, for example data which concerns a data subject s health or sexuality, a data controller must comply with one of the conditions set out in Schedule 3 (in addition to a condition set out in Schedule 2). Schedule 3 conditions are harder to comply with than Schedule 2 conditions and in most cases data controllers will have to opt for the condition which requires processing of the sensitive data to be done with the explicit consent of the data subject. The term explicit consent is not defi ned in the Act. However the Information Commissioner has issued guidance which suggests that the use of the word explicit suggests that the consent of the data subject must be absolutely clear. In appropriate cases it should cover the specifi c detail of the processing, the particular type of data to be processed (or even the specifi c information), the purposes of the processing and any special aspects of 5 slaugh ter and may

6 the processing which may affect the individual, for example disclosures which may be made of the data. Although sensitive personal data will be more relevant to certain types of businesses (for example, healthcare organisations and insurance companies), most businesses will process some, particularly in records relating to employees. A Pragmatic Approach Navigating the data protection maze during a transaction can be a frustrating and diffi cult task. It is important therefore that consideration is given to the key issues as early as possible so that the transaction can be managed in a way which adopts a responsible but pragmatic approach to compliance. Early consideration of these issues and careful assessment of the risks of non-compliance should ensure that transactions proceed without prejudice to the data subject. The steps that any company will need to take and the issues it will need to consider will be similar regardless of the structure of the particular transaction. Due Diligence Prior to agreeing to acquire or use under a commercial agreement another party s database, a company should undertake due diligence in regard to the database. It is particularly important that the true size (and therefore value) of the database is ascertained at this stage. For example, if a database may contain the details of 5000 customers. However, if only 1000 of those customers have consented to their personal data being passed to third parties for the purposes of marketing, this will signifi cantly reduce the value of the database to the acquire. Indeed, such information may ultimately affect the acquirers decision as to whether it proceeds with the proposed transaction. In this situation, the acquirer may seek protection from the seller by obliging the seller only to transfer to it such parts of the database in respect of which it has the relevant consents. Alternatively, the transaction may be expressed to be conditional upon the seller obtaining relevant consents in respect of the entire database. Defining the database Consideration should be given to how the database to be acquired is defi ned. This will be particularly important to the purchaser in a Database Sale as they will want to be confi dent they have all the rights required to use the database. However, it will also be an important consideration in the context of a Company Sale and commercial agreement. If a purchaser is buying a company in order to acquire the database, the purchaser will want to be sure that the company it is buying owns all the rights in the database. In the context of a commercial agreement, the parties will need to consider whether the transfer of data is a once in time event or whether the party selling its database will be obliged to refresh the database on a regular basis as it collects new data. Warranty protection In any of the transactions considered in this article, the acquiring party may seek warranties from the other party in respect of the database. These warranties may cover areas such as the ownership of the data, that party s ability to pass the personal data to third parties and whether they have fully complied with the provisions of the Act in respect of the data. Protection such as this should act to reduce the fi nancial risk to the acquiring party. Use of the database going forward The acquirer of a database should consider its intended future use of the database and particularly whether that use is covered by the original consent obtained from the data subjects at the point of data capture. The acquirer will need to consider whether it is not prepared to use the database (or at least those parts in respect of which the consent does not cover its future use) until it has had the opportunity to refresh the fair processing information and consent. Weighing the risks Any potential breach of a principle should be approached with caution. However, full compliance with the data protection principles (and particularly the fi rst principal requiring fair and lawful processing) in the context of a commercial transaction may present signifi cant barriers to the parties abilities to complete the transaction. Certain acts of non-compliance will present greater risks than others. For example a one off breach or a breach which will ultimately be resolved will present less of a risk than a breach which will continue after the relevant transfer of the 6 slaugh ter and may

7 database. Whilst the importance of complying with all of the Act must not be underestimated, data controllers may have to take a view, in each set of circumstances on the risk of non-compliance. With the benefi t of proper planning it should be possible to minimise the breaches of the Act and manage the risk of any non-compliance whilst avoiding prejudice to data subjects. A version of this article appeared in Volume 6, issue 5 of Privacy & Data Protection (May 2006) London One Bunhill Row London EC1Y 8YY United Kingdom T +44 (0) F +44 (0) Paris 130 rue du Faubourg Saint-Honoré Paris France T +33 (0) F +33 (0) Brussels Square de Meeûs Brussels Belgium T +32 (0) F +32 (0) Hong Kong 47th Floor Jardine House One Connaught Place Central Hong Kong T F Published to provide general information and not as legal advice Slaughter and May, 2006 One Bunhill Row, London EC1Y 8YY T +44 (0) F +44 (0) jmya188.indd308