RESPONSE FROM THE DIRECT MARKETING ASSOCIATION (UK) LTD. TO THE EUROPEAN COMMISSION'S CONSULTATION ON THE IMPLEMENTATION OF DIRECTIVE 95/46 EC ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA AND ON THE FREE MOVEMENT OF SUCH DATA.

A. INTRODUCTION

The Direct Marketing Association (UK) Ltd (DMA) welcomes the opportunity to respond to the consultation in connection with the preparation of the European Commission's first report on the implementation of the Data Protection Directive ("the Directive").

The DMA and its Members

The DMA is Europe's largest trade association in the marketing and communications sector, with over 870 corporate members and positioned in the top 5% of UK trade associations by income. 11.14 billion was spent on direct marketing activity in 2001 (DMA Census of the Direct Marketing Industry 2001/2). The DMA represents both advertisers, who market their products using direct marketing techniques, and specialist suppliers of direct marketing services to those advertisers - for example, advertising agencies, mailing houses, list brokers, computer bureaux, database companies, etc. The DMA also administers the Mailing Preference Service and other self-regulatory mechanisms designed to protect consumers.

On behalf of its membership, the DMA promotes best practice, through its Codes, in order to maintain and enhance consumers' trust and confidence in the direct marketing industry. The Direct Marketing Authority is an independent body that monitors industry compliance.

B SUMMARY OF DMA's RESPONSE

I. Personal data and its use in the business to business environment.
The DMA is concerned that the current definition of personal data may catch data such as job title and business e-mail address, which should not be considered personal data if it is simply used to ensure that communications reach the right employee.
II. Applicable law and jurisdiction
Differences between the national laws in the Member States mean that multinational companies with branches and subsidiary companies throughout the EEA should only have to comply with the data protection legislation in the EEA country where their principal office is located.

III Transfer of Personal Data to third countries and use of contracts
Globalisation and the growth of the Internet mean that the Directive needs to be amended to allow greater use of company group wide security/privacy policies as a method of allowing transfers to third countries.

IV. Sensitive Personal Data
The definition causes problems for business in that they may be inadvertently holding sensitive personal data. Data subjects do not gain any real benefit from the extra protection. The category should therefore be deleted.

V. Right of Access - Data Subject Access Requests
Owing to the increase in the amount of data held on data subjects, data controllers should be exempt from providing a full data subject access request when to do so would involve a disproportionate effort on the part of the data controller.

VI. Notification
The notification system is a regulatory burden on businesses and ties up resources at the national data protection authorities. Our view is that the requirement to notify should be removed.

C SPECIFIC COMMENTS ON THE DIRECTIVE

1. Personal Data and its use in the business-to-business environment (Article 2 Definitions)

We are concerned about the issue that name, job title and workplace e-mail addresses may be considered to be personal data. This poses problems for companies as often they only hold this information for the purpose of ensuring that the communication reaches the correct person in the other organisation. The growth of Internet and e-mail usage since the Directive was passed makes reform in this area essential. The Direct Marketing Association (UK)
Limited in their Code of Practice (2nd Edition) suggest a simple test for determining whether or not such data is personal or business data, which is as follows: "If the job holder changes, will there be any changes to the data other than the change in the jobholder's name? If the answer is yes then the data is personal data, if no then it is business data."

DMA recommendation is for an exemption from the definition of personal data for basic contact information (name, job title and workplace e-mail address) about an employee held either by the employer or by another organisation which has a relationship with the employer. We accept that in the case of sole traders and partnerships this basic information would remain personal data. Employees already have sufficient protection through the duty of trust and confidence between an employer and an employee to cover unlawful disclosure of an employee's e-mail address by an employer.

We are aware that the European Commission has launched a first stage consultation on the protection of workers' personal data. We believe that Directive 95/46 provides sufficient protection for workers' personal data. The UK Information Commissioner is in the final stages of producing The Employment Practices Data Protection Code, which deals with issues of workers' personal data. We would suggest that there is no need for action at the European level in this field and it should be left up to national data protection authorities to clarify the application of Directive 95/46 to workers' personal data.

DMA recommendation is that there is no need for further action to protect workers' personal data.

2. Applicable law and jurisdiction (Article 4)

The Directive was introduced under the Internal Market provisions and was designed to harmonise data protection legislation throughout the EEA.
However, there are differences in implementation between Member States; for example, some require an opt-in approach for personal data being passed on to third parties, whereas others require an opt-out approach. This makes it difficult for members of the DMA, who are increasingly becoming involved in pan-European marketing programmes. Many companies, particularly SMEs, do not have the resources either to check the data protection legislation in the 15 Member States internally or to afford the costs for professional advice in this area. This position will only worsen with expansion of the EU to include the current candidate countries from Central and Eastern Europe.

Furthermore, there is a problem for companies who have offices throughout the EEA. Each individual office may have to notify the relevant data protection authority and comply with the national law in the country where the office is located. The company is likely also to be transferring personal data relating to employees and customers between different countries within the EEA. Clearly the current legislative situation is not practical in today's business world.
DMA recommendation is that, if notification is retained, there should be a system whereby a company can have one notification in the EEA country where its principal office is located. This would cover it for all the other countries in the EEA where it has offices. Similarly, the Data Protection Authority in the country where the company had notified would take the lead in any enforcement action. The company would only have to comply with the data protection legislation in the country where the notification was made and the Directive.

3. Sensitive Personal Data (Article 8)

In the direct marketing arena it is perfectly possible for a data controller to inadvertently hold sensitive personal data, such as medical or health information, about a data subject, which is for the benefit of the individual. The data controller may not always have the explicit consent of the data subject or be able to process the sensitive data under one of the exemptions.

DMA recommendation is for the definition of sensitive personal data to be abolished. Whether or not the processing of sensitive personal data was fair could be dealt with under the fair processing code in Article 7.

4. Right of Access - Data Subject Access Requests (Article 12)

There are problems with this right for both data controllers and data subjects. Data controllers, particularly SMEs, can find it expensive in time and resources to comply with a data subject access request, especially if they hold a large amount of information about the data subject. The increasing use of e-mail has caused part of the problem. It is quite likely that the data subject is only interested in one particular piece of information or is looking for confirmation from the data controller that the data subject's record has been changed as requested.
DMA recommendation is for there to be an exemption for data controllers where a disproportionate effort would be required on the part of the data controller to comply with a data subject access request.

5. Notification (Article 18)

We do not see the need for the notification provisions to remain. The national data protection authorities can take enforcement action against companies who are in breach of data protection legislation, regardless of whether the companies have notified or not. Many businesses see notification as a regulatory burden. We accept that there may be certain benefits for consumers and other businesses in knowing that a particular company has notified its national data protection authorities of its activities, but on balance we believe that the requirement to notify should be removed. This would free up resources at the national protection authorities and allow more resources to be diverted to enforcement action.

DMA recommendation is for this article to be deleted.
6. Transfer of Personal Data to third countries and use of contracts (Articles 25 and 26)

Developments since 1995 have meant that these Articles need revision. Firstly, the growth of the Internet, in particular e-mail and online shopping, since 1995 has been one of the profound changes to the way business-to-business and business to consumers communicate with each other. Secondly, globalisation has meant an increase in the number of global companies who have branches or subsidiary companies within the EEA and need to store and access customer and employee information on a global basis. This has meant that there is a far greater amount of personal data being transmitted from the EEA to other third countries than was the case in 1995.

Although the agreement with the USA on the Safe Harbor Principles is a welcome development, there are problems with it, in particular the fact that it does not extend to the financial services industry. The number of countries that have been given adequate level of protection status is limited. It is also not practical to expect companies with multiple branches and subsidiaries to enter into multiple contractual arrangements within the group for the transfer of personal data. Many global companies have sought to develop group wide security and privacy policies, and rely on the provisions in Article 26(2). It is interesting to note that the use of these policies has been one of the reasons why the 1995 Directive has become the global standard.

DMA recommendation is that there should be specific reference to group wide security and privacy policies as a means of complying with Article 26(2). The national data protection authorities clearly do not have the resources to approve every security/privacy policy and therefore prior approval by the authority should not be required.
Rather, there should be a presumption that such a security or privacy policy provides an adequate level of protection until proved otherwise through enforcement action taken as a result of a complaint by an individual.

D. COMMENTS ON ISSUES RAISED IN THE QUESTIONNAIRES

1. Use of the Internet.

As already noted above in the comments on Articles 25 and 26, the growth of the Internet has been one of the major developments in the online world since 1995. The DMA has actively been involved in giving consumers confidence to shop online, through its membership of the Alliance for Electronic Business (AEB), a partnership between the following UK organisations: Confederation of British Industry, Intellect, and the e-centre. The AEB, together with the UK Consumers Association, has set up Trust UK as an initiative to accredit the on-line codes of practice of associations and organisations whose members' websites display an e-hallmark. This initiative has the endorsement of the UK Government. The DMA has achieved Trust UK approval for its Codes of Practice on Electronic Commerce and Commercial Communications to Children Online. All DMA members have to comply
with the codes, and those who carry out e-business must therefore display the Trust UK logo, which provides a means for consumers to complain about web trading activities. The DMA believes that the use of such codes of practice is a way to encourage consumer confidence rather than specific legislation dealing with data protection issues and the Internet.

E. CONCLUSION

The DMA welcomes the extensive consultation process which the European Commission is engaging in for this revision of the Directive. A representative from the DMA will be attending the conference at the end of September. Please contact us if you wish to discuss any of the points raised in this consultation in greater detail.

The Direct Marketing Association (UK) Limited
30 August 2002