IR Global | View firm profile
The following article discusses session one in the IR Global Virtual Series on 'GDPR Live: Troubleshooting the EU's New Data Protection Legislation'
James Simpson – England (JS) When GDPR first came out, there was a concern among lots of businesses that it would completely stop any form of direct marketing. The thinking was that most marketing databases, which had been put together over significant periods of time, had suddenly become useless and would have to be deleted. Certainly, some of the first movers who were trying to get ahead of the game in terms of getting ready for GDPR took that approach.
What we found as we got closer to deadline day, was that the Information Commissioner’s Office (ICO) in the UK was issuing slightly softer guidance, saying that direct marketing could be a legitimate interest.
So rather than having to go down the consent root, the ICO was comfortable with legitimate interest being a basis for retaining databases but said there was a distinction between the B2B (business-to-business) market and the B2C (business-to-consumer) market.
That was primarily because of non-GDPR regulations around the privacy of electronic communications (PECR), that has a slightly different application in relation to direct marketing. It requires some form of soft opt-in or soft consent in a B2C scenario.
A lot of our clients who left GDPR compliance late, have approached it on a risk basis and have really taken a more relaxed approach when complying with data protection obligations under a B2B scenario. Of course, in terms of accuracy and retention of data, strict rules apply, but, otherwise, when marketing to businesses, appropriate unsubscribe options are acceptable. There are some small nuances within that because partnerships and sole traders are regarded as individuals for the purposes of PECR. The ICO has given guidance on how to undertaken legitimate interest assessments, including the three-pronged test to determine whether there is a legitimate purpose for direct marketing and balancing out the harmful nature of marketing to individuals. Companies are using that test as a backstop to show that they've been through the correct thinking and applied the correct logic in terms of the marketing they're doing.
For B2C, it's slightly more difficult, but where there has been some form of soft opt-in, or they've provided services to an individual before, then companies can apply a soft repositioning, where they can ask an individual to let them know if they would prefer to cease contacting them. So, rather than asking for express consent, it is pointing people towards an opt-out, rather than an opt-in.
Companies might even break things down further to past clients, current clients, future clients and prospective clients – both on the B2B and the B2C side.
Every company has their level of risk appetite; some are prepared to be slightly more on the edge, while some want to be super cautious because they have brand issues which they need to be concerned about and that's just their policy.
Anna Fernqvist Svensson – Sweden (AFS) Around the 25th of May this year, there were so many emails coming in, some of them requiring consent and some of them containing only information on the processing of personal data. Many made a strategic decision to collect consent.
I don't know if that is good or bad, but for many, it was also a misunderstanding that you needed consent. So many companies sent out emails asking for consent and lost a large amount of their existing customer base as a consequence.
What is more relevant in Sweden at present is the upcoming EU e-privacy regulation.
In Sweden, there are not many discussions on this new EU e-privacy regulation, which is a bit surprising. We don't know exactly how the text will be formulated, but there is a risk at least that consent will be needed, not only in the B2C relationships but also in B2B relationships. In Sweden, when it comes to B2C, you have to apply the Swedish Marketing Practices Act, which stipulates in detail when you're allowed to send out emails with marketing messages, and when a soft opt-in solution is required for consumers.
England – JS One of the interesting things, is that the e-privacy regulations are different across Europe. When we've been dealing with American companies or New Zealand companies, them trying to understand what they can and cannot do in each of the European jurisdictions has been quite interesting, because you have double opt-ins, opt-outs, soft opt-outs – it is all very different.
I will be very interested to see how that regulation nets out, albeit the UK may not be party to it.
Jake Schwarz – California (JSZ) I cannot speak for the whole US market place. Rather, our focus has been primarily on emerging growth companies and technology start-ups. Candidly, nuance is not a strength of the US start-up ecosystem and so we see a lot of these rules about opt-in versus legitimate interest being treated as a distinction without a difference.
While the European continent is viewed as one marketplace to a lot of start-ups, they are faced with a myriad of different privacy rules that they have to follow. What we're seeing are companies that are in growth stages revamping their entire marketing approach. There is a lot more use of influencers and targeted viral advertisements that carry with them a voluntary opt-in. Basically, a “non-legal” path to compliance.
When we refer clients serious about compliance with our friends in Europe and they are then told there are approximately 25 different key privacy regulations they need to follow they start to think about alternative approaches. A quote in a recent New Yorker magazine article about Mark Zuckerberg summarises Silicon Valley’s instinct to try to solve the problem from any direction other than head-on:
“Scaling and growth are everything while individuals and their experiences are secondary to what is necessary to maximise the system – move fast and break things – that's the DNA of Silicon Valley.”
So, the credo in Silicon Valley remains that when in doubt, avoid the regulations at all cost by just trying to go in a different direction. In terms of marketing, that has presented itself through using online influencers and different types of marketing campaigns that make it clear you are providing opt-in, or double opt-in if necessary. It’s about trying to clear the runway no matter what on the front end rather than having to re-architect your entire back end. As such, legitimate interest is being viewed by clients used as a lifeboat, i.e., if all else fails we can argue that we still have a legitimate interest.
Erdem Balkan – Turkey (EB) In Turkey there is a law similar to GDPR, which is the Turkish Personal Data Protection Law No. 6698 (“TPDPL”), and the consent process is pretty much the same. The opt-in procedures are almost the same as GDPR. So, when it comes to compliance with GDPR, it's not a hard issue for Turkish companies because they also have to comply with the TPDPL.
TPDLP doesn’t refer to B2B or B2C contacts. The main analyses TPDLP makes are, whether a person is a natural person or not in order to be within the scope of TPDLP and also whether we can identify such natural person by the data we collect or we receive anyhow. In Turkey, the topic of e-commerce is regulated mainly under the Law on the Regulation of Electronic Commerce No.6563 and other relevant legislation. Such legislation actually speaks about the differentiation of B2B and B2C concepts and also regulates an intersection with TPDLP regarding commercial electronic messages (“CEM”) (e.g. SMS, e-mails, voicemails) since such messages also contain personal data. In B2B relationships e-commerce legislation does not require consent for CEMs but a soft opt-out option is mandatory. On the other hand, in B2C relations, you have to be compliant with e-commerce legislation and you have to acquire an explicit consent for CEMs sent out for marketing purposes specifically with an opt-out option. E-commerce legislation has very strict content requirements, but unfortunately, it doesn't matter how parallel it is with GDPR, consents regarding this legislation are required to be acquired independently from the consent required under TPDLP.
However, of course, there are some differences, specifically with regard to data protection officers (DPO) which we will discuss later. The main question we get from clients in Turkey though is how GDPR is going to apply to tourists who are residents of the European Union.
We have a lot of tourists coming in and especially retail chain stores wish to collect their data. The question we get from clients is, what happens if there is a non-compliance with GDPR.
For companies which have subsidiaries in the European Union, we tell them that their subsidiaries can receive penalties, so they have more reasons to comply with GDPR. However, if it’s just a local hotel and most of their customers are from the European Union, we do have a hard time trying to convince them that they have to comply with GDPR.
When approached with a view to ensuring compliance to GDPR and TPDPL, clients often fear that we are trying to have them delete all of their personal data which took long years and hard work for them to accumulate, and they sometimes refrain from taking action. Turkey is still in the adaptation period to the new data protection legislation and it will take some more time to see how this will directly affect the Turkish market. We also have Turkish clients who have appointed DPOs in the European Union, so actually, things are happening pretty fast.
Maarten Van Staeyen – Belgium (MVS) We have had to educate our clients to some extent because some had the wrong idea about GDPR. Once we had explained to them how it works, there was a lot of disbelief and panic, as many thought it would become impossible to do any marketing and indeed hamper operations.
As we have already seen, there are a couple of grounds that make it legal to do direct marketing, while there is also the legitimate interest situation, which applies, alongside the consent model. What we see in practice, is that both are used, and it depends on the risk profile or the risk acceptance appetite of the client in question. I've seen a bank invoke legitimate interest on the one hand, while, on the other hand, I have seen small businesses who don’t want to take the risk in a similar situation and ask for full consent.
James mentioned the soft consent option, which is problematic in my view, since it may not qualify as full consent under GDPR.
Valérie Kopéra – Luxembourg (VK) As a general observation, we have noticed two different approaches of our clients about compliance with the GDPR. Some clients, mainly the large international groups, have always been extremely prudent when dealing with personal data and had all of the necessary security measures and procedures in place before the entering into force of the GDPR. Small and middle-sized companies feel sometimes less concerned. Some of them don't really assess the risks linked to the non-compliance with the GDPR, not only in terms of fines but also for the reputation of their business.
There's a real need to educate those clients. The general concern of most of our clients is that the implementation of GDPR shouldn’t affect existing relationships with their own clients.
Our role is to advise them on how to smoothly introduce GDPR into their day-to-day operations, especially when it comes to marketing.
In that respect, our clients have to adapt their marketing strategies. They need notably to take into account the nature of data processing requirements, and the relationship they have with the data subjects (B2B or B2C), in order to first determine the legal basis for processing the data. The methods used previously to attract prospects or to retain clients have to be revised in the light of the GDPR principles.
Whenever possible, our clients are relying on legitimate interest as main legal basis, rather than on consent. Legitimate interest generally serves also as grounds for further processing of personal data, for instance when data are used for marketing purposes following a previous commercial relationship.
In the business-to-business (B2B) scenario, contacts are more likely to reasonably expect further processing of their personal data and that processing is less likely to have a significant impact on them personally. In a business-to-consumer (B2C) scenario, we generally advise our clients to be rather cautious and analyse carefully whether the personal data is being processed in circumstances where the data subject reasonably expects further processing.
Anne-Marie Pecoraro – France (AMP) Our clients in France have already adopted the spirit of GDPR, with the view that GDPR is an opportunity. Our national supervisory authority promotes the idea that it's a strong tool for EU companies to be stronger in other markets because the GDPR structure will have such an influence on the non-EU market.
We help our clients to implement the regulation progressively through very practical solutions and rigorous mindsets, including in their marketing strategies.
Relating to this specific area, we have developed with our clients a pedagogy that involves trying to implement opt-in from the beginning of a project to establish solid ground with their clients. If our clients implement consent very deeply from the beginning, they can use it as a tool to enhance business and become a stronger competitor in each market they work in.
With regard to business-to-consumer (B2C) interactions, it is better for the clients to obtain the opt-in or the double opt-in. Nevertheless, it appears that sometimes we can work with exemptions though, especially for charities. The two main exemptions to opt-in, are when the consumer is already a client of the company, consuming the same products or services that are being marketed, and when the marketing is not commercial in nature. When the marketing is around the development of non-profit impact and influence in society, working without confirmation of the consent appears easier in these circumstances.
With regard to B2B interactions, the information regime that applied before the GDPR is maintained. If marketing was done on an opt-out basis before, then that still applies, but an option to opt-out (easy and free) must be given to the data subject. It may be noted that the solicitation object has to be in relation to the prospect’s job. In addition, generic email addresses are free from the rule of consent, because they are not seen as personal.
We also work on clarifying the key concepts that allow our clients to work on the basis of legitimate interest. Nevertheless, even though the legitimate interest was specified through the GDPR, it appears that it remains a vague notion which does not allow to secure all data processing. The use of “legitimate interest” can be interesting but it implied to make an ethical reflection in order to guarantee data is used for a purpose that data subjects can expect and which does not affect their rights and freedoms.
Finally, our National Supervisory Board is really keen to cooperate with the other supervisory authorities in the EU to expand the international impact of GDPR. It recently made a ruling against Google about the right to be forgotten, asking Google to apply the right to be forgotten to all EU citizens. Google agreed to apply that principle in French territory, but the French authority believes that the right should be applied without territorial limitation.
The case has been filed with the European Court of Justice (ECJ) to assess if the right to be forgotten also applies to other internet companies and should be applied, not only in France when requested, but all over the world. The outcome should be very interesting to follow.
Petya Dobrenova – Bulgaria (PD) We believe a good strategic approach for marketing, is the use of different loyalty programs with clear UVP /Unique Value Proposition. This UVP should really be beneficial for customers and prospects in order to achieve positive involvement.
We also take into consideration the opinion of the European Union’s Article 29 Data Protection Working Party (WP29), those offering incentives is not in contradiction with the requirement of consent to be freely given. However, we always try to structure such marketing programs carefully in order to keep the balance. The really great thing about GDPR and local provisions in the field of e-privacy is that they force businesses to reconsider their UVPs and make an assessment on where this business stands among competitors on the market. This may well show the importance of the synergy between legal strategy, on one hand, and on the other – marketing and sales strategies.
For active clients, where applicable, we recommend using legitimate interest as legal grounds for data processing. Regardless of the particular legal ground used, we strongly advise our clients to immediately terminate direct marketing activity when signs of disagreement are present in a data subject. Therefore, proper technical mechanisms for follow-up should be present.
Kathrin Schürmann – Germany (KS) Many of our clients rely heavily on online marketing or are providers of online marketing solutions.
Due to the rules implemented into German law under the e-Privacy Directive not much has changed with GDPR concerning newsletter-marketing and email-advertisement. Even though there has been a lot of confusion, most companies did not have to change their general approach to become GDPR compliant. In a contractual relationship, a company can oftentimes facilitate its legitimate interest, outside of that a company will most likely have to obtain consent in order to get in touch with a potential customer.
This has not been the case for other means of online marketing. The use of cookies, retargeting techniques and analytics have been a much-debated topic. The German data protection authorities have issued statements concerning the use of Google and Facebook products that have caused heavy insecurity within the online community. Many companies decided to stop using Facebook custom audiences and pixel while some companies opted to put up consent walls on their website in order to use cookies.
We advise our clients to rely on their legitimate interest if at all possible. Sometimes companies will also be able to put in place contractual clauses that legitimise certain data processing, e.g. when it comes to customer insight analytics. In this area, our clients also experience a clear improvement/facilitation compared to the very restrictive old legal situation. The GDPR provides more possibilities which can be used within the scope of customer analytics.
Contributors
James Simpson (JS) Blaser Mills Law – England www.irglobal.com/advisor/james-simpson
Petya Dobrenova (PD) Karastoyanov, Mitkov & Associates Law Office – Bulgaria www.lawyers-bg.net/en/page/5
Valérie Kopéra (VK) Bonn Steichen & Partners – Luxembourg www.bsp.lu/professionals/counsel/valerie-kopera
Erdem Balkan (EB) Guzeldere & Balkan Law Firm –Turkey www.irglobal.com/advisor/erdem-balkan
Anna Fernqvist Svensson (AFS) Hellström advokatbyrå kb – Sweden www.irglobal.com/advisor/anna-fernqvist-svensson
Kathrin Schürmann (KS) Schürmann Rosenthal Dreyer Rechtsanwälte – Germany www.irglobal.com/advisor/kathrin-schurmann
Maarten Van Staeyen (MVS) QUORUM – Belgium www.irglobal.com/advisor/maarten-van-staeyen
Anne-Marie Pecoraro (AMP) ATurquoise – France www.irglobal.com/advisor/anne-marie-pecoraro
Jake Schwarz (JSZ) Pacific Crest Law Partners – U.S. – California www.irglobal.com/advisor/jake-schwarz