Respecting the Consumer – the Data Protection Perspective Billy Hawkes Data Protection Commissioner Association of Advertisers in Ireland 3 June 2009.


1 Respecting the Consumer – the Data Protection Perspective
Billy Hawkes, Data Protection Commissioner
Association of Advertisers in Ireland
3 June 2009

2 Presentation Outline
Marketing – what do people think?
Data Protection – what is it?
Direct Marketing – the Rules
Best Practice

3 Importance of key issues affecting the general public (2008)
Very Important
- A good health service* 89%
- Crime prevention 87%
- Privacy of personal information 84%
- Protection of consumer rights 77%
- Ethics in public office 77% (new question in 2008)

4 Eurobarometer 2008
Individual (DS) Concern about Data Protection

                         EU Average %   Ireland %
Concerned                63.8           70.5
Not Concerned            34.8           28.2
Don’t know / no answer   1.4            1.3

5 Personal Experience of Privacy Invasion (Yes %)
Received unsolicited post, addressed to you personally
Received unsolicited text messages from commercial organisations
Received unsolicited emails from commercial organisations
Had excessive personal information sought from business/public sector organisations
Had a virus/spyware on personal computer
Disclosures of your personal information to others without your agreement
Had information, images or footage of you posted on the internet without your consent
Had personal information being withheld from you without explanation
Inappropriate access to personal information held about you within an organisation
Any experience

6 Attitude Towards Unsolicited Mail or Offers… (2008 and 2005)
[Chart: Not at all happy (1), Not very happy (2), Fairly happy (3), Very happy (4), Don’t Know, and % Unhappy for ‘08 and ‘05, by channel: The post; E-mail/the internet; The telephone to your home; SMS/Text messages (to your mobile phone)]
Unsolicited mail via telephone or post remain the approaches the public most dislike. However, irritation with text or e-mail contact has significantly increased since 2005.

7 Q.7 – Awareness of Rights
[Chart: Yes Entitled % / No not Entitled % / Don’t Know % for each of the following]
To get a copy of any information about you held by any organisation
To have any inaccurate information about you corrected/deleted
To have your name removed from junk mail lists
To have your telephone number removed from direct marketing lists
To have any of your medical records deleted
To claim compensation through the courts if personal information held about you is misused
To get personal information about other people

8 Complaints to DPC 2008
1031 formal complaints
Many more enquiries dealt with informally

Type                %
Direct Marketing*   35
Access Rights       30
Disclosure          16
Accuracy            2
Other               17

* Mainly electronic (SMS etc). Direct Marketing accounted for 57% of complaints in 2007

9 Unsolicited Marketing – DPC Annual Report Case Studies
Unsolicited Text Messages (12/2005; 5/2006 – deletion of database ordered)
Unsolicited Faxes (20/2008)
Unsolicited e-mails (8/2008; 17/2008 – database deleted and marketing suspended)
“Cold-Calling”/Failing to respect right to “opt-out” including via NDD (11/2005 (prosecution); 1/2006; 2/2006; 4/2007 – order to suspend marketing; 11/2008)
Postal Marketing (15/2007: supermarket)

10 Case Studies 2008: Direct Marketing
123.1e (insurance)
Interactive Voice Technologies
Buy-as-you-Fly
Celtic Water Solutions
Matrix Internet
Dell
2 Cases where we found in favour of DC

11 Presentation Outline
Marketing – what do people think?
Data Protection – what is it?
Direct Marketing – the Rules
Best Practice

12 Data Protection: a Human Right
Part of Right to Personal Privacy
Personal Privacy: necessary in a Democratic Society (but not absolute)
Un-enumerated right under Irish Constitution
Explicit right under European Convention on Human Rights: ECHR Act 2003

13 EU Charter of Fundamental Rights: Article 8
Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.

14 Lisbon Treaty
Article 16 Treaty on the Functioning of the Union
1. Everyone has the right to the protection of personal data concerning them.
2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.

15 EU & Irish Legislation
Data Protection Directive 95/46/EC
Electronic Privacy Directive 2002/58/EC
EUROPOL etc
Data Protection Acts 1988 & 2003
EC Electronic Privacy Regulations 2003 (SI 535/2003) and 2008 (SI 526/2008)
Corresponding Acts
Good Friday Agreement
Disability Act 2005

16 Rights and Obligations
Rights of “data subject” (= identifiable, living individual) to control the use of their “personal data” (very broad definition)
Obligations on “data controllers” (“a person who controls the contents and use of personal data”) and “data processors” (“A person who processes personal data on behalf of a data controller”)

17 The Data Protection Rules
1. Fair obtaining & processing
   Consent
2. Specified purpose
3. No disclosure unless “compatible”
4. Safe and secure
5. Accurate, up-to-date
6. Relevant, not excessive
7. Retention period
8. Right of access

18 Sensitive Data (special protection)
Physical or mental health
Racial origin
Political opinions
Religious or other beliefs
Sexual life
Criminal convictions
Alleged commission of offence
Trade Union membership

19 Obtain & Process Fairly I
Data controller must give full information about
- identity
- purposes
- disclosees
- any other data necessary for “fairness”
Third party data controllers
- must contact data subject to provide these details
- must give name of original data controller
Rule 1

20 Obtain & Process Fairly II
One of these conditions required:
- Consent
- Legal obligation
- Contract with individual
- Necessary to protect vital interests
- Necessary for a public function (Justice)
- Necessary for ‘legitimate interests’

21 Processing Sensitive Data
One of these additional conditions is required
- Explicit consent
- Necessary under employment law
- To prevent injury or protect vital interests
- Process the data of members/clients of non-profit orgs.
- Legal advice
- For Medical Purposes
- Statutory function

22 Specified Purpose
Part of obligations when obtaining to specify purpose
Cannot expand purpose without reverting to individual
Rule 2

23 Disclose only if compatible
General rule – no disclosure for different purpose
Exceptions made, to balance other interests of society
Section 8 exceptions
- Investigation of crime
- Collection of taxes
- Security of the State
- Protect life & limb
- Law or court order
- Legal advice and legal proceedings
No general “public interest” test
Rule 3

24 Presentation Outline
Marketing – what do people think?
Data Protection – what is it?
Direct Marketing – the Rules
Best Practice

25 Direct Marketing Legislation
The Data Protection Acts 1988 and 2003
- Mainly Section 2
SI 535 of 2003 European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations as amended by SI 526 of 2008
- Mainly Regulation 13 (Unsolicited Communications)
Other Legislation: Consumer Protection, E-Commerce, Financial Regulation etc

26 Direct Marketing Definition
“direct marketing” includes direct mailing other than direct mailing carried out in the course of political activities by a political party or its members, or a body established by or under statute or a candidate for election to, or a holder of, elective political office;

27 Direct Marketing – the Golden Rule of Consent
Only market willing customers
Strong Irish customer resistance to “junk mail” or “spam”
Failure to respect consumer choice is against the law
- Criminal offence where electronic means used

28 Mailing lists
Legal Right to opt-out of direct marketing
- Delete data subject from mailing list
- Notify the data subject within 40 days
Failure is breach of Data Protection Acts (S. 2(7))
- Complaint to Commissioner
- Enforcement Action (e.g. delete database)

29 SMS and email
Non-Customers (Individuals)
- Must Opt-in
- Must include the name of sender
- Must include valid address for opt-out
- Opt-in must be in the last 12 Months

30 SMS/e-mail Continued
Customer (Individuals)
- Opportunity to object at point of collection
- Must include identity of sender
- Valid opt out instructions
- Only Similar and Related Services

31 SMS/email Continued
Businesses
- Do not need opt-in consent
- Must respect any opt-out request
- Must include valid instructions on opt-out
- Must include name of sender

32 Phone
Non-customers
- All marketing calls must be screened against the National Directory Database opt-out list (NDD)
- Marketing calls made to numbers recorded on the NDD opt-out list are an offence
- Company must record any individual opt-out requests
- All marketing calls must be screened against internal do not call list

33 Phone Continued
Customers
- Provide an opt-out at time of collection
- Must respect any opt-out request
- Can only market them for related or similar products

34 Faxes
Individuals
- Must receive prior consent
- Must respect any opt-out received
Businesses
- Must respect any preference on the NDD opt-out list
- Must respect any opt-out given directly to the company

35 Penalties
Postal
- Enforcement action by Data Protection Commissioner (deletion of database etc)
Electronic
- Criminal Offence: €5,000 per message, up to 10% of turnover
- 350 prosecutions going through Courts

36 Presentation Outline
Marketing – what do people think?
Data Protection – what is it?
Direct Marketing – the Rules
Best Practice

37 Best Practice (1)
Treat Consumer with Respect
- Respect their right to be “let alone”
Marketing that respects the Consumer’s preferences is more likely to be successful
The more intrusive the marketing, the more likely Consumer will be upset
Don’t abuse public information (electoral register etc)

38 Best Practice (2)
IDMA Consumer Guide (www.idma.ie)
FEDMA Direct Marketing Guide (www.fedma.org)
- Approved at EU level
- On-Line Annex in preparation
Irish DPA Guidance (www.dataprotection.ie)

39 DPC Contact Details
Office of the Data Protection Commissioner
Canal House
Station Road
Portarlington
Co Laois
Phone: LoCall 1890 252231 057 8684800
Fax: 057 8684757
Email: info@dataprotection.ie
Website: www.dataprotection.ie

