How will UK data reforms hit the marketing industry?

data more2Data protection experts have delivered their verdict on the Government’s planned data protection reforms, with opinion divided as whether the overhaul will make any significant changes to the way companies handle personal data or even if it is needed.

While the DMA has backed the overhaul, which could see structural changes to the Information Commissioner’s Office and a fresh clampdown on nuisance calls, one of the key areas of focus for marketers has been on the so-called “cookie law”, which falls under the Privacy & Electronic Communications Regulations (PECR).

Under one proposal, organisations would be able to use analytics cookies and similar technologies without the user’s consent, with the consultation document stating that “these cookies would be treated in the same way as ‘strictly necessary’ cookies under the current legislation for which consent is not required”.

A second option is to permit the use of cookies without consent “for other limited purposes”, including “processing that is necessary for the legitimate interests of the data controllers where the impact on the privacy of the individual is likely to be minimal – such as when detecting technical faults or enabling use of video or other enhanced functionality on websites”.

A more radical plan is to remove cookie consent requirements altogether.

Information law expert Claire Edwards of Pinsent Masons said: “Whilst the two main options contained in the consultation would certainly assist to reduce some of the cookie consent requirements in place today, they would not act to remove cookies for marketing or real-time bidding or building profiles of users, where much of the tracking activity is focused today.”

On entirely removing pops up, Edwards added: “Certainly, a solution which looks to centralise consent and set preferences at a device or browser level would help to achieve this. However, this may raise competition issues and potentially undermine the real-time bidding market as we know it.”

Another area up for review is the existing accountability rules, which the DCMS document states “may be generating a significant and disproportionate administrative burden, and leading organisations to misdirect time and energy away from the activities that ensure the responsible use of personal data in a specific context”.

More specifically, the Government wants to cut the need for businesses to carry out data protection impact assessments (DPIAs) and to increase the threshold for notifying the ICO of data breach incidents.

Under those proposals, organisations would have to report a breach unless the risk to individuals is “not material”, although the document failed to produce examples of what is and what is not reportable.

DCMS is also considering reintroducing a charge for consumers to access to their personal to address the burdens entailed in handling data subject access requests (DSARs).

Pinsent Masons data protection law expert Jonathan Kirsop said: “Businesses – particularly SMEs – will be likely to welcome many of these proposals, particularly attempts to limit the administrative burden regarding issues such as data breaches and DPIAs.

“Reforms regarding the ease with which data subject access requests can be made will also be interesting to companies who are often receive these for ulterior motives in the context of wider disputes and grievances.

“That said, the UK GDPR is already predicated largely on a set of risk-based principles and the principle of proportionality. There could be a risk that some proposed reforms – such as greater prescription as to what constitutes ‘legitimate interests’ – could go too far in diluting data subject’s rights while giving businesses – in practice – less flexibility as to how they comply.”

John Story, general counsel and chief data ethics officer at Acoustic, added: “In reality, this is less to do with privacy and more the politics of Brexit. The UK is looking to do something that moves us away from the of overly restrictive nature of EU law to be more realistic or business-friendly, while still protecting customer rights.

“Is this a good thing? It depends on what UK’s post-Brexit privacy regime actually achieves. If it dilutes the rights enshrined in GDPR, that’s clearly bad. However, if it successfully polices the misuse of data even without requiring cookie banners (which many web users see as more of a nuisance than safeguard) then that’s a very good thing.

“What does it mean for marketers? It depends in part on what the post-Brexit privacy regime is, but will means that they’ll have to adhere to one set of rules in the UK and another in the EU.

“The final question is what happens if the UK regime actually achieves a better result for data subjects and business? Will the EU follow suit? Again, that will have less to do with privacy and more to do with the politics of Brexit.”

For Dmitri Zotov, chief technology officer for performance marketing platform affise.com, the new regime should be adequate enough for the EU to keep the data flowing freely and easily between the UK and EU territories.

He added: “The UK and any other foreign businesses should also not forget that if their social platforms are offered internationally – including to individuals in the EU – or if they monitor individuals’ behaviour that takes place within the EU, they have to comply with the GDPR (due to its extraterritorial operation).

“What’s more, a number of global territories are creating their own data protection legislations (Brazil, China and India to name a few), and this means there will be more shapes and forms in which the protection of personal data will come. It also means less room for violations and getting away with them from large corporations.”

Finally, Adam Rose, head of Mishcon de Reya’s Data Practice, sees the reforms as a further gesture from the Government, suggesting a willingness to push the boundaries data protection adequacy agreement with the EU.

However, he commented: “Behind the bold words we are only just beginning to see what may emerge in terms of concrete proposals or changes to the underlying law, and whether there really is a public policy need for reform.

“Our current data protection laws are based on international (as well as European) frameworks that go back 40 years or so. There is a good argument that those frameworks, and those existing laws, already allow for the data innovation and economic growth which the Government is so keen to encourage.

“Squaring the circle of giving citizens and consumers more control over how their data is used, while also giving business and government greater freedoms to use that data, will be the big challenge.

“Coming just a couple of months after the adequacy agreement the announcements put the UK on a collision path with the EU, but also more widely with civil society organisations, with the likelihood of serious domestic data litigation in the future.”

Whether the Government will be willing to risk being dragged through the courts, however, remains to be seen.

Related stories
Govt reforms to axe Information Commissioner’s role
Critics round on overhaul of data law; Daily Mail rejoices
Govt plots major data law shake-up steered by NZ chief
NZ data chief and Facebook critic tipped to lead ICO
MPs warn new data regulator must not be Govt patsy
New ICO to ‘boldly’ lead UK into global data economy
UK firms express relief as EU data transfer deal looms
Hunt begins for the next UK Information Commissioner
Brits demand trade deals don’t water down data laws
UK industry chiefs call for ‘precious’ Brexit data deal
Japan data deal better than EU agreement, Truss insists
DMA hails EU data pact but Govt could yet scupper deal

Print Friendly