I assume that by now many of you know that many places, like the European Union (EU), have data protection laws. These directives and regulations have been in place for around 15 or more years, depending on the country. One of the more popular ones is the EU Data Protection Directive 95/46/EC. For those who don’t know about this, Directive 95/46/EC is the reference text, at European level, on the protection of personal data. It sets up a regulatory framework which seeks to strike a balance between a high level of protection for the privacy of individuals and the free movement of personal data within the EU. To do so, the Directive sets strict limits on the collection and use of personal data and demands that each Member State set up an independent national body responsible for the protection of these data.
Yes, for many of you this also includes email and social media: how you can collect, use (process), share, control, etc. the personal data of ANY individual within the EU. Hopefully, for the past fifteen (15) years, those who do B2C business in the EU have been performing explicit opt-in to use someone’s information.
On January 25, 2012, the Vice-President of the European Commission for Justice, Viviane Reding, officially presented the Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Basically, these are the proposed changes the EU Commission deems necessary for the ongoing protection of individuals’ information in an online world.
Now, these are just proposals as they stand today, and upon publication there must be an agreement on a final text before the Regulation can be adopted as law by the Council of the European Union (an institution representing each of the national governments) and the European Parliament (composed of representatives elected by EU citizens). Changes to the text are therefore very likely.
So what changes, if any, will happen?
- The biggest change will be who has to abide by this. In the past, it was fairly clear: the location of the equipment used to process data helped determine whether you needed to abide by the current regulations. With these new changes, the Regulation would apply to any processing of EU/European Economic Area (“EEA”) residents’ personal data when the processing relates to: (i) the offering of goods or services to such individuals, and (ii) the monitoring of individuals’ behavior. This means that if you’re headquartered in the United States (US) and collect data on EU citizens, you have to abide by such rules as explicit opt-in. No more hiding behind your geographic location.
- Right to be forgotten: this portion has gone through a lot of debate these past few years. The proposal requires a controller (you) to create a way for an individual to “erase” any links to personal data IF the data is made publicly available. This would probably have a much larger impact on your social media marketing than on email, but in general it still follows the best common practice of letting an individual opt out of your campaigns through links or preference centres.
- The next change is how consent is defined. In the past, assumed consent was valid in some cases. However, in the new proposal consent is defined as a freely given, specific, informed and explicit indication of an individual’s wishes, and can be expressed in the form of a statement or a clear affirmative action that signifies an individual’s agreement to the processing of his/her personal data. What this means for you in email is that if you want to obtain consent to email or contact an individual via social media, you have to gain an actionable consent from the person, such as them affirmatively checking a check-box saying they want you to “process” their data. This means no pre-checked boxes.
- As is already done today, the Commission’s ability to state which countries EU data can and can’t be transferred to will be expanded. Transfers elsewhere need individual permission or model contracts filed with the government that give prior authorization by the authorities. Today, the EEA does NOT allow data to be freely moved to the US, but does allow it to be moved to Canada. Eloqua hosts in Canada, which makes it much easier for us to do business with companies in the EU who also do business with EU citizens.
There are tons of other parts of the proposals such as:
- Data Protection Officer Mandatory for all Larger Organizations (me)
- Data Breach Notification
- Right of Action and Right to File Claims or Complaints
- Tougher Administrative Sanctions for Violations
- Stronger and Harmonized Powers of National Supervisory Authorities
I don’t want you to get all caught up in those just yet. My purpose in this blog post is to let you know that, no matter where you are located, you will have some new regulations to consider when collecting and processing EU personal data that you have never had to consider in the past. Depending on the pathway these proposals take, you will have to start obtaining more permission from users, expanding on your technologies (or third parties) to help you control this data, and understanding more about how data flows need to be handled in the next two (2) years when it comes to doing business with the EU and its citizens.
As things progress, I will continue to give you more updates here, but for the time being, start talking to your counsel and/or service providers about their involvement in this process. As marketers, start asking those hard questions about data governance and prepare yourself for some possible big changes in marketing.
-Dennis
Eloqua
Don’t Just Send, Deliver!