. . . but not necessarily in that order. Alastair Tempest reports.

Our business depends on being able to use personal data, and anything that threatens to upset the ability to keep databases and build relationships is of great importance.

Thus, July 2009 may have been a tipping point.

On that date, the German Federal Parliament, as it packed up to prepare for the national elections in September, passed a revision to the German Data Protection Law (Bundesdatenschutzgesitz).

This revision was sparked by a series of breaches of security. The main one concerned a call centre where data, including the bank details, of customers of a large telecom were stolen. These customers were then cold called and offered a monthly lottery (Eurochance). Their bank accounts were debited €30 per month (allegedly, even if they did not agree to contribute). These activities broke a number of criminal, as well as administrative and data protection laws.

German politicians, unfortunately, picked up the wrong end of the stick and demanded an end to ‘this trade in data’. The victims of these fraudsters were both the unfortunate consumers and also the direct marketing business.

A long and complex battle has been taking place in Germany over the last ten months on the new provisions of the revised Federal Data Protection Law. Since Parliament literally adopted the new law in the 11th hour and 55th minute, there are many details which are still to be set down.

It appears at present that there are a number of interesting exceptions to the new general rule of opt-in.

Opt-in will not be needed for B2B; selling to existing customers; or using lists from public databases to sell a company’s own products; for marketing of charities and political parties; or if the source of the data is clearly identified in, for example, a mailing.

This is also the case for rented lists which must be referred to in the marketing materials.

The devil will be in the detail here: what exactly do you have to say when you list your sources – just the name of the list(s) you have used, or full details of how to contact the owners of these lists in order to opt out?

There are additional restrictions – databases will need to keep as little data as absolutely necessary; there are new strict rules on scoring/profiling; wider enforcement powers for the data protection authorities and increased fines; more powers for company data protection offices, including less possibility to lay off a data protection officer.

In the great scheme of things restrictive, the German law as revised is not the worst.  The exceptions are extremely useful. But Germany has always been a model – its first Federal data protection law dates back 30 years – and therefore the influence this new revision probably will have is far greater than, for example, a similar change in any of the other EU countries.

EC revision
Unfortunately, we are also about to see the European Commission start the revision of its 1995 Data Protection Directive. The European Commission will certainly be influenced by the new German changes.

Obviously, we have been looking carefully at the European Commission and weighing up its options as it prepares to revise the 1995 Data Protection Directive.
Public consultations are starting and, in terms of timing, a new initiative would most probably come out at the beginning of 2010 under the Spanish Presidency of the European Council.

There are many interlinking and convergent influences at present which concern opinion formers – and thus influence public policy.

To give just a few examples:  the ‘Big Brother’ syndrome created by ever-increasing public surveillance (CATVs, travel data, ID clip cards, etc); the apparently cavalier attitude which government bodies and some businesses show towards the databases they are responsible for (security breaches); the confusion in the regulators’ minds over the role of behavioural advertising, online profiling and segmentation; and the use of cookies, etc.

All these – and many other – elements are converging to create a potentially serious challenge to our business’s use of personal data.

We need solutions to these challenges; but first we need a collective appreciation and recognition that there is a vast task before us.

The German debate is a constant reminder that regulators’ responses are triggered by political influences, which are not necessarily in tune with economic or business realities.

We are also dealing with many global issues while politicians think in terms of national responses.

Take, for example, the question of online behavioural advertising and privacy.

In the USA, co-operation between the advertisers, agencies and the DMA, working with the leading self-regulatory body, the Better Business Bureaus, has resulted in a set of principles for Online Behavioural Advertising (OBA). A code is now being prepared, which will be applied with the support of the Federal Trade Commission.
Will this become a solution for Europe? Or the rest of the world? In principle, a US solution should become the template.

Different approaches
On the other hand, we can expect that the planned revision of the EU Data Protection Directive (which has strong influence on national laws in Canada, Australia, Argentina, Hong Kong, etc) will not provide a template for the US, or for many other countries.

Different concerns will also create different approaches, as a very recent example shows – the Canadian data protection authority is presently pursuing Facebook for allegedly breaking Canadian Privacy Law.

The ‘globalness’ of the online world offers many examples already of similar cases.

We may be approaching a solution for OBA led from the US. It is, however, very difficult to see how the many other issues will be solved globally, which throws us back on national or regional initiatives. In my view, that is a recipe for confusion.

Confusion may, of course, be a temporary refuge for some players to build business while lawmakers and others struggle to influence the ‘final’ regulations.
But confusion can also lead to fiercer regulatory responses at the end of the day.

For our sector, it would seem very sensible to use the next months to debate what we want from a data protection regime, and how we can marshal the arguments (including economic data, etc) to ensure our arguments are heard, understood and taken into account by the regulators.

This will be FEDMA’s task in the next months. You all have the knowledge to help – so please do so!