Many data practitioners are still in denial that the new Data Protection Regulation could be as tough as it seems. If they moved from defiance to thinking about how they might comply, says David Reed, they could win friends in Brussels - and get some changes made.
You have less than 120 days to save your industry. Journalists are often accused of being alarmist, but in this case, it is the Direct Marketing Association making the claim. It has been running a countdown clock since 8th January when the draft Data Protection Regulation proposals were published. The end date is when the European Parliament takes a vote on what new legislation will replace the existing Data Protection Directive.
In between, there is a very real opportunity to make a difference through lobbying. The problem is that, in a survey of 250 direct marketing practitioners carried out in January, 50 per cent of business executives said they were unaware of how the Regulation might impact on what they do. Unless business users of data make their voice heard loudly and clearly in Brussels - particularly by lobbying MEPs - when it comes to the vote, what gets passed may be what 99 per cent of respondents most fear - a data protection law unfairly weighted against business.
To help try to avoid that happening, the DMA has launched a toolkit for data practitioners to use in their own lobbying (http://www.dma.org.uk/eu-data-protection). It includes a timeline to show where discussions have got to, an interactive map showing who your MEP is and how to contact them and information on what the proposals involve. The DMA says it will help users to “stand up for your business in 4 1/2 easy steps.”
If commercial organisations get on board with the lobbying effort, it could make a real difference. Already, close contact has been taking place with MPs, MEPs and the Council of Ministers who are involved in the discussions. A “big tent” alliance of 18 UK trade associations has been pursuing a common position in its messaging.
“We continue to chase MEPs’ votes,” says Chris Combemale, chief executive of the DMA. That effort continues. But talking at the DMA Data Protection 2013 event in early February, he was also keen to stress that, “whatever the final result, the direct marketing industry will find a way to communicate with people about products and services effectively.”
That was an important counter-balance to the gloom and doom that has tended to shroud discussions about the proposals. While the DMA is using the threat to DM as a marketing and mobilisation technique, it also understands that direct marketing will not come to an end in June. One questioner at the event went so far as to ask whether some of the more controversial proposals, like the Right to Be Forgotten, were really that different from existing data protection law, including the Fifth Principle.
Combemale’s pragmatism also chimed with the stance being taken by Information Commissioner Christopher Graham. “When lobbying, bear in mind legislators want to see that companies are adhering to the rules. If there are elements in the industry ignoring what they are supposed to do, that is not a good platform,” he told the February event. “The basis of lobbying has to be a balanced approach to the Data Protection Regulations if you want to change minds.”
He summed up the right approach as, “compliance yes, defiance no. You don’t have the right to take personal information and do whatever you want, even if you deliver services in return. As a consumer, I want the right to say whether I want this to happen or not.”
At the heart of Graham’s view of where lobbying should focus is a recognition that, since the Lisbon Treaty, data protection is a fundamental right. “There are very good reasons for that, given Europe’s history,” he pointed out. It is easy to forget the malicious uses to which personal information has been put in Europe, from sterilisation programmes in Sweden to ethnic cleansing in Germany. Those might seem remote from the world of data-driven marketing and evidence-based decision marketing, but they are the reason why tighter data protection has strong political support within the European Commission and Parliament.
It also explains why the level of discussion about the proposals has been frantic. Within the European Parliament, four committees are looking at them and coming up with their own suggestions. These have now become extensive - in one case, 900 amendments have been proposed on a specific proposition.
At some point, these will get digested into a final version. Currently, seven different possible variants of the Regulation are working their way through the system. While Parliamentary committees are well advanced in their considerations, the Council of Ministers is behind schedule. The proposals coming through those twin tracks will eventually have to undergo “trialogue” to reach a compromise between what the Commission, Parliament and Council want.
Combemale referred to this process as “horse-trading” and there is an opportunity for unwanted elements to be traded off for acceptance of key principles. The downside risk is that compromises will be chosen from among the hundreds of proposals, leading to a version that nobody wants.
Graham has his own reasons to plead for an approach to lobbying which starts from the acceptance of the principles, but argues for changes to the practices being considered. Experience of the “cookies law”, from its initial proposal through to implementation and then enforcement, has been a poisoned chalice for the ICO.
“The saga of cookies is not terribly encouraging for proportionate and balanced regulation,” he said. That applies to both sides - legislators passed an amendment that was excessive in meeting a low-level consumer concern, while many digital marketers have been extreme in their views about the law and how the ICO has enforced it.
“This week we followed our own guidance on cookies permission for web analytics. When we first introduced that [in 2011], we played it by the book and had a clunky banner, which meant we got no information because nobody gave their consent. When we issued our guidelines, we were accused of changing the law. Now we have been accused of changing our own guidelines,” he said.
The ICO web analytics notice triggered a blizzard of social media comments, which accused the regulator of everything from changing the law itself - “not true,” said Graham - to breaking the Internet.
If the data industry approaches Brussels in the same way as digital marketers have responded to the “cookies law”, it would be a disaster. The Data Protection Regulation proposals need to be taken seriously and there has to be acceptance that new laws will come - it is 18 years since the Data Protection Directive was passed, after all.
That does not mean Graham completely welcomes the draft or recent responses to it. He argues that it is too prescriptive and should be more risk-based. As it stands, it leaves it unclear how the ICO is to be funded and could change regulation in the UK from being consultative to more tick-box compliance.
“It is not going to be easy,” he warned, but changes are still possible. “You need to show respect for consumers and be realistic about controls. On that basis, we can work together on the same page so direct marketing can flourish, exciting things can happen online and prosperity can result.”