Transparency in Marketing Your Panel: Paula Barrett, Head of Privacy & Information Law, Eversheds LLP Aurélie Pols, Privacy Advocate, Advisory Board Member, MyPermissions Yasmeen Rahman, EMEA Regional Coordinator, EU Law, BMW Group IAPP Europe Data Protection Intensive, London, 16 April 2015
BMW GROUP PRIVACY. TRANSPARENCY IN MARKETING: BMW GROUP, THE INSIDER'S VIEW
BMW Group Privacy, IAPP European Intensive, April 2015
Transparency in Marketing
Drivers and impact assessments
Privacy Impact Assessments
• tool for extracting facts
• creates framework for discussion
• not just legal analysis - assess against commercial risk appetite and corporate ethos
• mitigating actions to be taken
• PIA requirement can be attached to specific project gateways e.g. digital platform changes
• the outcome - business enabler and greater transparency
Conducting Impact Assessment
• Understanding jurisdiction(s) and applicable law
• Identifying the players - data controllers and data processors
• Recognizing what personal data/private information is processed
• Work through application of principles, lawful reasons, fairness, transfers, filings, etc.
• Other relevant issues
– Other legislation/laws/torts!
– Culture and expectations
– Political/regulatory stance
PIA Report
• Consider actual and potential breaches
– Legal and practical consequences
– Likelihood of action and impact
• Business case justifying privacy intrusion/implications
– alternatives considered and rationale for decisions made
• Mitigation steps/design features
• Bear in mind legal privilege - this may become published/disclosable
• Consider separate annexes for sensitive elements.
• Local activity, UK Consumer Bill of Rights, Germany class action amendments
• Prohibits misleading acts/omissions and aggressive commercial practices
– false product information or deceptive presentation
– providing material information which is unclear, ambiguous or untimely
– failure to abide by commitments in a code of conduct
• Remedies
– not the same jurisdictional constraint on establishment of controller
– sanctions can include imprisonment
– burden of proof on trader
– policy non-compliance actionable as breach of contract?
• Could be applied to privacy practices - increasingly a significant factor in consumer entering into contract?
Misuse of Private Information
• UK Court of Appeal Judgment 27/03/2015 – Google Inc v Vidal-Hall, Hann and Bradshaw
• misuse of private information determined as a tort – distinct from breach of confidence
• consent required for use of “private information”
– other lawful reasons/exemptions not specified
PECD
• Stricter rules than DPD alone
• Consent – freely given, specific and informed AND:
– notified to the sender (not a third party?)
– that he consents for the time being (Ongoing?)
– to such communications (what type?)
– being sent by or at the instigation of the sender (third parties?)
• Inferring consent more difficult
• Driving greater transparency on consent obtained by or for third parties
GDPR Consent?
• Expansive definition of personal data
• Profiling
• Consent
– Data controller to bear the burden of proof
– right to withdraw his consent at any time
– purpose-limited - consent will lose its validity when the purpose ceases to exist or as soon as processing is no longer necessary for carrying out the purpose for which the data were originally collected.
@aureliepols Europe Data Protection Intensive – London 2015 @aureliepols
Where each tool can
Collect data
Aggregate data
Share data
Calculate new data
Push data towards other systems
…
And your company could
• Adhere to the Terms of Service, Terms of Use, … or not
• Align the use of these tools with your own policies … or not
• Find yourself in trouble due to some data use down the road … or not
So let me ask you 2 simple questions
1. When did Google last change its Privacy Policy?
2. Is your company using, e.g., Google Analytics?
3. Bonus: who owns the data?
An EU perspective of marketing
Source: Amicus brief for the Digital Analytics Association (DAA), Should you measure when a user logs out? Author Aurélie Pols http://www.slideshare.net/AurliePols/privacy-ethics