In the past year the Data Protection Registrar has investigated more than 100 companies, found 52 guilty and convicted them for breaching data laws. Companies have subsequently criticised the DPR, Elizabeth France, for misinterpreting existing data protection legislation.
But the situation is now about to change with publication of the Government’s guidelines for adapting the existing law. The proposals fall short of a radical overhaul. But they do bring the UK’s data protection legislation into line with the European directive on the subject which was first drafted in 1990 and represents the most major makeover of UK data protection law in 13 years.
The proposals clarify and strengthen certain consumer rights which have brought companies into conflict with the DPR. And formalise the use of “opt-outs” by companies in their mailers.
The UK Government’s interpretation of the directive should become law by October 1998. Significantly it will take a second legal overhaul later in the year to clarify the position for the utilities whose sharing of database information has brought them into conflict with Elizabeth France.
Direct Marketing Association director of legal affairs Colin Fricker says: “There are some battles to come, though in most respects it seems the Government is taking a realistic line. Business can be comforted that the Government is not taking a hostile stance.”
The new act will clarify certain thorny issues. The Data Protection Act 1984 made only vague reference as to how consumers should be protected from unwelcome mailings. It said the data had to be collected “fairly” so as not to mislead. The new Act will put into law the consumers’ right to object to being sent circulars.
The proposals state: “In accordance with the first part of article 14b (of the European directive) the Government intends to provide for data subjects to be able to object free of charge to their personal data being used for direct marketing purposes (that is to opt out.)” This will not change the practice that many marketers have been involved in since 1984, which usually consists of sending a form with a box which the consumer ticks if they don’t want to receive the mail-outs.
In the case of so-called “sensitive data”, such as information about ethnic origin, voting patterns or sexual orientation, there must be an explicit consent or an “opt-in” – the consumer must say they do want to receive mail-outs before companies can target them.
The proposals continue: “The Government is still considering how best to give effect to the requirement for data subjects to be made aware of their right to object.”
This is where the DMA will be trying to persuade the Home Office that the industry is best placed to inform consumers about their rights. Fricker says: “The data subject must know about the possibility of objecting to mailings being sent. We suggest that to inform subjects, we might take out notices in the press.”
Ironically, the organisation which promotes the interests of the direct marketing industry is preparing to turn to above-the-line advertising to communicate with the public.
Another issue the DMA is discussing with the Home Office is the move to give consumers a legal right to request information about who is processing data about them and why.
So where does this leave some of the companies which have fallen foul of the Data Protection Registrar?
One company being investigated at the moment is Tesco after a number of complaints – ten to be exact – about the way it has targeted members of its Clubcard loyalty scheme with information about products from other companies.
The DPR insists that the new proposals would not change its view of this matter – Tesco did not tell Clubcard members they would be targeted with third-party mailings when they first signed up. Therefore, argues the DPR, it is only fair that members request specific information about other products, rather than sign an opt-out.
Tesco argues that as it offered members an opt-out, it is in the clear. The DPR says the European Directive – and thus the new Data Protection Act – still insists that information on individuals must be fairly and lawfully collected, as well as enshrining in law the right to be offered an opt-out.
Neither will the new regulations change the situation for the utility companies which are seeking to cross-sell other utility services – for example gas companies looking to sell electricity. The most high-profile row concerns British Gas sending mailers to its 19 million customers allowing them to opt out if they do not want information about other products, such as the Goldfish Credit Card which enables you to get money off your gas bill.
The DPR says it is in the terms of the Gas Act, which paved the way for gas privatisation, that British Gas cannot use data collected on customers when it was a state monopoly to push products other than gas, without a specific request (or opt-in) from the consumer. The DPR has put in place an “enforcement order” forbidding British Gas from using opt-out clauses. The utility is understood to be preparing to call for a DPR tribunal on the subject.
But this situation is not affected by the new data protection legislation, but rather the acts governing utilities.
President of the Board of Trade Margaret Beckett announced at the beginning of July that she would review regulations governing the utility industries “to ensure they deliver value, quality and choice to consumers”. She says: “In short, it is time to take stock to see how the existing framework can be updated, modernised and refreshed.”
British Gas and other utility companies are pushing the Government to ditch the requirement for them to have to use opt-ins. Liberalisation of data protection was on the agenda in a series of secret pre-election meetings (MW April 17) between the Labour Party and the utilities.
At the time it was believed that data protection was the quid pro quo for not opposing the windfall tax. The utilities are stumping up 5bn to the Government and they want something in return – the right to target existing consumers is a beginning.
Ironically, if they gain the right to request only opt-outs rather than opt-ins from the utilities review this will fly in the face of the DPR’s view on what is a fair way of gaining information. It raises the prospect that Beckett’s utilities legislation will allow the utilities to behave in a way that other companies cannot. Which can only add to the confusion which the new Data Protection guidelines are designed to erase.