Executive Briefing: UK/EU Data and Marketing Regulations Now that Brexit is Done
Brexit is now a reality and the nuances of cross-border trade are slowly being understood. Many business leaders are feeling a palpable sense of relief, as the post-pandemic future comes gradually into focus.
But for marketers, some uneasiness still remains. Although there is a trade agreement in place between the EU and the UK, it specifically declines to deal with the issue of data adequacy, deferring the matter for further negotiation. It will surprise some to learn that we are presently in an “extended adequacy negotiation period”, the results of which are not yet guaranteed.
In this article, we’ll examine how current legislation (including the EU’s GDPR and the UK’s Data Protection Act) affects both UK marketers, and their EU counterparts looking to target UK consumers or businesses. We’ll also highlight some key dates, and discuss some strategies for remaining compliant, come what may.
Avoiding a No-Deal (Again)
The UK officially left the EU on the 31st January 2020, embarking on an 11-month transition period during which rules and regulations remained aligned. On the 1st of January 2021, that period ended, and the UK became an independent nation - ostensibly no longer bound by the bloc’s rules.
You might assume that now that’s the case, the GDPR (which is EU law) no longer applies. To some extent, this is true - but for reasons we’re about to discuss, largely irrelevant.
Whilst there is now a trade agreement (awaiting ratification) between the UK and the EU, governing everything from livestock and produce, to investment and competition - as we’ve already mentioned, data is not included. The parties judged the topic to be too technical, opting to kick the can down the road in favour of reaching a deal overall.
When it comes down to it, this is a simple question of whether the UK’s data law is sufficient for the European Commission to deem it “adequate”. Seeing as both parties’ data protection laws are virtually identical, many are hopeful that this is something of a formality - but the process hasn’t been without hurdles. A recent ruling by the European Court of Justice (ECJ) found that the UK’s collection and processing of data for surveillance purposes was unlawful. In October, a UK parliamentary Digital, Culture, Media and Sport (DCMS) committee hearing saw experts express concern that this could affect any adequacy determination.
Nonetheless, on the 19th of February, the EU signalled an intent to move towards adopting an adequacy decision, which was met with a positive response from the UK data commissioner. No dates are yet forthcoming, and such decisions have been known to take some time, but this is certainly a positive development.
Current Legislation You Should Know About
The EU GDPR
When processing the data of EU citizens, in whatever jurisdiction a business is located, it must comply with the GDPR. Further, if a business is located inside the EU, it must comply with the GDPR when processing personal data of any kind.
The GDPR doesn’t place direct restrictions on marketing itself, only the processing of personal data. But if you’re processing the personal data of individual citizens in order to conduct your campaigns (highly likely), you need to take steps to ensure compliance.
Legal requirement: A lawful basis for processing personal data
As a brief recap, there are six legal bases for processing EU citizens’ personal data, defined by Chapter 2, Article 6 of the GDPR. For marketers, the most relevant are usually:
- The subject has freely given their informed consent
- It’s necessary for a legitimate interest of the marketer - on the understanding that they have conducted a balancing test to ensure that their interests are not outweighed by those of the subject.
Most Business-to-Consumer (B2C) marketing will require consent, due to other applicable legislation, such as the ePrivacy Directive (more on this later). When explicit consent is not required, as can be the case for some forms of targeted Business-to-Business (B2B) marketing, businesses may choose to rely on Legitimate Interest. When doing so, offering simple opt-out mechanisms, ensuring the recipient is likely to find the message relevant, and ensuring a reasonable frequency are all requirements for compliance.
The UK Data Protection Act (revised 2018)
The DPA is the law governing how personal data controlled by a UK entity (such as a company, person, or the government) may be used. As with many EU laws, the UK transposed the vast majority of the GDPR into the revised Data Protection Act in 2018. There are several differences (as allowed for by the GDPR itself - referred to as “derogations”), but few which have a significant impact on marketers.
As with the GDPR, if you’re processing the data of UK citizens, you must comply with the DPA. Further, if you are domiciled within the UK, and processing personal data of any kind, you must comply.
The Information Commissioner’s Office (ICO) is the UK authority charged with enforcing the DPA, and publishes a variety of guides and in some cases statutory codes of practice, such as the recently updated Data Sharing Code of Practice.
Top Tip: The “UK GDPR”
The DPA actually establishes a “UK GDPR”, as the EU GDPR was “retained EU law” when the UK left the EU, establishing it as part of UK domestic legislation. This may be varied over time, but as it currently stands, the Keeling Schedule for the UK GDPR alters the EU GDPR only enough to reflect the fact that the UK is no longer part of the EU, change the courts of jurisdiction, etc.
The 2002 EU ePrivacy Directive (amended 2009)
The ePrivacy Directive (note “Directive”, not “Regulation”) is the EU’s other important law for marketers. Since its update in 2009, the EUePD is often referred to as the “Cookie Law”, as it is the legislation that required the infamous cookie consent notices you see on many online properties to this day.
The ePD sets out EU citizens’ rights relating to electronic communications networks and services. It deals primarily with privacy, communications, and by default, marketing - as opposed to the GDPR, which deals predominantly with data. The two are intrinsically linked, but not necessarily the same thing.
In short, the ePD constitutes the basis of member states’ law around the sending or facilitating of electronic communications, and (most important for marketers) how and when entities may collect information, track, or contact EU citizens whose data they have the right to process under the GDPR. For marketers, perhaps its key stipulation is that you may not send electronic marketing messages to individuals unless they have given you consent, save where certain exceptions apply.
Pertaining to the more nuanced clauses of the ePD - because it is a directive, rather than a regulation - member states have much greater latitude for interpretation and implementation, meaning that local law across the EU can differ significantly.
Top Tip: The “Soft Opt-In” Exemption
Where it complies with the GDPR, marketers may be able to contact their existing customers for marketing purposes, on the basis that they are likely to find such marketing relevant, and are easily able to withdraw their consent. This is allowed by UK law, but precluded by some EU member states.
The UK Privacy and Electronic Communications Regulations 2003 (PECR)
PECR is the UK implementation of the EU ePrivacy Directive, which (similarly) deals with privacy, communications, and by default, marketing - as opposed to just data.
The aforementioned ICO is largely responsible for enforcing PECR, and maintains a reasonably detailed guide on its use. Effectively, these are the rules that govern the circumstances in which marketers (and others) may contact citizens electronically.
Top Tip: Business-to-Business
The EUePD considers business users to be “corporate subscribers”. As such they do not qualify as “natural persons”, giving them fewer rights under the GDPR, and the EUePD. In turn, member states are able to legislate individually on the subject of B2B communications. In the UK (as in many EU member states), marketers may contact business people provided certain conditions are met.
The ICO provides guidance for B2B marketers which covers this in some detail.
The EU-US Privacy Shield
The Privacy Shield is a framework agreement designed by the United States and the European Union. It aimed to provide entities in both regions a rubber-stamped mechanism to ensure transatlantic data transfers would be legal under both EU and US law.
In July 2020 however, the ECJ poignantly struck down the Privacy Shield, ruling that it does not comply with the level of protection required by the GDPR, finding that the US justice system would likely prioritise US national security interests over the rights and freedoms of EU citizens - effectively meaning that it is no longer a valid mechanism for transferring data.
Top Tip
Even if you’re not knowingly transferring data to the US - it’s important to consider that many suppliers who store or otherwise process data on your behalf may do so in the USA. Scrutinise T&Cs or contracts carefully to ensure you're not caught out.
Key Considerations and Strategies for the Future
EU ePrivacy Reform
The EU has been looking to reform its ePrivacy Directive since 2017, seeking to turn it into a more powerful Regulation, and retool it for the modern digital environment. As of February 2021, EU member states have approved draft text and a negotiating mandate to move forward with this reform, bringing it a significant step closer to reality.
The current text is less onerous for marketers than previous versions, reintroducing some important possibilities, including:
- The soft opt-in for B2C customers
- The soft opt-in for relevant B2B business people acting in a professional capacity
- Less onerous restrictions around cookies
As we’ve already seen, certain EU member states may implement tougher rules, and of course - the negotiations are far from complete. This has been a long and difficult process, with significant lobbying from nation states, industry bodies (including the UK’s DMA), multinational technology companies, publishers, and many more - all with differing opinions and objectives, which could ultimately affect the final text significantly.
Standard Contractual Clauses (SCCs)
Where no trade agreement or valid framework exists, data controllers can still transfer data outside of the EU (or the UK), provided they ensure compliance with the relevant law (the GDPR or the DPA). This can be complex, as contracts need to offer the same protections for data subjects as the relevant law, and controllers must be able to monitor and enforce to ensure compliance.
A common mechanism for achieving this uses standardised contractual clauses. The EU has ratified a set of SCCs, which can be used as part of agreements between processors and controllers to effectively create a private GDPR between the parties, ensuring citizens’ rights are protected by way of contract.
A key requirement is the ability of the legal system in the recipient country to adequately adjudicate and enforce these contracts. It is the responsibility of the controller to ensure that this is the case, and avoid a “vanity contract”. If there is no reasonable expectation of compliance or enforcement capability, there may as well be no contract.
Since the failure of the Privacy Shield framework, SCCs are coming under closer scrutiny. Renewed SCCs are currently being drafted by the EU, and are likely to bring tighter restrictions.
Future Divergence
Of course, it’s a fact of life that governments change, legislation evolves, and new laws are introduced. Whether led by the UK or the EU, there’s always the chance of divergence, which can invalidate existing agreements.
If the UK wished to enter into a trade agreement with a third country which had lower data standards, in turn that might breach EU data protection regulations, which would likely cause the EU to rescind any adequacy designation. Conversely, if the UK decided to increase the level of protection afforded to its own citizens, transfers to the EU might become problematic.
The CPTPP
The UK has recently applied to join the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), which has its own data stipulations, aimed at easing data flows between member states. Watch out for conflicts and turbulence with the EU and the GDPR, as the UK negotiates accession to this new trade area, which currently includes nations as diverse as Australia, Brunei, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru, Singapore, and Vietnam.
So the mid-to-long term future is opaque, but it is safe to say that the global trend is toward privacy and data protection. As such, the best way to protect your business and your marketing strategy is likely to opt for voluntary compliance with the more demanding data regulations of the jurisdictions in which you operate. High standards will usually pay off in the long run.
About Corpdata
Corpdata is a market leader in direct marketing data, serving the growing need for compliant B2B information and in-depth database analysis.
Accurate marketing information adds value to every campaign. Corpdata records are researched in-house and updated twice each year, making the average age of each record 94 days. All industry sectors are included, with specialist information in the IT and Telecoms, Marketing and Media, Building and Construction, and Fleet industries. In-depth analysis is also available on FTSE 350, UK Call Centres, and IT and Telecoms hardware and software infrastructure in UK businesses.
For more information, or to talk to our experts, visit corpdata.co.uk or call +44 (0)1626 777 400.
This article does not constitute legal advice, and should not be relied upon as such. Bizibl, Corpdata, our officers, and partners make no assertion as to the accuracy, timeliness or correctness of this article or derivative works.