It was a long time coming, but the arrival of the new Data
Protection Act could still catch a lot of companies unawares. After
years of wrangling, the regulations finally came into force on March 1,
with miscreants now facing fines of up to £5000.
Although no-one has been prosecuted under the Act to date, two
companies, Second Telecom and Top 20, have been sent enforcement notices
under the Telecommunications (Data Protection and Privacy) Regulations
1999, which are intertwined with the Data Protection Act.
They had been sending unsolicited marketing faxes in breach of the
regulations, and have 30 days from May 25 to comply fully with
regulations or face the Data Protection Commissioner (DPC) (see
box).
The new rules shift the balance firmly in favour of consumers, who have
the right to check or withdraw their personal data and claim
compensation where it is used improperly.
The use of details relating to health, ethnicity and other sensitive
areas is subject to controls, and companies which allow data files to
fall into the wrong hands will be penalised.
The Act strengthens existing legislation passed in 1984 and follows an
EC directive, itself influenced by powerful consumer lobbies in
countries such as Germany, which have pressed for voluntary
self-regulation to be beefed up by statutory powers.
Change arrived in the UK last year when the self-regulatory Telephone
Preference Service, set up by the Direct Marketing Association (DMA) in
1995, was effectively transformed into a statutory system. The DPC,
based in Wilmslow, Cheshire, says it will take action against
telemarketing companies that have abused the rules. Its annual report,
due for publication on July 12, will contain details of
prosecutions.
All this is a significant step up from the previous regime, which
penalised only those personal data-handling companies which had
registered with the DPC. From now on any company that uses data will be
subject to sanctions for its misuse, regardless of whether or not it is
registered.
However, it could have been worse. In Germany and Italy interpretation
of the Brussels directive has been stringent. Companies have to get
explicit permission from individuals before using most personal data,
and in some cases are obliged to wipe their records immediately
afterward.
That this will not happen in the UK is largely thanks to five years of
energetic lobbying by the DMA. By invoking a ‘derogation’ - Eurospeak
for exception - direct marketers can ignore the consent rule where a
‘disproportionate effort’ would be involved and where there is no
significant risk to the consumer.
Government influence
‘The Tory and Labour governments have been very good, doing just enough
to implement the directive, so that we in the UK have fewer new burdens
than other countries,’ says Colin Fricker, director of legal affairs at
the DMA.
Fricker believes the Act will provide greater openness and encourage
better relationships with consumers. That view is echoed by agencies,
which tend to regard their data practices as sufficient and say that
compliance with the original Act means they are already 80% of the way
there. But ambiguities lurk in legislation based on vague EC
directives.
Ops Room managing director Stuart MacMillan Pratt was surprised when
senior representatives at a DPC training seminar earlier this year were
unable to clarify particular scenarios, suggesting that things will only
become clear through court judgments. ‘It will be interesting to see
what happens when someone does get it wrong,’ he says.
Appeals on DPC rulings will be heard by tribunals made up of marketers
and consumer protection body representatives, whose decisions can in
turn be scrutinised by the courts.
Lawyers argue that this should eventually clarify how marketers deal with
certain grey areas, but, in the meantime, it is a good idea to play
safe.
‘One potential difficulty, for example, is that a person under 18 cannot
be bound in contract to purchases over the net, which, according to the
DPC, means they cannot be deemed to consent to the use of their details
either,’ says Myles Jelf, a solicitor at law firm Bristows. ‘Data
gatherers have no way of knowing their age, but they can cover
themselves with a box that is checked to confirm the individual is not a
minor.’
Already it seems that interpretations of the Act could differ. According
to Julie Screech, data director at Joshua, it is lifestyle data
gatherers and list brokers who are in the firing line, not the agencies
and clients who buy the data in for specific purposes. But the DPC
argues that the Act means users are equally responsible.
‘There is more of an obligation to check that data is accurate, and we
would look at the extent to which users are serious or just going
through the motions,’ says compliance manager Samantha Brierley.
The spectre some fear is that self-regulation will gradually be replaced
by statutory measures, which could come about if a few delinquent
companies taint the whole industry.
Shaun Doyle, chairman of Intrinsic, which helps build databases for
clients including Sainsbury’s and Thames Water, suggests that pressures
for statutory regulation come from areas not necessarily related
directly to marketing.
He cites problems over credit scoring, where customers who have recently
moved into a house previously occupied by a loan defaulter are unfairly
tarred. ‘Abuses like that scare people,’ he points out.
The heart of marketers’ concerns is the possibility that the opt-out box
which allows consumers to hang out a do-not-disturb sign could be
replaced by a more limiting opt-in. This is happening in some parts of
Europe and is still a possibility in e-mail regulations.
‘Complacency would be dangerous,’ says Stephen Groom, marketing law
expert at Osborne Clarke. ‘With the telemarketing regulations now in
force, the government has warned it will not hesitate to go for an
opt-in if the system does not work.’
PRINCIPAL IMPLICATIONS FOR MARKETERS
- Companies handling personal data that fail to register with the DPC,
or procure data without right of access, face fines of up to £5000.
- Companies that fail to respond within 40 days to a request for an
individual’s details held on file face possible compensation demands in
the courts.
- Individuals have the explicit right to object if they feel data is
being used improperly. If the offence is repeated they can claim
compensation.
- Companies must ensure the data subject is broadly aware of how their
details are being used. Data may only be used for the purposes for which
it was expressly gathered.
- Consent must be sought in all cases where information relates to
health, race, sexuality, religion and other sensitive categories.
- Rules on security are tightened, with the company’s data controller
being held responsible for the misuse of information by unauthorised
third parties.
- Unsolicited marketing faxes must not be sent to individual subscribers
without prior consent.
- The DPC has new powers to investigate complaints by demanding access
to data files, enforceable by search warrants.
- All data in every organisation is now covered, including corporate
databases, sales contact lists, personnel files, etc. Structured filing
systems not on computers are also included.
- Corporate subscribers cannot opt out of phone sales but can opt out of
unsolicited faxes by calling the central stop-list on 0845 0700702.
- For additional information: DPC helpline is 01625 545745 or
www.dataprotection.gov.uk.