Direct Marketing Under Data Protection Law - Part 2 (EU)
In Part 1 of this three-part mini-series, I considered the regulation of Direct Marketing in South Africa under the Protection of Personal Information Act 4 of 2013 ("the POPIA"). In Part 2, I will discuss the position under the European Union's General Data Protection Regulation ("GDPR"), as well as Recommendations and Guidelines from international Data Protection Authorities. Finally, in Part 3, I will compare and contrast the regulation of Direct Marketing between South Africa's POPIA and the European Union's GDPR.
What does Direct Marketing mean in the context of data protection law?
According to the International Association of Privacy Professionals (IAPP), from an EU perspective:
direct marketing can be defined as personal data processed to communicate a marketing or advertising message.
This definition includes messages from commercial organisations, as well as from charities and political organisations.
How is Direct Marketing Regulated under the GDPR?
Direct marketing is regulated in an indirect manner under the GDPR - what I mean by this is that there is no specific section of the GDPR dedicated to Direct Marketing. Rather, Direct Marketing is considered under a right to object in Article 21, and is mentioned in Recitals 47 and 70 - all of which are covered in turn below.
What right to object do Data Subjects have under the GDPR?
Article 21(2): Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
It is clear from a glance at Article 21(2) that Data Subjects have, at any time, an unconditional right to object to the processing of their personal data for 'Direct Marketing purposes'. Commentary on what 'Direct Marketing purposes' entails points to the fact that it is not merely the activity of Direct Marketing that is considered here, but the entire process around that activity - linking back to the initial purpose for which the personal data was collected. Therefore (hypothetically speaking), even if a Data Subject has not yet been contacted in the course of Direct Marketing, but is aware that a Data Controller holds their personal data and plans on processing it for Direct Marketing purposes, the Data Subject may object.
The right to object goes even further and applies to profiling that is related to such direct marketing. For the purposes of this Article, I will not delve into the technicalities of what profiling is, or what rights data subjects 'actually' have under the GDPR in relation to profiling. However, what I can say here on this point is the following:
The extent of protection (if any) against profiling that takes place in the absence of automated decision-making is unclear and unsettled in EU law. Even if one had a concrete right to object to profiling, in practice it is very difficult for a Data Subject to know if, when and how they are being profiled (which weakens the practicality of this aspect of the right to object). In many instances, the profiling being conducted is not individual profiling but group profiling using anonymised data - which falls outside the scope of the GDPR.
What obligations are there on Data Controllers under the GDPR in respect of Direct Marketing?
There are two main obligations on Data Controllers under the GDPR in respect of Direct Marketing activities.
Data Controllers are obliged to bring the right to object to the attention of Data Subjects "clearly and separately from any other information" when first making contact with a Data Subject - Article 21(4); and
Data Controllers are obliged to stop all processing for Direct Marketing purposes upon receiving an objection from a Data Subject - Article 21(3).
What do the GDPR Recitals say about Direct Marketing?
Articles 21(2), (3) and (4) are for the most part mirrored in Recital 70 of the GDPR. Interestingly, Recital 47 states that "The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest". Again, due to space limitations I will not go into the practical implications of the different grounds for processing under the GDPR. However, what this Recital is pointing to is that Data Controllers engaging in Direct Marketing activities may not always require consent from a Data Subject in order to direct market to them.
It is important to note that Recitals under the European Regulations are not legally binding on their own. Recitals do not confer a right, nor do they restrict a right, but instead have a resolutive function (they assist European Courts in 'dissolving ambiguity'). Pointing to a recent practical scenario, on 3 March 2020 the Dutch Data Protection Authority ("AP") announced a decision in which it fined a Data Controller for relying on legitimate interest as a ground for Direct Marketing, in doing so completely ignoring the contents of Recital 47 mentioned above.
How Are International Data Protection Authorities Handling Direct Marketing Regulation?
The European Data Protection Board ("EDPB") is yet to publish Guidelines and Recommendations on Direct Marketing. However, Data Protection Authorities in EU Member States have begun to publish their own Recommendations. For example, the Belgian Data Protection Authority published Recommendation 01/2020 on 17 January 2020. This Recommendation includes guidance on the following topics, which may prove useful as a starting point when assessing the lawfulness of an Organisation's Direct Marketing activities:
Determine the purpose for processing
Define the operations involved in processing
Identify the data necessary for achieving the purpose
Confirm whether you have a legal basis to process
The Recommendation also encourages Data Controllers to include the right to object in their privacy policies in simple and clear language, and emphasises the requirements for valid consent (which needs to be specific, informed, clear and unambiguous under the GDPR). The Belgian DPA also recommends that Data Controllers engaging in direct marketing put in place Codes of Conduct, as provided for in Article 41 of the GDPR, to harmonise their approaches.
On 4 March 2020, the UK Information Commissioner closed a public consultation on a draft direct marketing code of practice ("the Draft Code"). The Draft Code is a requirement under Section 122 of the UK Data Protection Act 2018 and provides "practical guidance for those conducting direct marketing or operating within the broader direct marketing ecosystem". The Draft Code also "explains the law and provides good practice recommendations". The scenarios covered by the Draft Code include the following:
Data protection by design
Generating leads and collecting contact details
Profiling and data enrichment
Sending Direct Marketing messages
Online advertising and new technologies
Selling or sharing of data
Individual rights
Both of the above examples indicate practical scenarios that other Data Protection Authorities (including South Africa's Information Regulator) may consider when drafting Recommendations or Guidelines to assist organisations in conducting Direct Marketing lawfully.
In Part 3, I will tie up the mini-series by comparing and contrasting the regulation of Direct Marketing between South Africa’s POPIA and the European Union's GDPR.
Disclaimer: the information provided in this Article represents my own thoughts and may not represent those of the organisation I work for. These thoughts are for awareness and discussion purposes only and do not constitute legal advice. For any enquiries, please get in touch with me at firstname.lastname@example.org