e-privacy Regulation not ready to coincide with GDPR implementation

 Jan 26, 2018 3:00 PM
by Derek Lackey

It is hoped that the trilogue on the EU e-privacy Regulation will start after the summer recess, the rapporteur for the European Parliament on the e-privacy Regulation, MEP Birgit Sippel, said yesterday at the CPDP conference in Brussels. She said that it is important to have the GDPR and e-privacy Regulation ready at the same time. But this would now not be possible, and she would not give any forecast on when the e-privacy provisions would be in force. She thought that the principle of consent needs to be strengthened, and the new Regulation could even introduce higher standards than the GDPR.

Speaking for the European Commission’s DG Justice, Karolina Mojzesowicz said that it is important that there is no duplication between the GDPR and e-privacy. It is in the Commission’s interest that the same regulators supervise both GDPR and e-privacy. “We need to provide DPAs with a full set of cooperation mechanisms as under the GDPR, for example, rules on how to deal with transborder cases.”

Rosa Barcelo from EU DG Connect said that some issues still remain where decisions need to be taken, for example, the question of transparency and browser settings, and restrictions on data retention. She thought that the European Parliament would endorse the Commission’s proposal on competent authorities, but the Council may have a different view. The Council is trying to reach a joint position by June.

The CPDP conference continues until the end of Friday, when PL&B Chief Executive, Stewart Dresner, will chair a panel on data breach notification under the GDPR. See www.cpdpconferences.org.


The 5 Stages of CASL Compliance

 Jan 14, 2018 10:30 AM
by Derek Lackey

Understanding the law is a good start. 

Knowing what consent you are claiming, being fully compliant when sending messages and respecting individuals’ right to choose - these are all solid foundations for a CASL compliant program.

It is NOT CRTC’s place to tell you what to do in order to be compliant.
The CRTC recognizes that small businesses cannot match the resources of larger organizations, so it has developed a series of ‘illustrative’ rather than ‘prescriptive’ practices that will assist all organizations in their effort to be CASL compliant.

They will, however, tell you what you cannot do, engaging you in the process and making you think your email marketing plans through - from front to back. It is your responsibility as an organization to understand this new law and comply.

If you develop the strategy for building your lists you are much more likely to be discriminating. In the past, if there was any doubt, we would simply add the email address to the list and see if they engaged or unsubscribed. No skin off our nose. In the CASL era we have criteria - a set standard that we measure that same individual against. If they fit, we add them to our list, understanding where they came from, what our relationship is with them at any given point in time and when they should be deleted from our list.

Let’s face it, even if you are very discriminating about who is and who is not on your list, if they have not opened one of your last 15 emails, should they remain on your list? CASL aside, good business practice suggests you should drop them from your list, or at the very least send them a notice that asks them to click or take an action if they wish to remain on your list.

Many of us have been caught up in ‘bigger is better’ when in reality ‘quality and engagement of your list’ is what email marketing is all about. 

The relatively small cost of emailing an individual week after week, with no regard to their interest or engagement, fostered a ‘what the heck’ attitude and created fertile ground for the ‘bigger is better’ mentality when it comes to email lists. CASL changes that. The potential cost for being that indiscriminate is now significant. The potential cost of the private right to action will make things even more interesting.



CRTC - Compliance and Enforcement information

In June 2014, just prior to the July 1, 2014 date when CASL began being enforced, CRTC published a document called Compliance and Enforcement Information Bulletin CRTC 2014-326 <http://www.crtc.gc.ca/eng/archive/2014/2014-326.htm>. The purpose of the document was "to provide general guidance and best practices for businesses on the development of corporate compliance programs."

Although each case will be judged on its own merits, CRTC states that "The development and proper implementation of a documented and effective corporate compliance program is a useful risk-management strategy: it may (i) reduce the likelihood of businesses violating the Rules and/or CASL, and (ii) help businesses establish a due diligence defence in the case of a violation of the Rules or CASL."

Take note, a 'due diligence defence' is not out of the question. CRTC recognizes that while we are all on new ground with this new law, there are ways to reduce the risks and penalties. The CRTC Enforcement Staff can exercise some discretion when evaluating fines or undertakings.

Having a well-thought-out, documented process that is part of your staff training could go a long way toward your due diligence defence.

Who Is In Charge?
Once again, if Senior Management was involved in the development and implementation of your Compliance Process, CRTC interprets that as a deeper commitment. "Rules and policies by themselves have a greater chance of success in preventing misconduct when senior management strongly conveys that violations of the Rules and/or CASL are not acceptable." They go on to suggest that "a member of senior management could be named as the business’s chief compliance officer". The more senior the manager, the better the optics. CRTC may view this as a measure of commitment to your CASL compliant email marketing process.

No ‘Cookie-cutter’
Each organization should develop their own plan. "The chief compliance officer or point person should consider conducting a risk assessment to determine which business activities are at risk for the commission of violations under the Rules and/or CASL. The chief compliance officer or point person should then develop and apply policies and procedures to mitigate those risks."

Based on CRTC’s stated purpose, "to provide general guidance and best practices for businesses on the development of corporate compliance programs", we developed a 5 stage process to ensure CASL compliance.

The 5 STAGES OF COMPLIANCE are:

1. Email Marketing Audit - an in-depth examination of your current email marketing practices is an absolute necessity for every organization. Compliance with this new law starts with understanding where you are on the continuum. You should do a complete risk assessment to determine the challenges for your organization.

2. Develop Your Email Marketing Plan - first and foremost, CASL must be clearly understood. The Compliance Officer should then lead the team in designing a written corporate compliance policy for all aspects of CASL. Lawyers and outside consultants should be considered at this stage as it is critical to develop a compliant program.

3. Document The Plan - a well-thought-out, properly documented plan will go a long way to convincing CRTC that a) you care and b) you are committed to CASL compliance.

This also allows you to incorporate it into your staff training (stage 5). All organizations will be expected to keep hard copy or electronic files of the following information:
- your commercial electronic message policies and procedures;
- all unsubscribe requests and actions;
- all evidence of express consent (e.g. audio recordings or forms) by consumers who agree to be contacted via a commercial electronic message;
- commercial electronic message recipient consent logs;
- commercial electronic message scripts;
- actioning unsubscribe requests for commercial electronic messages;
- campaign records;
- staff training documents;
- other business procedures; and
- official financial records.

4. Tracking Technology - since CRTC demands that you know, in real time, the source of every name on your opt-in list, how it got there and what your organization’s relationship is with each individual on your email list, you will require robust technology that automates as much of this process as possible. Good record keeping is an absolute cornerstone of any CASL Compliance Program. Your organization must understand each and every individual's current and past relationship with the Company if you are claiming express or implied consent. In CRTC’s words: "Good record-keeping practices may help businesses: (i) identify potential non-compliance issues, (ii) investigate and respond to consumer complaints, (iii) respond to questions about the business’s practices and procedures, (iv) monitor their corporate compliance program, (v) identify the need for corrective actions and demonstrate that these actions were implemented, and (vi) establish a due diligence defence in the event of complaints to the Commission against the business."

5. Staff Training - you must have a formal plan to communicate with existing as well as new staff members so everyone in the organization understands your email policies and practices and why it is important for them to know and respect them. In CRTC’s words: "The policy may also: a) establish internal procedures for compliance with the Rules and/or CASL; b) address related training that covers the policy and internal procedures; c) establish auditing and monitoring mechanisms for the corporate compliance program; d) establish procedures for dealing with third parties (for example, partners and subcontractors) to ensure that they comply with the Rules and/or CASL; e) address record keeping, especially with respect to consent; and f) contain a mechanism that enables employees to provide feedback to the chief compliance officer or point person." CRTC places a great deal of weight on effective staff training that begins at the very top levels of management so CASL is taken seriously throughout the Corporation. "Effective training of staff at all levels on what constitutes prohibited conduct and on what could be done if they witness prohibited conduct is integral to the implementation of a credible corporate compliance program. Effective training helps employees determine roles and responsibilities, and when to seek advice from senior management. For the training to be effective, links should be made between the business’s policies and procedures, and the situations that employees may face in their daily activities.

The chief compliance officer or point person should consider developing and implementing a training program, including refresher training, regarding the corporate compliance policy for current and new employees, including managers. After training, employees could provide written acknowledgment that they understand the corporate compliance policy, and these written acknowledgments should be recorded and maintained. The business could also monitor employee comprehension of the corporate compliance policy, and the training program could be adapted and re-administered accordingly. The business could re-administer training following important modifications or updates to the corporate compliance policy. The chief compliance officer or point person could evaluate the effectiveness of this training at regular intervals."

Reviewing Your Program
It is the responsibility of the Compliance Officer to keep up with any changes or modifications required to the Company's Policies and Procedures and to ensure that all staff are updated accordingly. 


Auditing and Monitoring Procedures
In addition, all Auditing and Monitoring Procedures should be documented. "Auditing and monitoring mechanisms help (i) prevent and detect misconduct, and (ii) assess the effectiveness of the corporate compliance program.

The implementation of these mechanisms also reminds employees and managers that they are subject to oversight. The chief compliance officer or point person could be responsible for ensuring that audits are conducted at regular intervals with or without external help.

Auditing may involve developing and implementing a quality assurance program that would, for example, monitor a statistically significant percentage of the business’s telephone or email marketing campaigns. The results of all audits should be recorded, maintained, and communicated to senior management. Following an audit, the business should address any recommendations and modify or update the corporate compliance policy as appropriate."

Managing Complaints
The complaint-handling system should also be documented and clearly communicated. Consumer complaints should be documented and resolutions should be recorded. CRTC does not want any Compliance Officer to think that having a complaint system excuses them from following CASL's rules, such as having a working unsubscribe in every CEM and removing those individuals within 10 days of their request.

Discipline
Last but not least, your firm's corrective or disciplinary policy should be clearly stated, communicated and enforced. "This code would help (i) demonstrate a business’s credibility regarding its corporate compliance policy, and (ii) deter against possible employee contraventions of the corporate compliance policy.

Businesses should consider taking corrective or disciplinary action, or providing refresher training, as appropriate, to address contraventions of the corporate compliance policy. Businesses could maintain a record of the contravention and the action taken in response to the contravention."

These suggestions from CRTC are designed to help organizations develop and implement CASL Compliance Programs. While they could help in the case of a due diligence defence, they are designed more to help a Company be more effective when using email marketing.

Knowing, in detail, how your organization intends to use email marketing is a very good start to being CASL compliant.

Derek Lackey is the Managing Director, Newport Thomson - a global data & privacy compliance consultancy, helping organizations with CASL, PIPEDA, GDPR and CAN-SPAM compliance programs.


Privacy’s not dead. It’s hiring.

 Jan 11, 2018 3:00 PM
by Derek Lackey

Written By: Phil Lee, Partner, Privacy, Security and Information, Fieldfisher, phil.lee@fieldfisher.com

Some time back, in the early dawn of my legal career, a colleague took me aside and said to me “You do realise that this whole privacy thing is just a fad?  It’ll soon pass.”  That was some ten years ago or so, and it’s gratifying (and, frankly, a relief) to find that the area of law I chose to settle on has proven far from a fad.

There is a danger when speaking with fellow privacy professionals, though, that we become something of an echo chamber.  Every privacy professional tends to believe that privacy is of paramount importance (why else would they move into it?) and we tend to reaffirm one another’s beliefs that the significance of data protection law will endure indefinitely.

That isn’t a view always held by non-privacy colleagues though. Many view the current GDPR as something of a flash in the pan - a kind of Y2K for privacy professionals. There can be a sense that, while privacy is a big deal now as companies rush to complete their GDPR implementation projects, come May 25th next year everyone will breathe a big sigh of relief and things will calm down again.

This won’t be the case.  Privacy will only grow in importance over the coming years.  For now, I’ll leave aside the social and ethical arguments about why privacy will continue to dominate since these are necessarily more subjective in nature.  Instead, I’ll just point to a few objective legal reasons why privacy will be a big ticket compliance concern for many years to come:

1.  The GDPR is not a project.  Within some organisations, there is still a tendency to see the GDPR as a one-off project, but it’s not.  Getting GDPR-ready will mean implementing ongoing privacy governance, policies and processes that will endure on an ongoing basis.  Think, for example, about Privacy by Design programs, the conduct of Privacy Impact Assessments, DPO appointments, and security incident reporting, among others - quite aside from the need to train staff on privacy compliance measures and to audit compliance and effectiveness on an ongoing basis.

2.  The story doesn’t begin and end with GDPR.  Quite aside from the GDPR, there are other important ongoing legislative, regulatory and judicial developments in the privacy and security space.  Think, for example, about the implementation of the Network and Information Security Directive, the incoming (and wildly debated) e-Privacy Regulation, and Member State local law developments (such as the continuing controversy surrounding the UK’s Investigatory Powers Act), to name a few.  The e-Privacy Regulation, for example, will significantly impact any business operating in the online space, by reforming cookie consent requirements and communications privacy rules.  Put simply, there are many more privacy and security reforms coming down the pipeline over the coming years - it’s not all GDPR.

3.  International transfers are in peril.  The future of international data transfers between Europe and other worldwide territories (especially the US) is under particular scrutiny.  Think, for example, about the ongoing court cases concerning the validity of the Privacy Shield and the Standard Contractual Clauses.  Beyond that, consider the European Commission’s announcement that it is reviewing the ‘adequacy’ status of those countries currently deemed safe to receive EU data.  Not to mention that many of our existing data export mechanisms will all need updating by the regulatory bodies to ensure that they too are GDPR-ready.  These developments will introduce significant turbulence for the international data movements that are the lifeblood of every global organisation - and that’s before you start to consider the rise of data localisation rules in territories like Russia and China.

4.  There’s more to the world than just Europe.  The world of data protection extends beyond just the EU and its legislative reforms.  Over the past few years, there has been an explosion in the number of territories worldwide that have data protection laws (see, for example, here) - to the point that there are now more countries with, than without, local privacy legislation.  While there is inevitably an upper limit on how many countries can adopt privacy laws (there are only so many countries in the world), it does make the business of privacy ever more complicated: each of those laws will approach privacy issues in ever-so-slightly-different ways; those laws will inevitably be reformed and adapted over time; and organisations operating on a global scale (especially online businesses) will face significant challenges in meeting the laws of all the countries where they do business.

5.  Privacy has become a commercial imperative.  It’s easy to get excited about the regulatory and ethical risks when talking about data protection, but there’s another dimension too: the commercial risk.  The reality is that, in commercial deals, privacy has gone from being a last minute, minor consideration (if it was even a consideration at all) to becoming a major impediment to deal closure.  Organisations that do not have a robust answer to privacy compliance issues are finding it increasingly difficult to close deals - or, at least, to close them quickly - and this is an issue that will grow with time, especially in light of points 1 to 4 above.

What do you take away from this?  Well, it’s important for organisations to...


Privacy Shield (begrudgingly) here to stay! For now…

 Jan 11, 2018 3:00 PM
by Derek Lackey

Written By: Alexander de Gaye, Privacy Advisor - Privacy, Security and Information, Fieldfisher, alexander.degaye@fieldfisher.com

The Commission gave it the official (if lukewarm) ok in October, following the first annual review. Last week it was time for the Article 29 Working Party (WP29) to have its say.  The overall verdict: OK but could do better.  This is backed up by a threat to mount a legal challenge.  But whilst this is more of a story than the Trump announcement earlier this year (see my earlier post), Privacy Shield organisations or those considering it should not lose any sleep.

"OK"

The Opinion starts with the usual lines about welcoming progress before we get down to the juicy stuff.  A great improvement on Safe Harbor, welcome the Department of Commerce's commitment and dedicated staff, welcome increased transparency on surveillance and declassification of certain documents etc etc.  It reads like a huge 'but' is coming.

"Could do better..."

The WP29 split their objections into two categories: they are not happy with certain aspects on the commercial side, and they have major concerns about state surveillance.

a) Commercial aspects

WP29 bemoaned the lack of guidance both for organisations certifying to PS and for individuals trying to assert their rights. The Department of Commerce (DoC) retorted that it was principles-based and they wanted organisations to consider the principles rather than copy and paste official text.

WP29 wants clear guidance for individuals and organisations on how the scheme works. A criticism that could equally be levelled at the pace of WP29's GDPR releases!

WP29 complained the DoC is not sufficiently checking certifications or ongoing compliance. Whilst DoC reviews privacy notices, it does not check vendor contracts, test a certified organisation's statements nor undertake any proactive compliance monitoring.

The certification process, which may take a month, requires organisations to publish their privacy notice once they apply; likewise recertifying organisations are given a month's grace. WP29 did not like the idea that the Privacy Shield site would thus be temporarily listing organisations as certified when they were not.

It transpires there is a major misunderstanding between the EU and US on what constitutes HR data. In DoC's view it only applies to employees of the exporting organisation. One can imagine the stunned silence in the room: "Of course, once it gets transferred to the US, information about those employees stops being HR data, right?"

b) State surveillance

US authorities make assertions that collection of data under the Foreign Intelligence Surveillance Act s702 is no longer generalised. However, the WP29 had an issue with the lack of evidence or binding commitments to back this up.

WP29 sees the upcoming deadline to re-authorise s702 as an opportunity to add safeguards such as a 'reasonable suspicion' criterion or oversight body. This seems unlikely given the lack of current appetite in Congress. It won't help that Trump announced the US can keep warrantless surveillance under s702 even if Congress fails to extend it.

WP29 would like the Privacy and Civil Liberties Oversight Board (PCLOB) to update its report on mass surveillance under s702 and release its currently privileged report on Presidential Policy Directive 28.

Whilst it rates the PCLOB highly, WP29 laments the fact there are many vacancies on the board (actually only currently one sitting member). Given the vast number of senior posts in the current administration that remain unfilled, this is likely to remain a problem.

The same gripe was raised against the Ombudsman, which is yet to be appointed. The WP29 also wanted its exact powers and procedures to be clarified.

The Opinion finishes with 20 or so pages of facts that came out of the review interviews, which provide an interesting insight to how the scheme is actually working in practice.

"We may challenge"

The Opinion starts and ends with an invitation to the Commission to rethink the adequacy decision backed up by a threat: the serious concerns must be addressed at the latest by 25 May 2018, the remaining concerns must be addressed at the latest by the second joint review.  Failing this, the WP29 will seek a CJEU preliminary ruling. 

So what?

Stern words. The WP29 represents all EU DPAs so gives an insight into how they perceive Privacy Shield.  It also will be the future EDPB and guardian of the GDPR.  The WP29 may also be trying to assert its role as overseer of EU data protection following criticism in the Schrems decision.

That said,...


GDPR: Profiling and Consent Debate Put to Bed

 Jan 11, 2018 3:00 PM
by Derek Lackey

Written By: Phil Lee, Partner, Privacy, Security and Information, Fieldfisher, phil.lee@fieldfisher.com

In a post last week, I said that “There’s a perpetuated misconception that all profiling needs consent. It doesn’t, end of.” Since this seems to have been an area of much confusion under the GDPR, I thought it worth taking the time to elaborate on this point.

What is “profiling”?

To start with, it’s important to understand what profiling means. The GDPR defines profiling as follows:

“any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements” (Art 4(4)). 

In simple terms, profiling refers to using someone’s personal information in order to build up a picture of the type of person they are and the way they behave - whether for analytics reporting (e.g. “15% of the visitors to our website are female, in professional jobs, and in the 25-34 age bracket”), for some kind of evaluation (e.g. “This individual presents a high risk of defaulting on a loan”), or for targeting purposes (“Serve this ad to an audience of men aged between 35 - 44 and interested in sports”).

The difference between “profiling” and “automated decisions”

One word that is conspicuously absent from the definition of profiling, though, is “decision”. This is very important for reasons I'll explain below. Many commentators have failed to distinguish the concepts of profiling and automated decision-making, and this has resulted in confusion about whether consent requirements apply for profiling.

To be fair, this confusion is understandable, because the GDPR seemingly blurs the lines between the two concepts at Art 22 when it says that:

“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her” (emphasis added). 

Art 22 then goes on to say that this restriction against automated decisions does not apply if the individual has given “explicit consent” (in addition to a couple of other grounds). 

So there you have it: in a single article of the GDPR you have the words “profiling” and “consent”, ergo all profiling requires consent, right? 

No, no, and no!

Wrong - and here’s why:

1) First off, the Art 22 restriction applies to automated decision-making, not profiling per se. A controller might use an individual’s profile in order to make an automated decision, but profiling is not in and of itself an automated decision. Remember the word “decision” does not appear once in the definition of profiling. To give a real-world example, I might look at someone’s credit profile to decide whether or not to advance them a loan: the ‘decision’ here is whether or not to make the loan; the individual’s profile is what I use to inform that decision. 

2) Building on that point, Art 22 restricts automated decision-making “based solely on automated processing, including profiling”. The words “including profiling” here relate solely to the concept of “automated processing” - profiling is an example of “automated processing”, not of “automated decision-making”. 

3) Recital 71 makes this distinction slightly clearer, noting that “The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her… Such processing includes ‘profiling’” (emphasis added). Once again, note the distinction between the “decision” and the “processing” (profiling).

4) You don’t have to take my word for it though. Look at the evidence in the textual development of this provision as the GDPR passed through the legislative process. In the Commission’s original 2012 proposal, the then-article 20 said: 

“Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.” 

Again, the focus here was on the “measures” produced by profiling, not the profiling itself. 

There were, however, quarters in Europe that did want consent for all processing, including the European Parliament which, in its review of the draft GDPR, proposed the following:

“The processing of personal data for the purposes of profiling, including in relation to the offering of electronic information and communication services, shall only be lawful if” based on consent or one of the other proposed lawful grounds.

In this draft, the European Parliament clearly aimed to restrict all forms of profiling. However, the European Parliament’s approach did not make it into the final version of the GDPR and this itself is telling. The final version of the GDPR was ultimately closer to the Commission’s initial proposal; namely, that profiling itself is not restricted, only automated decisions based on automated processing - with profiling being one example of automated processing.

5) Even if you disagree with this interpretation, it’s worth noting that automated decisions are not, as a whole, restricted - only decisions which produce “legal effects” or which have “similarly significant effects” on the individual. Whatever your personal view on profiling, from a legal perspective it’s very hard to evidence that profiling in the context of, say, online advertising or analytics has a “significant” or “legal” effect on any individual.

6) If after that, you’re still not convinced, then have a look at Art 21 of the GDPR. Among other things, this article gives individuals the right to object to processing of their personal data which is based on public interests grounds (under Art 6(1)(e)) or legitimate interests grounds (under Art 6(1)(f)) and expressly refers to “profiling based on those provisions”. This is an express acknowledgement, directly within the operative provisions of the GDPR, that profiling can be based upon these non-consent-based processing grounds - establishing objectively and definitively that, as a matter of law, consent is not required for all profiling.

Why this matters...
