Privacy watchdogs nip at Europe

Posted on

Pity the poor marketer trying to launch a creative promotional campaign in Europe. While the Commission of the European Communities wants to make it easier to market across the continent, data protection watchdogs are growling fiercely at practices that slip over a shifting line of propriety.

Misuse of personal information is a growing concern in countries on both sides of the Atlantic, but responses have varied on the two sides of the ocean. In the U.S., self-regulation by data collectors is giving way to calls for legislative action. In Europe, protection of personal data is perceived as a fundamental human right and is therefore governed by law, on the European Union (EU) level as well as in single member countries.

The EU has passed many provisions dedicated to protecting personal data (especially financial data, medical records, genetic information and anything about children), and these affect marketing and promotion, mostly by slowing online business development. National data protection commissioners (special, independent authorities in charge of domestic implementation of EU directives) are especially alert to such marketing techniques as e-mail ads, electronic (pop up) ads, cookies, banners, Java scripting and spyware.

The DP commissioners coordinate on a trans-national level through the Data Protection Working Party (DPWP), and address businesses based in and outside of the EU. Their powers extend to foreign subjects using equipment located in EU territory, and they have begun to enforce protocols for data processing on the Internet, through audiovisual systems and in direct marketing. Currently, the DP commissioners can apply sanctions — generally fines, but violations of privacy rules can be ruled criminal offenses, punished with imprisonment up to three years.

Several European marketers have had “first contact” with the new restrictions. In Italy, a professor complained when he received an e-mail ad via his university’s Web site. The advertiser protested that the address’ listing in a “public directory” (the university Web site) allowed its use. The Italian Data Protection Authority disagreed. In June 2002, it held that personal data — although accessible on the Net — is not publicly available, and the promotion should not have been sent without prior consent.

In a second case, a banking customer received ads attached to his account statements. When the bank kept sending the unsolicited mailings, the customer complained to the DP commissioner. The bank argued that the mailing was primarily for informative/educational purposes (to explain the effects of the new euro). The other content was of marginal importance and didn’t change the main purpose.

According to the Data Protection Authority’s decision, issued in May 2002, the bank acted illegally by sending the ad material despite the client’s clear opposition, and it was required to exclude the client’s data from its commercial communications database. In addition, the DPA transferred the case to a criminal prosecutor. Illegal personal data processing is a criminal offense, punishable with imprisonment up to three years. The verdict on the bank isn’t in yet, but it will be a milestone decision for similar cases.

In the United Kingdom, two relevant cases were brought recently before the Advertising Standard Authority (ASA). In the first, a computer games company sent the mobile phone text message: “Report to your local army recruitment centre immediately for your second tour of duty. Commandos 2 on PC, it’s more real than real life — out today from….” The sender was identified as “SNBS.”

An ex-member of the British Army complained to the ASA that the message could cause fear and distress. The advertiser responded that it had not intended to alarm recipients, but to mimic a call out reminiscent of recruiting during World War II. It apologized for any distress caused and assured the ASA that the campaign would not be repeated.

In the second UK story, a promotion was e-mailed with the subject line: “LEGAL DOCUMENT. PLEASE READ. OFFENCE NO. 323 — INTERNET PERVERSION.” The text accused recipients of accessing “material of a violent, sexually explicit or immoral nature” and stated, “Full details of the offences have been passed to your local police authority.” Recipients were told they could appeal via a link that, when accessed, featured an ad for the car show.

A complaint was filed claiming the ad had caused fear and distress by presenting the e-mail as an official document. The advertiser explained that the e-mail had been sent to 50,000 registered users who had provided personal data in return for products and services. It assumed the target audience (18- to 25-year-old men) would realize that the e-mail was a joke. (Only seven out of 50,000 recipients complained.)

The ASA acknowledged that most recipients would get the joke once they had followed the link, but it considered the e-mail misleading and its “official” presentation could embarrass or distress recipients.

Both cases raise the question: Does consent to some commercial messages permit all such messages? And how rigorously will European regulators interpret data privacy protections?

A May 2002 opinion by the DPWP hints at what’s coming up. It states the protection of Web-based data is a general question of international law, and protection is not limited to EU citizens.

And that interpretation will reverberate with marketers around the world.

Stephen Groom, a partner in the London-based law firm Osborne Clarke and head of it’s advertising and media group, can be reached at Stephen Groom. Felix Hofer, senior partner of Studio Legale Associato Hofer Losch Torricelli in Florence, and general manager of the European Advertising Lawyers Associationcan be reached at Felix Hofer.

Marketers proceed with caution

European regulators are asking marketers to follow protocols for Web-based data:

  • Cookies contain data on individuals, including pages viewed, ads clicked, user IDs, etc. The Data Protection Working Party has agreed to them if notice is given to “data subjects” about the info stored, its purpose and duration. Surfers must get the option to accept, reject or choose info released via cookies.

  • Java scripts are software applications sent by a Web site to a computer, which allow remote servers to run applications on a user’s PC. They can also collect and process personal data stored in user’s PC for “profiling” without a user’s awareness. DPWP considers these an invisible and illegitimate form of data processing.

  • Spyware is software secretly installed on PCs, typically when downloading other software (e.g. a music player), which can send back information related to the data subject (e.g. music titles). Also known as “E.T. applications” because, once lodged in user’s PC, they “phone home” and report about a data subject’s habits and send it to another location. DPWP considers these another illegal form of data handling.

Source: Data Protection Working Party

More

Related Posts

Chief Marketer Videos

by Chief Marketer Staff

In our latest Marketers on Fire LinkedIn Live, Anywhere Real Estate CMO Esther-Mireya Tejeda discusses consumer targeting strategies, the evolution of the CMO role and advice for aspiring C-suite marketers.

View More 
	
        

        
Call for entries now open

    

        

        
		
	             
        

 

 








CALL FOR ENTRIES OPEN




















                

                    

        

	
SIGN UP FOR UPDATES!
 Fill out the fields below to receive the latest news and special announcements from Chief Marketer.