13 Advertising and marketing
The idea that a business can be built without the aid of advertising seems unlikely, but is not impossible. For most businesses, however, advertising is an indispensable part of their strategy in the highly competitive business world, and publishers are no different. Indeed, advertising is an integral part of the publishing industry, which uses adverts to promote texts as well as serving as a useful platform. With personalised digital advertising becoming increasingly commonplace, consumers are used to seeing only what is directly relevant to them, and are empowered to skip or simply ignore adverts which do not catch their attention. This is creating a fiercely competitive environment for businesses, but advertisers should be careful not to get carried away in their quest to come out on top. We considered some of the general risks, which accompany all published text, such as defamation and malicious falsehood, in Chapter 8. In this chapter we will take a look at the laws which particularly apply to advertising and promotional techniques, and which govern what you say in advertisements and marketing communications, and how you say it.
All advertisers sooner or later face the same universal temptation: to overstate the value of the thing being sold. You know the sort of thing: brilliant author, uniquely authoritative (or hysterically funny/thrilling/raunchy) work, miraculously good value at this never-to-be-repeated pre-publication offer. In a world increasingly dominated by the media, consumers are probably immune to much of this, and most of it is harmless enough. If it is no more than generalised hype, the law treats it, rather crushingly, as a ‘mere puff’, and gives it no particular legal significance. But beware: look again at the above blurbs. Are you simply throwing in the adjective ‘authoritative’ (for example) as a mere puff or are you actually stating – or implying – that your author or publication has specific authority (such as that of an examining board or Royal College)? Similarly, are you merely describing your product as being ‘good value’, or are you making a specific pre-publication offer? The difference could be highly significant. Where statements are made which mislead the consumer into buying something which he or she would not otherwise have bought, publishers may find themselves breaking the law. The criminal law is often involved in this area of publishing, with fines and even imprisonment for those who infringe. It is therefore very much in publishers’ interests to take care how they describe their publications.
New consumer protection law has also raised the stakes in terms of what you can say in advertisements and marketing communications. Any pre-contractual information which must be given to a consumer about goods, services or digital content under the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 becomes a contractual term unless it is expressly varied with the consumer’s consent. In addition, the unfair contract terms regime has been extended to apply to notices – a term which is wide enough to include pretty much anything which talks about the product or service on offer.
The Unfair Commercial Practices Directive 2005/99 was implemented in the UK on 26 May 2008 by the Consumer Protection from Unfair Trading Regulations 2008 (the 2008 Regulations). The 2008 Regulations were amended by the Consumer Protection (Amendment) Regulations 2014. The 2014 Regulations give consumers a private right of redress against traders and close some gaps in consumer protection for serious breaches of the 2008 Regulations.
The aim of the Directive is to harmonise member states’ unfair trading laws – it introduces a general prohibition on traders treating consumers unfairly.
With the introduction of the 2008 Regulations there is a new language applied to this aspect of trading law, with, in effect, a ‘commercial practice’ replacing a ‘trade description’. A commercial practice is defined as:
any act, omission, course of conduct, representation or commercial communication (including advertising and marketing) by a trader, which is directly connected with the promotion, sale or supply of a product to or from consumers whether occurring during or after a commercial transaction (if any) in relation to a product.
A commercial practice is unfair if:
(a) it contravenes the requirements of professional diligence; and
(b) it materially distorts or is likely to materially distort the economic behaviour of the average consumer with regard to the product.
This new term ‘professional diligence’ means the standard of special skill and care which a trader may reasonably be expected to exercise towards consumers which is commensurate with either:
(a) honest market practice in the trader’s field of activity; or
(b) the general principle of good faith in the trader’s field of activity.
‘Materially distorts the economic behaviour’ means, in relation to an average consumer, appreciably to impair the average consumer’s ability to make an informed decision thereby causing him to take a transactional decision that he would not have taken otherwise.
A commercial practice will be unfair if:
(a) it is a misleading action;
(b) it is a misleading omission;
(c) it is aggressive; or
(d) it is on a blacklist contained in schedule 1 of the Regulations.
A MISLEADING ACTION
A commercial practice is a misleading action if it contains false information and is therefore untruthful, e.g. in relation to the main characteristics of the product – such as the availability of the product, benefits of the product or composition of the product, or if its overall presentation in any way deceives or is likely to deceive the average consumer and it causes or is likely to cause the average consumer to purchase it.
A MISLEADING OMISSION
A commercial practice is a misleading omission if, for example, it omits material information or provides material information in a manner which is unclear, unintelligible, ambiguous or untimely, and as a result it causes or is likely to cause the average consumer to purchase it.
AGGRESSIVE COMMERCIAL PRACTICE
A commercial practice is aggressive if it significantly impairs or is likely to significantly impair the average consumer’s freedom of choice in relation to the product concerned through the use of harassment, coercion or undue influence; and it thereby causes or is likely to cause him to purchase it.
Coercion, in this context, includes using physical force. Undue influence means the exploitation of a position of power over the consumer.
COMMERCIAL PRACTICES WHICH ARE IN ALL CIRCUMSTANCES CONSIDERED UNFAIR: SCHEDULE 1 OF THE 2008 REGULATIONS
Schedule 1 of the 2008 Regulations contains a list of 31 practices which are, in all circumstances, considered unfair. The list includes:
(1) Claiming that a trader (including his commercial practices) or a product has been approved, endorsed or authorised by a public or private body when the trader, the commercial practices or the product have not, or making such a claim without complying with the terms of the approval, endorsement or authorisation.
An example of this would be a plumber who claims to be a registered engineer on the Gas Safe Register when he is not so registered.
(2) Making an invitation to purchase products at a specified price without disclosing the existence of any reasonable grounds the trader may have for believing that he will not be able to offer for supply, or to procure another trader to supply, those products or equivalent products at that price for a period that is, and in quantities that are, reasonable having regard to the product, the scale of advertising of the product and the price offered (bait advertising).
This is the practice of advertising a product at a low price but where the business has such a small stock of the product that there is no prospect of meeting the demand.
(3) Making an invitation to purchase products at a specified price and then:
(a) refusing to show the advertised item to consumers;
(b) refusing to take orders for it or deliver it within a reasonable time; or
(c) demonstrating a defective sample of it, with the intention of promoting a different product (bait and switch).
(4) Falsely stating that a product will only be available for a very limited time, or that it will only be available on particular terms for a very limited time, in order to elicit an immediate decision and deprive consumers of sufficient opportunity or time to make an informed choice.
(5) Using editorial content in the media to promote a product where a trader has paid for the promotion without making that clear in the content or by images or sounds clearly identifiable by the consumer (advertorial).
Publishers need to ensure that there is no confusion between adverts and editorial content and that advertorials are clearly identified as adverts.
(6) Promoting a product similar to a product made by a particular manufacturer in such a manner as deliberately to mislead the consumer into believing that the product is made by that same manufacturer when it is not.
In effect, a form of passing off. For further discussion on passing off, see p. 302 and Chapter 11.
(7) Establishing, operating or promoting a pyramid promotional scheme where a consumer gives consideration for the opportunity to receive compensation that is derived primarily from the introduction of other consumers into the scheme rather than from the sale or consumption of products.
(8) Falsely claiming that a product is able to cure illness, dysfunction or malformations.
(9) Claiming in a commercial practice to offer a competition or prize promotion without awarding the prizes described or a reasonable equivalent.
An example of this might be an on-pack promotion involving a prize (such as a large cash payment) where there are ‘winning’ codes but in reality, none of the codes corresponds to the prize.
(10) Describing a product as ‘gratis’, ‘free’, ‘without charge’ or similar if the consumer has to pay anything other than the unavoidable cost of responding to the commercial practice and collecting or paying for delivery of the item.
(11) Including in marketing material an invoice or similar document seeking payment which gives the consumer the impression that he has already ordered the marketed product when he has not.
(12) Creating the impression that the consumer cannot leave the premises until a contract is formed.
(13) Conducting personal visits to the consumer’s home ignoring the consumer’s request to leave or not to return, except in circumstances and to the extent justified to enforce a contractual obligation.
This would cover the classic scenario of the encyclopedia salesman with his foot in the door and not heeding the consumer’s entreaty to go away.
(14) Demanding immediate or deferred payment for or the return or safekeeping of products supplied by the trader, but not solicited by the consumer, [except where the product is a substitute supplied in accordance with regulation 19(7) of the Consumer Protection (Distance Selling) Regulations 2000] (inertia selling).
This type of activity became quite prevalent some years ago. Businesses send goods out unsolicited and then try to extract payment. This is now an offence. The consumer can keep the goods and does not have to pay for them.
(15) Creating the false impression that the consumer has already won, will win, or will on doing a particular act win, a prize or other equivalent benefit, when in fact either:
(a) there is no prize or other equivalent benefit; or
(b) taking any action in relation to claiming the prize or other equivalent benefit is subject to the consumer paying money or incurring a cost.
In our view (b) above is likely to catch some of the scratch cards that, for example, are included in newspapers and magazines. The consumer is led to think that they have won a prize but is then required to incur the cost of a premium rate phone call to have the chance of receiving the prize.
ENFORCEMENT
In most cases the 2008 Regulations are enforced by trading standards offices although where the alleged infringement is serious and/or widespread, the Consumer and Markets Authority (CMA) may get involved. The Regulations can be enforced either by using the civil injunctive power (provided by the Enterprise Act 2002) or by way of criminal prosecution. The OFT has published guidance on when it will use criminal enforcement measures under the 2008 Regulations. In addition to applying the basic tests laid down by the Code for Crown Prosecutors (in short: (i) is there a realistic prospect of conviction and (ii) is prosecution in the public interest) the OFT will consider issues such as:
(i) is the (unfair) practice widespread;
(ii) is there a risk of the practice becoming widespread and causing consumer detriment;
(iii) is the trader deliberately or recklessly engaged in misleading or aggressive practices.
PENALTIES
Offences under the 2008 Regulations are punishable, on summary conviction, by a fine not exceeding the statutory maximum (which, as of March 2015, is unlimited) or, on conviction on indictment, to a fine or imprisonment for up to two years, or both.
DEFENCES
There are various defences to offences committed under the 2008 Regulations including where it can be proved that the offence was due to a mistake or to the act or default of someone else. However, this is a two-pronged defence, requiring in addition that the trader must be able to demonstrate that he ‘took all reasonable precautions and exercised all due diligence’ to avoid committing the offence (including by any person under his control).
There is an ‘innocent publication of advertisement’ defence for those whose business it is to publish advertisements. However, a person in this position would also need to be able to show that he did not know and had no reason to suspect that publication of the advertisement would amount to an offence.
The Unfair Contract Terms Act 1977 (UCTA) governs the fairness of contractual terms in non-consumer contracts. Fairness in consumer contracts is now governed by the Consumer Rights Act 2015 (CRA) which revokes the consumer facing provisions of UCTA and replaces the Unfair Terms in Consumer Contracts Regulations 1999. This is particularly significant in terms of advertising and marketing because the CRA explicitly brings consumer notices within the scope of the unfair contracts regime. Notices are broadly defined as anything which appears to restrict or exclude a trader’s liability to a consumer or relates to the rights and obligations between a trader and a consumer. They can be oral or written and essentially cover any communication which it is reasonable to assume will be seen or heard by a consumer. Notices as well as contracts are subject to control for fairness under the CRA even if they arguably do not form part of the contract between the trader and the consumer. A term will be unfair if it causes a significant imbalance in the parties’ rights and obligations under the contract to the detriment of the consumer. Like UCTA, the CRA contains a non-definitive list of ‘blacklist terms’ which will automatically be unfair and of ‘greylist’ terms which may be unfair depending on the circumstances. If a term is found to be unfair, it will not be binding on the other party. Fairness is assessed by looking at all the circumstances in question.
Terms in written consumer notices and contracts must also be transparent (in plain and intelligible language and legible). This will not, by itself, make a term compliant. The main objective should be to draft a term in such a way as to ensure a consumer can make an informed choice about whether or not to accept it. This means, for example, that the intended audience needs to be taken into account; particularly onerous terms need to be brought clearly to the consumer’s attention; and ‘legalese’ or terms referring to statutes which the consumer cannot be expected to know about without explanation of what they say should be avoided.
Another feature of the CRA which advertisers and marketers need to take into consideration is that it implements parts of the Consumer Rights Directive 2011. In particular, it provides that any information which must be given to a consumer prior to the consumer entering into a contract, for goods, services or paid for digital content, becomes a contractual term unless it is expressly varied with the consent of the consumer. Similar provisions around free digital content are covered in the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013.
These recent changes to consumer law mean that publishers selling to consumers need, more than ever, to be careful that their advertising and marketing communications do not, inadvertently, lead them to making contractually binding promises or challengeable statements to consumers.
BUSINESS PROTECTION FROM MISLEADING ADVERTISING
The Consumer Protection from Unfair Trading Regulations 2008 (as amended) revoked the Control of Misleading Advertising Regulations 1988.
Directive 2006/114/EC concerning misleading and comparative advertising was implemented in the UK by the Business Protection from Misleading Marketing Regulations 2008 (as amended by the Business Protection from Misleading Marketing (Amendment) Regulations 2013).
The Regulations prohibit advertising that misleads traders. In other words, it covers business to business relationships. However, it also affords some protection to consumers.
The Regulations allow comparative advertising which is defined as: ‘advertising which in any way, either explicitly or by implication, identifies a competitor or a product offered by a competitor’. However, for a comparative advertisement to be permitted, there are nine conditions that must be met. These are:
(a) it must not be misleading (under the Regulations);
(b) it must not be a ‘misleading action’ or ‘misleading omission’ under the 2008 Regulations;
(c) it must compare products meeting the same needs or intended for the same purpose;
(d) it must objectively compare one or more material, relevant, verifiable and representative features of those products (which may include the price);
(e) it must not create confusion among traders, i.e. between the advertiser and a competitor or between the trade marks, trade names, or other distinguishing marks or products of the advertiser and those of a competitor;
(f) it must not discredit or denigrate the trade marks, trade names, other distinguishing marks, products, activities or circumstances of a competitor;
(g) for products with a designation of origin, it must relate in each case to products with the same designation;
(h) it must not take unfair advantage of the reputation of the trade marks, trade names or other distinguishing marks of the competitor; and
(i) it must not present products as imitations or replicas of products bearing a protected trade mark or trade name.
OFFENCES
The Regulations make it a strict liability offence for a trader to breach the prohibition on misleading advertising.
On summary conviction the offence is punishable by a fine not exceeding the statutory maximum (which, as of March 2015, is unlimited) and on conviction on indictment to a fine or up to two years imprisonment, or both.
ENFORCEMENT
In the main, the Regulations are enforced by local weights and measures authorities. There is provision for an enforcement authority, when determining how to comply with its duty of enforcement, to have regard to the ‘desirability of encouraging control of advertising’ by ‘such established means as it considers appropriate’. This allows for an informal approach in the resolution of disputes between traders and, for example, a case may be referred to the Advertising Standards Authority (ASA) for a ruling under the terms of the appropriate code. For further commentary on this, please see below under the heading British Codes of Advertising and Sales Promotion.
In the government’s consultation process when formulating the Regulations a number of brand owners and organisations representing the interests of brand owners and the holders of IP rights pressed for the inclusion of specific powers for businesses to take civil (injunctive) enforcement action to stop look-alike packaging. The government rejected this request, taking the view that the existing enforcement arrangements are adequate. However, the government agreed to keep this issue under review. The Department for Business Innovation & Skills (‘DBIS’) began a formal review process, publishing a call for evidence in April 2014. The results of this review were published in October 2015. Essentially, the important points drawn from the evidence suggested that:
• copycat packaging does reduce a consumer’s ability to make accurate decisions, though this is not necessarily to the detriment of consumers; and
• consumers sometimes deliberately buy copycat products and a majority of such consumers are happy with the purchase.
Retailers, several enforcers and Which? had all provided evidence questioning the appropriateness of civil enforcement of the Regulations. It was generally only brand owners who supported such measures. The DBIS made no recommendations supporting either side. It is not known at the time of writing whether civil enforcement is still being considered.
DEFENCES
As with the Consumer Protection from Unfair Trading Regulations (see above) there are various defences including due diligence (mistake), the act or default of a third party and innocent publication.
TRADE MARK INFRINGEMENT
If your advertisement uses a rival’s registered trade mark, you may be infringing that trade mark unless the advertisement complies with the Business Protection from Misleading Marketing Regulations (see above). On trade marks generally, see Chapter 11.
COPYRIGHT INFRINGEMENT
If you reproduce a substantial part of a rival’s copyright work – for example, packaging design, a title or logo, or distinctive typeface – in an advertisement without their permission, you may infringe their copyright in that work, and (subject to defences such as incidental inclusion, for example in a film) they would have the usual remedies for infringement (see Chapter 10).
MALICIOUS FALSEHOOD
If you publish an untrue statement, motivated by malice (or some other improper motive), and thereby cause loss or damage to someone else, you may be guilty of publishing a malicious falsehood (on this generally, see Chapter 8, p. 224). The injured party may sue for damages and apply for an injunction: in one case between two computer companies, Compaq and Dell, the plaintiffs, Compaq, succeeded in obtaining an interim injunction on these grounds which prevented Dell from making untrue and misleading comparisons (particularly on dealer price) between the computer products of both companies.
PASSING OFF
Although most comparative advertising seeks to distinguish one product from another, it is possible to refer to a rival’s product in advertising in such a way that the public is given the impression that they are somehow approving or endorsing your own product, or that the products are linked, with the result that their own goodwill would be diluted and confusion would be caused. A good example of this was the 1985 case between McDonald’s Hamburgers and Burger King, where McDonald’s took action to prevent advertisements being displayed by Burger King bearing the words ‘It’s Not Just Big, Mac.’ Although McDonald’s failed on the ground of malicious falsehood, they succeeded in obtaining an injunction to prevent passing off, on the grounds that potential customers would be misled into thinking that there was an association between McDonald’s successful Big Mac hamburger and Burger King, and that they could get a Big Mac at Burger King establishments. (For further treatment of passing off, see Chapter 11, p. 302.)
Publishers would therefore be well advised to do all they can to make absolutely certain that statements made in comparative advertisements are fair comparisons, comparing like with like, that the quoted facts are true at the time of the advertisement, that they do not infringe any copyright or registered trade mark owned by rivals, and do not indulge in any form of passing off or in any other way mislead or confuse the public.
BRITISH CODES OF ADVERTISING AND SALES PROMOTION
In addition to the various legal controls mentioned above, the advertising industry has developed a parallel system of self-regulation, monitored and enforced by the Advertising Standards Authority (ASA), an independent body, ensuring that the self-regulatory system works in the public interest. The ASA investigates complaints, publishes findings and in serious cases makes references to Trading Standards for action under consumer protection legislation. The ASA may also request newspapers and other publishers not to accept particular advertisements. The rule book for non-broadcast advertising is called the UK Code of Non-Broadcast Advertising Sales Promotion and Direct Marketing (the CAP Code). The CAP Code is created and revised by the Committee of Advertising Practice (CAP). It is the CAP which makes the decision on complaints about adverts. There are separate codes covering TV advertising and radio advertising although the ASA has assumed powers over advertising in these media from the communications regulator Ofcom.
The ASA’s remit extends to online paid-for advertising (such as pop-up adverts) and more significantly (perhaps) to marketing communications (advertising) on advertisers’ own websites.
Following a period of consultations, in August 2015, specific rules relating to distance selling were removed from the CAP Code. In making the decision to remove these rules, the Committee of Advertising Practice acknowledged that post-contractual matters are not advertising issues (and that issues such as misleading advertising are, of course, covered by the general rules of the CAP Code). It is the responsibility of Trading Standards to enforce distance selling legislation.
The first principle of the CAP Code has become famous (‘All marketing communications should be legal, decent, honest and truthful’) but there are many other provisions covering, among other things, safety, personal privacy, prices, free offers, guarantees, and comparisons with rival products.
The codes have no independent legal force, and are written in fairly general terms, but evidence that an advertiser has not complied with one or other of the codes is likely to be taken into account in any court proceedings. Also, an adverse adjudication by the ASA can lead to negative publicity. It is therefore very much in publishers’ interests to do all they can to see that their advertising complies with the codes, and that copies of the codes – which are usually available free of charge from the ASA website – are on every marketing and advertising department’s shelves.
The CAP has prepared a range of advertising guidance notes – previously called ‘Help Notes’ – including one on the marketing of publications. This can be accessed online from CAP at www.cap.org.uk.
We give below an example of the ‘key’ points in the note:
• All factual claims must be substantiated.
• Unproven claims contained in the title of a publication must be put in inverted commas.
• The first reference to the title should be followed by the author’s name.
• Marketers should not misleadingly describe pamphlets and the like as ‘books’.
ONLINE BEHAVIOURAL ADVERTISING
With the inexorable growth in online commerce has come the deployment of technology to track consumer online activity and to utilise that data to make assumptions about a consumer’s interests and characteristics and from that to target the consumer with relevant advertising. This is known as Online Behavioural Advertising (OBA).
It is unlikely that there are many of us who use online facilities to research and/or purchase goods and/or services who have not received OBA. For some consumers this can be helpful but for others the practice can be an irritation. In reaction, CAP (in February 2013) added specific rules relating to OBA to the CAP Code. These rules are in Appendix 3 to the CAP Code.
The CAP Code OBA rules apply to parties (such as advertising networks) who collect the data on users’ web viewing behaviour for the purpose of targeting such users with advertising that is likely to be of interest to them. The rules reflect a pan-European industry-wide self-regulatory standard – the European Advertising Standards Alliance (EASA) Best Practice Recommendation. This pan-European initiative is aimed at ‘empowering consumers with transparency and choice towards OBA’.
The main objectives of the CAP Code OBA rules are:
• To ensure transparency – by providing notice to web users that what they are seeing is OBA. In most cases this is achieved by an icon that is positioned in a corner of the advertisement display; and
• To give web users the wherewithal to opt out of their web viewing behaviour being collected and used for OBA. Web users must be provided with a link to a mechanism that allows them to opt out of such collection and use.
JURISDICTION
As we have acknowledged above, the growth in online commerce continues unabated. This poses an interesting question about how the law governs such activity, given that a website of one country is accessible from any country in the world.
One case where the problems of the worldwide web were exposed involved the huge US online web portal company Yahoo! Yahoo! sold Nazi memorabilia (via online auction) on its US-based website (yahoo.com) presumably for the benefit of US citizens only. The items were not available on the Yahoo sites of other jurisdictions for obvious reasons (for example, the sale or promotion of Nazi-related items is prohibited by French law). However, as the website was accessible in France (even though France has its own French version of Yahoo! which did not have access to the material), an anti-racism group took Yahoo! to court in France to prevent sales of the paraphernalia to French citizens. The French court ordered Yahoo! to block the sale of Nazi items to French citizens or face fines of £10,000 per day. This was somewhat of a shock outcome not least because experts appointed by the court acknowledged that it was not, in practice, possible for Yahoo! to block all French users. However, Yahoo! sought and obtained a declaration from the US federal courts that the French ruling is unenforceable against Yahoo! in the US. Whilst national courts have often taken a pragmatic approach and generally only ruled against foreign sites that are actually targeted at users in the country in question, the significance of the French ruling should not be underestimated, and online advertisers and retailers should be wary of similar claims.
Another interesting question is how the law governs Internet transactions from the point of view of consumers. For example, if an individual, who resides in the UK, purchases a new bestselling novel (in the US) from Amazon.com or equivalent US-based online retailer using a laptop while on holiday in France, in which country does the buyer seek a remedy if the book is not delivered and the retailer denies responsibility? Would it be his home courts (UK), those of the country where the purchase was made (France) or the country where the website is based (USA)?
Assistance has been provided by an EU Regulation on Jurisdiction, Recognition and Enforcement to ensure that rules of jurisdiction and enforcement of judgments are dealt with consistently in the EU. The Regulation broadly confirms the ‘country of origin’ principle that persons (including companies) domiciled in member states must be sued in their own courts. However, this is subject to certain exceptions. For example, in contracts for the sale of goods or delivery of services (including website services), consumers may sue in the courts of the place of performance of the contract. This will usually be in their home courts in a sale of goods case (place of performance is deemed to be where the goods were or should have been delivered). The same will probably apply in a provision of services case (place of performance is deemed to be where the services were or should have been provided).
SUMMARY CHECKLIST: ADVERTISING AND MARKETING
• Are our claims legal, decent, honest and truthful?
• Is it an unfair commercial practice (a misleading action or omission including as to price)?
• Might we have a defence, if we took all reasonable precautions, and used all due diligence?
• Is this an ‘Advertorial’? If so, this must be made clear on the advertisement.
• Do we hold documentary evidence substantiating all claims which are capable of objective substantiation?
• Are our terms, including any terms in notices which deal with liability, fair?
• Are our terms, including those in written notices, transparent?
• Are we indulging in any comparative advertising?
• Are we infringing any trade marks or copyrights (or using a well-known personality for implied endorsement without their consent)?
• Have we advertised online, and, if so, have we considered the impact this may have in countries where the site is accessible?
• Does the advertisement contain anything that might cause serious or widespread offence, such as on the grounds of race, religion, sex or sexual orientation?
UNSOLICITED GOODS AND SERVICES
One of the more notorious promotional techniques of the 1960s was ‘inertia selling’, an aggressive system of sending products – and invoices – out to people who had not ordered them in the hope that some at least would be passive or compliant (or intimidated) enough to buy them. The public outcry that resulted led to the passing of the Unsolicited Goods and Services Act 1971 (which has been amended by the Unsolicited Goods and Services Act 1971 (Electronic Commerce) (Amendment) Regulations 2005 and the Regulatory Reform (Unsolicited Goods and Services Act 1971) (Directories Entries and Demands for Payment) Order 2005) which now, together with other legislation (including the Consumer Protection from Unfair Trading Regulations 2008), severely restricts such practices.
Under section 2 of the 1971 Act, it is a criminal offence, punishable by fine, for anyone in the course of a trade or business to make a demand for payment for goods when:
• they know that the goods are unsolicited;
• they sent goods to another for the purpose of them acquiring them for their trade or business; and
• they have no reasonable cause to believe they have any right to payment.
Regulation 12 of the Consumer Protection from Unfair Trading Regulations 2008 makes it a criminal offence for a trader to engage in a commercial practice set out in paragraph 29 of schedule 1, namely by demanding immediate or deferred payment for or the return or safekeeping of products supplied by the trader, but not solicited by the consumer. Where a trader does engage in such activity, the consumer is exempted from any obligation to pay for the products supplied by the trader and may treat any unsolicited products supplied as an unconditional gift. The absence of a response from the consumer following the supply does not constitute consent to the provision of consideration for, or the return or safekeeping of, the products.
Most businesses maintain a certain amount of information about individuals. For example, as advertising and marketing models become more sophisticated, business reliance on information about customers and subscribers increases, and the type of information collected and used becomes more detailed. Also, a business involved with publishing, like any other business, will hold and use personal information about its employees, and other people with whom it deals including authors. It may also, of course, publish information that identifies individuals.
Use of information which relates to individuals is regulated in the UK by the Data Protection Act 1998 (‘the 1998 Act’). The 1998 Act was brought into force to implement a 1995 European Commission Data Protection Directive and provides the framework for the UK’s data protection regime, with the detail being filled in by way of separate secondary legislation or regulations. It is important to note that contravention of the 1998 Act can be a criminal offence and directors and officers involved can also be held personally (and criminally) liable.
At the time of writing, a package of proposals to reform EU data protection law has been agreed and is expected to be adopted in spring 2016. The cornerstone legislation takes the form of an EU Regulation which will have direct effect across the EU member states without the need for further national legislative implementation. This new Regulation will provide for greater harmonisation of data protection law across Europe in place of the current patchwork of rules, rights and protections created through different local law implementations of the 1995 European Commission Data Protection Directive, as well as updating the law to reflect the modern world of globalised networks, cloud services, digital content and social media.
The current legislative timetable suggests that the agreed text of the Regulation will be formally adopted in the spring of 2016. Organisations will then have some time to implement changes to bring their processing of personal data and supporting procedures into compliance with the new law, before the Regulation enters into force two years and 20 days from its publication in the Official Journal of the European Commission, i.e. in the summer of 2018. A summary of some of the key changes anticipated in the new law is provided at p. 359.
THE DATA PROTECTION ACT 1998
What does the 1998 Act cover?
The 1998 Act, which is enforced by the UK Information Commissioner and the courts, governs the ‘processing’ of information about individuals (‘personal data’) in the UK. Any business, person or company that ‘processes’ ‘personal data’ is known as a ‘data controller’ (except where that processing only takes place on behalf of and purely in accordance with the instructions of someone else in which case it is known as a ‘data processor’).
• ‘Data’ is defined as information that is processed automatically (i.e. held on a computer) and information held in certain organised paper records (a ‘relevant filing system’). In order for information held in a relevant filing system to be covered, that filing system must be structured by reference to individuals or by criteria enabling the user to readily access specific information relating to that individual.
• ‘Personal data’ is data that relates to individuals who can be identified from the data, or from the data and other information which is in, or is likely to come into, the possession of the data controller. Personal data can include expressions of opinion about the data subject and indications of the intentions of the data controller or any other person in respect of the data subject.
• ‘Processing’ is defined extremely widely and essentially includes any use of data from the collection and recording of data, the holding or disclosure of data and the carrying out of any operation on data, across the full lifecycle of the data, up to and including the point of the data’s eventual disposal or destruction. The UK Information Commissioner has made it clear that the term will be interpreted broadly to include any conceivable operation on data.
The Information Commissioner has published technical guidance on determining what is personal data. At its most basic level personal data may be processed because a living individual can be identified by an organisation from the data or other information in its possession or that is likely to come into its possession. Identification here might be due to the presence of the person’s name along with other contact information. However, knowing a person’s name is not critical, as identification may still be achieved because a person can be distinguished from others, perhaps because of their physical characteristics or because they are recognised from a photo or are recognised as living in a certain property. Aside from identification, other factors relevant in determining whether data is personal data include establishing if the data obviously relates to an individual, is linked to them or used to learn, record or decide something about that person or that has an impact on them or affects them in some way. Personal data may also be data that says something about an individual in a biographical sense or places the person at the focus of the information.
What must be done before personal data may be processed?
Notification
If someone is a UK data controller processing personal data, generally speaking (there are some exemptions), they must notify the Office of the Information Commissioner that they are doing so.
Under the 1998 Act, notification must take place annually. A notification involves giving certain information to the Office of the Information Commissioner including the data controller’s name and address, a description of the personal data being processed, the purposes for which those data are processed, any recipients of the personal data and a description of any intended destination countries for international transfers of the data. The details of the notification will then appear on a publicly accessible register. Failure to notify or to notify the details of any material changes to personal data processing within 28 days of the change is an offence under the Act. A fee is paid on making a notification and each year on renewal of the notification entry. The level of fee to be paid is tiered. A yearly fee of £500 must be paid by any data controller with an annual turnover of £25.9 million and more than 249 employees, or by a public authority with more than 249 employees. All others who are required to notify, pay a lower fee of £35.
The Act is based on eight ‘Data Protection Principles’ which must be observed by all data controllers whenever any personal data is collected and subsequently processed and can be viewed as enforceable, common sense standards that govern the handling of personal data. These are summarised below.
• Principle 1. Personal data must be processed fairly and lawfully and, in particular, shall not be processed unless at least one of a specified list of pre-conditions is met (for example, the data subject has given his consent or the processing is necessary for the performance of a contract to which the data subject is a party), or the processing is necessary for the legitimate interests of the controller or by the third parties the data are disclosed to, unless the processing is unwarranted because it prejudices the rights and freedoms and legitimate interests of the data subject.
• Principle 2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be used in any manner incompatible with that purpose or those purposes.
• Principle 3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.
• Principle 4. Personal data shall be accurate and, where necessary, kept up to date.
• Principle 5. Personal data shall not be kept for longer than is necessary considering the purpose for which they are used.
• Principle 6. Personal data shall be processed in accordance with the rights of data subjects under the 1998 Act (see below).
• Principle 7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
• Principle 8. Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data (see below for further comment on this principle).
Compliance with the first principle is viewed as important as it deals with transparency and fairness in the collection and use of personal data by ensuring data subjects know what data will be held about them and by whom, what use will be made of it and how it might be shared – often (not always) it is necessary to obtain consent from the data subjects to use their personal data in the way intended by the person collecting the data. ‘Consent’ is not defined in the 1998 Act although the 1995 European Commission Data Protection Directive (of which the 1998 Act is the UK implementation) requires that consent must be freely given, specific, informed and consist of any indication by which the data subject signifies their agreement.
Other principles focus on ensuring the ongoing quality and appropriateness of personal data relevant to the purpose of its processing, of respecting the rights individuals have in relation to their data and of making certain that transfers of personal data outside of the European Economic Area only take place under a legally recognised mechanism for ensuring adequacy of protection for individuals and their personal data.
In recent years the importance of compliance with the seventh security principle has been thrown into the spotlight by an increasing number of high-profile security breaches involving personal data, many of which have made front page news. With the exception of public electronic communications service providers such as those providing voice telephony, mobile, data and Internet communications networks and services (including here telecommunications companies and Internet service providers) who are subject to reporting obligations under the separate Privacy and Electronic Communications Regulations (see p. 357), there is currently no general legal obligation to notify the Information Commissioner or affected data subjects of a security incident. However, an increasingly proactive approach by the Information Commissioner’s Office to the enforcement of breaches of the seventh security principle has resulted in a presumption on the part of the Information Commissioner that serious data breaches should be reported to his office. Guidance published by the Information Commissioner suggests assessing three factors in deciding whether a breach should be reported:
• The potential harm to affected individuals – The potential harm to individuals is considered by the Information Commissioner to be the ‘overriding consideration’ in deciding whether to report. Harm here may include risk of identity or other fraud by the release of non-public identifiers including financial account records or information about a person’s private life becoming available to others.
• The volume of personal data affected – A large volume of affected data can be a trigger for a report to the Information Commissioner although it may be necessary to consider the facts of the specific breach as low volumes of data may also need to be reported in circumstances where the nature of the data means the risks associated with a breach in those circumstances are particularly high.
• The sensitivity of the personal data affected – Where a breach would cause significant risk of individuals suffering substantial damage or distress, there should be a report to the Information Commissioner. This could include here data classed under the 1998 Act as sensitive (see below), such as information about a person’s health, political opinions or sexuality.
In addition to reporting the details of a breach to the Information Commissioner, the Commissioner also expects that the circumstances of certain breaches may also mean that the affected data subjects should be informed. This will particularly be the case where people can take certain steps to further protect themselves, for example, by changing key account passwords or notifying their bank.
For all the above reasons it is important that an organisation has a documented and rehearsed incident response plan by which all relevant employees understand what should happen in the event of a breach and who in the organisation has the responsibility for taking forward specific containment, assessment, remedial and other actions as required.
Sensitive personal data
The 1998 Act treats processing of certain kinds of personal data (‘sensitive personal data’) more strictly. For example, in order to comply with principle 1 in the case of sensitive personal data, at least one of an additional set of pre-conditions must also be satisfied which include obtaining ‘explicit consent’ from the data subject rather than mere ‘consent’.
‘Sensitive personal data’ are personal data containing information relating to racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, physical or mental health or condition, sex life, offences committed or alleged to have been committed by the individual and proceedings in respect of offences.
Rights of data subjects
The 1998 Act confers a number of rights on individuals in respect of their personal data. For example, individuals:
• may make written requests to those who process personal data about them (known as ‘subject information requests’) for a copy of the data including information as to what that data are used for, the recipients to whom it is or may be disclosed and the source of the personal data;
• have rights to prevent processing likely to cause substantial damage or substantial distress to them or to another;
• have the right to object to the processing of personal data about them for direct marketing; and
• are entitled to take action through the courts for compensation from data controllers where any breach of the 1998 Act causes them to suffer damage. Compensation for distress can be claimed in circumstances where either damage is also suffered or where the breach relates to the processing of personal data for journalistic, literary or artistic purposes. An Appeal Court decision on 27 March 2015 in Google Inc. v Vidal Hall ([2015] EWCA Civ 311) determined, among other matters, that it was not necessary to establish pecuniary loss to show damage in actions for compensation, although leave to appeal the findings of the Court of Appeal was in part granted to Google by the Supreme Court on 28 July 2015 and a further determination of this point in these appeal proceedings is therefore pending.
How is the 1998 Act relevant to the publishing trade?
The 1998 Act may apply in a number of situations:
• For example, as mentioned above, it may be necessary, as with any customer-focused business, to collect and use personal information about customers. This may take the form of a mailing list of individuals or (possibly more likely in the case of a publisher) a list of individuals within customer organisations such as retailers. Any use of this information must comply with the 1998 Act. The simplest example is marketing – if the publisher wants to contact a database of customers to try to sell a book, then it will be necessary to comply with the relevant provisions of the 1998 Act. This is likely to involve obtaining the consent of each person whose details are held for direct marketing, and giving them the ongoing right to opt out of such direct marketing at any time.
• Also, like any other data controller, the personal data must be held securely from unauthorised access. This will involve investing in up-to-date technology as well as training staff and taking obvious steps to restrict access to specific systems and files that include personal information to only those who are authorised and have a legitimate need to access the specific personal data in question.
• It is important to comply with the provisions of the 1998 Act in relation to personal data records held about any individuals which includes here data about employees or other individuals such as authors.
• The content of some publications is potentially affected by the 1998 Act. For example, a publisher may publish a directory of experts in a certain field (both online and offline) along with comments about each expert. It will have been necessary to obtain clear consent from each person included in order to use their information in this way (although it is appreciated that good practice would probably dictate that this procedure was followed anyway).
• Subject to the exemption relating to the use of personal data for the purposes of journalism, literature and art (referred to below), personal data published for publication or which has been published is governed by the 1998 Act.
Journalism, literature and art
The 1998 Act contains a number of exemptions (covered generally below) and includes an exemption relating to the use of personal data for the purposes of journalism, literature and art. The exemption is intended to ensure there is an appropriate balance between the right to freedom of expression and an individual’s right to respect for their private life. Personal data that are processed only for journalism, artistic purposes or literary purposes, are exempt from specific provisions of the 1998 Act including certain of the rights of individuals and the data protection principles (but are not exempt from the seventh data protection principle that relates to security measures, which continues to apply). The exemption only applies if:
• the processing is undertaken with a view to the publication of any journalistic, literary or artistic material; and
• the data controller reasonably believes that, having regard to the special importance of the public interest in freedom of expression, publication would be in the public interest; and
• the data controller reasonably believes that, in all the circumstances, compliance with the provisions covered by the exemption is incompatible with the purposes of publication.
In practice the exemption is only engaged where it is not possible or it is unreasonable for the organisation to comply with the 1998 Act in order to achieve its journalistic, literary or artistic objectives and having balanced the public interest in publication against the impact of the processing on the privacy rights of individuals.
When considering whether to publish the personal data, it is important to be able to satisfy each of the conditions and, in particular, take into account any relevant codes of practice in deciding whether a belief that publication would be in the public interest is reasonable. Relevant codes of practice include, for example, the Editors’ Code of Practice enforced by the Independent Press Standards Organisation (IPSO) and the Broadcasting Code.
It is necessary for the data controller to have a reasonable belief that publication would be in the public interest. Processing (including publishing) information and photos about a person where there is no public interest is not covered by the exemption and may be unlawful or prevented. For example, identifying photos of a baby of a celebrity published without consent is likely not to be in the public interest and publication is likely to be unlawful. In most cases data protection law will be coexistent with privacy law (see Chapter 9).
The Information Commissioner’s Office has published a detailed guide on how the 1998 Act applies to journalism, including further advice on the scope of the exemption relating to the use of personal data for the purposes of journalism, literature and art. The guidance, entitled ‘Data Protection and Journalism: a guide for the media’ can be found on the Information Commissioner’s website at www.ico.org.uk.
Removal of online links to published personal data
Following a controversial judgment of the Court of Justice of the European Union (CJEU) in the case of Google Spain in May 2014 (C-131/12), individuals can (subject to limited exceptions) request that search engines disable links to third party pages which come up against searches using their name, whether or not the information relating to them is prejudicial and even where it is accurate and lawfully published, if they can validly claim that data is no longer being processed lawfully.
The normal grounds which the data subject would be expected to use to support his claim would be that the data is inadequate, no longer relevant or excessive in relation to the original purpose for which it was processed and in the light of the time which has elapsed since that processing began.
The individual’s rights to privacy and data protection will usually take precedence over the rights of Internet users and search engines to access and display information relating to them in search results unless there is a public interest in the information being available.
The Information Commissioner has, at the time of writing, also sought to enforce his view that links to later news stories published about the removal of online links (and which therefore repeat the original content that had been removed) should also be removed where these appear as part of the results displayed when conducting a further search for the subject’s name.
Human Rights Act 1998
When considering the application of the above exemption relating to journalism, literature and art, and also when processing personal data generally, the application of the Human Rights Act 1998 will also need to be taken into account. As mentioned in Chapter 9, Article 8 of the European Convention on Human Rights provides that:
Everyone has the right to respect for his private and family life, his home and his correspondence.
Article 10(1) of the Convention provides that:
Everyone has the right to freedom of expression.
The courts, when considering a case concerning the publication of any information about an individual, will also need to balance rights to freedom of expression. This is particularly relevant to journalism, an area where there has been some significant case law, with each case generally turning on its facts. The process of balancing the conflicting rights set out above as well as interpreting other legislation in a way that is compatible with the Convention rights is, at present, a delicate and often unpredictable exercise. The overriding consideration is that the Human Rights Act must be considered when interpreting any legislation, including the Data Protection Act 1998. At the time of writing, the current UK government has announced that it is considering replacing the Human Rights Act with a ‘British Bill of Rights’. This is because the European Convention on Human Rights, the UK courts and the Human Rights Act are subject to the jurisprudence of the European Court of Human Rights in Strasbourg. The UK government does not always agree with Strasbourg jurisprudence.
More specific information about the approach of the courts to issues of privacy and confidence since the Human Rights Act and the relevance of recent case law to publishers can be found in Chapter 9.
International sharing of personal data
Generally speaking, transfers of personal data to countries outside the EEA will only be allowed if the third country in question ensures an ‘adequate’ level of protection. Very few countries outside the EEA are deemed by the European Commission to have adequate protection. In the context of the US, one of the ways certain US organisations used to be able to demonstrate an adequate level of protection was by signing up to a set of Safe Harbor Principles, a self-certification standard operated by the US Department of Commerce and enforced by the Federal Trade Commission (FTC). In October 2015 however, a judgment from the Court of Justice of the European Union (CJEU) declared Safe Harbor to be invalid, ending data transfers under this mechanism.
Following the decision of the CJEU, the European Commission has been negotiating a replacement adequacy mechanism to Safe Harbor with the US Government and announced a new EU–US Privacy Shield in February 2016. The EU–US Privacy Shield is intended to address the failures with Safe Harbor that led to its demise, such as lack of transparency over the data gathering activities of US intelligence agencies in respect of EU data, lack of oversight and lack of judicial redress for EU citizens in the US for misuse of their data.
At the time of writing, full details of the new Privacy Shield mechanism have yet to be published and it remains unclear whether its terms will be acceptable to and endorsed later in 2016 by the body representing the collective views of the EU data protection authorities, the Article 29 Working Party.
If the destination country outside the EEA does not have adequate data protection laws in place then the transfer will only be permitted in one of certain specified circumstances, such as where the data subject has consented, the transfer is necessary for the performance of a contract with the data subject or the rights of the data subject are protected by a contract based on European approved terms between the sender and the recipient of the data. It is also possible for multinational organisations to adopt binding corporate codes of conduct to ensure adequacy of protection for transfers of personal data to other group companies based outside the EEA. European guidance in the form of a checklist for the content of a binding corporate code, a procedure for making applications and a standard application form for approval of a set of binding corporate codes are available. However, the process for approval is complex and costly. So far, it has remained a process that has been limited to larger multinational organisations to consider.
Many breaches of the 1998 Act are criminal offences under which directors or other officers can be personally liable, aside from breaches giving rise to other civil issues. Criminal offences can arise where personal data is processed in a way not described by a data controller’s notification entry or in a way that contravenes an enforcement notice issued against a data controller by the Information Commissioner.
More significantly, an offence can also arise where there has been unlawful obtaining, disclosure or procuring of personal data or the offering for sale of personal data that has been unlawfully obtained, disclosed or procured. The offence is particularly relevant to our media-hungry society, where ever-increasing demands for information, often driven by publishing or journalistic interests, have led individuals such as private investigators or rogue employees to compromise, steal or use deception to obtain information, often for their own purposes, to discover private information for media stories or for financial gain. The use of an agent or middleman to obtain an unlawful disclosure of personal data is equally unlawful unless the procurer could show that he acted in the reasonable belief that he had the right in law to do so, or that the consent of the data controller would have been forthcoming had they known the circumstances of it, or that what the procurer did was, in the particular circumstances, in the public interest.
An amendment to the 1998 Act by way of the Criminal Justice and Immigration Act 2008 included the power to impose a custodial sentence on conviction for an offence of unlawful obtaining, disclosure, procuring or offering for sale of such personal data. It also introduced a stronger defence for those persons processing the data for journalistic, literary and artistic purposes and where they held the reasonable belief that their actions were justified as being in the public interest. This power and enhanced defence mechanism has yet to be commenced.
To force compliance, the Information Commissioner may also serve enforcement and information notices, the latter requiring a controller to provide information to assist the Commissioner in determining whether the data protection principles have been breached. Going even further, the Commissioner may in certain circumstances apply to the court for an entry and inspection warrant.
As of April 2010 the Information Commissioner has also had the power to issue fines of up to £500,000 for serious, deliberate or reckless breaches of the data protection principles of the 1998 Act and the Privacy and Electronic Communications Regulations, and monetary penalties are regularly applied. At the time of writing, the most recent annual report of the Information Commissioner (published in July 2015) identified that his office had imposed monetary penalties totalling over £1.2 million in the 2014–2015 reporting year. Fines are most frequently applied for failures to adequately secure the processing of personal data.
Finally, the inconvenience factor of a breach of the 1998 Act should not be overlooked. The administrative costs of having to deal with complaints and, ultimately, investigations by the Office of the Information Commissioner can be very high, in addition to the negative publicity that complaints, fines or successful prosecutions entail.
In addition to the exemption relating to the use of personal data for the purposes of journalism, literature and art, the 1998 Act contains a number of other exemptions from some or all of the data protection principles and from other provisions of the 1998 Act such as:
• where national security is involved;
• where processing concerns the detection of crime or the assessment of taxation;
• where information must be made public by law;
• where the disclosure is made in connection with legal proceedings, or pursuant to a court order;
• for the purposes of research, history and statistics; and
• for processing for purely domestic purposes.
Achieving and maintaining compliance
Being compliant means having an up-to-date notification in place and internal policies and supporting procedures that are sufficient to ensure that in practice the organisation processes personal data in accordance with its notification and with applicable data protection law.
Generally, it is important to assess (and revise where appropriate) all data processing activities on a regular basis. Data protection notifications must reflect the data processing activities in practice from time to time and relevant staff need to be aware of the impact of the Act and be appropriately trained. There should be suitable internal procedures in place to ensure the continuing compliance of the above and the effective handling of enquiries and complaints by individuals. This may involve appointing a data protection officer.
Finally, anyone publishing materials from which individuals can be identified should be extra careful to comply with the 1998 Act as well as the plethora of other laws covered by this book.
OTHER LAWS
Recent years have seen a number of other very significant items of legislation in this area, much of which has emanated from Europe. These laws reach beyond the field of data protection but also have implications for it.
First, there are the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the ‘2003 Regulations’) which came into force in December 2003. The 2003 Regulations apply, among other things, to those sending electronic direct marketing communications such as by telephone, fax, e-mail or mobile text messages (SMS). In the case of marketing by e-mail or SMS, the default requirement is that it is only possible to send unsolicited communications in this way if the recipient has positively consented. There is an exception to this rule where a business is sending e-mail offers of its own similar goods or services to its existing customers who were offered an opt-out at the time their details were collected and at each time their details were subsequently used.
In relation to telephone marketing, the 2003 Regulations prohibit direct marketing calls to individuals or to employees at corporates who have either previously notified the caller that they do not wish to receive such unsolicited calls, or who have registered with the UK statutory suppression register, the Telephone Preference Service (TPS). Where a person has specifically told a particular organisation that they consent to their calls, then the fact that the person is also registered with the TPS would not prevent the organisation from calling them.
When calls are made, the organisation making the call must identify who is calling and, where requested, provide a contact address or Freephone number.
The 2003 Regulations also include rules relating to the use of cookies and related tracking technologies. These tools are regularly used by online publishers or third-party service providers working with online publishers to enhance the functionality of online published content, to collect analytics of how users interact with such content or to personalise or monetise the published content through ad-serving models or user retargeting techniques. At the end of 2009 the European Union and the European Parliament agreed amendments to the Directive on which these UK Regulations are based, resulting in the implementation of UK amendment regulations in 2011. The amended Directive and UK Regulations included a requirement to provide information to, and obtain the consent of, individuals for the use of cookies and similar technologies that allow information to be placed on or accessed from a user’s device.
The Regulation of Investigatory Powers Act 2000 regulates, among other matters, the interception and monitoring of communications on networks including private lines such as the internal telephone network of a business. Monitoring is allowed only if the controller of the network has obtained a warrant, if both parties to the call consent, or if the purpose of the monitoring falls within the Lawful Business Practice Regulations 2000. These separate Regulations permit the monitoring of communications, for example to ascertain compliance with regulatory or self-regulatory business practices, to ascertain or demonstrate the standards achieved by those using the system for work or to detect or investigate unauthorised use of the employer’s system. It is also possible to monitor (but not record) communications in order to establish whether a communication is work related. However, for any of the exceptions to apply, the business must first have taken all reasonable efforts to inform staff that monitoring takes place. A draft Investigatory Powers Bill, intended to consolidate and update the law relevant to intrusion and interception capabilities, has been put forward by the Home Office and is currently being considered.
Finally, the Freedom of Information Act 2000 is likely to be of interest to publishing and related trades, not because they are likely to be directly regulated by the provisions of the legislation (which, generally speaking, places obligations on public authorities such as government or other public bodies), but because the legislation provides for general rights of access to recorded information that public authorities hold. The Act offers the opportunity for anyone to make a written request for information held by a public authority, providing authors and journalists among others with wider opportunities to access previously unavailable information. Extensive use has been made of the access rights since these came into force in January 2005. This has in turn fostered high-profile public debates on issues of real significance, including the importance of public transparency and accountability, including in connection with the historic publicity surrounding the obtaining of access to MPs’ expenses and Prince Charles’ letters to certain government departments.
Future changes to EU data protection law
In January 2012, the European Commission published proposals aimed at overhauling and harmonising the EU’s data protection regime. When the agreed text is finally adopted, the new data protection framework will introduce enhanced rights for individuals, new compliance obligations for organisations and tough penalties for non-compliance.
The agreed text of the data protection framework is lengthy, contentious and has been the subject of a protracted period of negotiation. While the data protection principles and some, but not all, of the defined terms remain largely unchanged, there are a number of likely changes including, for example:
• Personal data – a broader definition of personal data, including personal data that is ‘pseudonymous data’ meaning data that cannot be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution. It is assumed that a lesser standard of protection may be required where personal data is classified as pseudonymous but what that standard may be is not yet clear.
• Consent – a potentially stronger definition covering ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes’.
• Profiling – individuals may have an enhanced right not to be subject to any measures based on automated processes which use personal data to analyse, evaluate or predict factors such as their performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
• Additional enforcement powers and sanctions – enhanced powers for data protection authorities. Penalties for breaches of data protection law could reach a maximum of 4 per cent of annual global turnover for ‘enterprises’ or fines of up to 20 million Euros.
• Mandatory security breach notification – data protection authorities are expected to have to be informed of a data security breach by the data controller without undue delay, and, where feasible, within 72 hours of becoming aware of the breach. Data subjects must then be informed ‘without undue delay’ of the breach where it is likely to result in a high risk to the data subject’s rights and freedoms, unless the data has been rendered unintelligible (e.g. by way of encryption), the data controller has taken steps to ensure the high risk is unlikely to materialise or to inform the data subjects individually would involve disproportionate effort (in which case a public announcement can be made).
• Additional administrative requirements – there are new administrative requirements which data controllers and, in most cases, data processors may have to comply with. These include the obligation to maintain a form of compliance register and to conduct privacy impact assessments before conducting certain data processing, generally to do more to document and evidence how processing of personal data is undertaken in compliance with the proposed law and, under certain circumstances, to appoint a data protection officer.
At the time of writing, much remains unclear about the final form and content of the law; however, the current legislative timetable suggests that the Regulation will be adopted in 2016. Organisations will then have some time to implement changes to bring their processing of personal data and supporting procedures into compliance with the new law. It is likely that the Regulation will not then come into force until 2018.
In a separate development, an announcement was made in September 2014 that the head of the European Commission had asked the newly appointed EC Commissioner for digital economy and society to prepare a separate reform of the e-Privacy Directive, which includes the rules covering electronic marketing and the use of tracking tools such as cookies. The detail of the reform is not known at the time of writing.
SUMMARY CHECKLIST: PROMOTION AND DATA PROTECTION
Promotions
• Are we promoting unsolicited goods or services?
• If so, do we have reasonable cause to believe we are entitled to payment?
• Are we engaged in distance selling?
• If so, have we provided all the relevant information to the consumer?
Data protection
• Are we using personal data in any way?
• If so, do we need to put in place notification with the UK Information Commissioner?
• To the extent we need it, do we have the consent of the individual?
• Are we using any ‘sensitive personal data’?
• If so, do we have explicit consent from the relevant individuals?
• Is the processing of personal data for the purposes of journalism, literature and art, and if so does the exemption relevant to the processing of personal data for these purposes apply?
• Do we have procedures in place to ensure compliance and to handle complaints or subject information requests?
• Are we sending unsolicited communications?
• Do we make any transfers of personal data outside the EEA?
• If so, can we meet the requirement for adequacy of protection of the transfers?
• Are all relevant staff trained to understand the impact of the 1998 Act on their particular area?
• Do we have in place procedures to ensure ongoing compliance with data protection laws?