Email and the Law

Data Protection Regulation Vote

I was wrong. I thought that the vote on the amendment to the proposed Data Protection Regulations put forward by the European Parliament's Civil Liberties Justice and Home Affairs Committee (LIBE), fronted by MEP J. Albrecht, would be close. However, the MEPs voted 621 to 10 in favour.

The amendment has been heavily criticised, not the least for its poor wording, which is unforgivable. It is almost as if it must be deliberate. Further, there is conflict between the wording of the Amendment and that of the draft Regulations.

The main problem is that it is not, to say the least, business friendly. However, now the dust has settled on the vote to a degree, we can see that it is not as bad as it first appeared.

Firstly, and most importantly, this is not the final nail in the coffin of direct email marketing. Far from it in fact. The regulations, whilst oppressive in the eyes of those with an email marketing list, can be conformed to without much extra cost.

Secondly, and probably more importantly, the DPR is not signed off and, we would hope, is unlikely to be in its present form given concerns raised by Cameron and Merkel.

Before the DPR becomes law the details will have to be agreed between the European Commission (EC), European Parliament (EP) and the Council of Ministers (CoM). One refreshing point is that the CoM is likely to address the wording and turn it into something that is at least clear, and hopefully less open to costly misinterpretation.

Much has been made, and quite rightly, of the punitive provisions of the Regulations, including the upgrading of the fines to businesses to a maximum of €100m (£85m) or 5% of annual worldwide turnover, whichever is greater. Given our tight margins, this is eye-watering. Further there is the threat of speculative compensation claims.

Other points of concern to those of us engaged in bulk email marketing include the right to erasure, profiling, data security breach notification, and appointment of data protection officers.

There is one positive: nothing is settled. With the EC, the EP and the CoM all supporting differing versions of the Regulations, the original target date of early next year is now abandoned. The date of late 2016 has been muted but this too seems all but impossible. So we are looking at 2017 in all probability.

This gives time for concerns from the likes of the DMA,, to be brought to the attention of ministers and pressure exerted for a more business-friendly version before finalisation. At the very least we need clear and accurate language in the Regulations.

Despite the variables, there are things we can do so that when the Regulations become law we have something of a head start. It is a fair assumption that data controls will be stricter so building in checks at this stage means you will not be under pressure when it becomes a requirement. Keep clean and accurate email marketing lists. Privacy by design will be covered in a future article.

We can be sure that the requirement to notify customers of breaches of security will be in the final draft so now is the time to plan.



30 days full functionality - No credit card required - INSTANT ACCESS