U.K.’s Data Protection Act makes overseas mailings trickier
On March 1, when the U.K.’s Data Protection Act (DPA) takes effect, one of Europe’s largest mail order markets will become even trickier for U.S. list and database professionals to navigate.
Not only does the act expand the definition of data processing and strengthen opt-in regulations, but it also increases the authority of the Office of Data Registrar (to be renamed the Office of Data Commissioner next month) to determine who can and can’t hold and process information on British citizens.
But these measures do not bar U.S. companies from renting U.K. lists, despite explicitly stating that no data may be exported outside the European Economic Area (the 15 European Union, or EU, member countries, plus Norway, Iceland, and Liechtenstein). U.S. firms may process U.K. data, but only under contractual obligation to abide by the new regulations and to subject themselves to the authority of the British courts if complaints arise.
“The main difference between the DPA and existing laws is that the existing laws talk about the automatic processing of data, and under the new law, manual data processing is covered,” explains Chris Jones, a consultant with Coventry, U.K.-based list software firm Sanderson CFL. Before, automatic processing referred specifically to computer output of multiple records. But under the new statute, just looking up a record is considered data processing. “Now anyone looking at the data has the responsibility for its disclosure,” Jones says.
The new DPA also clarifies what constitutes permission for the use of sensitive data, defined as race or ethnicity, political affiliation, religious persuasion, union membership, medical information, sexual preference, and criminal record. “This data may be processed only if the data subject has unambiguously given his consent,” Jones says. Marketers must be able to prove that recipients have explicitly granted permission for mailers to use this data in specific campaigns.
The authority of the Office of Data Commissioner, confined before the new regulations to fining data processors that did not register their activities, now extends to every aspect of data handling. The data commissioner must be notified of all plans to process data, including what information will be used, who will be targeted, and what will be offered.
The data commissioner will also draft a sample contract that U.S. companies must use when processing U.K. data. An arrangement between the Office of Data Commissioner and the U.S. Department of Commerce, called a safe harbor agreement, allows U.S. firms to possess U.K. data only when operating under contract. The U.S. firm must agree to be held responsible for the activities of any of its employees and vendors that come in contact with the data.
The contract also stipulates that the U.S. firm “must guarantee the same protection as the DPA provides, and it must be enforceable,” Jones says. “The U.S. firm is subject to prosecution by the Office of Data Commissioner and cannot say after a violation, ‘I’m sorry, but that’s British law, not U.S. law.’”
The statutes of the DPA aren’t unique among European nations. In fact, by adopting the new regulations, the U.K. is merely matching its laws to those of other EU member countries as stipulated by the 1995 EU directive on data processing. The safe harbor agreement for U.S. firms using U.K. data is endorsed by the EU’s joint advisory committee, the Working Party on the Protection of Individuals, and theoretically allows U.S. firms full access to EU markets – if they’re willing to abide by the stringent EU privacy laws.