Protecting online privacy
It pays to observe data privacy, says Simon Stokes at Tarlo Lyons Solicitors, not just to avoid legal liability, but to enhance the value of the data itself.

In recent years laws protecting the privacy of individuals when personal data about them is stored or processed have proliferated internationally. These laws deal with data privacy and (as it is called in Europe) data protection. All UK e-commerce businesses must comply with data protection law. This is not just to avoid legal liability; by paying careful attention to compliance issues the value of a company’s data can be significantly enhanced. For example, compliance may allow you to conduct direct marketing or to sell data to a third party (if, for instance, your business is sold).

Under the Data Protection Act 1998 (‘Act’) the general rule is that anyone using personal data (which could be as simple as a name and address or even an email address) must notify their processing of the data to the UK’s Information Commissioner. Failure to do so is a criminal offence. The Information Commissioner can also take legal action where there are other breaches of data protection law. In particular the eight data protection principles in the Act must be complied with, namely:

1. Personal data shall be processed fairly and lawfully.
2. Personal data shall only be obtained for one or more specified and lawful purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary.
6. Personal data shall be processed in accordance with the rights of data subjects.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Persons who suffer harm as a result of unlawful processing or other breaches of the Act are also entitled to claim damages against the business concerned. There are also special rules for ‘sensitive personal data’ – ethnicity, health records, membership of a trade union, etc.
The need for a privacy statement

Where a business collects personal data – for example, contact details and other data such as customer preferences – via a web page or email, the business must ensure that the personal data is fairly and lawfully processed. It must also be obtained only for one or more specified and lawful purposes and must not be processed in a manner incompatible with these purposes. In practice this includes making sure that you have an online privacy statement in the proper form, which is brought to the attention of those submitting personal data. The privacy statement must clearly set out the purposes for which the data is collected and processed. Where the data will be used for direct marketing purposes, current practice is to include an ‘opt out’ box, giving the person the right not to have their data used for this purpose. The privacy statement can also help you to comply with other areas of the Act, for example if the data is to be transferred (exported) outside Europe for processing.
Data exports

The current law (under the eighth data protection principle) is that personal data can only be exported outside Europe if the country to which the data is exported has an adequate level of protection. The United States is not considered to have this, for example. Where the importing country does not have this level of protection, it may be possible to resolve the situation by having the data exporting and data importing parties enter into a ‘model form contract’ approved by the EU. Or the importing country concerned may have its own voluntary regime, such as the US ‘safe harbor’ regime. Where the prior consent to the transfer of the data subjects (that is, the persons about whom personal data is held and processed) is obtained, then there is no need to worry about ‘model clauses’ etc; the transfer will be lawful. Where possible, this is the best course of action. A carefully drafted online privacy statement can help too.
Security

The seventh data protection principle requires that ‘appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’. In other words, the data must be kept secure. This is particularly important when the data may be available online and where there is a risk that it may become available to others. To comply with this principle it is typical to conduct a risk assessment of current data security measures. Also, any third-party data processors (for example, persons you have outsourced to) must be under a written contractual obligation to ensure that personal data are kept secure.
Spamming and direct marketing
The current law

The current law in this area is complex – involving the Data Protection Act 1998 and the Telecommunications (Data Protection and Privacy) Regulations 1999 (as amended). It requires that the making of automated calls or sending automated faxes by way of direct marketing must have the prior consent of the recipient (ie an ‘opt in’). Where unsolicited non-automated calls or faxes are sent or made, then the relevant ‘opt out’ register, kept by the Director General of Telecommunications, must be consulted in advance. If the recipient of a fax is an individual subscriber rather than a company, then a prior ‘opt in’ must always be obtained. Customer preferences communicated to the sender or caller must also be respected. For direct marketing sent by email or ‘snail mail’ (post/courier), the recipient has the right to opt out. Of course, the person processing the data for direct marketing purposes must be compliant with data protection law generally as well – for example, their privacy statement should deal with direct marketing.
The new law

The 2002 Directive on Privacy and Electronic Communications (‘Directive’), which must be implemented into UK law before 31 October 2003, sets out a new regime regulating unsolicited communications for direct marketing sent by: automatic calling machines (use of automated calling systems without human intervention); fax; electronic mail (this includes SMS text messages). These are only allowed where subscribers have given their prior consent – ie ‘opt in’ applies.

However, where there is an existing customer relationship, and electronic contact details are obtained in the context of a sale of a product or service, then you are allowed to use email to market to customers in the future for your own similar products or services. But you must give customers the right to opt out when their email details are collected initially and then each time you send a subsequent direct marketing email. For other unsolicited electronic communications for direct marketing (eg by telephone or mobile phone) the UK will be able to choose whether there is an ‘opt in’ or ‘opt out’ regime.

Also any direct marketing electronic mail must not disguise or conceal the identity of the sender and must have a valid address for the receipt of any ‘opt out’. This is in addition to the requirements of the Electronic Commerce Regulations 2002, which also deal with the need to identify unsolicited ‘commercial communications’ as such, and with other online information requirements.
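To make the opt-in and opt-out rules above concrete for anyone building a mailing or campaign system, here is an added Python example; it is not from the article or from Tarlo Lyons. It encodes the rules as a decision function: a recorded opt-out always wins, electronic mail must identify the sender and carry an opt-out address, the Directive channels need prior consent unless the existing-customer exception applies, and channels the Directive leaves to national choice are not decided here. The Recipient and Message records, the channel names and the sample recipients are assumptions and constructed data, and SMS is grouped with email as ‘electronic mail’ because the article defines it that way.

```python
"""Decision helper for the direct-marketing consent rules described above.

Added example, not part of the original article.  The data model (Recipient,
Message), the channel names and may_send() are assumptions about how a
mailing system might record the relevant facts; all sample data is constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Channels the 2002 Directive subjects to prior consent ("opt in").
# The article treats SMS text messages as electronic mail, so both appear here.
OPT_IN_CHANNELS = {"automated_call", "fax", "email", "sms"}
ELECTRONIC_MAIL = {"email", "sms"}


@dataclass
class Recipient:
    address: str
    prior_consent: bool = False             # explicit "I consent" tick at collection
    opted_out: bool = False                 # any recorded opt-out must be respected
    existing_customer: bool = False         # contact details obtained during a sale
    opt_out_offered_at_collection: bool = False


@dataclass
class Message:
    channel: str                            # one of the channel names above
    similar_to_purchase: bool = False       # own, similar products or services only
    sender_identified: bool = True          # identity of the sender not disguised
    opt_out_address: Optional[str] = None   # valid address for receipt of opt-outs


def may_send(recipient: Recipient, message: Message) -> Tuple[bool, str]:
    """Return (allowed, reason) for one direct-marketing message."""
    if recipient.opted_out:
        return False, "recipient has opted out"

    if message.channel in ELECTRONIC_MAIL:
        # These two apply to every direct-marketing electronic mail,
        # whether it is sent under consent or under the customer exception.
        if not message.sender_identified:
            return False, "sender identity must not be concealed"
        if not message.opt_out_address:
            return False, "message must carry a valid opt-out address"

    if message.channel not in OPT_IN_CHANNELS:
        # e.g. live telephone calls: the Directive leaves opt-in versus
        # opt-out to the UK, so this helper does not approve them.
        return False, "channel not covered by this helper; check national rules"

    if recipient.prior_consent:
        return True, "prior consent (opt in) recorded"

    # Existing-customer exception: electronic mail only, own similar products,
    # opt-out offered at collection and (checked above) in this message.
    if (message.channel in ELECTRONIC_MAIL
            and recipient.existing_customer
            and recipient.opt_out_offered_at_collection
            and message.similar_to_purchase):
        return True, "existing customer relationship exception"

    return False, "prior consent required for this channel"


def demo() -> dict:
    """Run the decision over constructed sample recipients and messages."""
    consented = Recipient("a@example.invalid", prior_consent=True)
    customer = Recipient("b@example.invalid", existing_customer=True,
                         opt_out_offered_at_collection=True)
    unsubscribed = Recipient("c@example.invalid", prior_consent=True, opted_out=True)
    newsletter = Message("email", similar_to_purchase=True,
                         opt_out_address="unsubscribe@example.invalid")
    anonymous = Message("email", similar_to_purchase=True)  # no opt-out address
    fax = Message("fax", similar_to_purchase=True)
    return {
        "consented_email": may_send(consented, newsletter),
        "customer_email": may_send(customer, newsletter),
        "customer_fax": may_send(customer, fax),
        "opted_out": may_send(unsubscribed, newsletter),
        "no_opt_out_address": may_send(consented, anonymous),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:20s} {'allowed' if allowed else 'blocked':8s} {reason}")
```

The helper is deliberately conservative: anything it cannot place under a rule in the article is refused rather than approved, so a campaign tool calling it fails closed when a channel or consent record is incomplete.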
Cookies, web crawlers, spiders, web bugs

These technologies potentially allow third parties access to the contents of your computer. A ‘cookie’ is a small text file that is stored on the hard drive of your computer when you visit a website. Cookies allow repeat visits (eg by a subscriber to the site) and they can also be used to gather information about you. Web bugs, spyware and other similar devices can be used to gain access to information on your computer, to store hidden information and to trace your activities. They are typically used for clandestine purposes.

The new Directive sees ‘cookies’ as a legitimate and useful tool. However, web bugs and similar devices are seen as a serious threat to privacy, and they must only be used for legitimate purposes with the knowledge of the users concerned. The use of ‘cookies’ is permitted provided that: the user is given clear and comprehensive information about the use to be made of the information gathered by the cookie – this must be made as ‘user friendly’ as possible; and the user has the opportunity to refuse the cookie. However, access to a website can be made conditional on the user’s well-informed acceptance of a cookie.
Conclusion

Dealing with online privacy issues is just part of dealing with data protection compliance more generally. Areas typically included in any compliance programme are: existence and role of a compliance officer and management involvement; internal staff policies and awareness of procedures and sanctions for non-compliance; website privacy statements and processes of collecting personal data; duration of data retention; staff monitoring; handling of requests by data subjects to access their personal data; security standards applied (both technical and operational).

Looking more specifically at online privacy issues, privacy statements are essential when addresses or personal data are collected. Where email/telephone numbers are to be used for direct marketing (eg by email or SMS) then best practice will be to obtain prior ‘explicit’ consent, for example by a tick in an ‘I consent’ box on a web form. Information must also be put in place dealing with cookies, and users must be able to refuse them. Where personal data will be transferred outside the EU for processing, it is essential that either consent is obtained or other compliance options are investigated.

Tarlo Lyons is a leading London law firm focused on delivering commercial solutions for technology-driven business. It has one of the largest teams of dedicated technology lawyers in England, and believes in leveraging the expertise and talent it has assembled to provide real benefits for its clients. It believes that success comes from contributing to its clients’ objectives, and its ability to understand and work with technology is central to this.

For further information contact: Tarlo Lyons, Watchmaker Court, 33 St John’s Lane, London EC1M 4DB. Tel: +44 (0)20 7405 2000; Fax: +44 (0)20 7814 9421; Email: Simon.Stokes@tarlolyons.com; Website: www.tarlolyons.com