Chris Combemale, CEO of the Data & Marketing Association, discusses why interpretations of GDPR have restricted growth in the digital economy, highlighting some changes that will help the government achieve its vision set out within the National Data Strategy.
A recent UK Government taskforce branded the GDPR as “prescriptive and inflexible”, urging Boris Johnson to replace it with a new framework for data protection that doesn’t stifle growth and innovation. The Data & Marketing Association (DMA), and many of the data privacy experts we work with, believe that it is interpretations of the GDPR that are restricting growth in the digital economy.
The UK Government’s National Data Strategy (NDS) sets out an ambitious vision for a future economy and society with data at its heart, through 5 key missions. The Government has global aspirations for UK data expertise and privacy standards to be at the core of international data flows, essentially unlocking the value of data across the digital economy.
This vision can be achieved with the GDPR in place, if properly applied.
There is an opportunity for industry associations like the DMA, in partnership with the ICO, to establish industry Codes of Conduct across every sector of the economy. This possibility is outlined by articles 40 and 41 of the GDPR. Industry Codes of Conduct can help to apply current data protection legislation to achieve the government’s growth and innovation objective.
This will help businesses to innovate while maintaining a high level of privacy protection, the degree necessary to build trust and consumer confidence in the modern digital economy.
Balancing privacy and growth
UK GDPR is risk-based legislation which seeks to balance many rights, not just the right to privacy. It places the decision-making responsibility for processing data on each organisation.
But to ensure we find a better balance between innovation, growth and privacy we must introduce industry Codes of Conduct. This makes organisations and their industry associations responsible and accountable for finding this balance in a safe way.
To understand how the legislation supports the government’s vision we need only look at Recital 4 of the GDPR’s text. It specifically states that “the processing of personal data should be designed to serve mankind”, but “the right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society”. It goes on to say that “this Regulation respects all fundamental rights”, including the “freedom to conduct a business…”.
GDPR outlines six bases of processing data depending on the type of organisation and the nature of their activity. Each organisation is responsible for considering what it is aiming to achieve and to select the basis that is most appropriate for them. The ICO has always been very clear that each of these is equal under the law and that each applies in specific contexts.
For the purposes of the data and marketing industry, the main bases selected will normally be either consent or legitimate interest. The two bases are equally valid in the text, as highlighted by Recital 47, and particularly its applicability to the data and marketing sector.
Interpretations of GDPR have restricted growth
In a recent article in the Financial Times, the Secretary of State for Digital, Culture, Media and Sport correctly observed: “Right now, too many businesses are reluctant to use data – either because they don’t understand the rules or are afraid of inadvertently breaking them. That has hampered innovation...”.
Given what the text actually says, the key question is, how has this situation come to pass?
My strongly held view is that this is not because of what is written in the GDPR, but because Data Protection Authorities (DPAs) in 28 countries have been inconsistent and lacked clarity about the use of legitimate interest. In addition, lawyers have advised companies to take a risk-free approach by always defaulting to consent, even if that might severely limit innovation and growth.
Interpretations of the applicability of legitimate interest to data and marketing vary greatly. The Dutch DPA argues that commercial activity is not a legitimate interest, whereas Austria and Italy have approved Codes of Conduct under GDPR that highlight legitimate interest as the preferred grounds for direct marketing, especially activities that benefit customers.
In this regard, it is crucial that DPAs should apply the law as it is written. This was reinforced in November when a Dutch court ruled comprehensively that commercial interests, including data and marketing, were indeed legitimate interests, essentially concluding that the collection and transmission of personal data in order to advertise effectively could also be a legitimate interest.
Developing Codes of Conduct
In order for businesses to provide a relevant experience for customers, they must be able to process insights gained from their own first-hand knowledge of customers, as well as additional insights from other sources. Organisations that communicate the right products and services to customers create a more efficient economy, reduce wasteful spending, and are valued by their customers.
Such legitimate economic activity is an example of the normal, beneficial processing of data that was anticipated by the legitimate interest basis. It certainly meets the reasonable expectations threshold and is essential to support growth and innovation.
This brings us to the role of Codes of Conduct, which were intended to interpret the GDPR for particular sectors and to achieve harmonisation across Europe through co-regulation. Article 40 sets out the role of Codes of Conduct in more detail, with clause 40(b) being particularly crucial. It offers scope for each sector of the economy to balance their legitimate interests while offering robust privacy protection and compliance.
All Codes of Conduct must reflect GDPR text in the way it was written and clarify how the text should be applied through the lens of specific sector knowledge and expertise.
The DMA is working closely with the ICO to approve a direct marketing Code of Conduct and secure approval of our existing Data & Marketing Commission as the Industry Monitoring Body. Many other industry sectors are doing the same.
This will unleash innovation across the economy while ensuring high standards of privacy protection are maintained, building trust and confidence in a modern, data-driven economy.