Privacy Challenges in Marketing Practices: European (Over)Ruling of the Use of Personal Data?*

Article by Felix Hofer1,2

1. In order to promote their products and services effectively marketers need extensive information about the subjects they're dealing with or they'd like to target for future business. Technical progress requires such information to be more and more sophisticated: in order to perform a successful campaign it's crucial to know as much as possible and in detail about targeted companies, individuals, categories, industry sectors, shopping habits, consumer profiles, gender, race, age, location, financial capacity and health conditions.

   That's the reason why nowadays 'data' has become the most valuable 'raw material' in the modern economy. That is also the reason why marketers' techniques for approaching target subjects have become extremely complex and rely on top level technology.

   Marketers' business nowadays involves practices such as behavioral-, contextual-, location- and mobile marketing; it extends way beyond (earlier) traditional media, reaching out to the on-line communities (virtual worlds, social networks, blogs, discussion forums, etc.) and makes use of advanced technological tools – especially in the area of neuromarketing - such as Radio Frequency Identification (RFID), Functional Magnetic Resonance Imaging (fMRI), Steady State Topography (SST), Facial Coding and Galvanic Skin Response3. And yes, cookies are still immensely popular and widely used.

2. Practices that dwell so deep into an individual's personal sphere, do monitor his habits and profile many aspects of his personality, are also capable to cause data subject's annoyance and opposition.

   More and more frequently we find reports in the news – both in Europe as well as in other geographic regions around the world - about clashes between aggressive marketing techniques and privacy concerns. Nevertheless I feel that the exact dimension and the real terms of this problem are still not correctly perceived. Any time I mention this issue among my colleagues and friends in the US, I face a rather annoyed reaction, usually accompanied by the objection that the 'sacrifice' of giving up a bit of privacy is largely compensated by the multiple benefits one receives from allowing the processing of personal data. When I try to insist and to make my point, my interlocutor generally labels me as 'one of those consumer protection advocates'.

   This personal experience is an illuminating example of a patent misperception of a problem, which – if not correctly assessed - could put marketers into serious trouble.

3. First of all, foreign companies not familiar with the European approach to processing of personal data and with the laws and regulations governing such practice need to realize that on this side of the Atlantic 'privacy' has little to do with consumer protection: the issue at stake (and the interest considered by legislation) is not that of avoiding "harm" to consumers, but that of granting individuals a fundamental right, which benefits from protection at a maximum (i. e. constitutional) level.

   The Charter of Fundamental Rights of the European Union4 clearly states (in Article 8 on 'Protection of personal data') that "1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority".

   Well ahead of the Treaty of Lisbon many countries, members to the European Union, had in their national Constitutions identical or similar provisions, meant to assure adequate protection to an individual's private sphere5. The reasons for such an approach are to be found in the historical context surrounding World Wars I and II. In other terms, the 'fundamental right reference' puts the guarantees for an individual's personal data in the same league as freedom of speech and First Amendment protection. Therefore no surprise that infringement of some of the most relevant provisions governing the processing of personal data are sanctioned not just by fines, but also under criminal law.

   Any time marketers processing personal information do not give adequate consideration to this aspect and its implications, they may easily find themselves exposed to critical situations and to significant risks for their business practices.

   There are a few things marketers ought to bear in mind when crossing the Ocean and addressing the EU's plus 550 million consumers market. Without pretending to result exhaustive and just focusing on the very basic aspects the following comments try to summarize some of the most significant legal implications for companies doing business on an international level.

4. The starting point for a correct privacy policy are clearly the principles laid down in the so-called 'Data Protection Directive'6. While recognizing the importance of data-processing systems and of data-flow without excessive obstacles, these principles also claim that handling of an individuals' personal information has to "respect their fundamental rights and freedoms, notably the right to privacy".

   Accordingly the Directive requires7 all personal data to be:

   processed fairly and lawfully, collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes, adequate, relevant and not excessive in relation to the purposes for which they are collected, accurate and, where necessary, kept up to date, kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected, and Establishes8 that personal data may be processed legitimately only if the data subject has unambiguously given his consent, or processing is necessary:

   for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, or for compliance with a legal obligation to which the controller is subject, or in order to protect the vital interests of the data subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed, or for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1. 5. This initial framework was then completed by the ePrivacy Directive9 (amended and integrated in year 200910), which extends the requirements set by the '95 Directive to "publicly available electronic communications services in public communications networks". This additional Directive clarifies that "Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms"11 and enlightens about the limits of legitimate use of cookies12. Finally, it gives indications as to the collection, use and storage both of 'traffic data' as well as of 'location data'13 and provides for measures specifically...