Article by DataGRC Ltd. 8th September 2018.
There's no doubt that 2018 is a particularly special year for data protection and privacy.
The EU General Data Protection Regulation (GDPR) kept a lot of people busy this year. It is still creating a lot of confusion and misinformation about data protection and privacy.
It certainly kept marketing teams on their toes, even though much of that related to a 2003 law - the UK Privacy and Electronic Communications Regulations (PECR), with its amendments in 2004, 2011, 2015 and 2016. Many argue it's still not right, with the EU due (sometime soon, perhaps) to update their related legislation and ongoing confusion around Cookie Notices. It really does take the biscuit.
And now the FGCA is chipping in on Privacy too...
So what on earth is FGCA, you may ask?
The Financial Guidance and Claims Act 2018 received royal assent on 10 May 2018. Eagle-eyed readers will notice that it doesn't have "Privacy" or "Protection" in the title. It has important provisions for establishing a new financial guidance body. But deep within the 61-page document (a minnow compared with the new DPA at 353 difficult pages) it also has some interesting provisions for data protection.
It tweaks PECR so that claims companies (e.g. PPI refunds and that accident you never had) must gain consent before making unsolicited marketing calls. The calls were previously legal, if the person had not directly opted out or had not added themselves to the TPS register.
It doesn't touch electronic mail (emails or text messages), which in the main already require opt-in consent (exceptions can include corporate subscribers and the "soft-opt-in").
Most people would agree that claims calls are largely unwanted and potentially distressing. The UK government comments:
"The Financial Conduct Authority highlighted that in the last 12 months, approximately 2.7 billion unsolicited calls, texts and emails were made to the UK's adult population offering to help them make a claim. This includes calls about recent accidents or mis-sold PPI. This is equivalent to approximately 50 calls, texts or emails being made to every member of the adult population."
That looks like a bad thing.
So, there's a new law here to help?
In its normal comedically un-transparent and overly complicated style, the FGCA tinkers with PECR, by stating:
35 Cold calling about claims management services
(1) The Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426) are amended as follows.
(2) In regulation 21 (calls for direct marketing purposes), after paragraph (5) insert
    "(6) Paragraph (1) does not apply to a case falling within regulation 21A."
(3) After regulation 21 insert
    "21A Calls for direct marketing of claims management services
    (1) A person must not use, or instigate the use of, a public electronic communications service to make unsolicited calls for the purposes of direct marketing in relation to claims management services except in the circumstances referred to in paragraph (2).
    (2) Those circumstances are where the called line is that of a subscriber who has previously notified the caller that for the time being the subscriber consents to such calls being made by, or at the instigation of, the caller on that line.
    (3) A subscriber must not permit the subscriber's line to be used in contravention of paragraph (1).
    (4) In this regulation, "claims management services" means the following services in relation to the making of a claim-
        (a) advice;
        (b) financial services or assistance;
        (c) acting on behalf of, or representing, a person;
        (d) the referral or introduction of one person to another;
        (e) the making of inquiries.
    (5) In paragraph (4), "claim" means a claim for compensation, restitution, repayment or any other remedy or relief in respect of loss or damage or in respect of an obligation, whether the claim is made or could be made-
        (a) by way of legal proceedings,
        (b) in accordance with a scheme of regulation (whether voluntary or compulsory), or
        (c) in pursuance of a voluntary undertaking."
(4) In regulation 24 (information to be provided for the purposes of regulations 19 to 21)-
    (a) in the heading, for ", 20 and 21" substitute "to 21A";
    (b) in paragraph (1)(b), after "21" insert "or 21A".
All clear then.
It will be interesting to see how quickly the calls stop or how quickly fines (probably to be limited to PECR's £500k slap on the wrist max, although potentially considered under GDPR's consent obligations) happen.
The biggest irony here is that those claims companies lining up for the "Has the privacy of your data been breached?" no-win-no-fee deals won't be cold calling the British Airways customers who were unlucky enough to have made a payment while the crooks were snooping. Back to targeted social media pop-ups for them then.
DataGRC provides data protection and security advisory services, including outsourced DPO and CISO resource, compliance systems, online training, assessment and remediation support.
Articles made publicly available on this website are general information, and should never be mistaken for formal or legal advice. If you are seeking formal advice for your specific requirements, please contact our advisory team using the form above.