Clíona J. M. Kimber S.C. Bar of Ireland
Address to PRII: 15 September 2021
Data protection is very important for in-house and agency PR consultants, who range from those working in public and private sector organisations, to sole traders, to senior agency leaders / MDs who advise across the areas of reputation, consumer / FMCG, public affairs, finance, construction and internal communications, to name but a few.
Data Management of project communications for large infrastructure projects is a big issue also especially around public consultations on projects.
Brexit has thrown a spanner in the works especially where there is uncertainty about where computer servers are housed.
Much, but not all, of what is sent on behalf of clients or employers by public relations professionals to journalists is unsolicited e.g., media releases, invitations to events. Generally, public relations practitioners and press officers have access to a media contacts database/s in some format e.g., Excel. These databases commonly contain journalists’ names, who they work for, their work and possibly personal email address, their work and possibly personal mobile number.
According to the GDPR, storing or using such data constitutes ‘processing’ personal data. Journalists have the same rights in relation to their personal data as any other person under GDPR. Public relations practitioners and press officers must therefore ensure they are compliant with the GDPR. Breaches of these regulations can have a severe impact on organisations, including onerous fines.
All members of staff who have access to, or store on their phone, laptop etc., personal data such as mailing lists or databases of contacts must therefore be made aware of the GDPR and act within the regulations.
I will look at the following matters:
- The GDPR
- Key issues and solutions
- Data base management
- Privacy & data protection policies
- Consent at events, photographs
- Some Stories on Enforcement
- The Learnings
The GDPR, in article 5, sets out 5 key principles. These are not aspirations, but are serious obligations placed on the controller or processor should they elect to process any personal data, regardless of the extent or duration. The principles are that personal data must be:
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’);
- Processed lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’);
- Restricted as to disclosure and processing;
- Kept securely: processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, and kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
- Accurate and, where necessary, kept up to date (‘accuracy’).
Article 5 also provides for an additional principle, directed at the controller, that it shall be responsible for, and be able to demonstrate compliance with, the above principles (‘accountability’).
In brief, the most common areas of difficulty are:
- The scope of ‘personal data’. What is personal is very broad – it is defined as ‘any information relating to an identified or identifiable natural person’ and is not limited to ‘identifiers’,
- Lawfulness of processing – there are six lawful bases in the legislation, but in essence three – bases (a), (e) and (f) of the list of six – are applicable to public relations:
(a) consent, which must be freely given, explicit, informed and revocable at any time;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
- Sensitive personal data
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, is prohibited unless there are two good reasons.
- What is a legitimate interest? In brief, something that is really necessary for your business, bearing in mind that unsolicited mailing and sales are not permitted. This is looked at in more detail under Key issues and solutions.
- The need to exercise Due care in the retention of data:
- Confidentiality of data to be preserved and there should only be limited sharing of data; even within the workplace information should be kept secure and access should only be on a need to know basis.
- Confidentiality should be preserved and secure systems and devices ensured while working at home.
- ‘Transfers to third countries’ may be problematic, and this can include cloud storage abroad. Therefore, the laws of that third country need to be considered to determine whether or not any effective technical measures can prevent access from infringing on the rights of a data subject.
Transfers to the UK will be considered transfers outside of the EU/EEA and will require a mechanism to ensure an adequate level of data protection. Fortunately, the EU Commission formally adopted two UK adequacy decisions on 28 June 2021, one under the GDPR and the other under the Law Enforcement Directive (LED). This means that personal data can continue to flow freely from the EU to the UK, without putting in place additional safeguards, such as the Standard Contractual Clauses. They are of a four-year duration.
Key issues and solutions
Lawfulness of processing databases of contacts
There are many practical questions facing PR professionals. Can I keep a database of journalists to e-mail them my press releases? Can my PR agency keep a database? These are thorny questions and there is no definitive answer to them yet, as many edge cases will be decided by the judiciary.
The main basis for lawful processing is legitimate interest. To rely on this successfully to justify keeping databases and e-mailing contacts, the specific interest in question must be identified to the data subject.
So, what is the specific interest? A fair and reasonable interpretation of GDPR is that public relations agencies and in-house departments would be exercising a ‘legitimate interest’ in storing and processing journalist data and contacting journalists to provide relevant information. Remember, access to the media is important not just for big corporates but for small businesses, charities and pressure groups too – organisations of all types and sizes.
If public relations professionals have to get specific consent from every journalist for every client and every campaign (granularity of consent built into GDPR), then this will be very difficult for public relations and it could be said there is a public interest in good journalism and reporting as necessary for democracy, which is in the public interest.
A public interest case could actually be made for communications with You can argue that the impact of the media is so great, that it is necessary to monitor what the media are writing and which journalists in particular are following your industry.
There is a good case to be made that companies have a legitimate interest to manage a list of stakeholders.
The corporate communication best practices say that you should have a good overview of your stakeholders.
That means that, at a minimum, you need to have a list of stakeholders and their representatives – as well as some classification and information about their views. You can think of stakeholders like:
- Federations and associations
- Policy makers
- Local organisations
- NGOs and pressure groups
For example, if you are working for a chemical plant, it makes sense to have a database of contacts in surrounding residential areas, such as local authorities, Gardaí, fire service, residents’ organisations.
But also, perhaps, groups that might have goals that are at odds with your organisation, such as competitors.
Right to Object
However, a scattergun approach to contacting journalists or stakeholders is not likely to be permissible, e.g. sending a press release on a food product to a sports journalist. This may be seen as spam and would not be covered by legitimate interest. In any event, it is also likely to be bad business, as a journalist who keeps getting irrelevant press releases from you is likely to ignore them.
Don’t forget also that a journalist or stakeholder has the right to opt out, and also to request access to the data you hold on them.
Photographs at Events
A picture tells a thousand stories, and that is why photographs are so important for public relations. Where events take place, a few good photos can be the hook to good publicity. However, the taking of images of those present, and what you do with them, is a minefield under GDPR.
For example, one large company which sponsored an award for persons with disabilities, kept the pictures on its website for many years. While the award was a stepping stone at the outset, the image became a hindrance as the person had moved into long term employment and wanted more privacy around their particular disability.
The Guidance Note of PRII “GDPR Information for Public Relations Professionals Compiled by the Public Relations Institute of Ireland 2018” is extremely useful and has very good advice.
“Personal data includes photographs and images which do/can identify an individual. PR professionals are used to using photography release forms and this should be continued.
Images also need to be stored in a safe and secure manner. Bear in mind that under GDPR this data is included in the right of individuals to know what data you hold on them and people can request for such data to be deleted.
In crowded situations, for example, at an event it may not be possible to get consent from everyone so consider making it clear by announcement, notice on invitations, and on-site signage that there will be photography or another image recording taking place.”
A Privacy Notice should confirm that an organisation is aware of, and operating in alignment with, the GDPR; that only necessary data is held; that it is held for the legitimate interest of doing business; that the data is secure; that it will not be shared; and that it can be amended or deleted within one month at the request of the individual data subject.
A sample given by PRII is:
“Please be advised that [photographs, video, livestreaming] will be [taken, made, taking place] at this event. These materials may be used by [name of company/companies] and included in [publications, media materials, promotional materials, digital platforms and social platforms]. If you do not wish to appear in any images captured, please contact a member of [company] staff on site. [Company] can then take appropriate steps to comply with your wishes.”
Some stories on enforcement
The GDPR and Data Protection Act provide the Data Protection Commissioner with a raft of significant powers, including investigative and corrective powers and the authority to impose administrative fines of up to €20 million or 4% of global turn over, or a maximum of €1m for state bodies. Any fines must be effective, proportionate and dissuasive. The DPC has published very detailed and comprehensive decisions which provide significant clarity on how the DPC considers imposing a fine.
The DPC, as the Lead Supervisory Authority for many of the world’s largest controllers and processors, is placed in a unique and powerful position to enforce the GDPR. However, as many of these controllers and processors are engaged in cross-border processing of personal data, the one-stop-shop mechanism often comes into play.
The mechanism means that any draft decision the DPC comes to in Ireland needs to be sent to the Concerned Supervisory Authorities in other countries, and the same is true for the equivalent of the DPC in other countries. However, there has been controversy over the fines of our Irish DPC – that they are too lenient, and we have been receiving recommendations from the EU body.
One example in Autumn 2021 is the fine imposed on WhatsApp where European regulators directed the Irish DPC to increase the fine from what was originally proposed. As a result, the DPC, Helen Dixon, has imposed a record €225 million fine on WhatsApp for “severe” breaches of privacy laws.
The breaches found by the DPC, in combination with the EU bodies, were a failure to abide by the transparency obligations placed on data controllers by the GDPR in the context of the possible sharing of personal data between WhatsApp and a variety of Facebook companies. In particular, the way in which information was provided was not adequate: the report noted that it was piecemeal and required a link through to different screens.
The DPC found that WhatsApp had failed to comply with its obligations pursuant to Article 13(1)(d) of GDPR. WhatsApp was criticised for a “very significant information deficit”, in particular that the company provided only 41 per cent of the prescribed information to users of its service and none to non-users. The impact was “particularly severe” on non-users of WhatsApp, who were denied the right to exercise control over their personal data.
Disputed and appealed by WhatsApp
WhatsApp has disputed the fine. “We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate. We will appeal this decision,” the company said. It has appealed.
It is certainly true that privacy regulators have taken a more aggressive position on enforcement. On 30 July 2021 Amazon.com Inc (AMZN.O) was fined a record €746 million for processing personal data in violation of the EU’s GDPR rules. The original complaint was that Amazon’s advertising system was not based on free consent. However, little is known about what Amazon has been fined for.
DPC Prosecutions for sending unsolicited marketing emails and contacts
Another enforcement power which the DPC has is to bring criminal prosecutions against companies who breach GDPR. It has been doing a lot of these.
One example of the type of breach is the prosecution on 7 September 2021 in the Dublin Metropolitan District Court of two prominent telecommunications companies in relation to marketing offences under S.I. 336 of 2011.
Three Ireland (Hutchison) Limited pleaded guilty to two charges of sending unsolicited marketing emails to one customer who had not consented to his email address being used by the company for marketing purposes. The complainant opted out of receiving marketing emails in mid-February 2021. When Three Ireland (Hutchison) Limited attempted to execute the opt-out request, an issue arose from two records being sent simultaneously and losing sequence, resulting in its system not being updated correctly. As a result, three further marketing emails were sent to the complainant in the following weeks. The Dublin Metropolitan District Court applied the Probation of Offenders Act in this case on the basis that the company will donate €3,000 to charity.
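The failure described in the Three Ireland case (two preference records sent at the same time and processed out of sequence, so the opt-out was lost) is a general pattern in consent handling. As an added illustration, not code from the address or from any operator's system, the following Python consent store applies preference updates in the order the customer made them (by event time) rather than the order the records happen to arrive, so a stale opt-in delivered late cannot silently reverse a newer opt-out. The record structure and sample data are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class PreferenceUpdate:
    """One marketing-preference record as it might arrive from a front-end
    or CRM (constructed sample structure, not any operator's real schema)."""
    customer_id: str
    marketing_consent: bool   # False means the customer has opted out
    event_time: int           # when the customer made the choice (e.g. epoch seconds)


@dataclass
class PreferenceRecord:
    marketing_consent: bool
    event_time: int


class ConsentStore:
    """Last-writer-wins by event time, not by arrival order.

    An older record arriving after a newer one (the 'lost sequence' scenario)
    is ignored, and when two records carry the same event time the opt-out
    prevails, so an opt-out can never be undone by a stale or racing opt-in.
    """

    def __init__(self) -> None:
        self._records: Dict[str, PreferenceRecord] = {}

    def apply(self, update: PreferenceUpdate) -> bool:
        """Apply an update; return True if it changed the stored state."""
        current = self._records.get(update.customer_id)
        if current is not None:
            if update.event_time < current.event_time:
                return False  # stale record delivered late: keep the newer decision
            if update.event_time == current.event_time and not current.marketing_consent:
                return False  # tie: the existing opt-out wins
        self._records[update.customer_id] = PreferenceRecord(
            update.marketing_consent, update.event_time)
        return True

    def may_market_to(self, customer_id: str) -> bool:
        """Fail closed: no record at all means no consent to marketing."""
        rec = self._records.get(customer_id)
        return rec is not None and rec.marketing_consent


def replay_out_of_order() -> bool:
    """Constructed scenario: opt-in at t=100 and opt-out at t=200, but the
    opt-in record is delivered after the opt-out. Returns whether marketing
    is permitted once both records have been processed (should be False)."""
    store = ConsentStore()
    store.apply(PreferenceUpdate("cust-1", False, 200))  # opt-out arrives first
    store.apply(PreferenceUpdate("cust-1", True, 100))   # stale opt-in arrives late
    return store.may_market_to("cust-1")
```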
Vodafone Ireland Limited pleaded guilty to a total of seven charges of sending unsolicited marketing text messages, emails and telephone calls without consent. One case concerned a former customer who had called Vodafone on seven separate occasions to try to opt out of receiving marketing phone calls to his mobile phone. On each occasion the agent he spoke to did not follow proper procedures, and this resulted in him not being opted out of marketing and receiving further marketing calls. The complainant closed his account with Vodafone Ireland Limited and switched to a different operator due to the marketing phone calls he received.
From these stories on enforcement, PR professionals can see that keeping in line with GDPR is very important for them and their company. While it might seem complex, the basic touchstone is to be aware of peoples’ privacy and their right to be left alone – even if a company wants to contact them. After that, if you have databases and contacts, keep them safe and secure and only accessible on a need to know basis.
Also, from the WhatsApp case we can learn that taking care of data is not enough: a company also has to communicate its policies and be transparent. Thankfully this is something that PR professionals should already be very good at.
For further advice: Clionakimber@lawlibrary.ie