Will the EU’s new privacy law restrict the use of A.I.?
2017 is the breakout year for Artificial Intelligence (A.I.) in digital marketing
By combining data from multiple sources and having them analysed by A.I., a wealth of information becomes available, which makes it much easier to send highly personalised emails.
This benefits consumers because they only receive information and offers of interest to them. Imagine an airline like Air France/KLM, flying to 599 destinations, being able to tailor offers to an individual based on past bookings and favourite holidays. Or a large web shop like Wehkamp, with over 180,000 articles on offer, being able to pick just those of interest to a specific client for a personal newsletter.
Helpful or annoying
While Artificial Intelligence allows email marketers to take relevance to the next level, it can also go too far when personal data are collected and combined from many different sources.
What if what you pay for car insurance is influenced by your online behaviour (looking for auto repair shops or information about traffic fines) or your social media posts (here’s a selfie of me with my dented car)? What is in the interest of the insurance company is probably undesirable from the client’s point of view.
A factor that could seriously affect the use of A.I. in marketing is the EU’s new privacy law, the General Data Protection Regulation (GDPR), which applies from May 25, 2018. The legislation is intended to be future-proof for the digital age.
Why a General Data Protection Regulation?
At the moment, every member state of the European Union has its own privacy law. These national laws all implement an EU directive from 1995 (the Data Protection Directive, 95/46/EC). At that time the EU had 15 members (in 2017 there are, still, 28). Cast your mind back: 1995 was the year Sony launched the PlayStation in Europe, Star Trek: Voyager premiered on American TV and the DVD format was announced. Only 0.6% of the world’s population had internet access (by 2014 this had risen to 39%, and it has exploded since the smartphone became the norm).
For companies doing business across several member states, complying with a different privacy law in each one takes a lot of research time and may incur extra legal costs. With the GDPR, one regulation that applies directly in every member state, the EU aims to simplify privacy law for businesses and at the same time better protect its citizens’ privacy.
What’s covered in the GDPR?
What are personal data? Under the GDPR, personal data are any information relating to an identified or identifiable natural person. Identification need not be by name: identifiers such as a customer ID, email address, telephone number, online nickname, IP address or MAC address count as personal data when they can be linked to a person, so most of what a marketing database holds is in scope.
Citizens’ rights: Data subjects have rights over their data: the right of access (to see what an organisation or service provider holds about them), rectification and completion of inaccurate or incomplete data, and erasure (the ‘right to be forgotten’). Included in these rights is data portability: a person can ask to receive the data they provided in a structured, commonly used and machine-readable format, in order to move it to a different organisation or service provider.
Consent: Consent must be given by a clear affirmative action (such as clicking a link or ticking an empty box); silence, inactivity or a pre-ticked box does not count. Consent must be specific: every distinct purpose needs its own consent, and it can be withdrawn at any time. For online services offered directly to children under 16, the consent of the holder of parental responsibility is needed (member states may lower this age to 13).
Liability: Processors, the third parties that handle data on behalf of a controller, can also be held liable in the case of a data breach. It is therefore necessary to draw up a solid data processing agreement with every party concerned.
Points of action
Every organisation that collects and processes personal data has to be able to demonstrate that it complies with the GDPR (the accountability principle). This calls for careful record-keeping. From May 25, 2018, fines of up to 20 million euro or 4% of worldwide annual turnover, whichever is higher, can be imposed for infringements. If you are a marketer or a data processor, the following points may need your urgent attention:
DPO and DPIA: Organisations that collect and/or process data may need to appoint a Data Protection Officer (DPO); this is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data. For high-risk processing, such as large-scale profiling, a Data Protection Impact Assessment (DPIA, also known as a Privacy Impact Assessment or PIA) is required before the processing starts, and it is a good idea for any sizeable project.
Mandatory notification of data breaches: Under the GDPR, a data breach has to be reported to the supervisory authority, in the Netherlands the Autoriteit Persoonsgegevens, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. If the risk to them is high, they must be informed as well. In the Netherlands a breach notification duty has already been in force since January 2016.
Documentation, Privacy by Design and Privacy by Default: Opt-ins need to be meticulously recorded: who consented, to what, when and how. All data processing systems need to be set up according to these principles. Only data relevant to the intended purpose may be collected, and default settings must be designed with privacy in mind (pre-ticked boxes are not allowed). Each distinct use of personal data needs its own opt-in. Opting out must be as easy as opting in.
Data processing agreement: Controller and processor must enter into a written agreement that defines the purpose of the data processing, the nature of the data to be processed, who has access to the data, the security measures, audits, the use of sub-processors, and the return or destruction of the data after processing.
Record of Data Processing Activities: Under the GDPR, keeping a written record of all data processing activities is mandatory for both controller and processor (Article 30). Organisations with fewer than 250 employees are exempt only if their processing is occasional, low-risk and involves no sensitive data, so the exemption rarely applies to ongoing marketing.
To help you prepare for the GDPR, we have compiled a handy checklist, which you can download as a PDF.
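The opt-in administration point above translates directly into a data model. The following Python is an example added here, not code from the original article or from any marketing platform it mentions: a small consent ledger that records one opt-in per purpose, refuses an opt-in without evidence of an affirmative action (so nothing is consented to by default), lets a later withdrawal override an earlier opt-in, filters a campaign's recipients per purpose, and exports a subject's consent history in a machine-readable form. The purpose names, customers and in-memory store are constructed for illustration; a real system would persist the ledger and protect it as personal data in its own right.

```python
"""Per-purpose consent ledger (added example; assumptions noted in comments)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed purpose names: each is a separate processing purpose with its own opt-in.
PURPOSES = frozenset({"newsletter", "personalised_offers", "profiling"})


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool       # True = opt-in, False = withdrawal
    at: datetime        # when the person acted (UTC)
    source: str         # where: e.g. "signup_form", "unsubscribe_link"
    evidence: str       # the affirmative action itself, e.g. "ticked empty box"


@dataclass
class DataSubject:
    subject_id: str
    email: str
    events: list = field(default_factory=list)


class ConsentLedger:
    """Append-only record of opt-ins and opt-outs, one purpose at a time."""

    def __init__(self):
        self._subjects = {}

    def register(self, subject_id, email):
        # Privacy by default: a new subject starts with no consent for anything.
        self._subjects[subject_id] = DataSubject(subject_id, email)

    def record(self, subject_id, purpose, granted, source, evidence, at=None):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        if granted and not evidence:
            # An opt-in must be backed by an affirmative act; silence or a
            # pre-ticked box is no evidence and is refused outright.
            raise ValueError("opt-in requires evidence of an affirmative action")
        event = ConsentEvent(purpose, granted, at or datetime.now(timezone.utc),
                             source, evidence)
        self._subjects[subject_id].events.append(event)
        return event

    def has_consent(self, subject_id, purpose):
        # The most recent event for this purpose decides, so a withdrawal
        # always overrides an earlier opt-in. No event at all means no consent.
        latest = None
        for event in self._subjects[subject_id].events:
            if event.purpose == purpose and (latest is None or event.at >= latest.at):
                latest = event
        return latest is not None and latest.granted

    def recipients_for(self, purpose):
        """Addresses a campaign for `purpose` may go to; checked per purpose."""
        return sorted(s.email for s in self._subjects.values()
                      if self.has_consent(s.subject_id, purpose))

    def export(self, subject_id):
        """Machine-readable consent history, for an access or portability request."""
        s = self._subjects[subject_id]
        return {
            "subject_id": s.subject_id,
            "email": s.email,
            "consents": [
                {"purpose": e.purpose, "granted": e.granted, "at": e.at.isoformat(),
                 "source": e.source, "evidence": e.evidence}
                for e in s.events
            ],
        }


def build_demo_ledger():
    """Constructed sample data: two customers, one of whom later withdraws."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    ledger.register("c1", "alice@example.com")
    ledger.register("c2", "bob@example.com")
    ledger.record("c1", "newsletter", True, "signup_form",
                  "ticked empty 'send me the newsletter' box", t0)
    ledger.record("c2", "newsletter", True, "signup_form",
                  "ticked empty 'send me the newsletter' box", t0)
    ledger.record("c2", "personalised_offers", True, "account_settings",
                  "switched on 'personalised offers'", t0 + timedelta(days=1))
    # Opting out is as easy as opting in: one click on the unsubscribe link.
    ledger.record("c2", "newsletter", False, "unsubscribe_link",
                  "clicked one-click unsubscribe", t0 + timedelta(days=3))
    return ledger


if __name__ == "__main__":
    demo = build_demo_ledger()
    for purpose in sorted(PURPOSES):
        print(purpose, "->", demo.recipients_for(purpose))
    print(demo.export("c2"))
```

Running the script lists, per purpose, only the addresses that currently hold consent for that purpose; Bob drops out of the newsletter after his withdrawal but stays in the personalised-offers list, because each purpose is consented to separately. The `evidence` field is what you would show a supervisory authority when asked to prove an opt-in.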
Can digital marketers rely on their marketing automation platforms to abide by the law? Can self-learning Artificial Intelligence be contained, or will it develop independently and take a path we cannot follow? We may have to wait for the first sanctions and court cases to find out. The only thing the marketing industry can do is make sure it is prepared for the new law. If you haven’t started yet, you might be in trouble. You may need to update the way you collect opt-ins and opt-outs and the way you record them. The demand for Data Protection Officers is also expected to far exceed the number of qualified candidates available.
But what about personal responsibility?
In our opinion, consumers also have a personal responsibility to be careful with their data. Your mobile phone, thermostat, TV, even your washing machine is connected to the internet, and you pay a price for that convenience by sharing data through these and other smart devices.
In the past couple of years, producers and consumers have been investing in developing and buying smart products. (Unfortunately, hackers are also starting to explore the possibilities of the Internet of Things.) It might be a good idea for the EU to organise a campaign to raise consumers’ awareness about managing their personal data, ahead of the implementation of the new law.
Anja Bart and Pim van den Boogaard
This article has been updated on August 14, 2017, to reflect recent media reports
White & Case, an international law firm, has compiled an extensive dossier on the GDPR.
Autoriteit Persoonsgegevens (the Dutch Authority for the Protection of Personal Data)