Response to the European Commission consultation on European Data Protection Legal Framework

A submission by Acxiom (ID number 02737212854-67)

Correspondence Address: Martin-Behaim-Straße 12, 63263 Neu-Isenburg, Germany

Executive Summary:

Acxiom works with a variety of customers, from leading multinationals to small and medium-sized companies, in supporting their marketing activities, making use of consumer data collected from across Europe. Based on its hands-on experience, Acxiom would like to provide the European Commission with its views relating to the working of the European Directive.

As illustrated in the case study, the challenges faced by the Directive, brought by technological advancement and globalization, are particularly noticeable when applying European Data Protection laws to complex and numerous (international) data uses and transfers.

Acxiom feels that the Directive is generally meeting the challenges well. However, there are four areas that should be addressed as they are not congruent with today’s technological and globalised reality. They are:

(1) the concept of applicable law, (2) data transfer procedures, (3) data transfer within a group of companies and (4) the lack of harmonization in implementing the Directives.

Who we are:

Acxiom provides data processing services and information products to help our clients effectively use personally identifiable information from across and outside their enterprise for marketing purposes. This includes improving the quality of the information, accurate integration of information from multiple sources, campaign management services, email deployment services and analytical services. Acxiom augments these services with socio demographic information to supplement a client’s customer information and improve insight into their business. Acxiom also provides prospect lists to help our clients grow their business.

Our clients include many of the largest companies from the banking, insurance, electronics, technology, telecommunications, retail, pharmaceutical, travel and entertainment, and transportation sectors across the globe. Acxiom’s European operation has, in addition, a significant number of small and medium sized companies in its portfolio.

Acxiom is headquartered in the US with offices in the UK, France, the Netherlands, Germany, Poland, Portugal, China, Australia and New Zealand. Acxiom processes data from over 150 countries in various locations in the US, Europe and Asia. Acxiom has about 6,000 employees worldwide. Our global annual revenue is about $1.3 billion.

Considering the size of our operation, Acxiom processes a large amount of personal data. Acxiom therefore takes privacy very seriously. Acxiom has a global privacy organization, which operates independently from the profit centers, that is actively engaged internationally in numerous privacy associations and data protection initiatives. In Europe, Acxiom has privacy officers in all countries where it is present. In addition, the privacy officers of France, the Netherlands, Poland and Germany are ‘Data Protection Officers’ as mentioned in Article 18 (2) of the Directive.

The Challenges for Personal Data Protection in the light of New Technologies and Globalization

Since the Directive was passed in 1995, there has been a significant increase in the amount of data transferred internationally. Centralization of databases to enable cost-efficient IT structures using data warehouses and sophisticated Enterprise Resource Systems, and most certainly the internet dependency of our society, have no doubt accelerated this trend. The case study in appendix 1 illustrates the processes, controls and the complexity of transferring data across numerous borders for marketing purposes. While this is an example of one company’s experience, it is representative of the information flows and challenges many organizations face in developing global business systems involving personal information.

In addition, the nature of data transfer has become complex, with multiple parties being involved in processing the data. Where organizations make use of “cloud computing,” in which numerous computers physically located in multiple jurisdictions randomly process personal data to optimize server capacity, technology may have made the term ‘national border’ an obsolete notion.

Does Current Legal Framework Meet These Challenges?

The Directive was intended to be technology-neutral and it clearly defines the principles for protecting the right to privacy of data subjects. It has also provided guidance to other international projects such as the Council of Europe Convention and the APEC Privacy Framework.

However, the following issues must be addressed to bring the Directive more closely in line with the business realities of the 21st century.

1. Applicable law: Article 4

Where a data controller is not established within Europe, it is difficult to determine which law is applicable. For instance, when data controlled by a U.S. entity is processed in Acxiom’s data centre in the UK, it is unclear whether the data should be governed by U.S. law or by UK law.

Similarly, it is unclear how data controlled by an entity in a non-European country, but processed in a facility in Europe, should be governed by the Data Protection law of the member state. This puts non-European companies off making use of European-based cloud computing services and physical facilities.

2. Data Transfer Procedure: Article 26

Arranging data transfer using Model Clauses is time consuming, not only in drawing them up but also maintaining them. Every time a new category of data is added to a data file, an addendum or a new contract is required. In the case of the attached case study, at least 45 such contracts were initially drawn up between Acxiom and our client. In addition, it takes a while to go through the approval process for such contracts. For instance, an application Acxiom submitted 3 months ago, for transferring consumer data, has not yet been approved by the Dutch authorities. Where business contracts are being closed on a daily basis, such time consuming activity is a major hindrance to economic growth.

In addition, the procedures and requirements vary from one member state to another. While the UK and Germany allow the transfer without approvals from Data Protection Authorities when using the Model Clauses, other countries such as France and Portugal require data exporters to go through a formal approval process.

Safe Harbour Certification in the United States and Binding Corporate Rules may be solutions for organizations with sufficient resources. However, for many medium and small enterprises, procuring external legal advice and financing a dedicated data protection team to obtain the necessary level of compliance is unrealistic.

3. Data transfer within a group of companies: Article 2 (f)

Since the term ‘third party’ is defined as ‘any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data,’ any transfer within the same group of companies is treated the same as a transfer to, for instance, an external service provider. The restriction also applies when all companies within the group are established in Member States.

Thus data transfers among a group of companies incur an unnecessary administrative burden with questionable added value to improving the rights or protections of data subjects. For instance, despite being present in only six countries, a small change in Acxiom’s European accounting system has required 24 contracts among the entities to be either drawn up or updated.

Similarly, treating companies within the same group of companies as ‘third party’ may not be relevant to the actual organizational structure. Acxiom has restructured and become a functionally organized company to, among other things, better respond to the way our clients operate. The adoption of a matrix structure means that a department head and its subordinates can be working for separate legal entities, usually located in different European countries. Hence, there must be a data transfer agreement in place to facilitate such processes as Acxiom’s employees’ holiday approval processes.

4. The Lack of harmonization in implementing the Directive

It is Acxiom’s observation that even when the provisions in the Directive are pragmatic and technology-neutral, the way some Member States have implemented them as local laws has resulted in unworkable consequences. For instance, Article 17 (1) of the Directive sets out that Member States shall provide that data controllers implement appropriate technical and organizational measures to protect personal data. Based on this article, Poland has implemented detailed security regulations for processing data. For instance, the Polish legislation has introduced requirements which go beyond what is envisioned in the Directive: each person having access to personal data has to be granted special authorization by the data controller/data processor, and a register of those authorizations has to be kept by the relevant entities. In addition, detailed documentation on data processing has to be drawn up and implemented by each data controller/data processor. No other member state has interpreted Article 17 (1) in this way.

These cumbersome requirements, among other things, discourage our clients both from having a corporate headquarters in Poland and from opening a data center for hosting global data warehouses there.

Another example comes from the way the ‘balance of interest’ clause, Article 7(f), has been interpreted by some countries. The revised Data Protection Act in Germany, for instance, does not provide the balance of interest clause for direct marketing purposes. As a result, a number of data suppliers are moving out of Germany to neighboring countries, and are serving their existing clients from abroad.

The third example draws on the way consent should be obtained for the use of sensitive data.

Article 8 states that the use of sensitive data requires explicit consent from the data subjects. As a supplier of marketing data, Acxiom collects, for instance, information on smoking and alcohol consumption through online surveys. In an aggregated non-personal form, such information can be used by our clients to devise effective marketing campaigns and/or determine where to open a new retail outlet. Unlike in Germany, France, the UK or the Netherlands, explicit consent can only be collected off-line in Poland, making it almost impossible to collect what may be low-risk non-discriminatory information online. For this reason, Acxiom’s Polish operation is still forced to rely on paper-based surveys, which are expensive and have the tendency to attract a disproportionately large number of respondents from the 60 plus age group. Acxiom is not convinced that the right to privacy is better served by paper surveys with hand-written signatures that are later digitalized for further processing, compared to online questionnaires.

Acxiom hopes that the European Commission will consider its comments on the Directive based on both Acxiom’s pro-active involvement in data protection initiatives across Europe and our practical experience.

Acxiom is open to sharing more insights into how the legal framework of data protection in Europe affects our daily business and that of our clients, to help ensure better protection of personal data in the future.

Appendix 1: Case Study

The project involved consolidating personal information for a client from many locations across the world then allowing the centralized information to be used by the marketing departments in various client locations to increase sales.

The client was a multinational firm headquartered in Europe with over 100 offices in 80 countries. The project was conducted for one division who had historically sold exclusively through retailers, but had moved to selling directly to the consumer via their own web portals.

Through an aggressive acquisition effort, the client had acquired numerous brands around the world.

These brands operated autonomously in various geographies and needed to retain the local brand recognition. They each had their own Customer Relationship Management (CRM) system with varying degrees of information and sophistication. Each had different types of customer data which varied greatly in both quality and coverage.

The company wanted to standardize and upgrade the CRM systems used across all brands and geographies to drive additional revenue and reduce the cost of maintaining multiple systems. This meant centralizing their global marketing activities.

To achieve these objectives the client created a centralized global marketing system housed at Acxiom in the U.S. which consisted of three global marketing databases maintaining all customer and prospect data.

For customers, the database included all offline and online warranty registration data, online purchase data, and consumer contact and demographic data from joint promotional activities with partners. For prospects, the database included third party lists from Acxiom and other list brokers with contact and socio demographic information.

Both databases were enhanced with additional geographic level socio demographic data purchased from Acxiom and other providers and, where permitted by law, with marketing contact and intelligence data at an individual and household level purchased from Acxiom and other providers.

The global marketing system also included a preference/suppression database. This included preferences expressed by consumers to opt-out or opt-in to various promotions and suppression names the client did not want to market. For example, it included names from the U.S. Federal Trade Commission’s Do-Not-Call Registry.

In planning marketing campaigns, marketers in the client’s offices from around the world would submit queries to their third party analytics vendor located in India. This vendor would then access the client’s central marketing system and perform the requested analysis, sending the results back to the marketer.

Because of compliance issues in Europe, the vendor could not access personally identifiable information, so instead they were provided anonymized data by the global marketing system. If the analysis produced favorable results, they would then be used to execute a promotional campaign via mail, telemarketing, or email.

The client outsourced to Acxiom’s U.S. office the broadcast of promotional email messages from the global marketing system which needed to comply with all Spam laws in the various countries where these messages were sent.

To illustrate a typical promotional process and the associated information flows: a marketer in Spain would use the criteria developed by the analytics vendor in India to select a list of customers from the global marketing system in the US, which would be transferred to their call center in Mexico for execution of a telemarketing campaign to consumers back in Spain. Results from the telemarketing effort executed from Mexico would then be fed back to the US to update the information in the global marketing system.

Another example includes a promotional effort involving a pan-European email campaign which begins with the email addresses being captured by Acxiom through a consumer survey and permissioned for use by a third party. This involves providing an opt-out in some geographies, like the US, and an opt-in in other areas, like Europe. The email addresses are then appended to the client’s global marketing database. A marketer, in say the UK, can then use criteria developed by the analytics vendor in India to select a list of European customers from the global marketing system in the US. This list would then be transferred to Acxiom’s email deployment solution in the US. The email message would be prepared in the local language for each country. All client opt-outs would be purged from the campaign. The emails would then be sent to consumers across Europe. Hard and soft bounces would be recorded by the email deployment system and the results would be fed back into the global marketing system in the US.

The global marketing system housed records on some 10 million consumers. It supported hundreds of campaigns on an annual basis. It was updated daily by hundreds of thousands of transactions.

While Acxiom was a primary service provider, there were other service providers located in various places around the world. Contracts were executed between the client and all service providers clearly stipulating each party’s roles and responsibilities.

The following figure provides an overview of the kinds of data flows required to support such a global marketing system.

Because of the global nature of this project, and the number of countries and local laws that had to be respected, the privacy and compliance departments from each client office and each Acxiom office around the world were involved.

Managing compliance after a centralized system is put in place is always easier than during the initial creation of such a system because, as is often the case, the origin of much of the source data can be difficult to trace. Legacy systems do not always accurately reflect the origin of the data. This can be further complicated when data has already crossed several borders. For example purchases made by a customer in Australia may have been made on a Malaysian website and transferred to the US for fulfillment of the order.

With hundreds of sources contributing information from dozens of countries, it is necessary to map each source and flow to assure all the proper notices and permissions were granted. For any global system it is critical that there be a means of maintaining all origination and transfer intelligence accurately over time.

Security was a major consideration of the project. Acxiom uses secure data processing centers in various locations to process all client data which are routinely audited both by Acxiom and our clients. Regular upgrades to system security are made as technologies change and as new vulnerabilities are discovered. This is the responsibility of Acxiom’s Chief Security Officer and his team. Sensitive data must be transmitted in an encrypted manner. Access to all systems is controlled on a user by user basis as defined by the client and Acxiom. The information was transmitted between the client and Acxiom over a private leased network, not the Internet.

Implementing and sustaining a global business system requires a variety of expertise and a tremendous amount of coordination between the vendor and the client. The scenario described in this case study, while one of the more complex when it comes to the movement of data across borders, is representative of where most large global companies are moving. The need to have expertise centralized in as few locations as possible, to have one system to maintain and support, to leverage the capabilities from more sophisticated offices to less sophisticated ones, to have confidence in the vendors a company uses, to rely on outside experts in areas where the company is lacking, is a common need.

Both Acxiom and the client are working with regulators across the world to help them understand that these kinds of systems can be developed in a manner which protects consumer privacy and allows a company to take advantage of the opportunities that a global business system provides.
