If I use CM, am I technically flouting data laws? A rival solution is suggesting that because I'm in the EU, and sending emails to recipients in the EU, legally i have to use an EU-based ESP. Whaddayathinkothat?
He said this:
In terms of EU Marketing and data protection, you may wish to check out the laws I was referring to and which are set out in the Direct Marketing Association (DMA) web-site – www.dma.org.uk
Further details can be found at www.dma.org.uk. Our Director sits on the Board of Directors of the Email Marketing Council, (details at http://www.email.dma.org.uk/content/home.asp?h=0).
According the Data Protection Act published by the European Commission in 2002, where data protection laws are "inadequate" (The U.S.) the sender must transfer from an overseas data processor to one based within the EU and subject to EU laws.
Some e-marketers have been seen to disregard the penalties for non-compliance, as to date there have only been a very limited number of cases in UK courts. However it is imperative to remember that although there have been very few cases so far, it will certainly not remain this way for long. Indeed, the UK is currently the only European country not to have experienced a significant case of non-compliance, and it is unlikely to remain this way.
With that in mind, here are a number of reasons why you must comply:
£50,000 maximum fine under the "persistent abuse of telecoms system" provisions of Communications Act 2003
10 years maximum imprisonment or a £5,000 fine under the Computer Misuse Act
£5,000 maximum fine under the Data Protection Act (per record)
Unlimited damages awards in the civil courts
Hey Tim, that's a really interesting one there. While other people may be able to give you a better response from a legal perspective, I can confirm we have thousands of customers in the UK alone, and many more across Europe that use us without any problems at all. We have a rock solid privacy and anti-spam policy. I'd be asking for real-world examples for any penalties imposed on a UK business before, otherwise it's all smoke and mirrors.
Just as a followup - here are the frequently asked questions for the Data Protection Act.
Just thought I'd give a followup on research I've done into this, as it's a point I've some concern on myself.
According to DMA's site:
"Individual prior consent must be obtained unless there is another lawful basis for the transfer i.e.:
*the transferee country has been designated by the European Commission as having an "adequate" level of data protection. Please see the up to date list at:
*the transfer is made under a "Safe Harbour" arrangement as set up in the US where individual companies sign up to work under a self regulatory system based on EU operating guidelines. However, the US Safe Harbour Scheme doesn't currently apply to all sectors e.g. US financial services organisations cannot join;
*the transfer is necessary for the performance of a contract between the individual and the Data User or for the implementation of pre-contractual measures taken in response to a request from the individual;
*a written, signed contract exists between the Data User and the recipient of the data ensuring an adequate level of data protection."
Hope this is of help!
That's our understanding too Stormy.
this is my first post on the forum so I would just like to congratulate you on a great product, I hope to be using MailBuild and Campaign Monitor in the UK shortly :)
However, this post is rather alarming; I've been working through the various issues with using MB/CM and the UK/EU data protection laws are not to be taken lightly. I know there must be many thousands of UK businesses that flout the laws everyday, but is that a reason to avoid ensuring compliance?
I checked out the legislation FAQ from the above link.
I'd like to quote Question 12 : Does the Act apply to overseas companies and call centres?
The UK company is required to ensure that the overseas processing company complies with the UK Data Protection Act.
Is this assurance covered by you in the terms/contract somewhere? If not, can it be? I need some legal proof I have done my bit as a UK company. Have you investigated a "Safe Harbour" arrangement (not sure what that is exactly), would it be a good idea or legally necessary?
This would then make me feel far more confident from a legal standpoint and when clients ask if their data is safe. I can inform them that I have indeed done all I can do to ensure it's safety.
On the penalities quoted above I wouldn't want to find out that the smoke and mirrors are actually real.
I'm looking to really push MB/CM with targets of several hundred users so this is an important point.
Once again great product, I hope you can assuage my concerns?
As an Australian company we cannot be part of the Safe Harbour agreements, which are only between specific countries.
So could you set up an EU based server so that you comply with the law and not just the spirit of the law? That must be a shrewd business move....
Edit: I think it's possible to state on your (e.g. the site of the UK entity) that use of the site is subject to acceptance that data is transferred overseas.
Edit 2: <Groan> Post in haste repent at leisure. What I meant was this:
..... so that your EU clients can comply with the law and not just the spirit of the law?
I don't think it is true to say we are only complying with "the spirit of the law" here. As long as we have an adequate level of data protection, then we are covered by the law.
From Campaign Monitor's company perspective there is no issue with being covered by the law as (as far as I can tell) as CM is not an EU based company the laws that pertain in the EU for EU based companies are wholly irrelevant to CM.
This issue is that *clients* of CM who are based in the EU are affected by the EU legislation and (with the exception of the US Safe Harbor scheme) transfers of data overseas e.g. to/from a none EU based server breaches the legislation.
Matching the EU requirements, but in another jurisdiction, does not meet the requirements and leaves all of your EU clients at risk of prosecution (no matter how rigorous CM standards are).
I would welcome some comments from EU based subscribers to this thread. What do you think?
The law is saying that people who are storing data (our customers, and their clients) need to select a place to store that data which meets the laws requirements (even if it is outside of the EU). That is the obligation they are under.
So the laws don't apply to Campaign Monitor directly, but as a location that people store their data, Campaign Monitor meets the requirements of the data protection rules for people who are in the EU.
Having said that, we would always say any of our customers should get their own legal advice regarding their specific situations.
Individual legal advice: Agreed.
Just been doing some additional research. I'm pretty confident that the position set out above is the strict legal position.
However, and this is GOOD NEWS I've just encountered some additional guidance that suggests that there is sufficient wriggle room to use Campaign Monitor without fear of prosecution.
Essential reading for EU based users of Campaign Monitor (pdf File). Page 6 is of particular interest.
That's very helpful, and provides much the same information as provided by Stormy above, and referred to in my replies. "When selecting a processor you need to satisfy yourself that it is reliable and has appropriate security in place." for example.
This is really interesting and something that I've been considering for a while, but not really paid proper attention to...
Re. that post from the govt website it appears to me that there could be data storage issue:
Company A in the UK sends its customer list to company B outside the EEA so that company B, acting as a processor, can send a mailing to company A’s customers. It is likely that adequate protection exists if: - the information transferred is only names and addresses; - there is nothing particularly sensitive about company A’s line of business; - the names and addresses are for one-time use and must be returned or destroyed within a short timescale; - company A knows company B is reliable; and - there is a contract between them governing how the information will be used.
It's the third point that worries me - CM and MB are storing the names and addresses and they're not returned or destroyed. Also, people may be storing more than just names and addresses using the custom field functionality.
As always, you would definitely need to seek your own legal advice as to your obligations depending on what you are storing- we do keep records obviously, although they are not accessed by anyone else of course.
This site http://www.out-law.com/page-8170 has a lot of information about moving data overseas, I am still going through it at the moment but it does cover a lot of the points raised here.
has this ever been resolved?
It still stands as previously. Our understanding of the law is that as we exceed the privacy and security requirements set forth under the law and it's fine (which is what many of our customers have found), but we strongly recommend that everyone speak to their own legal counsel for information on their own specific situation.
Thanks Diana! My understanding is that at a minimum I will have to notify subscribers that their info is being stored outside the EU which should be straightforward in a double opt-in confirmation mail. In that email I would also like to link to your anti-spam and privacy policies. I just checked them out and found them to be B2B-facing (talking to the campaigner). Not exactly something you would want to give your end-user to read. Is there anything that is more end-consumer-facing?
No, you'd really want to have that information on your own site - ours obviously has to refer to Campaign Monitor as a company, since that's the legal entity here.
You as the person collecting the emails could have your own agreement with the person submitting the email, so it would make sense for you to give them your own explanation.