Direct Selling and the new Data Protection Regime

31/05/2017

At a glance

This first article in our five-part series on direct selling focuses on GDPR and the direct selling industry. A number of GDPR provisions which apply to businesses generally will have particular implications for the direct selling industry as outlined in this article.

The EU’s General Data Protection Regulation (known as ‘GDPR’) comes into effect across the European Union in May 2018. That will include the UK regardless of the status/outcome of Brexit negotiations at that time. GDPR introduces a new data protection regime which significantly enhances the present rules which have been in place for the last 30 years.

GDPR does not contain any provisions which apply specifically to the direct selling industry, but a number of its provisions which apply to businesses generally will have particular implications for the direct selling industry.

Data Controllers and Data Processors

The current Data Protection Act (‘DPA’) regulates data controllers but not data processors. A data controller is a person who determines the purposes for which and the manner in which any personal data is to be processed, whilst a data processor processes personal data only on behalf of a data controller. The DPA regulates data processors simply by placing the obligation on to data controllers to flow down the relevant compliance requirements under the terms of their contracts with their data processors.

GDPR significantly changes this and will directly regulate data processors as well as data controllers. Data processors’ compliance requirements will include keeping a record of the categories of processing activities they carry out on behalf of a controller and notifying the controller in the event of a data breach.

Direct selling companies have traditionally taken the view that their direct sellers are data processors. So the company registers as the data controller and assumes the relevant DPA obligations whilst the direct sellers collect and process personal data about their customers and leads etc. in accordance with the company’s instructions i.e. as data processors. Some direct sellers might be a bit more autonomous than this in practice, but generally the principle has held good and the company is prepared to accept the responsibilities for that data processing for the benefit of its direct sellers.

What will happen when GDPR regulates data processors as well? How much of a burden will that place on individual direct sellers? We have some ideas as to how companies can make life easier for their direct sellers.

Extra-territorial Effect

GDPR has ‘extra-territorial effect’ which means that compliance will be required by businesses outside of the EU in certain circumstances.

A company based outside the EU will be subject to GDPR if it has an ‘establishment’ in the EU and personal data is processed in the context of the activities of that establishment. The establishment might be an obvious one such as the company’s own subsidiary or bricks and mortar premises, but it can also include a local agent or a sales office carrying out advertising and marketing activities if they are regarded as ‘inextricably linked’ to the processing of personal data.

The question for a direct selling company which does not have one of the more obvious forms of ‘establishment’ in the EU is whether the activities of its direct sellers in the UK will be regarded as inextricably linked with its processing of personal data and so bring it within the GDPR regime. This is a topic to which we have already devoted some thought.

Even where no EU presence exists, the GDPR will still apply to a business whenever (i) an EU resident’s personal data is processed in connection with goods/services offered to that person or (ii) the behaviour of individuals within the EU is “monitored”. A direct selling company operating under a remote sales model may therefore still need to comply with GDPR if it offers its products or services to EU residents. So the circumstances in which, for example, online sales made by a US direct selling company to customers from the EU will constitute ‘offering goods and services to EU residents’ will be important in determining the need for GDPR compliance.

Hands Across the Water

GDPR will regulate the transfer of personal data from the EU to a non-EU country such as the US. In principle GDPR preserves the current rules under which data may be transferred if certain conditions are met such as the use of model contracts or binding corporate rules. The consent of the data subject may be harder to obtain however because an explicit consent will be required and GDPR is generally more onerous in terms of what is meant by ‘consent’ and how it is obtained.

However, the data transfer aspects of GDPR are presently being largely overshadowed by the ramifications of the legal challenges to the transfer of personal data from the EU to the US, which have so far seen the overthrow of the ‘safe harbour’ route and its replacement by the ‘privacy shield’, and are currently questioning the legal efficacy of the use of model contracts.

Many direct selling companies transfer data from the EU to the US and the manner in which this can be achieved both at present and in the future is a key business consideration.

An Iconic View

Data Protection regulators have frequently been criticised by the business sector for what can seem like a schizophrenic approach to consent: on the one hand they want the consents being sought to be spelled out so that they are clear to the data subject; on the other hand they complain that privacy policies are too long. GDPR resolutely maintains this dichotomy! But, whilst not included within GDPR itself, there is now a proposal to introduce icons as part of a layered approach to provide data subjects with an ‘at a glance’ summary of the consents being sought.

We see the use of icons in conjunction with privacy notices as likely to be of considerable benefit to direct selling companies in obtaining data subjects’ consents particularly where the data subject is using a mobile device.

Contact the author

Jonathan Riley