Monday 20 July 2020

Data Protection: Guidance for Publishers

Guidance produced by Rachel Bradley, Partner, IP, IT & Commercial, Cambridge, Penningtons Manches Cooper LLP

Data protection has been amongst the most deliberated compliance issues of recent years.  The coming into force of the General Data Protection Regulation (“GDPR”) in May 2018 imposed additional requirements on all organisations across all sectors in Europe in relation to personal data. Academic and society publishers in the UK must be compliant with the GDPR, and also the new UK Data Protection Act 2018, in all their handling of personal data.  Personal data handled in this sector can cover a particularly broad range of data subjects – from authors, editors, and peer reviewers, to librarians and individual subscribers, employees of the publisher and business contacts at companies that provide services to the publisher.

The core requirements of the GDPR may already be familiar: an increased emphasis on transparency and security when processing personal data, a higher standard for consent, strengthened rights for data subjects and new rules regarding data breaches, as well as increased penalties for non-compliance.

Almost two years after the GDPR came into force, interpretation of some of the new requirements remains unclear. However, as more guidance and enforcement decisions are released, we do have some increased clarity on the approach being taken by regulators in a number of areas. This is therefore a good opportunity to recap on a few of the key considerations for academic and society publishers when complying with data protection and e-privacy legislation.

Cookie Banners in your Journal Websites

The requirement to use website cookie banners is nothing new. However, following the release last July of new guidance from the Information Commissioner’s Office (“ICO”), the majority of organisations should be revisiting their cookie banners (if they have not done so recently) to ensure compliance with the GDPR standard of consent.

It is not enough merely to notify website users that marketing and analytics cookies are being used and to rely on an individual’s continued use of a site as evidence of implied consent. Website operators need to request consent to use cookies and such consent must be freely given, specific and informed (unless the cookie is strictly necessary). The website script should not collect cookies until explicit consent is obtained and, for the consent to be valid, the various purposes of the cookies used must be broken down, with the user given the option to uncheck the cookies they don’t want, and check the cookies they are happy with. Only those cookies that are strictly necessary for the website (such as a cookie used to remember the items a user wishes to buy when they go to the checkout or add goods to their shopping basket) may be pre-checked. Increasingly, best practice involves the use of preference centres to give individuals a more granular level of control over their consents. The ICO also recommends that website operators carry out a “cookie audit” so as to understand the cookies their website uses, and why. Following such an audit, operators should review their mechanisms for cookie consent and their cookie policy in light of the ICO guidance.
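As an added illustration that is not part of the original guidance, the script below models the consent rules described above: only strictly necessary purposes are pre-checked, nothing is treated as consented until the user positively ticks it, cookies are loaded only when their declared purpose has consent, and a cookie audit flags anything set outside those rules. The purpose names, the cookie registry and the cookie names are constructed assumptions.

```javascript
// Added example, not the article's own code: consent-gated cookie model.
// PURPOSES and REGISTRY are constructed for illustration.
const PURPOSES = {
  necessary: { preChecked: true,  label: "Strictly necessary (e.g. shopping basket)" },
  analytics: { preChecked: false, label: "Analytics" },
  marketing: { preChecked: false, label: "Marketing" },
};

// Constructed output of a "cookie audit": each cookie the site sets,
// mapped to the single purpose it serves.
const REGISTRY = {
  basket_id: "necessary",
  _ga: "analytics",
  ad_id: "marketing",
};

// Initial banner state: only strictly necessary purposes may be pre-checked.
function defaultConsent() {
  const c = {};
  for (const [p, meta] of Object.entries(PURPOSES)) c[p] = meta.preChecked;
  return c;
}

// Record the user's explicit choices. Any purpose not positively ticked stays
// false (continued browsing is not consent); necessary is never optional.
// The timestamped record is what lets the operator demonstrate consent later.
function recordConsent(ticked, now = Date.now()) {
  const c = defaultConsent();
  for (const p of ticked) if (p in c) c[p] = true;
  c.necessary = true;
  return { choices: c, recordedAt: now };
}

// Gate: a cookie may only be set if its declared purpose has consent.
// Cookies missing from the audit registry are refused, so the audit stays accurate.
function mayLoadCookie(consent, name) {
  const purpose = REGISTRY[name];
  return purpose !== undefined && consent.choices[purpose] === true;
}

// Audit a Cookie header against the registry: report cookies that were set
// either without a declared purpose or without consent for that purpose.
function auditCookieHeader(header, consent) {
  const names = header.split(";").map((kv) => kv.trim().split("=")[0]).filter(Boolean);
  return {
    undeclared: names.filter((n) => !(n in REGISTRY)),
    unconsented: names.filter((n) => n in REGISTRY && !mayLoadCookie(consent, n)),
  };
}
```

The audit function is the piece to run periodically: a non-empty `undeclared` list means the cookie policy no longer describes what the site actually sets.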

Personal Data in the Peer Review Process

By its nature, the peer review process involves the processing of a range of personal data. As well as categories of data such as names, institution and contact details, it is worth remembering that the definition of personal data can include subjective information about an individual, such as opinions about or criticism of them or their work.

In recent years, there have been growing moves towards implementing a more transparent peer review process, with the entire process in some cases made publicly available, from the initial review to the final decision. Proponents argue that this can increase the quality of the process, whilst helping to spread best practice. However, it also raises a number of considerations from a data protection perspective.

Publishers should make sure they are transparent with authors and reviewers from the outset about how the process will operate, what information will be shared at what stage, and whether the authors/reviewers have any say in what information is published.

Privacy Policies

All publishers should now have updated their privacy policies in light of the GDPR. However, they cannot simply be stuck in a drawer (or on a website) and forgotten about. Those policies now need to be regularly reviewed and kept updated to ensure they reflect the organisation’s current practices.

If you start processing new categories of personal data, or doing something new with the personal data in your existing databases, your privacy notices need to be updated to reflect that. You also need to ensure that you have a legal basis for the processing and have considered any potential impacts on individuals’ privacy rights.

You will also need to ensure that your policies are made available to data subjects at the point their data is collected, e.g. when signing up new subscribers. Privacy policies should be layered for ease of use, and be integrated into sign-up systems and procedures, to ensure the policies are disseminated effectively. Privacy policies must be easy to find and, for example, not buried in a link which requires the data subject to scroll to the very bottom of a webpage to find it.

Data Sharing and Hosting

From cloud hosting/storage partners to subscription agents, software service suppliers and marketing firms, publishers engage a variety of third parties to process personal data on their behalf. For each such relationship, publishers need to ask a few key questions: are you authorised to share the data with the third party? Have you notified data subjects about the sharing (e.g. through your privacy policy)? Will the recipient be acting as a data controller or processor? Do you have a suitable data sharing agreement in place with the recipient?

Consideration should be given to the data protection implications before sharing personal data with a new third party, or sharing new data with an existing partner. If you are sharing personal data with a third party who wishes to rely on consent collected by you for the processing it undertakes, then such third party will have to be named in the consent request, and not just in the privacy policy.

Digital Marketing, Marketing databases and Adtech

Direct email marketing in the UK is governed by both the GDPR and the Privacy and Electronic Communications Regulations 2003 (the “e-Privacy Regs”). Although the e-Privacy Regs have been in force for a number of years, publishers can still be caught out by the broad definition of what qualifies as “direct marketing”. Even seemingly anodyne communications such as calls for submissions sent to your author database can fall within the scope of the e-Privacy Regs and may require consent. Event invitations can also be caught, as well as more traditionally “marketing” communications such as requests for individuals to subscribe to new journals or products.

Consent is needed before sending marketing emails to individuals using their private email addresses (or to sole traders or partners in unincorporated partnerships), unless the e-Privacy Regs “soft opt-in” discussed below applies. Where the e-Privacy Regs require consent, such consent must meet the GDPR standard of consent (including that the consent is a positive action from the individual, has been freely given, is specific, is well informed and is capable of verification). In cases where you are communicating with individuals at their institutional email address, you may not need prior consent to send the emails, if you are able to establish that you have a lawful basis for sending the marketing communication (such as a legitimate interest). However, organisations will need to inform data subjects about the proposed communications, and the lawful basis for sending them, in their privacy policies, and enable recipients to easily unsubscribe from the communications.

The e-Privacy Regs soft opt-in provides that organisations which do not have consent from individuals, sole traders or partners, may only send marketing emails if the individual is an existing customer who bought (or negotiated to buy) a similar product or service from that organisation in the past and that organisation gave them a simple way (which they are able to demonstrate) to opt out of the communications, both when the organisation first collected the details, and in every subsequent message sent. In most cases organisations in the publishing sector would not need to rely on this, as frequently publishers will be sending emails to business/institutional email addresses, but you may need to consider whether the “soft opt-in” could apply if you are sending emails to individual subscribers/authors/reviewers using a personal email address. Publishers have, hopefully, already reviewed and updated their marketing databases prior to the GDPR coming into force, but it is worth checking that all forms of direct marketing your organisation engages in have been considered. This is a complex area and specific advice should be sought for any particular email marketing campaign to ensure that it complies with the legal requirements.

It’s worth mentioning that discussions are ongoing in the EU about a proposed replacement of the e-Privacy Regs. The latest revised proposal was published by the EU Council in February 2020, but it is unlikely that the new regulation will be in an agreed form until 2021 at the earliest, and even then it will take at least two years before it is required to be implemented.  It is therefore unlikely that a new regulation will be forthcoming in the near future.

For publishers that rely on online advertising as a source of revenue, the GDPR raises additional issues. The ad-tech industry has come under increasing scrutiny from data protection regulators in recent years. The complex ecosystem of advertisers, platforms and intermediaries used to deliver interest-based adverts to consumers is a potential minefield when trying to demonstrate a legal basis for processing, and compliance with the obligation to process data transparently. Standards of compliance vary significantly across the industry and publishers should exercise caution (and carry out some due diligence) when selecting potential advertising partners. You should also ensure you have a suitable agreement in place, protecting your organisation against any breach of data protection legislation by the agency or their contractors. For marketing campaigns involving significant volumes of consumer data or any “bought in” data, it is recommended that you carry out a data protection impact assessment before proceeding.

COVID-19

Many organisations are putting in place exceptional measures in light of the Covid-19 pandemic to protect the health and safety of their employees and customers, while at the same time seeking to preserve business continuity. Such measures may involve collecting and processing new types of personal data and adopting new types of communication. In taking such steps, it is important that publishing organisations continue to meet their data protection obligations. The ICO has published guidance on compliance and has a dedicated hub of information on tackling data protection issues relating to the pandemic. The key message from the ICO is the importance of proportionality. Data protection laws should not hinder organisations in responding to the crisis, but they should still ensure they are processing data lawfully.

Brexit

Finally, the UK’s recent departure from the EU will also potentially have a significant impact on data protection compliance. The UK left the EU on 31 January 2020 with an agreement that provides for a transition period until 31 December 2020, during which negotiations to establish a future relationship with the EU are due to take place. What happens at the end of the transition period depends on the negotiations, but the default position is that the GDPR will be brought directly into UK law as the “UK GDPR”, to sit alongside the Data Protection Act 2018.

There are a number of practical steps organisations should take to ensure that they will be able to continue to share personal data with any business partners and contacts outside the UK in an EU country, following the end of the transition period, when the UK will become a third country from the EU perspective.

The UK government is planning on seeking an adequacy decision from the European Commission for the UK. If granted, this would mean that the UK’s data protection regime would be recognised by the European Commission as “essentially equivalent” to that of the EU. As a result, data would be able to continue to flow freely from the EU/EEA to the UK without the need for businesses or organisations to adopt any other specific measures to allow the international transfer of personal data. However, until an adequacy decision in favour of the UK is in place, UK publishing organisations that want to receive personal data from organisations/institutions established in the EU will need to engage with those EU partners to identify a legal basis for those transfers. For most businesses, the most relevant legal basis to put in place is the EU Commission’s Standard Contractual Clauses (“SCCs”). (It is important to note that, where used, SCCs must be implemented without any amendment, other than to complete the blank sections.) Towards the end of 2020, it will therefore be important to review any databases hosted elsewhere in the EU and any contracts with EU business partners.

Transfers of personal data from the UK to the EU/EEA will not be restricted after the transition period and transfers of personal data from the UK to countries outside the EEA are likely to remain similar to the pre-Brexit position. In addition, after the transition period the EU-US Privacy Shield Framework will still be available for UK personal data flows to the US. However, to take advantage of this, Privacy Shield-certified companies in the US will need to re-certify annually and also state expressly in their privacy policies their commitment to applying the Privacy Shield principles to UK personal data.

After the end of the transition period, organisations that do not have a presence in the EU or the UK but intend to offer goods and services and/or monitor individuals located in the UK and the EU/EEA respectively, may require both a UK representative under the UK GDPR and an EU/EEA representative under EU GDPR.

In summary 

Data protection has the potential to touch upon almost every aspect of a publisher’s activities. As the standard of compliance expected continues to rise, we are here to help publishers keep on top of developments. By considering data protection and building in data protection compliance whenever any new activities and systems are planned, publishers can mitigate the risks whilst at the same time improving the experience for authors, staff and customers.

Author details:  

Rachel Bradley, Partner, IP, IT & Commercial, Cambridge, Penningtons Manches Cooper LLP, Rachel.Bradley@penningtonslaw.com
