Debate: Can Industry co-regulation offer greater consumer protection than Information Commissioner fines?

by Bryndley Walker, PR Executive at CIM

On 25^th of October, The Chartered Institute of Marketing (CIM) along with the Advertising Association (AA) the Data and Marketing Commission (DMC) and the Data and Marketing Association (DMA) came together along with a host of other leading marketing and advertising professionals and students to discuss data privacy, legislation and whether industry co-regulation was able to offer greater consumer protection than fines levied out by the Information Commissioner. The debate took place in the heart of Parliament infront of 100+ marketing professionals, members of the press and leading figures from across industry.

The motion

The motion set before the house was: “Industry co-regulation will protect consumers more than an Information Commissioner fine ever could”. Arguing in favour of the motion was Amerdeep Somal, Chief Commissioner of the Data and Marketing Commission who began proceedings by asserting that self-regulation does not negate the need for government regulation - the debate was not about whether independent or government regulation ought to exist, but whether, in a functioning market, self-regulation is ideal for the most part.

Somal noted that co-regulation involves both industry and government developing, administering and enforcing a solution, with the industry buying into the arrangements because they want to be part of the solution, including having a say in how members are punished. Continuing, Somal noted that in the sphere of data protection we still live in a global ‘Wild West’, and that policy, laws and government regulation is needed to ensure basic protections, particularly when trading between jurisdictions, for example data adequacy agreements.

In her closing remarks, Somal argued that regulators are part of the solution, but they are not the solution on their own. There were certainly more things the industry could do to clean itself up, raise standards and improve the industry’s image, but experience showed that it's those that don't play by the rules that tarnish the reputation of the industry as a whole.

In opposition:

Opposing the motion, Fedelma Good, PwC’s Data Protection Strategy, Law and Compliance Services Director, asserted that Industry co-regulation would never protect customers more than the Information Commissioner issuing fines ever could because of three key issues: the inherent limits of industry co-regulation; the effectiveness of the Information Commissioner’s Office (ICO) fining regime; and the unsatisfactory outcome of industry co-regulation on the consumer in today’s global digital world.

Looking at the limits of industry co-regulation, Good stressed that accountability was one of the central tenets of the GDPR as seen in its support for codes of conduct. The GDPR allows and indeed encourages the drawing up of codes of conduct for approval by the appropriate regulatory body - the ICO. Companies that sign up must then be supervised by independent monitoring bodies. This is the co-regulatory approach where the private sector draws up the rules, and the public sector (via the data protection authorities) verifies and approves them.

In closing, Good asserted that Data Protection Law is designed to protect individuals, but industry co-regulation can never fully achieve this. Ensuring ongoing faith in an increasingly digital environment would require the most effective form of regulation, and that is the fining regime of the Information Commissioner and collaboration across global markets.

Seconding the motion

Gilbert Hill, Chief Strategy Officer at Pool Data started by stating that despite the rumours, privacy was not dead. He cited a recent DMA survey that consumers are more interested than ever in what happens to their data and noted that the only project to see all the judges of Dragons Den fighting to invest was for a privacy-centric marketing start-up. 

Looking towards a new deal, Hill recognised that consumers don’t want to give up all the benefits of technology and the data economy, which is why we need regulators who focus on the consumer benefits of allowing use of their data, rather than compliance obligations. Here Hill cited brands like IKEA, Superdrug, Unilever and Apple that have made respect for data a key part of their marketing strategy.

Trust is a hugely valuable asset and by moving the conversation beyond compliance to trust, he felt that doing the right thing by data becomes part of customer service. This would enable call-centre operatives to be accountable and proactively answer consumers’ questions around ‘where did you get my data’. For hill, this moved beyond the wordy 99 articles of GDPR which only a few understand to a shared code which can be understood by consumers, marketing practitioners and developers who use data in tech. 

Seconding for the opposition

Chris Combemale, CEO of the Data & Marketing Association, acknowledged that he is known as the industry’s leading advocate of co-regulation. He had spent the past four years developing and gaining approval of Direct Marketing Industry Codes of Conduct in Austria, Poland, Italy, Germany, Luxembourg and the UK, working with the DMC as the industry monitoring body.

Combemale cited one data provider complaining that 70% of their sales manpower was spent persuading customers that their data was compliant and safe to use. He calculated that the consequential effect on GDP would be huge because £1 spent on marketing generates £6 of GDP.

He finally reminded the house that according to the GDPR, the protection of privacy is a fundamental right, not an absolute right, and therefore must be balanced with other fundamental rights such as the right to conduct a business—for which finding customers is fundamental.

To Combemale, what will give companies (and lawyers) more confidence in a Code of Conduct than the DMA’s current guidance is that the Code of Conduct will have the full authority of the regulator.

Thoughts from CIM

James Delves, CIM’s Head of PR and External Engagement present at the debate felt that it was tightly fought between both sides. Whilst there were some compelling arguments for the case of industry co-regulation, in the end, it seems as though whilst not perfect, the current model is the best option that the industry has. A system of co-regulation is unfortunately open to exploitation, and as such, a regulatory body is a more certain method of protection for consumers. The data economy is a vast ecosystem and as it develops further (and consumers become more aware of their rights in relation to data) businesses will be increasingly reliant upon the trust of their consumers. For this to occur, it’s essential that members of the public feel that they have recourse to challenge bad actors and a regulatory body which is looking out for their best interests.

Result: After much discussion and arguments from both sides, the house voted and the motion was defeated.

Key takeaways

• Whilst co-regulation may form part of the solution to this issue, it alone is not enough to ensure the protection of customers data.

• The primary reasons for this are: the limits of industry co-regulation; the effectiveness of the Information Commissioner’s Office (ICO) fining regime; and the unsatisfactory outcome of industry co-regulation.

• Consumers want to be able to make the most of the emerging technology and the data economy, which is why we need regulators who focus on the consumer benefits of allowing use of their data.

• Consumers need an effective regulatory process to ensure that their rights are delivered.