The UPU makes it harder for postal services to sell personal data
At its 25th Congress in Doha in October 2012, the UPU adopted a new personal data protection compliance framework. Adherence to this framework is compulsory for all postal service providers who are designated by a Member State of the Universal Postal Union to fulfil the universal service obligation.
The 25th UPU Congress made it clear:
The global postal network defines personal data as the information needed to identify a postal service user.
The UPU’s data protection compliance framework on personal data conforms to the definitions given in international and regional regulations on the handling of personal data, and adapts them to the postal context.
In terms of the current postal delivery business model, personal data is primarily the information needed to identify the sender and recipient of a postal item (name and physical postal address/delivery point).
The new Article 11bis of the UPU Convention, which came into force on 1 January 2014, states that personal data on users may be deployed only for the purposes for which it was gathered, and must abide by national data protection legislation. This brings data protection compliance regulations on personal data by postal services into line with international and European Community legislation.
As data is currently processed in accordance with the legislation of the country in which it was gathered, the methods of collecting and processing data may vary. Therefore Article 11bis states that:
Where data may enable third parties to identify the postal user directly or indirectly, postal services may only transfer this data where national legislation authorizes them to do so.
The UPU Convention has made clear that this new postal data protection compliance is a fundamental cornerstone of the postal service provision, and stresses the confidentiality, protection & security of personal data.
Essentially, no change here.
However, this effectively pulls the rug out from beneath the address and list broker industry.
Given the clear and specific declaration that a postal service user’s personal data may be employed only for the purposes for which it was gathered (i.e. for delivering a mail piece), any list privileges, list brokerage, or the reselling of address data which enables third parties to directly or indirectly identify postal services users is, by definition, prohibited.
This is referred to as "purpose limitation".
Where postal services want to continue using their customers’ personal data in this way, a hard "opt-in" is required – postal users must give their express permission for their personal data to be used, after having been fully informed about the exact use that will be made of their data.
Any other use - a contrario - is prohibited. It is easy to imagine that, particularly where there is no financial inducement to the postal user, hard opt-in rates will be negligible.
The European direct marketing business model, however, runs counter to this model of data protection compliance.
Data is currently used to identify postal users from address lists, from traceable and trackable data provided via the Internet, and by cross-referencing and data mining activities to identify customer interests.
All this falls outside the definition of postal data protection compliance and clear purpose limitation. Postal services will be required to clearly separate themselves from these activities.
Fig.1: Data Selling in Germany - the major players in today's data market. (German article on data selling here.)
The Universal Postal Union, a special UN body dedicated to the global postal network and serving the needs of governments and their designated operators, has clearly understood the importance of focusing on the paradigm of trust in global postal service provision.
Traditionally providing a document-based global communications network, the UPU is currently shifting its activities into the digital realm with the introduction of its own top level domain, .post.
The new data protection compliance framework is part of this move, providing the basis upon which the UPU hopes to establish posts as trusted mediators within a digital communications ecosystem. The data protection compliance framework is a clear and forward-thinking regulation and supports this development.