Providing data subjects with meaningful information regarding the processing of their personal data and their rights with respect to such processing is an axiom of privacy law—and a key requirement under the General Data Protection Regulation (GDPR).
The significance of this principle of transparency was recently highlighted by the European Court of Human Rights (ECHR) in Bărbulescu v. Romania where the court affirmed an employee’s right to privacy when using communications tools in the workplace due, in part, to the employer’s failure to provide adequate notice regarding its internet monitoring activities. This post briefly discusses the principle of transparency under GDPR and its application to the Bărbulescu case.
Transparency under GDPR
Transparency dictates the minimum information that must be provided to data subjects in order to fairly and lawfully process their personal data; establishes the purposes for which personal data may be processed; and provides standards for obtaining data subject consent, among other things.
First, like the current EU Directive, GDPR prescribes minimum information that controllers must provide to data subjects regarding the processing of their personal data in order for such processing to be fair and lawful. This includes, but is not limited to, providing data subjects with notice of the following:
- purposes of processing and legal basis for processing. Notably, when the legal basis is the controller’s “legitimate interest,” the notice must identify the legitimate interest(s) pursued.
- details regarding any data transfers outside the EU, including the transfer mechanism used (e.g., model clauses, Privacy Shield, etc.)
- retention period for the data and if not possible, then the criteria used to establish such period
- data subject’s access right, right of data portability, right of rectification, right of erasure, right to restrict processing, right to object to processing—and if the processing is based on consent, right to withdraw consent. In addition, the notice must provide instructions on how data subjects can exercise these rights.
- whether there is a statutory or contractual requirement to provide the data and the consequences of not providing the data
- any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data is processed
The exact information to be provided and the timing requirements for providing notice and other communications to data subjects depends, in part, on the processing activity at issue, whether the personal data is collected directly from data subjects, and the rights (if any) being exercised by data subjects.
Second, transparency establishes the purposes for which personal data may be processed by a controller. Pursuant to the purpose limitation principle, personal data must be collected for “specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.” Accordingly, once a controller provides notice to data subjects of the purpose of processing, the controller is not allowed to process the personal data for any new, incompatible purpose (unless the controller obtains consent from data subjects to process personal data for such new purpose).
Lastly, transparency is inextricably linked to data subject consent. For consent to be valid, data subjects must be informed about the processing of personal data to which they are agreeing. A declaration of consent presented to a data subject should be in an “intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms.” If the controller includes other information in a consent form (e.g., terms of service), the request for consent must be “presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.”
In any event, controllers are required to provide all information and communications to data subjects in a concise, transparent, intelligible, and easily accessible manner, using clear and plain language. Where appropriate, visualization through standardized icons should be used.
In Bărbulescu, an employee was terminated after his employer checked chat logs from the employee’s professional Yahoo Messenger account and discovered that the employee had used the services for personal and professional communications, including discussions regarding the employee’s sexual health. The Romanian courts sided with the employer and the employee subsequently appealed to the ECHR, arguing that the lower courts did not properly weigh his right to privacy against the employer’s right to monitor employee activities in order to enforce its policies.
On September 5, the ECHR ruled in favor of the employee based, in part, on its finding that the Romanian courts had failed to determine whether the employee had received prior notice from his employer of the possibility that his communications might be monitored, and had not addressed the fact that the employee was never informed of the nature or the extent of the monitoring. What this case makes clear is that employee monitoring may be lawful only when the employer is fully transparent with employees regarding its monitoring activities and the related processing of personal data. This requires employers to provide notice to employees of the respective monitoring activities in a concise, transparent, intelligible, and easily accessible manner, using clear and plain language.