The Article 29 Working Party (WP29) released two guideline documents, WP259 and WP260, on the General Data Protection Regulation (GDPR) concepts of consent and transparency. Comments on both documents will be accepted by the Working Party through January 23, 2018, after which the WP29 will issue final guidance. WP29 is an independent European advisory body on data protection and privacy.

This blog post focuses on WP260, the guideline on transparency. Our companion post on WP259, the guideline on consent, can be read here.

Transparency has long been a fundamental feature of EU privacy law and is an overarching obligation under the GDPR. The draft guideline notes that a central consideration of the principle of transparency is that the data subject should be able to determine in advance what the scope and consequences of the processing entail. Transparency applies in three central areas:

  • The provision of information to data subjects related to the fair processing of their personal data.
  • How data controllers communicate with data subjects in relation to their rights under the GDPR.
  • How data controllers facilitate the exercise by data subjects of their rights.

Elements of Transparency

Article 12 provides that important information related to the processing of personal data must be communicated to data subjects in a “concise, transparent, intelligible and easily accessible form, using clear and plain language.”

To be “easily accessible,” the information must be available without the data subject having to seek it out. The draft guideline recommends that websites publish notices that are clearly visible under commonly used terms and that the notices NOT be positioned, or presented in a color scheme, in a way that makes the text or link less noticeable. For apps, the information should never be more than “two taps away” and apps should always include a “Privacy/Data Protection” option.

The draft guideline provides examples of language that is not “clear and plain” and notes that phrases such as “may,” “might,” “some,” “often,” and “possible” should be avoided because they are not sufficiently clear as to the purpose of processing. The draft guideline also suggests that paragraphs and sentences be well structured, utilizing bullets and indents to signal hierarchical relationships. Writing should be in the active voice, and excess nouns, as well as legalistic or technical terms, should be avoided.

With respect to “in writing or by other means,” the draft guideline notes that the WP29’s position with regard to written electronic means is that when the controller maintains a website, it prefers the use of layered privacy statements/notices, which allow the website visitors to navigate to particular aspects of the relevant privacy statement that are of most interest to them. Other electronic means include “just-in-time” contextual pop-up notices, 3D touch or hover-over notices, and privacy dashboards.

The WP29 acknowledges that required disclosures may be made orally and clarifies that information must be made available to users or prospective users without requiring them to disclose their identity to the data controller.

The draft guideline also warns that information provided under the transparency requirements cannot be made conditional upon financial transactions; for example, the payment for goods or services.

Information to be Provided to the Data Subject

The GDPR identifies a number of disclosures that it believes must be provided to data subjects, but does not prescribe a specific “modality” by which the information must be presented. As noted in the Guideline on Transparency, it is up to the data controller to take into account all of the circumstances of the data collection and processing when deciding upon the appropriate modality and format for providing the information to the data subjects.

In particular, the WP29 states that controllers should take account of the device used, the nature of the user interfaces, and the limitations that those factors entail. The draft guideline encourages data controllers to identify the most appropriate modality for providing the information, in advance of “going live,” through user testing to seek feedback on how accessible, understandable and easy to use the proposed measures are for users. Documenting this approach should also assist data controllers with their accountability obligations by demonstrating how the tool/approach chosen to convey the information is the most appropriate in the circumstances.

With respect to the timing of disclosures, the draft guideline indicates that when information is collected directly from a data subject, disclosures must be made prior to the collection of that information. If information is not collected directly from the data subject, the disclosures should be provided in a timely manner in order to be transparent. Although the maximum time limit within which Article 14 information must be provided to the data subject (when personal data is not obtained directly from the data subject) is one month, the draft guideline notes that the requirements of fairness and accountability require data controllers to always consider the reasonable expectations of the data subjects.

While the GDPR is silent on the timing requirements and methods that apply for notifications when there are changes to the controller’s privacy practices, WP260 encourages data controllers to carefully consider the circumstances and context of each situation where an update to transparency information is required.

Layered Privacy Notices

The WP29 notes that the use of layered privacy notices can help resolve the tension between completeness and understanding by allowing users to navigate directly to the section of the notice that they wish to read. The draft guideline also provides examples of additional transparency tools that can provide tailored information to the individual data subject in the digital context, such as push and pull notices: “push” notices provide “just-in-time” information, while “pull” notices facilitate access to information by methods such as permission management, transparency dashboards and “learn more” tutorials.

A privacy dashboard, a single point from which data subjects can view privacy information and manage their privacy preferences, could be particularly useful when the same service is used by data subjects on a variety of different devices. The draft guideline notes that the use of websites for disclosures is an acceptable approach in many circumstances, but that the data controller may also need to use other modalities and formats to provide the information, such as hard copy paper, telephonic communications and other media. Appropriate means of communication are particularly important in the case of automated decision-making.

Information Related to Further Processing

The GDPR requires data controllers to inform data subjects if they intend to further process their personal data for a purpose other than that for which it was collected or obtained. The WP29’s position is that all information required to be provided to data subjects when personal data is first collected must again be provided when the data controller decides to further process the data for a new purpose, unless one or more of the pieces of information is not applicable. If further processing will occur that extends beyond the original purpose, data controllers should provide data subjects with detailed information on when it is no longer applicable.

In addition, any time further processing extends beyond the original purpose, data controllers should provide data subjects with detailed information on the compatibility analysis that has been undertaken to determine whether the use is compatible with the purpose(s) for which the information was originally collected.

Visualisation Tools

The draft guideline also provides that the principle of transparency is not limited to being effected simply through language communications. It notes that the provision for information to be provided to a data subject “in combination” with standardized icons encourages the development of icons that will allow for a multi-layered approach. The draft guideline cautions that icons cannot be used to replace information and that when icons are used they must be machine-readable.

The GDPR anticipates the development of a code of icons, and the WP29 recognizes that the development of such a code should be centered on an evidence-based approach and extensive research. In addition to the use of standardized icons, the GDPR also provides for the use of data protection certification mechanisms, data protection seals and marks for the purpose of demonstrating compliance of processing operations with the GDPR, and the draft guideline notes that guidelines on certification mechanisms will be issued in due course.

Exercise of Data Subjects’ Rights

The draft guideline notes that transparency places a triple obligation upon data controllers because they must provide information to data subjects on their rights, comply with the principle of transparency when communicating with data subjects in relation to those rights, and facilitate the exercise of data subjects’ rights.

The draft guideline provides a good practice example and a poor practice example. The good practice example references a health service provider that uses electronic forms on a website that allow data subjects to submit access requests for personal data online and also provides paper forms at its health center clinic so that the data subjects can also submit requests in person. The poor practice example is that of a health service provider that has a statement on its website informing all data subjects to contact its customer services department to request access to personal data.

Other Guidance

  • The guidance provides that the exceptions to the obligations to provide information must be narrowly construed.
  • While the WP29 has produced separate Guidelines on Data Breaches, from a transparency perspective, the draft guideline notes that communications of a data breach must satisfy the same transparency requirements.

Conclusion

While much of the specific content that controllers are required to communicate to data subjects, and the circumstances in which those communications must be made, are specifically dictated by the GDPR, many of the format and communication issues addressed in this guidance are consistent with long-standing Federal Trade Commission (FTC) guidance with respect to the making of clear and conspicuous disclosures.

When the FTC evaluates the effectiveness of disclosures, it considers:

  • Prominence – whether the information is prominent enough for consumers to notice and read or hear it.
  • Presentation – whether the information is presented in easy-to-read language that does not contradict other things and is presented at a time when consumers’ attention is not distracted elsewhere.
  • Placement – whether the information is located in a place and conveyed in a format that consumers will read or hear.
  • Proximity – whether the information is placed at a location that makes sense.

For some practical guidance for making clear and conspicuous disclosures, the FTC’s dot.com disclosure guidance provides useful examples on how to make disclosures effective.

Read our companion post on the Guideline on Consent, WP259, here.