Shortly before the Christmas break, the Article 29 Working Party (WP29) published keenly awaited draft guidelines on transparency and consent under the GDPR.
These guidelines will be closely scrutinised. Privacy notices, requests for consent, how an organisation deals with data subject enquiries regarding the processing of personal data, and how an organisation communicates information in the event of a notifiable personal data breach, as public facing components of an organisation’s privacy programme, represent an easily measurable indicator of an organisation’s compliance (or non-compliance) with the GDPR. As such, it is important to get them right, to avoid unwanted attention.
Many of the guidelines do not add much to what we already know and can derive from the text of the GDPR, including its recitals, or from previous statements from the WP29, but there are some useful clarifications and suggestions to be found. This blog looks at the first set of guidelines, on transparency, and will be followed by another which looks at the guidelines on consent.
Application to existing processing activities
Importantly, the guidelines confirm what is already clear from the text of the GDPR. Where processing is already underway before 25 May 2018, existing privacy notices must be revisited to ensure they meet the enhanced GDPR requirements from 25 May 2018.
How information is presented is as important as its content
Many organisations will approach the amendment of existing privacy notices on a “minimal amendments” basis, seeking to change only what needs to change to align with GDPR. This may involve the addition of a sentence here or there, to capture the enhanced content required of privacy notices under GDPR. The guidelines, however, make it clear that the accessibility and comprehensibility of the information in a privacy notice is as important as its content. As such, a minimal amendments approach may well not be a good idea, where existing notices are overly long or legalistic. A more radical approach, involving creative techniques (such as layering, “just in time” notices, push and pull notifications, icons, and so on) may be preferable.
The guidelines helpfully summarise the key articles in the GDPR, in relation to communication of privacy notices, as follows:
- Information must be concise, transparent, intelligible and easily accessible (article 12.1) – avoid information fatigue, differentiate the information from other information such as contractual provisions, ensure it is comprehensible by the intended audience (e.g. by testing it with a user panel), and in an online context, use layering and ensure the information is clearly sign-posted.
- Clear and plain language must be used (article 12.1) – best practices for clear writing should be followed, avoiding long sentences and complex sentence structures, providing concrete and definitive information rather than abstract or ambivalent terms (e.g. avoid use of terms such as “may”, “might”, “some”, “often” and “possible”), legalistic or technical language, and excessive use of nouns (which would presumably include use of defined terms). Particular care should be taken with translations.
- The requirement for clear and plain language is of particular importance when providing information to children and other vulnerable groups (article 12.1) – if goods or services are utilised by children, the data controller should ensure the vocabulary, tone and style of language used is appropriate and resonates with children. The same applies to other vulnerable members of society, including people with disabilities or accessibility constraints.
- Information must be in writing “or by other means, including where appropriate, by electronic means” (article 12.1) – the default position is that information must be provided in writing. In an online context, “other means” may include the use of techniques such as “just in time” contextual pop-up notices, 3D touch or hover-over notices, and privacy dashboards. Video or voice alerts, cartoons, info graphics or flowcharts, may also be appropriate in particular circumstances.
- Where requested by the data subject it may be provided orally (article 12.1) – the provision of information orally may be face-to-face, over the telephone, or similar, and may involve automation. The data controller must be able to evidence the request for provision of information by oral means. Where the information provided is in response to the exercise of a data subject right (e.g. of access), then the data controller is required to verify the identity of the individual by non-oral means, to ensure appropriate security, and to be able to demonstrate the same.
- It must be provided free of charge (article 12.5) – information must be provided free of charge, both under articles 13 and 14 (privacy notices) and under articles 15-22 (data subject rights) and 34 (communication of data breaches to data subjects). The provision of transparency cannot be made conditional upon other financial transactions (e.g. payment for goods or services received).
Content of privacy notices
The guidelines clarify that the WP29 regards each of the elements of information required to be provided under articles 13 and 14 as equally important. Some specific points to note:
- Recipients: the guidelines note that the default position is that data controllers should identify specific named recipients. Where this approach is not taken, and a controller just identifies the categories of recipients, it must be able to justify why it is fair for it to take that approach.
- International transfers: the guidelines state that in the interests of fairness, the information should explicitly mention all third countries to which data will be transferred. This is likely to be difficult for many data controllers to observe, particularly where data is hosted on, or accessible from, global platforms or is used by global functions.
- Storage/retention: in relation to identification of the period for which data will be stored, it is not enough to state generally that personal data will be kept “as long as necessary for the legitimate purposes of the processing”. Where relevant, different storage periods should be stipulated for different categories of data or processing purposes.
- Joint controllers: there is an interesting point in relation to arrangements involving joint controllers. Article 26(2) requires joint controllers to make the essence of the arrangement between them available to the data subject, and the guidelines state that it must be completely clear to a data subject which data controller can be approached in order to exercise their rights under the GDPR.
Manner of provision of privacy notices
It is up to data controllers to decide the appropriate means by which to provide the information. Individuals should not have to take active steps to seek information, but latitude is allowed as to how a notice is provided within the parameters summarised above. This again encourages testing of privacy notices before they “go-live” and documenting the same as evidence of compliance with accountability obligations under the GDPR.
The manner of provision of updates to privacy notices is also equally important. The popular practice of including references in a privacy notice to the effect that the data subject should regularly check the privacy notice for changes or updates is “considered not only insufficient but also unfair”. Changes must be communicated within a time period which is appropriate to the circumstances (i.e. the degree of promptness required depends on how fundamental the change is). Where personal data will be processed for a further purpose (i.e. a secondary purpose other than that for which personal data was originally collected), the WP29’s position is that data subjects should be provided with the data controller’s compatibility analysis carried out under article 6(4).
Information must be provided to data subjects at the outset when personal data is obtained and, where personal data is obtained indirectly (e.g. from a data broker, or publicly available sources), within a “reasonable period” (no later than one month) after obtaining the personal data. Where personal data is obtained indirectly and is to be used for communications with data subjects or is shared with another recipient, information must be provided, at the latest, at the time of the first communication with the data subject or disclosure to another recipient, but in any event within one month after it was obtained.
The guidelines conclude by noting that WP29 typically expects provision of information “well in advance of the stipulated time limits”.
The GDPR allows for an exception to the obligation to provide a privacy notice where information has been obtained directly from the data subject, to the extent the data subject already has the information. This means a data controller might need only to “top-up” information already provided to a data subject. Where information is obtained indirectly, a much wider set of exceptions is available, in particular where provision of information would involve disproportionate effort. Exceptions should be interpreted narrowly, and a data controller should be able to justify reliance on any of them. The GDPR provides under article 23 for further exceptions to be built into national legislation complementing the GDPR, but the guidelines make it clear that where relying on such exceptions data controllers should inform data subjects of this, unless doing so would prejudice the purpose of the exception.