On 12 December 2017, the Article 29 Working Party (“WP29”) published draft guidance on the obligation of transparency, to be found here. This is an important topic, as transparency is intrinsically linked to fairness and to the newly introduced principle of accountability under the GDPR. Please find the highlights below.
TRANSPARENCY: KEY ELEMENTS
Chapter III of the GDPR provides the basis of the transparency principle. In particular Article 12, which breaks this principle down into the following elements:
1. “concise, transparent, intelligible, and easily accessible“
The WP29 explains this requirement as follows:
– Information must always be presented efficiently and succinctly, in a way that is clearly differentiated from non-privacy-related information (such as contractual terms).
– The average member of the intended audience must be able to understand the information provided, and who that audience is should be regularly reconsidered. To that end, the use of user panels is strongly recommended.
– Lastly, the individual should immediately become aware of where the relevant information can be found. For apps, the necessary information may never be more than “two taps away”, i.e. the information must be included in the app menu.
2. “clear and plain language” – particularly when providing information to children
The WP29 explains this requirement as follows:
– Information must be simple and concrete, avoiding complex, technical or ambiguous sentences. Indeterminate terms such as “some” or “often” and words like “might” or “may” should be avoided.
– Moreover, translations must be provided in the languages spoken by the targeted individuals, and those translations must be accurate at all times.
– Lastly, where children or other vulnerable groups are targeted, the vocabulary, tone and style of the language shall be appropriate to this audience.
3. “in writing or by other means, including where appropriate, by electronic means“
The WP29 explains this requirement as follows:
– Information must be in writing, but the GDPR also allows other means. Where electronic means (e.g. websites) are used, the WP29 recommends multi-layered and navigable information rather than displaying all of it in a single notice. Factors such as the device used and the ‘user journey’ should be taken into account in finding the most appropriate modality. The WP29 strongly recommends seeking user feedback in this regard.
– Also, (push / pull) pop-up notices, hover-over notices, just-in-time notices and privacy dashboards where privacy preferences can be managed may be used. The WP29 prefers such dashboards to be tailored to the existing service architecture so that individuals are actually encouraged to use them.
– In addition, cartoons, infographics, flowcharts, SMS text messages, media notices and public signage may serve as useful information tools, as may audio delivery in the case of screenless (IoT) devices.
– Note that the use of supplementary standardised icons (which must become universally recognised over time through the development of a code of icons) is strongly encouraged as part of a “multi-layered approach”.
4. “the information may be provided orally“
The WP29 explains that information may be provided orally upon the individual’s request, in which case the controller should enable the individual to re-listen to pre-recorded notices. Also, where individuals exercise their rights under Articles 15-22 and 34, the identity of the individual must be verified by other means before the information is provided orally.
5. “free of charge“
As a last element, the WP29 explains that individuals cannot be charged for obtaining the information, and its provision may never be made conditional upon a transaction such as the purchase of goods or services.
CHANGES AND EXCEPTIONS
The last important points in the WP29 guidance relate to changes in privacy notices and to the exceptions to the information requirement:
– Changes must actually be brought to the attention of individuals by using an appropriate modality (e.g. email) devoted specifically to such changes, rather than ‘buried’ in a marketing email.
– Importantly, the WP29 explicitly considers statements to the effect that individuals must check the privacy notice regularly for changes not only insufficient, but also unfair (Article 5(1)(a) GDPR).
– Additionally, even when no changes are at stake, controllers should remind individuals of the applicable privacy notice at appropriate intervals in the case of ongoing data processing activities, to ensure that individuals remain well informed.
– With respect to exceptions, the WP29 notes that the exception provided for under Article 14 GDPR must be interpreted narrowly, meaning that, amongst other things, information may only be withheld where providing it is genuinely impossible or would nullify the objectives of the processing.
Based on the current version of the guidelines, controllers are prompted to revisit all privacy notices currently in place to ensure that they adhere to the transparency requirements laid down in the GDPR. Notably, the WP29 seems to embrace a multi-layered and navigable approach to information, to be accompanied over time by standardised icons. However, the final version of the guidelines has to be awaited, as the current version is open for comments until 23 January 2018.