The Article 29 Working Party has issued guidelines for comments on Transparency. Transparency is a new "principles" in the GDPR that was not part of the outgoing DPA. Transparency has been introduced with the objective to increase data subjects' trust in organisation handling their data. Transparency being somehow a new addition to the data protection law it is interesting to read the guidelines particularly as the regulation itself does not give much detailed indications about what organisation need to do to be more transparent.
This post review some of the elements of the guidelines that we thought were not clear in the GDPR or needed clarifications, we also point out areas that we are dealing with in our daily GDPR work and have deliberately not commented on areas of little interest for us in the work we do at the moment such as “information to children”. So this is not a complete review of the document.
The guidelines states that transparency applies to 3 key areas:
- The provision of information to data subjects related to fair processing;
- How the controllers communicate with data subjects in relation to their rights;
- How data controllers facilitate the exercise by data subjects of their rights.
This is a good reminder that the transparency principles, like other principles, apply to all aspects of the regulation, particularly when directly dealing with data subjects.
Unsurprisingly, a large chunk of the guidelines deal with the information obligations of article 13 and 14, so the privacy notices. The GDPR mandates the provision of a fairly large set of information to the data subject and at the same time be concise, transparent and intelligible. This can appear to be contradictory, specially on the “concise” requirement. It is therefore good to see the guidelines addressing this area in details and not just the “transparency” bit.
The guidelines do not formally define “transparency” further than what is defined in recital 39. It however not just discuss “transparency” itself but all aspect of article 12 including “concise”, “clear and plain language”, “intelligible”, …because article 12 set the tone for any information given to data subjects.
- “Information fatigue”: ensure your notices are going to actually be read by the audience. If they are fatigued then it’s not clear, concise or intelligible.
- “Intelligible” means information should be understood by an “average” member of the intended audience. It might therefore be a good idea to engage with your actual audience and test if the information supplied to them match the requirements. Such tests would constitute a demonstration of compliance, some organisations already do this, and so the guidelines should foster a broader adoption of user testing for notices.
- Scope and consequences of data processing should be communicated upfront to data subjects outside of article 13 and 14 before data is being collected. Clearly spelling out highest risk data processing, separately from the privacy notices is clearly a new requirements of the DPA. In an online environment this could be achieved by “pushing” to the user key information as the data are captured in a form and so not just giving a link to a privacy notice.
- “Clear and and plain language”: as simple as possible, avoiding complex sentences and language structures. Don’t use ambivalent terms, be concrete and definitive. Be clear would mean be sufficiently clear, not leaving the user guessing. A telling example is the avoidance of commonly used notices such as “We may use your personal data to develop new services” because “may” is not definitive and “new services” is not specific enough.
- Easily accessible means data subjects do not have to seek out the information, it should be immediately apparent to them. For example (point 10.) privacy notices on a website or app should either be provided within the form collecting data or a clear link to it.
- Avoid legalistic, technical or specialist language.
Orally provided information
Orally provided information is not only a possibility in person to person environment but can also be used when providing written information is not suited for the context. For example in a context of an iOT device without a screen but with an audio speaker then using voice to provide information is a better fit.
Information in Article 13 and 14
WP29’s opinion is that there is no difference in information requirements for articles 13 and 14. They should contain the same information. Furthermore “A controller should consider appropriate measures for communicating those information in light of the product/service user experience and the limitation that this entails”, this clearly leave room for creativity and adaptation to the particular situation rather than forcing very specific ways of providing the information. Being “accountable” means you have considered user feedbacks when designing and developing notices and documented your approach.
This is a good point to stress again: being accountable for the transparency principle means you have verified with users, when developing and maintaining your services that information provided meets the requirements of the GDPR for those particular users or intended audience.
On the timing for providing information, an interesting point (28) is made: when a data subjects has not used the product or service for a while then he/she might have forgotten the privacy notice and so the controller should “re-acquaint” the data subject with the scope of data processing, this could be done by re-issuing the privacy notice to them.
This would then mean - and that’s our observation - that the controller has a way to communicate with the data subject, which in some situation might not be obvious without collecting specific data for this reason such as an email address.
Layered privacy notices and “push and pull”
To address the issue of providing all information and remaining clear, concise and intelligible the WP29 heavily suggests (point 30, 31) to use layered notices. This would allow the user to easily navigate to section he/she wants to read, also a first layer would allow the user to have the key information about the most impactful processing activities.
Similarly “push and pull” techniques can be used: when information is collected on an online form the information notice for that particular information could be “pushed” to the user as a pop-up. The full notice itself could easily be “pulled” via a web link.
Transparency apply to all the GDPR and so applies to information provided to data subjects when a data breach that requires to be communicated to data subjects occurs.
The guidelines provide a fair amount of details on the application of the transparency principles to information provided to data subjects and there are no conflicts or “at-odds” moments with what the GDPR itself is requiring.
The guidelines clearly call for organisations to be creative with user experience and ways to provide information to data subjects to keep it practical whilst giving all information required by the GDPR and as discussed this can be a challenge and certainly this is an area where one will need to keep an eye on best practices developed over time.