Privacy notices under the GDPR
The new legislation will result in a substantial uplift in potential fines for data protection infringement, moving from the current UK maximum of £500,000 to the greater of €20m / 4 per cent of global turnover.
Many organisations in the UK across various industry sectors will be busily undertaking compliance activities in order to achieve GDPR compliance by the “go-live” date. One of the more onerous obligations the GDPR imposes relates to “transparency”, that is, the information organisations must provide to data subjects whose personal data they are using, for example under a privacy notice placed on an organisation’s website. To this end, the “Article 29 Data Protection Working Party” (WP29) (an organisation composed of representatives of the national data privacy supervisory authorities in EU Member States) last week published long-anticipated guidance in this area.
This article focuses on the WP29’s transparency guidance (Guidelines) and practical solutions that may be drawn from it and applied to organisations looking to bring their privacy notices to GDPR standard.
What is transparency?
Whilst the text of the GDPR does not define “transparency”, explanatory text to the GDPR (in the form of a “Recital”, no. 39) is informative: “It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent.”
Elements of transparency
The Guidelines consider various ‘elements of transparency’ under a privacy notice including the following requirements:
‘concise, transparent, intelligible and easily accessible’.
Adherence to these requirements is as important as the actual content of a privacy notice and should be clearly differentiated from other non-privacy related information.
- This means the information cannot be bundled with other terms and conditions or tagged on to other communications, and individuals should not have to scroll through large amounts of text to find a particular part of a privacy notice.
- For mobile apps, the information should be made available from an online store prior to download and, once the app is installed, the information should never be more than “two taps away”.
Use of clear and plain language.
- The Guidelines emphasise the need to avoid qualifiers such as “may”, “might”, “often” and “possible”. Sentences such as “we may use your personal data to develop new services” would not be acceptable. Use the active voice and simple, non-legal terminology.
- Where the data controller targets individuals in multiple language groups, the controller should provide accurate translations of the communication in all relevant languages.
What must be provided in a privacy notice?
The GDPR text sets out various information that data controllers must provide to individuals at the time personal data is collected. The Guidelines elaborate on these requirements, and the following points are particularly noteworthy:
- Data controllers should provide clear contact information as to how data subjects can contact them via different methods of communication.
- Online forms should clearly indicate which fields are mandatory and which are not, and what will be the consequences of not filling in the required fields.
- A data controller must indicate any recipients or categories of recipients with whom the controller will share the personal data. The WP29 makes clear that, as a default position, the controller should provide information on actual, named recipients. Where this default position is departed from, a ‘category of recipients’ may be provided, however in this case, the controller must: (i) be able to demonstrate why it is fair for it to take this approach; and (ii) be as specific as possible in the privacy notice about the type of recipient, the industry, sector and sub-sector, and the location of the recipients. The “default” position in naming recipients may be uncomfortable or impractical for some controllers.
- The privacy notice should explicitly state all third countries (i.e. countries outside the EEA) to which the data controller will transfer personal data. If data transfers are not determined internally, via the operation of a privacy framework for example, controllers will need to scrutinise where personal data is being transferred, giving the necessary wide interpretation to the term “transfer” (e.g. including regular access via remote desktop).
- “Legitimate interests” (of the controller) is the most flexible lawful basis for processing personal data, but needs careful evaluation by controllers. The Guidelines provide that when a data controller uses legitimate interests, such interests of the controller should be weighed against the fundamental rights and freedoms of the data subject. The WP29 considers it best practice to include information from such a “balancing test” in a privacy notice, which would also assist the controller in demonstrating compliance with its accountability obligation.
- Information in a privacy notice should allow a data subject to assess what the retention period will be for specific data / purposes, and (if appropriate) different storage periods should be stipulated for different categories of personal data. It will not be sufficient for a data controller to state that it will “retain personal data for as long as necessary for its legitimate purposes”.
- A privacy notice must include reference to the various rights of a data subject (the right to request access, the right to rectification, erasure, portability, etc.). In particular, the data controller must explicitly bring to the data subject’s attention the right to object to processing and this right must be presented clearly and separately from any other information.
How should a data controller communicate a privacy notice to data subjects?
Where a data controller has an online presence, the WP29 recommends that the controller provides a privacy notice which is layered. The data subject should have a clear overview of the information available to them and of where to find detailed information within the layers of the notice. The Guidelines provide that the first layer should always contain information on the processing which has the most impact on the data subject and on processing which could surprise the data subject.
The Guidelines refer to other methods of communicating privacy notices to data subjects. These include privacy dashboards (which would be accessible from a range of applications) and just-in-time notices (which would provide specific privacy information at the relevant points throughout the process of data collection). Where an organisation supplies a range of privacy notices for different services or utilises various technologies (involving the collection and use of differing quantities of personal data), a privacy dashboard may be a good technology to employ.
Use of visualisation tools and icons
The communication of information in a privacy notice may also include visualisation tools and icons where appropriate. In practice, such tools and icons may be useful in the context of dealing with privacy notices for children and other vulnerable groups in order to aid accessibility.
Communicating changes to a privacy notice
If a data controller makes changes to a privacy notice, for example by processing the data for a new purpose, the same principles of transparency apply as with the original privacy notice. The communication should be specifically devoted to the change (and not, for example, included with direct marketing content). Additionally, requiring data subjects to regularly check privacy notices for updates is contrary to the principle of fairness.
Whilst the WP29 guidance on transparency is informative and welcomed, the requirements for transparency under the GDPR will almost certainly be more onerous for data controllers than under the current UK Data Protection Act. This is in major part a consequence of the increased granularity of information that is required and the manner in which privacy notices must be brought to a data subject’s attention.
In practice, data controllers should bear in mind that it would be prudent to review their internal personal data processing before having new privacy policies drafted, to ensure that notices reflect actual processing.