On 12th December 2017, the Article 29 Working Party ("WP29") published the draft Guidelines on transparency under the General Data Protection Regulation 2016/679 (respectively, "Guidelines" and "GDPR"). The Guidelines at stake were published with the related draft Guidelines on Consent, inviting comments to be submitted for both of them by 23rd January 2018.
Transparency is an overarching obligation under the GDPR, intrinsically linked to the new principle of accountability and to the principle of fairness, all in relation to the processing of personal data expressed in Article 8 of the Charter of Fundamental Rights of the European Union.
The concept of transparency is not defined in the GDPR; however, Recital 39 of the GDPR is informative as to the meaning and effect of this principle, which "[...] requires that any information and communication relating to the processing of those personal data [shall] be easily accessible and easy to understand, and that clear and plain language [is] used. [...] ".
The Guidelines are developed to help data controllers understand how to structure and draft their privacy notices and equivalent documents. Article 12 of the GDPR sets out the general rules, which must be applied to the provision of information to data subjects (under Articles 13 and 14), the communications towards data subjects concerning the exercise of their rights (under Articles 15 – 22), and the communications in relation to data breaches (Article 34).
As required by Article 12 of the GDPR and further explained in the Guidelines, information must be:
- concise, transparent, intelligible and easily accessible. Information must be presented efficiently and succinctly, in a way that is clearly differentiated from non-privacy information; in an online context, controllers should use layering and ensure the information is clearly sign-posted. This means that the data subject should immediately become aware of where the relevant information can be found, avoiding information fatigue;
- in clear and plain language, especially when providing information to children/minors. No complex, ambivalent or technical sentences should be used (terms such as "may", "might" and "some" should be avoided). The data controller should ensure that the vocabulary, tone and style of language used is appropriate for children and other vulnerable members of society, including people with disabilities;
- in writing or by other means, including electronic means where appropriate. The WP29 notes that in an online context, "other means" may include the use of techniques such as "just in time" contextual pop-up notices, 3D touch or hover-over notices, and privacy dashboards. Information can also be provided in combination with standardised icons, potentially reducing the need for vast amounts of written information to be presented to a data subject. Moreover, video or voice alerts, cartoons, infographics or flowcharts may also be appropriate in particular circumstances;
- provided orally, where requested by the data subject. Oral information may be given face-to-face, over the telephone, or by similar means, and may involve automation (WP29 recommends that data controllers should allow the data subject to re-listen to pre-recorded messages). Where the information provided is in response to the exercise of a data subject's rights, the data controller is required to verify the identity of the individual by non-oral means, to ensure appropriate security, and must be able to demonstrate this;
- provided free of charge.
The Guidelines clarify that, in order to help identify the most appropriate modality for providing the information, data controllers may wish to have a trial period for different modalities in advance of "going live", by way of user testing, to seek feedback on how accessible, understandable and easy to use the proposed measure is.
As regards the timing of the provision of information, WP29 observes that "[...] providing it in a timely manner is a vital element of the transparency obligation and the obligation to process data fairly [...]". Under Article 13 of the GDPR, which applies to the scenario where the data is collected directly from the data subject, information must be provided at the time when personal data are obtained.
In the case of indirectly obtained personal data, under Article 14 of the GDPR, the general requirement is that information must be provided within a reasonable period after obtaining the personal data and no later than one month.
The GDPR allows for strict exceptions to the obligation of providing data subjects with a privacy notice. The only exception to this obligation, for personal data obtained directly from the data subject (Article 13(4)), occurs "where and insofar as the data subject already has the information". Where information is obtained indirectly, the GDPR carves out a much broader set of exceptions, in particular when: the provision of information would involve disproportionate effort (Article 14(5)(b)); the data controller is subject to a national law or EU law requirement to obtain or disclose the personal data (Article 14(5)(c)); the personal data must remain confidential subject to an obligation of professional secrecy regulated by national law or EU law, including a statutory obligation of secrecy (Article 14(5)(d)).
The GDPR provides, pursuant to Article 23, for further exceptions to be built into national legislation complementing those of the GDPR, but the Guidelines make it clear that when relying on such exceptions, data controllers should inform data subjects of this, unless doing so would prejudice the purpose of the exception.
Finally, the WP29 also provides a schedule at the end of the Guidelines, summarising the categories of information that must be provided under Articles 13 and 14 of the GDPR.
In order to fully comply with the obligation of transparency, controllers should:
- review their privacy notices, spelling out not just the scope but also the consequences of processing in unambiguous language;
- remove from their privacy notices any generic and doubtful reference to the purpose of the processing, avoiding use of language qualifiers such as "may", "might", "some", "often" and "possible";
- identify the intended or likely audience, ascertain the average audience member's level of understanding and, if necessary, modify the information and the other privacy documents in order to make the information intelligible and understandable by the intended audience;
- verify the language currently adopted when processing the data of children or vulnerable persons, ensuring that the vocabulary, tone and style of the language used is appropriate;
- take all measures necessary to ensure that any relevant change to their privacy notices will be communicated in advance of the change actually taking effect and in such a way that ensures that most recipients will actually notice the amendment;
- verify what information the data subject already has, how and when they received it and that no changes have occurred since then, rendering that information out of date.