In 2016, the Westin Research Center published a series of articles identifying our analysis of the top 10 operational impacts of the European Union’s General Data Protection Regulation. Now, with the May 25, 2018, GDPR implementation deadline looming, the IAPP is releasing a companion series discussing the common practical organizational responses that our members report they are undertaking in anticipation of GDPR implementation.

This sixth installment in the 10-part series explores the transparency requirements of the GDPR and practical ways in which organizations can go about meeting them, focusing on privacy notices. The first five installments of the series, addressing data mapping and inventory, legitimate bases for data processing, data governance systems, data processing risks, and data retention and record-keeping, can be found here.

Informing data subjects about processing

Perhaps the most common privacy practice followed globally is the familiar “notice and choice” paradigm, which typically involves a statement on an organization’s website explaining its data processing and security practices and the opportunity (in theory) for consumers to avoid those practices. “Choice” has involved, at least, the opportunity not to share data with the organization by not doing business there. Notice is sometimes accompanied by an opt-in option, though opt-outs are also common.

The GDPR term for “notice” is transparency, and it is a central theme of the Regulation. Part of the core principle of accountability set forth in Article 5 is the requirement that “personal data [be] processed in a transparent manner in relation to the data subject.” As set forth in Recital 60, transparency allows data subjects to be informed of the existence and purpose of any processing activity involving their data. Transparency is also about engendering trust in the processes that affect data subjects “by enabling them to understand, and if necessary, challenge those processes." 

Required disclosures

Articles 13 and 14 of the GDPR and associated guidance from the European Commission give the specific information that must be disclosed to data subjects and the required time of disclosure. Which article applies depends on how the data controller comes to possess the personal data. If from the data subject directly, then Article 13 applies. But if the controller receives personal data from a third party – say, by purchasing a list of potential leads or by sponsoring an event and getting the attendees’ names from the event host – Article 14 spells out how and when disclosures should be made.

Taken together, however, the types of information that must be disclosed are similar in both articles. Controllers will need to have a privacy notice – discussed below –that is prominently visible on their websites and available by link in commercial email communications with data subjects. Those communicating with data subjects whose contact information was provided by others may also want to place the information in the body of the first email communication, but at a minimum should include a link to their website’s privacy notice. Finally, much of the information required to be disclosed is similar to what will be needed if a data subject exercises a right of data access, so the transparency disclosure may be used in a variety of different places and contexts.

When data is obtained directly from a data subject, Article 13 requires that disclosure occur “at the time when personal data are obtained” and include:

  • The identity and contact details of the controller and, where applicable, the controller’s representative, as well as the contact details of the controller’s data protection officer.
  • The intended purposes and legal basis of the processing. This information should already be available from the data mapping and inventory exercise conducted early in the GDPR compliance process, but should be explained in plain and unambiguous language in the privacy notice.
  • If applicable, the legitimate interests pursued by the controller or by a third party. This reflects the lawful basis analysis the organization has conducted pursuant to Article 6.
  • Data mapping and inventory as well as Article 30 record keeping efforts will inform the following required transparency disclosures:
    • The recipients or categories of recipients of the personal data.
    • Any transfers of personal data to a third country or international organization and the existence or absence of an adequacy decision for such a transfer, or reliance on Articles 46 or 47, or Article 49(1), as well as references to the appropriate or suitable safeguards.
    • The period for which the data will be stored or the criteria used to determine that period.
  • A description of the existence of the right to request access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing and the right to data portability.
  • If the processing is based on consent, an explanation of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
  • A description of the right to lodge a complaint with a supervisory authority.
  • Whether the provision of personal data is required by statute or contract, or is a requirement necessary to enter a contract, whether the data subject is obliged to provide the personal data, and the possible consequences of failure to provide such data.
  • The existence of any automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

If a controller intends to process already-collected personal data for a purpose different than the one disclosed when the data was collected, it must inform the data subject of the new purpose, and provide any relevant further information, prior to the new processing. 

Under Article 13, controllers are exempted from disclosure requirements only “where and insofar as the data subject already has the information.” Companies that wish to make use of this exemption should take care — the Article 29 Working Party notes that controllers must document what information a data subject has, how and when it was received, and that no changes have occurred that would put it out of date. Such documentation could be a feature of comprehensive Article 30 record keeping.

When data is obtained from a source other than the data subject, Article 14 requires that controllers meet the same disclosure requirements described in Article 13, and additionally disclose: (a) the categories of personal data concerned in the processing; and (b) the source from which the personal data originated, including whether it came from publicly accessible sources. This must be done “within a reasonable period after obtaining the personal data, but at the latest within one month,” except when the controller communicates directly with the data subject or passes along the information to yet another third party, in which case disclosure must occur right away.

Controllers subject to Article 14 have more exceptions from disclosure than those subject to Article 13, although the Working Party cautions that the exceptions should be interpreted narrowly. Exceptions include the data subject’s prior possession of the information; impossibility of or disproportionate effort in disclosure (such as when personal data is acquired for scientific or historical research purposes or statistical purposes), in which case a publicly available privacy notice should suffice; when member state law provides otherwise; or where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or member state law, including a statutory obligation of secrecy.

For example, historical researchers who have obtained a large dataset collected 50 years ago, which has not been updated since, and does not contain any contact details for data subjects, might qualify for the “disproportionality” exception. A professional secrecy exemption might apply when a bank does not inform an account holder that the bank has passed data to a financial law enforcement authority, in compliance with an anti-money laundering statute making such a “tip-off” a crime. Even in the latter scenario, to comport with transparency principles, the bank should provide “general information” to all new customers that their data may be processed for anti-money-laundering purposes.

Crafting a GDPR-compliant privacy notice

Pursuant to Article 12(1), as well as Recital 39 and Recital 58, privacy notices should be concise, transparent, intelligible, easily accessible, and easy to understand, using “clear and plain language, and where appropriate, visualization.” If the processing relates to a child, the disclosure should be easily understandable by the child. 

The WP29 suggests that compliance with the intelligibility requirement should be regularly checked to ensure that “the information/communication is still tailored to the actual audience” and that user panels could provide an effective mechanism for doing so. “Hall tests” or live user trials should be conducted and documented in advance of processing “going live.” The WP29 cautions against the use of overly complex sentence and language structures, and warns organizations not to phrase policies in “abstract or ambivalent terms, or leave room for different interpretations,” particularly regarding the purposes of and legal basis for the processing of personal data. Organizations are specifically encouraged to avoid using the passive voice or indeterminate qualifiers like “may,” “might,” “some,” “often,” and “possible.” Guidance on creating specific and informed consent may be useful in the broader transparency context, particularly in regard to the intelligibility requirement.

Notices can be presented to data subjects in written form, orally, or in an electronic format, where appropriate. Web-based privacy notices should be clearly visible on each page of the website under a commonly used term such as “Privacy Notice” or “Data Protection Notice.” A website’s layout and format must not be manipulated to make privacy disclosures more difficult to find — for example, altering the size or color of a privacy policy’s hyperlink to make it more challenging to locate will violate the requirement of accessibility.

For the collection of personal data via apps, the Working Party advises that transparency requirements should be met in the online store prior to download, and after installation “should never be more than two taps away.” As a general rule, this means menu functionality should include a “Privacy” or “Data Protection” option that links to the relevant policy.

The WP29 recommends the use of “layered” privacy notices in the online context, which should allow the data subject to navigate to whichever part of the privacy statement they wish to access without being required to scroll through large amounts of text. An effective layered notice is not simply a group of nested webpages — the design and layout of the first layer “should be such that the data subject has a clear overview of the information available to them” and need only expand sections for greater detail. Organizations should take care to avoid providing conflicting information within different layers of a policy. Microsoft’s privacy statement is a good example of a layered privacy notice.

The U.K. Information Commissioner’s Office also provides guidance on how to effectively structure a privacy notice. The ICO reiterates the points that privacy notices should include the identity of the controller, the intended use of the personal data being collected, and the identity of any parties with whom the data will be shared. It’s also wise to prominently identify and provide contact information for the organization’s DPO (or whoever handles subject access requests if you don’t have a DPO).

Alternatives to Layered Notices                      

The WP29 suggests several methods of providing transparency information in lieu of or in addition to a layered privacy notice. These include “just-in-time” push notices, or “pull” notices such as permission management interfaces and “learn more” tutorial options. A “just-in-time” notice will provide specific privacy information when it is most relevant to the data subject — for example, during an online purchase a pop-up next to a field requesting the purchaser’s telephone number might explain that the information is only being collected concerning contact related to the purchase and will only be disclosed to the relevant delivery service.

For organizations supplying services that span multiple devices, a “privacy dashboard” that allows data subjects to access and control the use of their personal data in multiple contexts may be appropriate.

Transparency must always be based on the circumstances of the data collection and processing; although the WP29’s position favors electronic privacy notices for data controllers with a digital or online presence, other formats of disclosure may sometimes be required. Alternatives may include hard copy notices with written explanations or notices included in leaflets, infographics or flowcharts for contracts concluded via post; oral explanations provided via telephone either by a real person or automated system that includes options to access more detailed information; icons, voice alerts, QR codes, SMS messages, or written information included on IoT devices; or visible, real-world signage or newspaper and media notices for real-world recording by CCTV or drone.

Special requirements attach to any processing that qualifies as automated decision-making under Article 22(1). The Working Party has issued guidance that addresses this situation. Broadly, organizations utilizing automated decision-making are obligated to inform data subjects that it is occurring, and “find simple ways to tell the data subject about the rationale behind, or the criteria relied on in reaching the decision.” The Working Party suggests that disclosures should focus on “real, tangible examples of the type of possible effects” of the automated processing. For instance, if a data subject’s age would put them in a specific category for marketing materials, the organization should explain that providing their age will expose them to specific and targeted marketing materials.

Although Recital 60 allows for the use of standardized icons as part of an organization’s transparency disclosures, the use of such icons “should not simply replace information necessary for the exercise of a data subject’s rights.” Icons that are presented electronically should be machine-readable, although the use of icons may be appropriate in other contexts. Examples might include physical paperwork, the exterior of IoT devices or device packaging, or public notices concerning Wi-Fi tracing or CCTV recording. Any use of icons for transparency purposes is dependent on forthcoming decisions by the European Commission standardizing their meaning and permissible use.

Conclusion 

Transparency is one of the central principles of the GDPR. Companies must avoid simply “checking the boxes” regarding the specific disclosures mandated in Articles 13 and 14. Transparency compliance requires that companies not only ensure all the mandated information is included, but that it is presented in a readable, comprehensible format. Ultimately, when meeting transparency obligations, companies should remember that the base-line goal of the GDPR is to provide each data subject necessary information about any processing of his or her personal data and what his or her rights are related to that processing so he or she can determine whether he or she wishes to exercise those rights.

Photo credit: Joe Shlabotnik Notice via photopin (license)