The Article 29 Data Protection Working Party has released its proposed guidelines on transparency, which are open to public comment until Jan. 23, 2018 (via JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr). The guidelines provide “practical guidance and interpretive assistance” regarding transparency obligations under the GDPR and set out “general principles” on the rights of data subjects.

Transparency requirements under the GDPR

Under the accountability principle laid out in Article 5.2, a data controller “must be able to demonstrate that personal data are processed in a transparent manner in relation to the data subject.” These transparency obligations begin at the data collection stage and apply “throughout the life cycle of processing.”

While not explicitly defined in the GDPR, transparency takes the form of specific practical requirements on data controllers and processors as outlined in Articles 12-14. Article 12 provides general rules on transparency, which apply to the provision of information (Articles 13-14) and communications with data subjects concerning their rights (Articles 15-22) and in relation to data breaches (Article 34).

These rules stipulate that information or communication to data subjects must be concise, transparent, intelligible and easily accessible, and use clear and plain language, especially when children are the target. In other words, the information should not contain “overly legalistic, technical or specialist language or terminology.” Furthermore, information or communication must be provided to data subjects “in writing, or by other means, including where appropriate, by electronic means” or orally upon request. Lastly, the information or communication must be provided “free of charge,” or not be conditional upon payment for or purchase of a good or service.

What does “concise, transparent, intelligible and easily accessible” mean?

The purpose of this requirement is to reduce “information fatigue” on data subjects. You don't need to be a data protection authority to know that consumers increasingly value businesses that can communicate with them in a concise way, given that, for many of us, the constant bombardment of information has become “one of the biggest irritations in modern life.”

To fulfill this requirement, the WP29 suggests clearly differentiating information to, and communication with, data subjects from other non-privacy-related information, such as contractual provisions. It also suggests, for example, using layered privacy statements/notices online that allow data subjects to navigate to particular sections of interest.

To ensure that information is “intelligible,” data controllers should assess how well the average member of the intended audience understands it, and adjust it as necessary. This can be done through a readability or user study.

As a best practice, data controllers should also “spell out in unambiguous language what the most important consequences of the processing will be” (emphasis is the WP29's). In other words, controllers should ask themselves: “What kind of effect will the specific processing … actually have on a data subject?”

Lastly, data controllers can make information and communication “easily accessible” to data subjects by directly providing, linking to, or signposting it. On a website, a link to the privacy statement/notice should be clearly visible on each page under commonly-used terms, such as “Privacy” or “Privacy Policy.” On an app, it should never be more than “two taps away.” 

What does “clear and plain language” mean?

To meet this requirement, data controllers should adhere to best practices for writing clearly. WP29 refers, for example, to How to Write Clearly, published by the European Commission, provides many helpful hints. Included among these are applying the KISS principle (Keep It Short and Simple or Keep It Simple, Stupid), replacing excess nouns with verbs, and using concrete rather than abstract words.

Another way of understanding what “clear and plain language” means is to look at examples of what it is not. According to the WP29, the phrases below “are not sufficiently clear”:

• “We may use your personal data to develop new services.” To make this statement clear, describe the services or how the data will help to develop them.

• “We may use your personal data for research purposes.” To make this statement clear, explain the kind(s) of research undertaken.

• “We may use your personal data to offer personalized services.” To make this statement clear, describe what the personalization entails.

In addition, data controllers should avoid the use of qualifiers (such as "may" and "might") and strive to use the active voice rather than the passive. 

When the data subject in question is a child, the data controller should adjust the language to ensure that the vocabulary, tone, and style will resonate with them. Examples of what this looks like in practice can be found in the “UN Convention on the Rights of the Child in Child Friendly Language.”

Data controllers should also provide translations if they target people speaking different languages.

What does “in writing or by other means” refer to? 

The default mode of providing information to, or communicating with, data subjects under Article 12 is in writing. Yet, other formats or modalities may also be used. On websites, in addition to layered privacy statements/notices, data controllers can deploy ad hoc or “just-in-time” pop-up notices (which provide specific “privacy information” only when it is relevant for the data subject to read), 3D touch, hover-over notices, and/or privacy dashboards, where users can manually adjust their privacy preferences.

Informing or communicating with data subjects through the use of cartoons, infographics, or flowcharts is also acceptable, as these would all qualify as “by other means.”

What information should be provided to data subjects?

Various types of information must be provided to data subjects. These range from how to contact the data controller, to information about the logic involved in and potential consequences of automated decision-making and profiling, if applicable. A full table detailing each different type of information is provided by the WP29 in a Schedule at the end of its guidelines.

Data controllers are also obligated to provide information to data subject concerning their rights (Article 13.2(b) and 14.2(c)) and to facilitate the exercise of those rights (Articles 15-22). In doing so, they must also comply with the principle of transparency. These general transparency obligations may be lessened, however, by national measures that respect the essence of the fundamental rights and freedoms and “are necessary and proportionate to safeguard one or more of the 10 objectives set out in Article 23.1(a)-(j).” Yet, data controllers should be able to demonstrate how the national provisions apply to them, and inform data subjects of their reliance on national legislation, except when doing so would be prejudicial to the purpose(s) of the legislation.

How should information be provided to data subjects?

Although the GDPR does not prescribe the format or modality by which information needs to be communicated to the data subject, data controllers should take “appropriate measures” to provide such information in a transparent way. What is appropriate will vary by product or service as well as the nature of the user interface or experience.

Most importantly, the data controller “must take active steps” to provide the information to the data subjects. Consequently, data subjects “must not have to take active steps to seek the information … or find it amongst other information.”

When changes are made to a privacy statement/notice, for example, the controller should communicate those changes to the data subject “in a way that ensures that most recipients will actually notice them.” In other words, an email notification about changes to a privacy policy should be solely devoted to communicating those changes, and not lumped together with marketing content. Moreover, requesting that data subjects regularly check a website for changes or updates to the privacy policy is considered “not only insufficient but also unfair in the context of Article 5.1(a).”

When should information be provided to data subjects?

Information must be provided to data subjects “in a timely manner,” although the required timeframe varies according the type of personal data collected by the data controller.

When Article 13 applies (i.e., for the collection of personal data provided by a subject or collected through observation), information must be provided “at the time when personal data are obtained.”

When Article 14 applies (i.e., for the collection of personal data from third-party data controllers, publicly available sources, data brokers, or other data subjects), the information must be provided “within a reasonable period” and no later than one month after obtaining the personal data. This requirement in Article 14.3(a) may be curtailed, however, by Article 14.3(b). If the personal data are used to communicate with the data subject, the information must be provided “at the latest at the time of the first communication with the data subject.” Moreover, Article 14.3(c) can also curtail the one-month time limit in Article 14.3(a). If the personal data are disclosed to a third party, the information must be provided “at the latest at the time of the first disclosure.” Notwithstanding these rules, WP29 recommends that data controllers “provide the information to data subjects well in advance of the stipulated time limits.”

Although the GDPR “is silent” on timing requirements for the notification of changes to information previously provided to a data subject, when a “fundamental change” in processing (e.g., the commencement of transfers to a third country) or a change that may impact upon the data subject occurs, WP29 urges that information about it be provided “well in advance of the change actually taking effect,” using a method that is “explicit and effective.” Data controllers should also explain the likely impact of those changes on the data subject.

Even when a privacy statement/notice goes unchanged for a long period of time, WP29 states that “the controller should re-acquaint data subjects with the scope of the data processing … at appropriate intervals.”

A data controller must also inform a data subject if it intends to further process their data for a purpose other than the one for which it was originally collected. Although processing that is “incompatible” with the original purpose is prohibited, further processing for “compatible” purposes (as laid out in Article 6.4) are subject to the requirements of Articles 13.3 and 14.4. If a data controller finds itself in this scenario, WP29 recommends that it provide information to data subjects on the compatibility analysis it carried out under Article 6.4 “prior to that further processing.” In other words, a “reasonable period” of time should elapse between when the data subjects are informed of it and when the further processing begins, and this window should be longer for more intrusive processing. This period is intended to give data subjects “a meaningful opportunity to consider (and potentially exercise their rights in relation to) the further processing.”

Are there exceptions?

The single exception to a data controller’s Article 13 obligation to provide information occurs “where and insofar as, the data subject already has the information.”

Article 14 carves out a much longer list of exceptions. These include: impossibility, disproportionate effort, serious impairment of objectives, where obtaining or disclosing personal data is expressly laid down in law, and confidentiality by virtue of a secrecy obligation.

Conclusion

As the well-known expression goes, “It’s not just what you say, but how you say it, that matters.” Along these lines, the Article 29 Working Party’s guidelines on transparency are intended to remind data controllers that the accessibility and comprehensibility of information provided to data subjects are as important as its content.

Transparency is a central principle in the GDPR, as it promotes the objective of strengthening individuals’ rights, accountability, and the lawful and fair processing of data. Thus, data controllers should “revisit all information provided to data subjects on processing of their personal data” in light of the WP29’s guidelines on transparency by May 25, 2018, to ensure they are GDPR-compliant.

Photo courtesy mailer_diablo (Self-taken (Unmodified)) [GFDL or CC BY-SA 3.0], via Wikimedia Commons.