The Article 29 Data Protection Working Party has published its “last revised” guidelines on transparency under the General Data Protection Regulation. When the WP29 released its proposed guidelines last December offering “practical guidance and interpretive assistance” regarding transparency obligations, IAPP analyzed the key issues. In addition to a brief summary of the transparency requirements, IAPP’s analysis of the proposed guidelines focused on the meaning of phrases such as “concise, transparent, intelligible and easily accessible” and “in writing or by other means,” as well as what information should be provided and when and how to provide this information to data subjects.
In its revised guidelines on transparency obligations, the WP29 expanded and clarified its advice concerning issues such as the requirement that information be “intelligible,” providing information to children, changes to Article 13 and 14 information that should be provided to data subjects, and layered approaches to privacy statements/notices in digital and non-digital environments.
Practical Guidance and Interpretative Assistance
It is worth noting that the updated guidelines begin by making a general point about how WP29 guidelines in general ought to be read and used. They explain that the guidelines are “intended to be generally applicable and relevant to controllers irrespective of the sectoral, industry or regulatory specifications particular to any given data controller.” Because the guidelines are written to be generally applicable, however, they may lack specificity. Indeed, the WP29 stresses that its guidelines are fundamentally constrained, in that they “cannot address the nuances and many variables which may arise in the context of the transparency obligations of a specific sector, industry or regulated area.” Nevertheless, the WP29 guidelines on transparency “are intended to enable controllers to understand, at a high level, WP29’s interpretation of what the transparency obligations entail in practice and to indicate the approach which WP29 considers controllers should take to being transparent while embedding fairness and accountability into their transparency measures.”
Another important and related point that is not lost on the WP29 is the “inherent tension in the GDPR between the requirements on the one hand to provide the comprehensive information to data subjects which is required under the GDPR, and on the other hand do so in a form that is concise, transparent, intelligible and easily accessible.” In response to this tension, WP29 advises data controllers to “undertake their own analysis of the nature, circumstances, scope and context of the processing of personal data which they carry out and decide … how to prioritise information which must be provided to data subjects and what are the appropriate levels of detail and methods for conveying the information.”
On informing data subjects about changes made to transparency-related information
The revised guidelines place an added emphasis on making data subjects aware of any changes that are made to the information they are provided as a result of the GDPR coming into effect. The revised guidelines now state explicitly that, “Where changes or additions are made to such information [provided to data subjects to fulfill transparency obligations], controllers should make it clear to data subjects that these changes have been effected in order to comply with the GDPR.” Controllers should, “at a minimum,” make this information available on their websites, but, “if the changes or additions are material or substantive, then … such changes should be actively brought to the attention of the data subject.”
On information being “intelligible”
The revisions also appear to simplify the WP29’s expectations around information being “intelligible,” or “understood by an average member of the intended audience.” Whereas the original guidelines stated that “the controller needs to first identify the intended audience and ascertain the average member’s level of understanding,” this sentence has been removed from the revised version. In its place, the intelligibility requirement is linked to the use of clear and plain language and accountability: “An accountable data controller will have knowledge about the people they collect information about and it can use this knowledge to determine what that audience would likely understand.” This would entail, for example, assuming that working professionals have a higher understanding than children.
Moreover, the original version stated that “the controller should also regularly check whether the information/communication is still tailored to the actual audience.” However, in the updated version, this sentence also has been removed. In its place, the guidelines now read: “If controllers are uncertain about the level of intelligibility and transparency of the information and effectiveness of user interfaces/notices/policies etc., they can test these” using various mechanisms, which include not only user panels and readability testing, but also “formal and informal interactions and dialogue with industry groups, consumer advocacy groups and regulatory bodies.”
On the use of “clear and plain language”
While the original version provided examples of bad practice concerning the requirement to use “clear and plain language,” the revised guidelines add several good practice examples as well. These good practice examples spell out, for instance, what types of data will be processed, the type of analysis the controller will undertake, what personalization will entail, and how interests attributed to the data subject will be identified.
On providing information to children and other vulnerable people
The WP29 has also expanded upon its guidelines around providing information to children. It makes clear that “children do not lose their rights as data subjects to transparency simply because consent has been given/authorized by the holder of parental responsibility” in relation to Article 8 of the GDPR. In other words, even when consent for a child has been given, “a child (like any other data subject) has an ongoing right to transparency throughout the continuum of their engagement with a data controller.”
Moreover, the guidelines make it clear that transparency obligations must be directed at the child, not the holder of parental responsibility giving consent for the child, except in cases where the child is “very young or pre-literate.” Thus, data controllers generally have an obligation to make sure that “any information and communication should be conveyed in clear and plain language or in a medium that children can easily understand.”
On providing information “in writing or by other means”
Regarding this requirement, the revised guidelines specify that “the entirety of the information addressed to data subjects should also be available to them in one single place or one complete document (whether in a digital or paper format) which can be easily accessed by a data subject should they wish to consult the entirety of the information addressed to them.”
Related to this, WP29 also recommends that “controllers facilitate data subjects to have continuing easy access to the information to re-acquaint themselves with the scope of the data processing.”
On changes to Article 13 and Article 14 information
The revised guidelines make an important change to recommendations on “appropriate measures” regarding information provided to the data subject pursuant to Articles 13 and 14. These obligations apply throughout the life cycle of processing, not only when personal data is initially collected. Thus, for example, when a data controller changes the contents of an existing privacy statement or notice, it must communicate these changes to data subjects as it would if it were communicating the initial privacy statement/notice to them.
But what types of changes rise to the level of “substantive or material” and must be communicated to data subjects? WP29 states that the relevant factors to consider would be the impact on data subjects, including their ability to exercise their rights, as well as “how unexpected/surprising the change would be” to them. For example, changes that are made to the processing purpose, the identity of the controller, or how data subjects can exercise their rights “should always be communicated to the data subject.” However, corrections of misspellings or stylistic/grammatical flaws would not be considered by WP29 to rise to the level of a substantive or material change.
On layered privacy statements/notices
Regarding what information should be provided in the first modality used to inform data subjects in a layered approach to privacy statements/notices (that is, the content of the first layer), WP29 specifies that the first layer “should include the details of the purposes of processing, the identity of [the] controller and a description of the data subject’s right,” all of which, per Recital 39, “should be directly brought to the attention of a data subject at the time of collection of personal data.” WP29 also takes the position that, in addition to this information, “the first layer/modality should also contain information on the processing which has the most impact on the data subject and processing which could surprise them.”
The WP29’s guidelines regarding layered privacy statements/notices are not only applicable in digital environments. Transparency information may also be provided via a layered approach in an offline/non-digital context, for example as a combination of information provided by telephone and email. Whatever the format, the first “layer,” or “the primary way in which the controller first engages with the data subject,” should convey “the details of the purposes of the processing, the identity of [the] controller and the existence of the rights of the data subjects, together with information on the greatest impact of processing or processing which could surprise the data subject.”