Privacy information notice: how it gets more and more complicated
How can a GDPR compliant privacy information notice provide all the information required and at the same time meet the applicable transparency requirements?
The Article 29 Working Party (WP29) issued its draft guidelines on transparency, which require data controllers to solve a complex puzzle: a large amount of information must be communicated to individuals through the privacy information notice, and it must be done in a manner that is
“concise, transparent, intelligible and easily accessible” and “clear and in plain language”.
My personal experience is that the drafting of a privacy information notice was a commodity under EU Directive 95/46, but has now become a very time-consuming, difficult and long process under the General Data Protection Regulation, especially when it comes to the processing of customers’ personal data and the data controller
- needs to rely on automated decision-making technologies, for instance to assess the level of risk in the insurance and finance sectors;
- plans to invest in machine learning or artificial intelligence in order to automate activities that are handled manually at the moment; or
- just wants to have more flexibility in the performance of direct marketing activities, including profiling, and wants to assess for instance the possibility of relying on legitimate interest for this purpose.
Below are my top takeaways from the WP29 guidelines on transparency and my position on how the required goal can be achieved in a privacy information notice:
A concise privacy information notice cannot be “short”
The WP29 states that
“The requirement that the provision of information to, and communication with, data subjects is done in a “concise and transparent” manner means that data controllers should present the information/communication efficiently and succinctly in order to avoid information fatigue”.
The above concept is repeated over and over throughout the WP29 guidelines on transparency, which however also contain a long list of contents to be included in the privacy information notice, referring to concepts that are difficult to convey in plain and clear language.
My personal view is that the key to achieving the above is to work on the format in which the privacy information notice is provided. And indeed, the WP29 itself makes reference to a “layered” privacy information notice, which might be structured as a kind of FAQ, very short and in very plain language, with links to the sections of the (quite long) privacy information notice where each matter is addressed in detail.
You need to thoroughly monitor the categories of recipients of personal data
The WP29 requires that
“data controller should provide information on the actual (named) recipients of the personal data. Where a data controller opts only to provide the categories of recipients, the data controller must be able to demonstrate why it is fair for it to take this approach.”
It is likely that no one will list the actual recipients of personal data and that controllers will just refer to the categories of recipients, but even in this case the Article 29 Working Party requires that “the information on the categories of recipients should be as specific as possible by indicating the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients”.
The solution to the above cannot be to just identify very broad categories and state that personal data “might” be communicated to them since, according to the WP29, this would impact on transparency requirements. Therefore, during the data mapping exercise, categories of recipients should be identified in detail and such information should be transposed into the privacy information notice.
You cannot quickly change a privacy information notice
A frequent practice was to refer to a website in order to review the most updated version of the privacy information notice. However, this practice is not considered sufficient by the WP29 which requires that if a change to the privacy information notice is
“indicative of a fundamental change to the nature of the processing (e.g. enlargement of the categories of recipients or introduction of transfers to a third country) or a change which may not be fundamental in terms of the processing operation but which may be relevant to and impact upon the data subject, then that information should be provided to the data subject well in advance of the change actually taking effect and the method used to bring the changes to the data subject’s attention should be explicit and effective”.
The above is relevant especially during the transitional phase prior to the effective date of the GDPR, which will require updating all privacy information notices. And my view is that the notification of changes to a privacy information notice should be treated in the same way as banks and financial institutions handle updates to their Ts&Cs, by sending a notification of the changes via email.
Also, it should be considered that under the WP29 guidelines it should be possible to link the privacy consents obtained to the relevant version of the privacy information notice and consent form.
Do exceptions to the obligation to provide a privacy information notice become more limited?
The position of the WP29 is that the exception to the obligation to provide a privacy information notice in cases where it would involve “a disproportionate effort”, with the option of making “the information publicly available”, applies only when personal data is not obtained from the relevant data subjects, given that it is referenced in Article 14 of the GDPR.
This interpretation is not in line with Recital 62 of the GDPR, which does not provide for such a limitation, and hopefully the WP29 will review its position in the final version of the guidelines. Indeed, this provision might be a very useful tool to provide, for instance, a GDPR-compliant privacy information notice to former customers and employees whose personal data is stored just for compliance purposes. And, given the wording of Recital 62, I would not totally rule out the possibility of relying on such an option.
What is your view on the above? What are other aspects to be considered?
Happy to discuss, and you may also find interesting my series of blog posts on the most relevant issues addressed by the GDPR.
WRITTEN BY GIULIO CORAGGIO
IT, gaming, privacy and commercial lawyer at the leading law firm DLA Piper. You can contact me via email at email@example.com or firstname.lastname@example.org or via phone at +39 334 688 1147.