The Article 29 Working Party (WP29) adopted, on 11 April 2018, finalized guidelines on transparency (the Guidelines) under the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), following its public consultation.
Technology Law Dispatch looked at the draft guidance on transparency earlier this year, so this blog focuses on the key issues and what is new in the final guidelines.
Information being “intelligible”
The updated guidelines link the requirement for information to be intelligible, using clear and plain language, with the principle of accountability. The guidelines now state that an “accountable data controller will have knowledge about the people they collect information about and it can use this knowledge to determine what that audience would likely understand.” This includes, for example, assuming that working professionals have a higher understanding of certain issues than children or non-specialists. In other words, the data controller is expected to customize its notices and information as appropriate to the applicable audience. The final guidelines also suggest mechanisms by which controllers can test their interfaces, notices and policies for intelligibility and transparency, including the use of industry groups, consumer advocacy groups, readability tests and regulatory bodies.
Informing data subjects about changes to transparency-related information
The guidelines highlight the necessity of making data subjects aware of changes that have been made to information notices they are provided, brought about by the GDPR coming into effect. Controllers should, at a minimum, make the information available on their websites, but should also actively notify data subjects where the changes are material or substantive.
Information should be available to data subjects in one single place or complete document (digital or paper format). This should be easily and continuously accessible, rather than temporarily provided for a one-time review.
Providing information to children
The guidelines are clear that children do not lose their rights as data subjects to transparency just because consent has been authorized by a responsible parent. Their rights are ongoing, “through the continuum of their engagement with a data controller.” Transparency obligations must be directed to the child, unless they are very young or preliterate. Therefore, controllers should make sure that communications are conveyed clearly and simply, in a medium children can easily understand.
Clear and plain language
The final guidelines provide examples of good practices to adopt, as well as bad practices to avoid. An important requirement of transparency is to employ straightforward language that a data subject easily understands. The guideline examples are clear on what types of data will be processed, the type of analysis the controller undertakes, what personalization entails and how interests attributed to a data subject are identified.
Changes to Articles 13 and 14 information
The final guidelines amend the recommendations on “appropriate measures” regarding information provided to data subjects pursuant to GDPR Articles 13 and 14. Whether a change falls within the “substantive or material” category (and therefore needs to be communicated to data subjects) depends on factors such as the impact on data subjects, their ability to exercise their rights and how unexpected the change would be.
Layered privacy statements and notices
The first layer of privacy notices “should include the details of the purposes of processing, the identity of [the] controller and a description of the data subject’s right,” all of which “should be directly brought to the attention of a data subject at the time of collection of personal data.” It should also detail the processing that has the most impact on the data subject and which could surprise them. This approach should also be taken in the non-digital context. The guidelines also recommend considering privacy reminders.
WP29 recognizes the tension in the GDPR between the requirements to, on the one hand, provide comprehensive information to data subjects, and on the other hand, to do so in a concise, transparent, intelligible and easily accessible manner. In response to this, WP29 advises controllers to undertake their own analysis of the nature, circumstances, scope and context of personal data processing they carry out, and decide, based on GDPR requirements and guidelines, how to prioritize information provided to data subjects and the appropriate levels of detail.