On 12 December 2017, the Article 29 Working Party (WP29) published its draft guidelines on transparency under the GDPR. As with the draft guidance on consent, published on the same day, WP29 invites comments to be submitted by 23 January 2018.
The guidelines are split into the following sections:
- The meaning of transparency
- Elements of transparency under the GDPR
- Information to be provided to the data subject (Article 13 & 14)
- Information related to further processing
- Visualisation tools
- Exercise of data subjects’ rights
- Exceptions to the obligation to provide information
- Restrictions on data subject rights under Article 23
- Transparency breach obligations
The guidelines broach the subject of information fatigue. The message is that the onus is on controllers to present information to data subjects and communicate efficiently and succinctly in order to avoid this issue. Privacy information should be clearly differentiated from non-privacy information. In an online context this means that data subjects should not find themselves in a position where they have to scroll through large amounts of text in order to try to search for a particular issue. The guidelines state that the use of a layered privacy notice/statement is recommended by WP29 as it is a way of enabling the data subject to navigate to particular sections and avoid an information overload.
The guidelines reference apps when covering how information must be ‘easily accessible’. An example provided is that once an app is installed, the data privacy information must never be more than “two taps away”. For many apps this will involve adding a ‘privacy/data protection’ option under the menu function.
WP29 also provides some examples of phrases that would not be considered “clear and plain language”. These examples are as follows:
- “We may use your personal data to develop new services” – it is unclear what these services are or how the data will be used to develop them;
- “We may use your personal data for research purposes” – it is unclear what type of research this refers to; and
- “We may use your personal data to offer personalised services” – it is unclear what the personalisation entails.
The guidelines state that qualifiers such as “may”, “might” and “possible” should be avoided, and that writing should be in the active rather than the passive form.
The guidelines include a Schedule which summarises the categories of information that must be provided under Articles 13 and 14. WP29 states that, for clarification purposes, all information in the sub-articles of Articles 13 and 14 is viewed as being of equal importance and must be provided to the data subject.
In relation to the use of icons (the use of which is provided for under Article 12(7)), the guidelines state that their effective use is dependent upon their standardisation. In this respect, WP29 states that an evidence-based approach must be taken and extensive research conducted with industry and the wider public in the development of a code of icons.
Our Data Protection & Cybersecurity team and our EU Public Policy experts are carefully monitoring developments and will be looking at these guidelines in further depth. Watch this space for further information.