The WP29 Draft Guidelines on Transparency in Review

The WP29 released last week its new draft guidelines on transparency (the same day its draft guidelines on consent also came out). These guidelines highlight the key role that transparency plays under the GDPR in fostering trust and accountability, by enabling individuals to both understand how their personal data is processed and hold organisations accountable for it.

The draft guidelines address all main aspects of the transparency obligation, including how to understand terms such as “easily accessible” information or “clear and plain language;” the timing and modalities under which the information should be communicated; how visualisation tools can help achieve transparency; and the scope of the exceptions to the transparency obligation. The draft guidelines also contain practical examples of good and poor practices.

The draft guidelines also come with a schedule that lists all categories of information that must be provided to individuals under Articles 13 and 14 of the GDPR.

The main aspects of these draft guidelines are summarised below.

Communicating the Required Information

Articles 13 and 14 of the GDPR list the information items that organisations must provide to individuals. In both articles, the list is, however, spread across two separate paragraphs, which has led some organisations to wonder whether different weight should be given to each of them. The WP29 now confirms that, despite this difference of structure, all information listed in these articles, whether in paragraph one or two, are of equal importance and must be provided to individuals.

The WP29 also provides some guidance in its schedule on how to interpret each information item. For instance, the schedule provides that organisations should not only disclose the legitimate interest on which the processing is based (where applicable,) but also, as a best practice, information on the balancing exercise carried out to ensure that the legitimate interest is not overridden by the fundamental rights of the individuals.

The schedule also provides that organisations should, by default, individually name each recipient of the data. If an organisation chooses to communicate only categories of recipients instead, it should demonstrate why it considers this approach fair and provide detailed information about each category (e.g. the type of recipient by reference to its activities, its industry, sector, sub-sector, and location.)

In addition to the information required under articles 13 and 14 GDPR, the WP29 also recommends informing individuals of the most important consequences (e.g. effects and/or impacts) of the processing for them. The draft guidelines however lack further guidance on what this means in practice.

Using a Clear and Plain Language

The WP29 also insists on the need to use clear and plain language when drafting privacy notices, and to avoid legal or technical jargon. It notably recommends using concrete and definite language and discourages the use of terms such as “may,” “might,” “some,” “possible,” etc.

The WP29 gives concrete examples of wordings that do not satisfy the new clarity and intelligibility standard. This includes wordings such as:

The WP29 indeed considers that none of these purposes is spelled out in a sufficiently clear way.

A lot of the privacy notices that exist today use a wording similar to those ones. In practice, this means that all these privacy notices will now have to be revised to remove any such kind of general purpose descriptions, and organisations will have to replace them by a detailed description of each processing purpose.

Translating the Privacy Notice in Other Languages

The draft guidelines also state that organisations that target individuals speaking other languages need to offer a translation of their privacy notice in those other languages.

The WP29 does not distinguish between consumer data subjects and those acting in a business capacity. Organisations that interact with data subjects in a B-to-B relationship in a given business language (often English) may legitimately wonder whether this statement now prevents them from providing a privacy notice in the same business language, regardless of the individuals’ native language. The WP29 did not elaborate on this issue.

Selecting the Right Communication Modality

The draft guidelines also contain practical recommendations on the manner and format in which organisations should provide the required information to individuals. In deciding on the most appropriate way to convey the information, organisations should consider all the circumstances of the data processing at stake. The WP29 gives some practical examples.

Digital Context – Layered Notices: In the digital context, the WP29 recommends using layered notices. However, it warns organisations to use “true” layered notices, e.g. the first layer must already contain key information about the processing activity. Simply offering a notice with nested pages is not a layered notice.

Digital Context – Pull and Push Notices: Organisations may also consider using just-in-time notices, e.g. contextual pop-ups providing information relevant to the specific element being reviewed, or privacy dashboards, that offer individuals a unique point of access to view and manage their privacy preferences.

Telephone Environment: Information could be provided orally by a real person, or through a pre-recorded message. This pre-recorded message should however offer options to hear more detailed information and individuals should be able to re-listen to the message.

Paper Environment: Information could be provided through any form of hard copy documentation.

Person-to-Person Environment: Organisations could either distribute a hard copy of the privacy notice or give the required information orally.

Screenless IoT Devices: Organisations should consider inserting a privacy notice as part of the hard copy instruction manual, or displaying the URL address or a QR code in a visible manner, e.g., on the packaging, that directs individuals to the online privacy notice. In addition, organisations should consider using complementary means of information, such as a voice alert on the device, icons, etc. as a supplement, but not a substitute, to the privacy notice.

Apps: According to the WP29, a privacy notice needs to be no more than “2 clicks away” from the app users. This means, in practice, making sure that the privacy information and/or settings is immediately available in the functionality menu.

Relying on Visualisation Tools

Since the adoption of the GDPR, organisations have been considering using icons as a possible means to simplify the information process. The WP29 confirms in these draft guidelines that icons could be used to inform individuals, but only as a complement to the privacy notice. Icons should not be used as a substitute to it.

The WP29 also emphasises on the fact that, to be effective, icons need to be standardised and understood the same manner across the whole EU. According to the GDPR, it is up to the EU Commission to develop these standardised icons, but the WP29 states that the EDPB will likely issue its own opinion on the matter as well.

User Panels for Testing Intelligibility of the Privacy Notice

The WP29 also attempts to resolve the difficult task for organisations of having to both devise privacy notices that are understandable by individuals, and be able to demonstrate that the notices are indeed understandable.

According to the WP29, organisations should assess the intelligibility of their privacy notices from the perspective of the average member of their audience, which, of course, requires the organisation to have identified and understood its audience.

In practice, the WP29 recommends creating user panels composed of various members of the targeted audience and testing with them different privacy information wordings, formats, and communication modalities to assess which ones are the most appropriate for the audience. It also recommends documenting this whole process for accountability purposes.

Conclusion

These draft guidelines confirm that the development of a privacy notice will become much more cumbersome under the GDPR. If they not have done so yet, organisations need to carefully review each of their privacy notices ahead of 25 May 2018. When doing so, organisations should keep in mind that they not only need to add paragraphs to their privacy notices to cover the additional categories of information now contained in Articles 13 and 14 GDPR. They must also reassess their communication process as a whole to ensure that their privacy notice is made available to individuals in a language, format, and modality that also complies with the GDPR.

The draft guidelines are open for consultation until 23 January 2018.

How OneTrust Helps

OneTrust helps organisations to easily automate and document their obligations under the GDPR. Our data mapping and PIA & DPIA automation tools include tailored questions that help organisations document the information about their processing, such as the source of personal data and whether individuals are provided with appropriate information. They also allow organisations to attach relevant documentation, such as a privacy notice, to the questionnaires to demonstrate compliance with their obligations.