By Mark Young, Joseph Jones and Ruth Scoles Mitchell
The Article 29 Working Party (WP29) has published long-awaited draft guidance on transparency and consent. We are continuing to analyze the lengthy guidance documents, but wanted to highlight some immediate reactions and aspects of the guidance that we think will be of interest to clients and other readers of InsidePrivacy. The draft guidance is open for consultation until 23 January 2018.
Updating existing notices. The guidance is clear that if processing already is underway, “a data controller should ensure that it is compliant with its transparency obligations as of 25 May 2018.” In other words, notices need to be updated to include all of the information set out in Articles 13 and 14.
Content of notices. A schedule in the guidance sets out all of the required information (under Articles 13 and 14) and WP29’s corresponding comments, such as: notices preferably should include different means to communicate with the controller; notices should specify the “relevant” legal bases; and categories of recipients should be as specific as possible (and the default should be to “provide information on the actual (named) recipients”).
Clear language. The guidance emphasizes the need to use clear language, and states that expressions such as the following are not sufficiently clear: “‘We may use your personal data to develop new services’ (as it is unclear what the services are or how the data will help develop them); ‘We may use your personal data for research purposes’ (as it is unclear what kind of research this refers to); and ‘We may use your personal data to offer personalised services’ (as it is unclear what the personalisation entails).”
Website notices. The guidance includes some specific pointers on providing notice on websites and in other online contexts, and making sure that notices are easily accessible. In relation to websites, for example, it states, “Positioning or colour schemes that make a text or link less noticeable, or hard to find on a webpage, are not considered easily accessible.”
App notices. The guidance acknowledges that it can be difficult to provide notice but that users should not have to go searching for it. In the app context, it states that, “once the app is installed, the information should never be more than ‘two taps away’. Generally speaking, this means that the menu functionality often used in apps should always include a ‘Privacy’/ ‘Data Protection’ option.”
Notices to children. Language should be tailored to the audience. When processing children’s data, the language should be age-appropriate. The guidance notes that, “A useful example of child-centred language used as an alternative to the original legal language can be found in the ‘UN Convention on the Rights of the Child in Child Friendly Language’.”
Means of providing notice. Providing information in writing is the default method, and the guidance refers to various options, including layered privacy statements/ notices, “just-in-time” contextual pop-up notices, 3D touch or hover-over notices, and privacy dashboards. Additional “means” include “videos and smartphone or IoT voice alerts . . . , cartoons, infographics or flowcharts” (see WP29 Opinion 8/2014 on Recent Developments in the Internet of Things). The guidance goes on to set out recommendations for each of these methods of providing information, including for providing notice orally and in-person.
Icons. The guidance clarifies that icons should not replace all of the information required under Articles 13 and 14, but should be used in combination with such information (citing Article 12(7)). The draft guidance recognizes that “the development of a code of icons should be centred upon an evidence-based approach and in advance of any such standardisation it will be necessary for extensive research to be conducted in conjunction with industry and the wider public as to the efficacy of icons in this context.”
Free services and notice. Where free services are being provided, “information must be provided prior to, rather than after, sign-up given that Article 13(1) requires the provision of the information ‘at the time when the personal data are obtained’.” The guidance also states, “information provided under the transparency requirements cannot be made conditional upon financial transactions, for example the payment for, or purchase of, services or goods.”
Changing notices. Going forward, “a notification of changes should always be communicated by way of an appropriate modality (e.g., email/ hard copy letter etc.) specifically devoted to those changes (e.g., not together with direct marketing content).” Further, “References in the privacy statement / notice to the effect that the data subject should regularly check the privacy statement /notice for changes or updates are considered not only insufficient but also unfair in the context of Article 5.1(a).” Although the GDPR is silent on timing requireme..