GDPR - Transparency update
As we edge closer to GDPR-Day further guidance is being issued by the Article 29 Working Party (“WP29”), with a recent one on transparency (“the Guidance”). Their original guidance on this was adopted on 29 November 2017; this document was open to consultation until 23 January 2018. We, along with many others, provided responses to the request for consultation. Despite the consultation the Guidance has not been substantially changed; this notwithstanding, the Information Commissioners Office (“the ICO”) seems, now, to be interpreting GDPR independently and providing solutions to GDPR problems, a change from its previous approach.
What does the WP29 Guidance Tell Us?
It drills down into the detail required in Article 13 and 14 Notices (“the Notices”). Article 13 Notices need to be provided to the data subject where personal data is collected from the data subject and Article 14 Notices where the personal data is not obtained from the data subject. The detail can be found in Articles 13 and 14, Paragraphs 1(a-f) and Article 13 Paragraphs 2(a-f) and Article 14 Paragraphs 2(a-g). These include, for example, information on the identity and contact details of the controller, the purposes of the processing and the period for which the personal data will be stored.
The Guidance further emphasises the very limited circumstances where a controller would be exempt from providing these Notices. The only exemption applicable to the requirement to provide Article 13 Notices is where the data subject “already has the information” that would be provided in the Notice. The article 14 Notice exemptions extend this exemption, allowing controllers to be exempt where “the provision of such information proves impossible or would involve disproportionate effort, in particular for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.” The Guidance does however provide examples of when exemptions could apply that possibly may be extended and applied in practice.
It also makes a very strong suggestion that the Notices could be “provided” by an online privacy statement and that layering the Notice, so that readers need only read that which is relevant to them, would help towards being compliant with the GDPR Notice provisions. Layering should be used to make the statements easily accessible to any reader; this could be by adding a contents page or links within a basic Notice to other more detailed sections.
The Guidance starts by answering the question asked by many people: “Do I need to provide Notices to customers/clients that were customers/clients prior to GDPR-Day, including those that are not currently active clients?” According to the Guidance and Recital 171 GDPR, you do, unless you have already provided a statement/Notice that would be considered GDPR compliant; unlikely of course. The Guidance suggests that controllers should review their current privacy statements/notices, make the necessary changes for them to be GDPR compliant and then inform the data subject of these changes. The minimum a controller must do to inform a data subject is to make the changes publically available on their website. Organisations only need to inform the data subject of material or substantive changes, the only changes however that do not need actively to be brought to the attention of the data subject are, for example, correction of spelling or grammatical errors.
Further detail is provided as to what constitutes a compliant online Notice, stating that it must be easily accessible with a link, provided on every page of the website, and it cannot be obscured by position or colouring, so no longer will you be able to have the link to a privacy statement at the bottom of the page in tiny font and in a colour slightly lighter than the page itself. The Guidance makes it clear that it is good practice to have the Notices online enabling ‘future users’ (customers/clients) to view the Notice before contacting the organisation or buying the product. This contradicts the Notices content requirements, for example the period for which the personal data will be stored. In many circumstances it would be impossible for a controller to provide sufficiently specific information without there being any interaction between the controller and the data subject. Until now we have believed that Notices need to be specific to the data subject, the latest Guidance suggests however that a broader Notice relevant to multiple data subjects is acceptable.
The Guidance provides detail on Notices for children. For this to be understandable some background information is required. Consider consent: the age a child can legally give consent to processing (where needed), as stated in the draft Data Protection Bill, is thirteen years old. Any younger and parental/guardian consent on the child’s behalf would be required. Now consider the Notices: who are they to be directed to, the parent or the child? The Guidance states that a child that is literate and could understand what is being said to them should be provided with the Notices. Children under the age of thirteen should thus be provided with Notices regarding processing to which they are not legally allowed to consent. The Guidance further states that such Notices should be provided in a format a child would understand such as in a comic or cartoon. We think that the requirement of providing a Notice as a comic or cartoon depends on the complexity of the processing being undertaken. A child signing up to a social media website will not be aware of the complex processing of their data. Explaining such processing in writing would be confusing to a child and the Notice would not serve its purpose, in these circumstances the use of a comic or cartoon could be very effective. If the processing of their data is very simple, for example holding data regarding food allergies, it would be acceptable to provide a Notice in written form, i.e. not a comic or cartoon.
There are many different formats that could be used to provide Notices; GDPR does not specify what should be used. As with the rest of GDPR however, the way you do provide Notices and the process undertaken to decide which way to provide such Notices should be documented.
Interestingly the Guidance also extends what should be included in the Notices, adding details of the arrangements between joint controllers and information on data protection impact assessments, by virtue of Article 26.2 and Recital 39 GDPR.
As, already highlighted, the circumstances in which an Article 13 or 14 exemption might apply are rare. The Guidance did provide a useful example of what would constitute a disproportionate effort for sending an Article 14 Notice: when a hospital has patients attending the hospital throughout the day, each providing next of kin details, it would require disproportionate effort to expect the hospital to provide Article 14 Notices to each of the next of kin during the day. Next of kin details are given in various circumstances, for example an employee gives their employer details of their next of kin, usually their name, relationship to the employee and their telephone number. Many employers would argue that to provide Article 14 Notices to all next of kin requires a disproportionate effort. We are inclined to agree with this view; it is however the fact that the hospital has hundreds of different people a day providing different next of kin details that allows the hospital to rely on the exemption. It is not the fact that the controller has very limited data on the data subject, the data held is enough to make contact with the data subject, and thus a Notice should be provided. It is, however, much harder to provide such Notices when the only contact detail is a telephone number. Presumably the only way to send a Notice to a telephone would be to send the link allowing the data subject to access the Notice online, but not all phones have the ability to access the internet, not all people do. At which point it seems impossible to provide the Notice. In these circumstances it is our opinion that if you do decide to not send the Notice on the grounds of impossibility or the requirement of disproportionate effort you must document your decision and your reasoning behind it.
In our previous article, ‘Demystifying Transparency – What Do the GDPR, Articles 13 and 14 GDPR Really Mean?’ we provided a example, which if GDPR is read literally, ultimately led to a plethora of Notices being sent between businesses (“B2B”) engaged in ordinary day to day communications. In our response to the request for consultation on the transparency guidelines we raised this example. The Guidance does not consider the ridiculous outcome of Notices being sent back and forth and clearly states that Notices should be provided, unless an exemption applies, if the data is obtained from the data subject, at the time the data is collected, and for data collected from someone other than the data subject such data subject should be provided with a Notice no later than one month after collecting the data. It has been suggested that a link included in the email footer will be sufficient to provide such Notice. This would be an automatic addition to every email and removes the requirement to actively send it to data subjects whose data is being processed.
What approach are the ICO taking?
Approximately a month ago we spoke with an ICO Officer and the above example of an almost never ending loop of Notices being sent was raised, as well as the question of whether or not it would be necessary to send Notices to pre-existing customer/clients/contacts. At the time the ICO Officer was adamant that the Notices would need to be provided, even B2B, notwithstanding the fact that it lead to a ludicrous outcome. They were however planning on not requiring Notices to be sent to pre-existing customers/clients/contacts. In light of the Guidance the ICO have decided to change their view and advise that Notices should be sent to all data subjects, whether their data was held prior to GDPR-Day or not.
After trawling through the Guidance we phoned the ICO and asked the exact same questions, specifically we gave an example where a company being required to send Notices to its pre-existing customers/clients/contacts would need to send thousands of individually written emails, and suggested that this would require disproportionate effort. The ICO Officer stated that whilst she agreed that it would take time, it would in fact be necessary to send such Notices. It is our opinion that it will be impossible for most small business to be compliant with this ICO guidance as they would need to employ extra people just for the purpose of providing Notices. It would not be commercially viable or practical and the requirement could be viewed as disproportionate.
We then provided the other example, the plethora of Notices being sent B2B, where we were immediately informed that this would not be the case due to the fact that despite employee emails containing personal data they were ’corporate subscribers’. The ICO define a corporate subscriber as “a corporate body with separate legal status including companies, limited liability partnerships, Scottish partnerships, and some government bodies”. The ICO Officer, on the phone, extended this definition to include a work email address containing personal data i.e. firstname.lastname@example.org (“an identifiable business address”) and therefore it was not necessary to provide Notices on every communication to different contacts at an organisation. The ICO Officer stated that it was more than acceptable to have a simple very broad Notice on the business website, and due to the fact that all businesses have such Notices (currently privacy policies) it would not even be necessary to send specific emails providing the link to the online Notice, as all businesses would “know” where to find it.
A broad Notice contradicts the requirements of Article 13 and 14 GDPR as it is impossible to have a ‘one Notice fits all’ that is specific to each data subject. We asked the Officer how an organisation could have a broad Notice and be GDPR compliant, and the Officer stated that it was fine to state that the “processing was being undertaken for business purposes”. She stated that the requirements set out in Articles 13 and 14 were more applicable to ‘individual subscribers’ defined by the ICO as “individual customers (including sole traders) and other organisations (e.g. other types of partnership)”
The ICO guidelines on transparency are very helpful in comparison to some of their other guidance on GDPR; a more sensible approach is being applied the nearer we get to GDPR-Day. In our opinion we think it is necessary to send Notices to all current customers/clients/contacts that are consumers and considered ‘active’. That is those that are contacted on a regular basis, those that have recently been involved in business transactions, are sent newsletters, or have recently purchased goods or services. We do not think that Notices should be sent to those customers that are not considered ‘active’, for example customers that purchased goods or services some time ago and will not be contacted again, as the requirement to do so is a disproportionate outcome of GDPR and cannot be what was intended. There are businesses that have, for example, a statutory obligation to continue storing (processing) personal data or maintain a customer record; it could require disproportionate effort to expect Notices to be sent to all those past clients. If businesses conclude that the sending of Notices to all ‘active’ and ‘non-active’ consumers is necessary businesses may end up reviewing their processing activities, particularly where data is automatically stored. This could mean businesses start to consider whether or not it is even necessary to continue processing (storing) such ‘non-active’ data.
Whilst the ICO state that Notices should be sent to all data subjects whose data is being processed, it is possible that the ICO have not fully considered the financial impact, specifically on smaller organisations, of having to send such Notices.
The ICO guidance on Notices and B2B communications has been long awaited, and is gratefully received: businesses can now provide broader Notices and their inboxes will not be filled with them on a daily basis. Businesses that deal with consumers however must adhere to the requirements of Article 13 and 14 GDPR and provide Notices with far more detail. It will not be necessary to email the Notice but the data subject must be made aware, in a very clear manner, of where they can find the Notice.
We hope over the next few weeks that the ICO website will be updated in accordance with the most recent telephone guidance provided to us today and that the definition of ‘corporate subscriber’ will be amended to include an identifiable business address. Maybe the ICO will continue with this more pragmatic and achievable approach to GDPR across the board, allowing businesses that are trying hard to be compliant to have a chance of managing to do so.
Gemma Briance and Geoffrey Sturgess
Warner Goodman LLP
8 College Place
This is for information purposes only and is no substitute for, and should not be interpreted as, legal advice.