Privacy & Information Security Law Blog

On January 29, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP submitted formal comments to the Article 29 Working Party (the “Working Party”) on its Guidelines on Transparency (the “Guidelines”). The Guidelines were adopted by the Working Party on November 28, 2017, for public consultation.

CIPL acknowledges and appreciates the Working Party’s emphasis on user-centric transparency and the use of layered notices to achieve full disclosure, along with its statements on the use of visualization tools and the importance of avoiding overly technical or legalistic language in providing transparency. However, CIPL also identified several areas in the Guidelines that would benefit from further clarification or adjustment.

In its comments to the Guidelines, CIPL recommends several changes or clarifications the Working Party should incorporate in its final guidelines relating to elements of transparency under the EU GDPR, information to be provided to the data subject, information related to further processing, exertion of data subjects’ rights, and exceptions to the obligation to provide information.

Some key recommendations include:

• Clear and Concise yet Comprehensive Disclosure: The Guidelines should more clearly acknowledge the tension between asking for clear and concise notices and including all of the information required by the GDPR and recommended by the Working Party. CIPL believes Articles 13 and 14 of the GDPR already require sufficient information, and the risk-based approach gives organizations the opportunity to prioritize which information should be provided.
• Consequences of Processing: The Working Party should amend their “best practice” recommendation that controllers “spell out” what the most important consequences of the processing will be. The Working Party should clarify that in providing information beyond what is required under the GDPR, controllers must be able to exercise their judgement on whether and how to provide such information.
• Use of Certain Qualifiers: CIPL recommends removing the Working Party's statement that qualifiers such as “may,” “might,” “some,” “often” and “possible” be avoided in privacy statements. Sometimes these terms are more appropriate than others. For instance, saying certain processing “will occur” is not as accurate as “may occur” when it is not certain whether the processing will in fact occur.
• Proving Identity Orally: The Guidelines state that information may be provided orally to a data subject on request, provided that their identity is proven by other non-oral means. CIPL believes the Working Party should revise this statement, as voice recognition or verbal identity confirming questions and answers are valid mechanisms of proving one’s identity orally.
• Updates to Privacy Notices: The Working Party should remove its suggestion that any changes to an existing privacy statement or notice must be notified to individuals. CIPL believes communications to individuals should be required only for changes having a significant impact.
• Reminder Notices: The Working Party should remove the recommendation that the controller send reminder notices to individuals when processing occurs on an ongoing basis, even when they have already received the information. This is not required by the GDPR and individuals may feel overwhelmed or frustrated by such constant reminders. Individuals should, however, be able to easily pull such information from an accessible location.
• New Purposes of Processing: The Guidelines should amend the statement and example suggesting that in addition to providing individuals new information in connection with a new purpose of processing, the controller, as a matter of best practice, should re-provide the individual with all of the information under the notice requirement received previously. CIPL believes this could potentially distract individuals from focusing on any new key information which could undermine transparency, and it should be up to the data controller to determine whether the re-provision of information would be useful.
• Active Steps: The Working Party should clarify its statement that individuals should not have to take “active steps” to obtain information covered by Articles 13 and 14 of the GDPR, to the effect that clicking links to access notices would not constitute taking an “active step.”
• Compatibility Analyses: The Working Party states that in connection with processing for compatibility purposes, organizations should provide individuals with “further information on the compatibility analysis carried out under Article 6(4).” CIPL believes such a requirement undermines transparency, as the information would provide little benefit to an individual’s understanding of the organization’s data processing, and burden organizations who have to reform, redact, compose and deliver such information.
• Disproportionate Efforts: The Guidelines should acknowledge that the disproportionate efforts clause (Article 14(5)(b)) can be relied upon by controllers for purposes other than archiving in the public interest, scientific or historical research purposes or for statistical purposes (e.g., confirming identity or preventing fraud). The Working Party should also revise its statement that controllers who rely on Article 14(5)(b) should have to carry out a balancing exercise to assess the effort of the controller to provide the information versus the impact on the individual if not provided with the information. The GDPR does not require this and the disproportionality at issue refers to the disproportionality between the effort associated with the provision of such information and the intended data use.

To read the above recommendations in more detail along with all of CIPL’s other recommendations on transparency, view the full paper.

CIPL’s comments were developed based on input by the private sector participants in CIPL’s ongoing GDPR Implementation Project, which includes more than 90 individual private sector organizations. As part of this initiative, CIPL will continue to provide formal input about other GDPR topics the Working Party prioritizes.