On January 29, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP submitted formal comments to the Article 29 Working Party (the “Working Party”) on its Guidelines on Transparency (the “Guidelines”). The Guidelines were adopted by the Working Party on November 28, 2017, for public consultation.
CIPL acknowledges and appreciates the Working Party’s emphasis on user-centric transparency and the use of layered notices to achieve full disclosure, along with its statements on the use of visualization tools and the importance of avoiding overly technical or legalistic language in providing transparency. However, CIPL also identified several areas in the Guidelines that would benefit from further clarification or adjustment.
In its comments to the Guidelines, CIPL recommends several changes or clarifications the Working Party should incorporate in its final guidelines relating to elements of transparency under the EU GDPR, information to be provided to the data subject, information related to further processing, exertion of data subjects’ rights, and exceptions to the obligation to provide information.
Some key recommendations include:
- Clear and Concise yet Comprehensive Disclosure: The Guidelines should more clearly acknowledge the tension between asking for clear and concise notices and including all of the information required by the GDPR and recommended by the Working Party. CIPL believes Articles 13 and 14 of the GDPR already require sufficient information, and the risk-based approach gives organizations the opportunity to prioritize which information should be provided.
- Consequences of Processing: The Working Party should amend their “best practice” recommendation that controllers “spell out” what the most important consequences of the processing will be. The Working Party should clarify that in providing information beyond what is required under the GDPR, controllers must be able to exercise their judgement on whether and how to provide such information.
- Use of Certain Qualifiers: CIPL recommends removing the Working Party's statement that qualifiers such as “may,” “might,” “some,” “often” and “possible” be avoided in privacy statements. Sometimes these terms are more appropriate than others. For instance, saying certain processing “will occur” is not as accurate as “may occur” when it is not certain whether the processing will in fact occur.
- Proving Identity Orally: The Guidelines state that information may be provided orally to a data subject on request, provided that their identity is proven by other non-oral means. CIPL believes the Working Party should revise this statement, as voice recognition or verbal identity confirming questions and answers are valid mechanisms of proving one’s identity orally.
- Updates to Privacy Notices: The Working Party should remove its suggestion that any changes to an existing privacy statement or notice must be notified to individuals. CIPL believes communications to individuals should be required only for changes having a significant impact.
- Reminder Notices: The Working Party should remove the recommendation that the controller send reminder notices to individuals when processing occurs on an ongoing basis, even when they have already received the information. This is not required by the GDPR and individuals may feel overwhelmed or frustrated by such constant reminders. Individuals should, however, be able to easily pull such information from an accessible location.
- New Purposes of Processing: The Guidelines should amend the statement and example suggesting that in addition to providing individuals new information in connection with a new purpose of processing, the controller, as a matter of best practice, should re-provide the individual with all of the information under the notice requirement received previously. CIPL believes this could potentially distract individuals from focusing on any new key information which could undermine transparency, and it should be up to the data controller to determine whether the re-provision of information would be useful.
- Active Steps: The Working Party should clarify its statement that individuals should not have to take “active steps” to obtain information covered by Articles 13 and 14 of the GDPR, to the effect that clicking links to access notices would not constitute taking an “active step.”
- Compatibility Analyses: The Working Party states that in connection with processing for compatibility purposes, organizations should provide individuals with “further information on the compatibility analysis carried out under Article 6(4).” CIPL believes such a requirement undermines transparency, as the information would provide little benefit to an individual’s understanding of the organization’s data processing, and burden organizations who have to reform, redact, compose and deliver such information.
- Disproportionate Efforts: The Guidelines should acknowledge that the disproportionate efforts clause (Article 14(5)(b)) can be relied upon by controllers for purposes other than archiving in the public interest, scientific or historical research purposes or for statistical purposes (e.g., confirming identity or preventing fraud). The Working Party should also revise its statement that controllers who rely on Article 14(5)(b) should have to carry out a balancing exercise to assess the effort of the controller to provide the information versus the impact on the individual if not provided with the information. The GDPR does not require this and the disproportionality at issue refers to the disproportionality between the effort associated with the provision of such information and the intended data use.
To read the above recommendations in more detail along with all of CIPL’s other recommendations on transparency, view the full paper.
CIPL’s comments were developed based on input by the private sector participants in CIPL’s ongoing GDPR Implementation Project, which includes more than 90 individual private sector organizations. As part of this initiative, CIPL will continue to provide formal input about other GDPR topics the Working Party prioritizes.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code