Facebook – GDPR Privacy Statement Insights

On 6 October, Ireland’s Data Protection Commissioner (DPC) published a draft decision in respect of a GDPR complaint centred on the user journey for accepting Facebook’s terms and conditions. The complainant argued the process amounted to Facebook’s seeking of consent for using personal information which, because of the nature of the user journey, meant consent was not validly given.

Meeting transparency requirements

Much has been made of the DPC’s conclusions in respect of how Facebook can rely on contract necessity for its use of personal information. However, the draft decision also includes two useful insights into the DPC’s views on how the transparency requirements set out in Articles 12 and 13 of the GDPR should be met by organisations that collect and use personal information (in GDPR speak: “controllers”).

Layering

Layering of the information to be provided to users in respect of how their personal information will be used is to be encouraged to facilitate the requirements of Article 12 (the requirement that information is communicated in a concise, transparent, intelligible, and easily accessible form). However, there is no requirement that all the information mandated to be provided by Article 13(1) be present in each layer of information provided to users. Instead, what is critical is that all the layers, assessed cumulatively, contain the requisite information.

Lawful basis of processing

The transparency requirements in Article 13(1)(c) require that users be provided with details of “the purposes of the processing for which the personal data are intended as well as the legal basis for processing”.

We have frequently seen this requirement being addressed by controllers through a privacy statement (or privacy policy) that lists the purposes of processing and then separately lists all the lawful bases of processing that the controller relies on under Article 6(1), without any cross reference between the two. This is what the Facebook privacy policy currently does, meaning that users cannot identify (or cross reference) which lawful basis of processing applies to which processing activity.

Despite Facebook’s arguments to the contrary, through a systematic review of the requirements of the GDPR, the DPC concluded that “there should be a clear link between the specific category/categories of data, the purpose(s) of the specified [processing] operation(s) and, the legal basis being relied on to support the specified operation(s).”

Having reached this conclusion, the DPC found that from the Facebook Privacy Policy it was:

“… impossible to identify what processing operations will be carried out in order to fulfil the objectives that are repeated throughout the documents and the legal basis for such operations. In the absence of such information, the user is left to guess as to what processing is carried out on what data, on foot of the specified lawful bases, in order to fulfil these objectives…in relation to the correct interpretation of Article 13(1)(c) GDPR, this is insufficient information.”

Consequences for getting it wrong

In Facebook’s case, if the draft decision is finally adopted, Facebook will be given three months to make their privacy statement compliant. However, they will also incur an administrative fine which, for the failure to properly meet the requirements in providing transparency in the collection and use of personal information, will be between €28 million and €36 million.

What should you do now?

In the light of both this and the recent WhatsApp decision, now is a good time to review your organisation’s privacy statements (often referred to as a Privacy Policy or Privacy Notice) to ensure they meet the requirements of both Articles 12 and 13 of the GDPR. Importantly, the notices must properly reflect your organisation’s use of personal information (so should not be template driven), and if your privacy statement(s) in any way read like a legal document or are hard to read, the chances are you will not have met the Article 12 requirements.

Getting help

Impact Privacy has extensive experience in ensuring privacy statements are drafted and presented in a way that meets the requirements of the GDPR. We would be delighted to help you in the review of your privacy statements, or indeed your wider privacy programme.

Further information

You can read the DPC’s draft decision at: https://noyb.eu/sites/default/files/2021-10/IN%2018-5-5%20Draft%20Decision%20of%20the%20IE%20SA.pdf
