Data Protection – How compliant is your Privacy Notice?

14 Jan 2022

Since the EU General Data Protection Regulation (GDPR) became law back in 2018, many businesses have undertaken significant work to achieve compliance with data protection laws. What compliance looks like, though, is not always clear, with the goal posts shifting as law and regulatory guidance develop.

Recent high-profile decisions/opinions from the European Data Protection Board (EDPB) and Irish Data Protection Commission in respect of WhatsApp have raised further uncertainty, this time in relation to privacy notices and other transparency information provided to individuals.

WhatsApp have launched a legal challenge in the matter, which is no surprise given that the decisions resulted in a fine which increased from an initial €30-50million to €225million (the second largest fine to date under the GDPR). However, it is likely to take a long time for this to play out through the courts, and in the meantime many businesses will want to look again at the information they provide to individuals about the personal data they hold.

Businesses should by now be familiar with the requirement to provide individuals with certain information such as how and why they collect and use personal data. The GDPR specifically states that such information should be provided “in a concise, transparent, intelligible and easily accessible form” but there is an inherent tension between providing enough information and providing it in a concise and intelligible manner. The WhatsApp case highlights this tension and suggests that the EDPB at least considers that current practices need to change so that privacy notices contain much more specific detail.

The WhatsApp decisions raise many interesting points but some key take-aways for businesses will be the need to now look at providing more detail on matters such as:

  1. Who personal data is shared with and where it is transferred to. It has been common practice for businesses to include within privacy notices general statements that personal data may be shared with third parties and transferred outside of the EEA (or the UK if looking at the decision from a UK perspective) but the decisions found that this is not compliant and that specific details need to be included.
  2. The processing operations the business undertakes. For businesses, identifying all processing operations/activities is no small task, but the WhatsApp decisions highlight an expectation that privacy notices should provide a high level of detail on all processing operations, including details of what categories of data are concerned and what lawful basis is relied on for each category of processing.
  3. Data subject rights. The decisions also act as a reminder of the need to give careful and accurate details to individuals about their rights, how they can exercise them and any possible unintended consequences of exercising them, such as the data controller no longer being able to provide its goods or services.

The background to these decisions also highlights a lack of consensus between EU member states as to how the GDPR should be applied/enforced. In the UK, post Brexit, the decisions are not binding, but they are likely to be influential, and many businesses will need to comply with both the UK and EU regimes, so it will be interesting to see how businesses and the UK Information Commissioner’s Office approach such issues in the future.

If you would like any help or assistance in reviewing your privacy notices or any other data protection matter please contact our Data Protection Team on 0800 2800 421 or contact us here and we will be pleased to help.

Author

Susie Sanusi

Associate