Transparency at the heart of democracy
The ICO has published the findings from its investigation into the use of personal data and practices of political campaigning in the digital age. The underlying message being that as technologies rapidly develop and the data ecosystem becomes more complex, controllers and processors are still required to take responsibility for their activities and ensure that they comply with data protection obligations, including transparency.
It is now common knowledge that in both the Brexit referendum and the last General Election, several mainstream political parties took their campaigns to social media. And this makes sense: social media platforms provide an effective medium to interact with the UK population, require much less resource than traditional door-to-door campaigns and offer a greater return on investment than television and radio advertising. The Reuters Institute/YouGov survey in 2018* reported that 39% of its UK survey population source their news from social media sites. Therefore, digitalising politics is a logical extension, enabling a wider population reach and more effective engagement with individuals.
What was the issue?
Well, in short, the campaigns employed analytic techniques which are designed for online marketing and micro-targeted individuals based on their profiles. This was the first (known) use of such technologies to disseminate political campaign messages, and came as a "shock" to most. In its investigation the ICO found "a significant shortfall in transparency and provision of fair processing information" around the use of personal data in these campaigns.
Whilst this finding is not groundbreaking, it is a helpful reminder that the transparency obligation is standalone and, although processing activities may be lawful, companies must not forget the obligation to notify individuals of such activities and, where appropriate, provide individuals with a choice.
What does transparency mean?
Under the accountability principle laid out in Article 5.2, a controller "must be able to demonstrate that personal data are processed in a transparent manner in relation to the data subject." These transparency obligations begin at the data collection stage and apply "throughout the life cycle of processing."
While "transparent manner" is not explicitly defined in the GDPR, Recital 39 of the GDPR provides some clarity, explaining that individuals should know what "personal data concerning them [is] collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed".
Transparency takes the form of specific practical requirements on controllers and processors which are set out in Articles 12-14.
The GDPR provides that information or communication to data subjects must be concise, transparent, intelligible and easily accessible, and use clear and plain language. Companies should ensure that notices do not contain "overly legalistic, technical or specialist language or terminology."
"Effectively, controllers should put themselves in the position of the data subjects and ask: 'what would I want to know about this processing activity?'"
Finally, controllers should make information and communication "easily accessible" to data subjects by directly providing, linking to, or signposting it. On a website, a link to the privacy statement/notice should be clearly visible on each page under commonly-used terms, such as "Privacy" or "Privacy Policy." On an app, it should never be more than "two taps away."
How should information be provided to data subjects?
Although the GDPR does not prescribe the format by which information needs to be communicated to the data subject, controllers should take "appropriate measures" to provide such information in a transparent way. What is appropriate will vary by product or service as well as the nature of the user interface or experience.
Most importantly, the controller "must take active steps" to provide the information to the data subjects. Consequently, data subjects "must not have to take active steps to seek the information … or find it amongst other information."
Changes to a privacy statement/notice should also be notified to data subjects "in a way that ensures that most recipients will actually notice them." In practice this means an email notification about changes to a privacy policy should be solely devoted to communicating those changes, and not lumped together with marketing content.
When should information be provided to data subjects?
Information must be provided to data subjects "in a timely manner," although the required timeframe varies according to the type of personal data collected by the controller.
| Source | Timing of notice |
|---|---|
| Directly from the data subject or collected through observation | "At the time when the personal data is obtained" |
| From third party data controllers, publicly available sources, data brokers, or other data subjects | "Within a reasonable period" and no later than one month after obtaining the personal data; or, where (i) the personal data is used to communicate with the data subject, at the time of the first communication (at the latest); (ii) the personal data is disclosed to a third party, at the time of first disclosure (at the latest). |
Despite these rules, the Article 29 Working Party (WP29) recommends that controllers provide the information to data subjects well in advance of the stipulated time limits.
Controllers must also notify individuals of fundamental changes in their processing (or where a change that impacts the data subject occurs). Any notification of changes should include the same level of information as in the original notice, for example, an explanation of the likely impact of those changes on the data subject.
WP29's guidance makes the importance of transparency clear: it says that, even when processing remains unchanged for a long period of time, the controller should re-acquaint data subjects with the scope of the data processing at "appropriate intervals".
Are there exceptions?
Where a controller is obtaining the personal data directly from data subjects, no exceptions apply (other than the controller does not need to give data subjects information that they already have).
Where a controller is obtaining personal data from a third party, some exceptions apply. These include: impossibility, disproportionate effort, serious impairment of objectives, where obtaining or disclosing personal data is expressly laid down in law, and confidentiality by virtue of a secrecy obligation.
Conclusion
Transparency is a central principle in the GDPR, as it promotes the objective of strengthening individuals' rights, accountability, and the lawful and fair processing of data. Thus, data controllers should regularly review their activities and ensure that their notices reflect their practices.
The recommendations in the ICO's report act as a helpful reminder that the use of analytics and big data, in themselves, is not an issue, but controllers must be clear about how analytics are used, the impact on individuals and the outcome of the processing.
As the well-known expression goes, "it's not just what you say, but how you say it, that matters". Along these lines, the ICO's findings should be a warning to controllers that the accessibility and simplicity of the information they give to data subjects are as important as its content.
Byte-sized news
EU and Japan agree to reciprocal adequacy. Almost a year after issuing a joint declaration to support the free flow of information to promote EU/Japanese trade, the EU and Japan concluded their talks on reciprocal adequacy and have agreed to recognise each other's data protection systems as 'equivalent'. This is the first time the EU and a third country have agreed on a reciprocal recognition of the adequacy of data protection. Japan has committed to implementing additional safeguards to protect EU citizens' personal data before the EU Commission formally adopts the adequacy decision. These include:
- A set of rules which would be binding on Japanese companies importing data from the EU. The rules will provide individuals in the EU whose personal data are transferred to Japan with additional safeguards concerning sensitive data, onward transfer of data from Japan to a third country and data subject rights.
- A complaint-handling mechanism to investigate and resolve complaints from Europeans regarding access to their data by Japanese public authorities. This new mechanism will be administered and supervised by the Japanese independent data protection authority.
The EU Commission is planning on adopting the adequacy decision in autumn 2018. The Commission has unilaterally adopted adequacy decisions for: Andorra, Argentina, Canada (partial adequacy), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States (partial adequacy).
ICO annual report reveals largest fines in history. The ICO recently released its 2017-18 annual report, which revealed that the largest number and amount of civil monetary penalties in the ICO's history were issued over the course of the year. This included 26 penalties totalling £3.28m for breaches of electronic marketing laws, 11 fines totalling £1.29 million for serious security failures under the Data Protection Act 1998 and 19 criminal prosecutions resulting in 18 convictions. The ICO noted that there was a 15 percent increase in data protection complaints and a 30 percent increase in self-reported data breaches. It was also revealed in the report that the ICO is expecting fee income from its new fee structure to increase to over £32,000,000 this financial year (up from £21,300,000 in 2017-2018). This increase indicates that organisations should be prepared for further potential increases in enforcement activities.
EDPB reveals 100 cross-border cases under investigation. The European Data Protection Board ("EDPB") recently released a statement concerning cross-border cooperation between European supervisory authorities in relation to enforcement of the GDPR following its second plenary meeting. The EDPB noted that the first cross-border cases were initiated on the IT platform used to facilitate cooperation and consistency between supervisory authorities on 25 May 2018 and there are now around 100 cross-border cases under investigation. During the plenary meeting, supervisory authorities shared their first experiences of the One-Stop-Shop mechanism, which involves a lead supervisory authority acting as the main point of contact with a controller or processor in a cross-border case and drafting a decision to be agreed with other relevant supervisory authorities, as well as the 'Consistency Mechanism' under which the EDPB issues opinions or binding decisions to arbitrate in the case of disputes between supervisory authorities. The EDPB Chair, Andrea Jelinek, stated that the first results of these new procedures to deal with cross-border cases should be expected in a few months from now.
Brexit communication released by Commission. The European Commission recently adopted a communication (the "Communication") to various institutions of the European Union, including the European Parliament, the European Central Bank and the European Council, outlining its ongoing work on the preparation for all outcomes of the United Kingdom's withdrawal from the European Union. The Communication text notes that important issues which remain open in relation to the withdrawal preparations include the standards of protection of personal data transmitted to the United Kingdom while it is a Member State. The Commission also advised companies to assess whether measures are necessary to ensure that their transfers of personal data remain possible in the absence of an adequacy decision allowing for the transfer of personal data to the United Kingdom without restrictions once it becomes a third country.
With special thanks to Tom Brookes for his contribution.
*http://media.digitalnewsreport.org/wp-content/uploads/2018/06/digital-news-report-2018.pdf?x89475