Authored by Lynn Goldstein and Peter Cullen
Last December the European Union’s Article 29 Data Protection Working Party (Working Party) issued draft guidance relating to two key aspects of the General Data Protection Regulation (GDPR) addressing Consent and Transparency, both essential to the effective operation of the GDPR. The Working Party invited comments, and the Information Accountability Foundation (IAF) responded to both the Consent and Transparency drafts (collectively and singly Draft Guidance). In short, the IAF believes there are some significant challenges related to the Draft Guidance that may have the unintended impact of limiting the beneficial uses of data and potentially limiting the longer-term goals of providing data protection against the full rights and interests of individuals as the beneficial uses of data grow. IAF’s comments on the Draft Guidance broke down into two main themes:
- The Draft Guidance has an apparent narrowing of some of the plain language and flexibility contained in the GDPR text
- The complexity of the Draft Guidance will be challenging for even the most sophisticated and resourced organizations to meet
The GDPR is part of the European Union strategy for a Digital Single Market that is an engine for employment and economic growth. The GDPR is intended to create both legal certainty and a platform for the free flow of data in a suitably protected manner. This strategy is responsive to all the stakeholder rights and interests articulated in the treaties that have established the European Union.
There are various provisions in the GDPR that are intended to create flexibility for discovering new knowledge, including new and better means for achieving stakeholder objectives. There are examples of “narrowing” in the Draft Guidance, particularly related to Scientific Research.
For example, the Draft Guidance quotes GDPR Recital 159 that states “For the purposes of this Regulation, the processing of personal data for scientific research purposes should be interpreted in a broad manner.” But the Draft Guidance then goes on to say, “however the WP29 considers the notion may not be stretched beyond its common meaning and understanding that ‘scientific research’ in this context means a research project set up in accordance with relevant sector-related methodology and ethical standards.” The GDPR words “should be interpreted in a broad manner” links to the full range of fundamental rights and interests articulated by the various European Union treaties and the European Union strategy for a Digital Single Market that is an engine for employment and economic growth.
The Draft Guidance on Transparency focuses on the need for organisations to be very specific in stating all the purposes and the legal basis for all such purposes. In research, new processing may develop over time that is not inconsistent with the original purposes. The GDPR was not intended to stifle innovation through work flow improvements that are not inconsistent. The IAF is concerned that the Draft Guidance may create disincentives for knowledge creation related to new processing that is not incompatible with the initial processing. In short, the flexibility built into the GDPR for research and related activities should not be prematurely limited by the Draft Guidance.
The second thematic area of concern relates to the complexity of the Draft Guidance. For example, the Draft Guidance on Transparency identifies a basic conundrum associated with the challenge of making transparency simple and concise on the one hand and complete on the other hand. The conundrum lies not in the objectives for transparency but rather in the details deemed necessary to achieve those objectives. The Draft Guidance includes a table with 14 numerous factors necessary for compliant transparency. A table with 14 factors seems contradictory to concise and simple.
To meet the Draft Guidance expectations, organisations of all sizes and complexity will need skills, resourcing and differing capabilities and capacity to achieve the preferred transparency. For example:
- Communications specialists with expertise in data protection to describe data processing activities and user rights, in simple age- and consumer-appropriate language;
- Consumer research staff to test timing and efficacy of language and transparency delivery including multi-language translations;
- Experienced designers and programmers to create the needed online and in-product experiences, product flow and visual design that are ‘just-in-time’ or to describe further data processing activities when they arise.
Experience from businesses that have complex relationships with customers that are exercised primarily online is that developing an approach that requires numerous notifications and separate consents requires a large cross functional team of product developers, designers, usability testers, data protection experts and lawyers.
It will be equally critical for organisations to put into place new business processes to ensure consistency across the recommended communications channels recommended by the Draft Guidance. A limited number of organisations have these skills in place, but most do not. Putting such resources in place will require a substantial investment that needs to be balanced against other expectations, with the knowledge that only the most motivated individuals will have the time to absorb the communications. These cross functional teams are the exception, not the rule, at many organisations. This staffing approach means the resources required by organisations to execute on the Draft Guidance will be a challenge for most and certainly for smaller ones.
In addition to the narrowing of the GDPR’s intent and the complexity challenge, in IAF’s view, Draft Guidance should not inadvertently become secondary regulation. It should, however, provide a commentary on legal requirements mandated by the GDPR that go into effect in May. Guidance should provide an interpretive view on the objectives of the GDPR and how best to meet both the letter and spirit of the GDPR. IAF’s feedback on the Draft Guidance was to take care not to over engineer these requirements to the point that they may be quite challenging for organizations to implement and negate a key part of the European Union strategy for a Digital Single Market that is an engine for employment and economic growth.