Background
Articles 13 and 14 of the GDPR
set out the requirement to send data subjects information about their personal
data and how it is being processed. Articles 13 and 14 are very specific and
there is little room for movement when it comes to complying with the
obligations required by them.
Replacement of the Standard Privacy Statement
Under GDPR, it will no longer be
possible to have a single privacy statement; from 25 May 2018 Article 13 and/or
Article 14 Notices will need to be provided, and different circumstances will
require different Notices. Both Articles clearly set out what must be included
in these Notices; the detail required is considerable, for example including
information on the purposes of the data processing (Art 13.1(c), Art 14.1(c)),
the recipients of the personal data (Art 13.1(e), Art 14.1(e)) and the period
for which the personal data will be stored (Art 13.2(a), Art 14.2(a)). For
reasons explained further on in this article, if followed literally, in some
circumstances sending Article 13 and 14 Notices could be a disproportionate outcome
and cannot be what GDPR intends.
When do Article 13 and Article 14 Notices need to be sent?
Article 13 Notices are required
when personal data is collected from the data subject and should be sent at the
time the personal data is received. Article 14 Notices are used in situations
where the personal data is collected from someone other than the data subject. There
are very narrow exemptions for Article 14 Notices (Art. 14.5) and Article 13
Notices (Recital 62), all of which can rarely be applied, let alone on a daily
basis. (The Information Commissioner’s Office state on their website that the
relevant recitals to these Articles are Recitals 58-62. Recital 62 contains
very similar wording to Article 14.5, but according to the ICO website it is applicable
to Article 13 as well.) Simply receiving an email from a new data subject triggers
the requirement for an Article 13 Notice and possibly an Article 14 Notice. The
following example combined with a literal interpretation of these Articles highlights
one of many common situations where it would be disproportionate to have to
provide Article 13 and 14 Notices.
The Managing Director of an organisation contacts another organisation by email. Her
email address makes her identifiable, i.e. it is not info@company.com or similar. Once that email is received the
personal data of the sender is stored because the email is stored in the
recipient’s IT system. This makes it necessary to send an Article 13 Notice. There is no exception for when
the personal data is received where the data subject initiated the
communication with the intention of providing their data to the controller. If
the mail is copied to the Managing Director’s colleagues (so their email
addresses would also be stored), they would all need to be sent Article 14 Notices.
In response to the initial correspondence the recipient asks his personal assistant to reply and
provide the relevant Notices to the Managing Director and her colleagues.
Initially the personal assistant would need to check whether or not a Notice
had previously been sent to any of those individuals and, if so, for what type
of processing. If no appropriate Notices had been sent previously the personal
assistant would then need to choose the correct type of Notice, i.e. that it
related to the specific type of processing anticipated and stated the period
for which the data would be held.
Upon receipt of the response from the personal assistant, the Managing Director and her
colleagues would also have to check whether an appropriate Notice had been sent
to the personal assistant previously. If not, they would then need to decide
amongst themselves who would send a Notice to her.
Whilst this sounds unrealistic, it is one example
of how simple tasks will be over-complicated by the requirements of these Articles.
There is unfortunately little guidance as to when, specifically, these Notices need
not be sent. Although there is a lot of commentary on GDPR and its various
sections, it seems very few people are willing to comment on this topic and the
potentially ludicrous outcomes which could flow from literal interpretation.
info@company.com or SamSmith@company.com
If receiving information from info@company.com, Article 13 and/or 14 Notices are not
required by virtue of the fact that the email address does not make the sender
personally identifiable; however SamSmith@company.com will trigger
the requirement for Article 13 and/or 14 Notices to be provided. In our view a
proportionate approach would make a distinction between individuals providing
data for their personal requirements and individuals that provide their data in
a business context. New data is sent, in a business context, on a daily basis
and it is our view (unlike the current ICO view) that B2B communications should
not be limited to meaning communications sent to generic addresses. Of course
the distinction can only be made provided the content of the communication is ‘business
relevant’. The ICO have made it clear that any address, electronic or
otherwise, using a named individual cannot be treated in the same way generic
addresses can be. We have raised this issue and others in response to the
Article 29 Working Party request for consultation on Guidelines on Transparency.
The Narrow Exemption – when can it actually be relied upon?
There is no specific exemption for Article 13; however, Recital 62 does provide
exemptions that may apply, for example ‘where the provision of information to the
data subject proves to be impossible or would involve disproportionate effort’.
An example is then given expanding what that actually means: ‘processing carried out for archiving
purposes in the public interest, scientific or historical research purposes or
statistical purposes’. That is clearly not relevant to our example. An exemption is needed in order to
prevent the circular sending of Notices as demonstrated above – an exemption
applicable to day-to-day business to business communications.
For Article 14 there is an exemption
written into the Article (Article 14.5(a-d)) with a wider application. The wording
from Recital 62 is repeated and the exemption is extended to include ‘[where the] obligation [to send Article 14
Notices] is likely to render impossible or seriously impair the achievement of
the objectives of that processing’. Pre-GDPR guidance was provided in ‘Guidelines
on Transparency under Regulation 2016/679 (wp260)’ by the Article 29 Working
Party. The examples provided in that guidance to demonstrate when the exemption
might be applicable further narrow its potential usage down to very limited
situations. The guidance states that, when seeking to rely on ‘Impossibility of providing the source of the
data’ that ‘the mere fact that a
database comprising the personal data of multiple data subjects has been
compiled by a data controller using more than one source is not enough to lift
the requirement [to send Article 14 Notices] if it is possible (although time
consuming or burdensome) to identify the source from which the personal data of
[an] individual data subject [is] derived’. The Guidelines also state that
seeking to rely on impossibility in Article 14.5(b) has an ‘all or nothing approach’, i.e. it is
impossible or it is not, ‘there are no
degrees of impossibility’. Whilst those exemptions would not assist in our
example, they highlight that there are very few situations where the exemption
could be used. The inclusion of the words ‘although
time consuming or burdensome [for the data controller]’ demonstrates how
strictly the Article 29 Working Party want these Articles to be adhered to.
ICO Guidance
The ICO has provided guidance on
their website; however, all they have done is write out both Article 13 and 14
in a tabular format, and at the very bottom state that the information to be
provided to the Data Subject in accordance with Article 13 should be ‘provided at the time the data was obtained’
and in relation to Article 14 ‘within a
reasonable period of having obtained the data (within one month); [or] if the
data are used to communicate with the individual, at the latest, when the first
communication takes place; or if disclosure to another recipient is envisaged,
at the latest, before the data are disclosed’.
With their limited guidance in
mind, we decided to contact the ICO helpline for further clarity. Our above
example was provided and the ICO Information Officer informed us that they were
using a literal interpretation of GDPR and that their current view was that Article 13 and 14 Notices would need to be
sent in our example and similar situations. Further examples were provided to
the Information Officer, highlighting the disproportionate outcome when Article
13 and 14 are strictly adhered to. After some consultation with her senior
colleagues the Information Officer said that while the ICO would take a literal
approach to interpreting these Articles they understand that data controllers
need to use a proportionate approach. The ICO await further guidance from the
Article 29 Working Party and will update their website accordingly.
A Continuing Quandary
The Article 29 Working Party
Guidance on Transparency is currently under consultation and the ICO, and many
others, await its outcome; the consultation period however only ended on 23
January 2018. Having regard to the length of time it will likely take for the
updated guidance to be published we are unlikely to know the answers to these
questions before 25 May 2018.
Our View
Our example demonstrates how, if Articles
13 and 14 are read literally, there would be a disproportionate outcome which
would create obligations on data controllers that will be impossible to adhere
to. Perhaps not ‘impossible’ as described in the Article 29 Working Party
Transparency Guidelines but impossible in the sense that it is not commercially
viable to spend the time creating specific Article 13 and 14 Notices to provide
to various data subjects on a daily basis. It is still not clear, though it
should be, under what circumstances the sending of Notices is mandatory. It is
our view that the requirement to send Article 13 and/or 14 Notices needs to be more realistic when
dealing with B2B situations than it does in B2C situations; their purpose
surely must be to protect the individual in their private life. Can the
requirement to send these Notices be limited then to B2C scenarios, with
particular focus on when businesses are ‘gathering’ data on people? We hope
that the Article 29 Working Party will provide some clarity on this.
Whilst the ICO will not at present accept that an identifiable email address used in a
business context with business relevant content should
be treated any differently to any other personal data, the Information Officer we
approached did agree that further guidance is required. It is our view that a
distinction should be made in order to prevent a plethora of Notices being sent
in all directions. This would also help substantially with the requirement that
no marketing emails can be sent, even B2B, without prior consent of the
recipient.
The ICO have stated that Articles 13 and 14 of GDPR need to be read literally; the
Information Officer said that the ICO understands a proportionate approach
needs to be applied. If a more proportionate approach is not applied everyone’s
inboxes will be full of Notices and no one will have the time or
inclination to read each one, rendering the Notices useless.
We await the updated guidance on
Transparency from the Article 29 Working Party, hopefully providing clarity on
the issues we have raised. We will then be able to update this article
accordingly.
Gemma Briance and Geoffrey Sturgess are both solicitors in the
commercial and tech team at Warner Goodman, Southampton: GemmaBriance@warnergoodman.co.uk
GeoffreySturgess@warnergoodman.co.uk