[2024] UKUT 105 (AAC)

Section 3 of Chapter VII of the GDPR creates a European Data Protection Board (“EDPB”). Article 70 tasks the EDPB with ensuring consistent application of the GDPR, including by issuing guidelines. The GDPR’s references to EDPB have been removed in UK GDPR.

The EDPB’s “Binding Decision 1/2021 on the dispute arising on the draft decision of the Irish Supervisory Authority regarding WhatsApp Ireland under Article 65(1)(a) GDPR” (2 September 2021) considered the inter-relationship between the obligations in Article 5(1)(a) and Articles 12-14 GDPR. The decision is persuasive rather than binding upon us. The EDPB’s analysis including the following:

“190.

Thus, it is apparent that, under the GDPR, transparency is envisaged as an overarching concept that governs several provisions and specific obligations...

191.

... it is important to differentiate between obligations stemming from the principle of transparency and the principle itself. The text of the GDPR makes this distinction, by enshrining transparency as one of the core principles under Article 5(1)(a) GDPR on the one hand, and assigning specific and concrete obligations linked to this principle, on the other one...

192.

On the basis of the above considerations, the EDPB underlines that the principle of transparency is not circumscribed by the obligations under Articles 12-14 GDPR, although the latter are a concretisation of the former. Indeed, the principle of transparency is an overarching principle that not only reinforces other principles (i.e. fairness, accountability) but from which many other provisions of the GDPR derive...

193.

That being said, the EDPB is of the view that an infringement of the transparency obligations under Articles 12-14 GDPR can, depending on the circumstances of the case, amount to an infringement of the transparency principle.”

In Rondon v Lexisnexis Risk Solutions UK Ltd [2021] EWHC 1427 (QB), Collins Rice J stated at [87] that guidelines produced by EDPB “have weight which goes beyond expert commentary on the primary text. They do not constitute law but are an important indicator of whether or not ambiguity genuinely exists and, if it does, the best approach to understanding it. They have to be given commensurate weight”.

The “Article 29 Working Party”, an independent European advisory body equivalent to the EDPB for present purposes, was set up under Article 29 of Directive 95/46/EC (a predecessor of GDPR). Its guidelines on transparency under the GDPR, revised and adopted on 11 April 2018, were to provide “practical guidance and interpretive assistance” on the “new” obligation of transparency concerning the processing of personal data under the GDPR. In this appeal, the Information Commissioner drew attention to the following paragraphs of those guidelines:

“4.

Transparency, when adhered to by data controllers, empowers data subjects to hold data controllers and processors accountable and to exercise control over their personal data by, for example, providing or withdrawing informed consent and actioning their data subject rights. The concept of transparency in the GDPR is user-centric rather than legalistic and is realised by way of specific practical requirements on data controllers and processors in a number of articles. The practical (information) requirements are outlined in Articles 12-14 of the GDPR. However, the quality, accessibility and comprehensibility of the information is as important as the actual content of the transparency information, which must be provided to data subjects.

…

10.

A central consideration of the principle of transparency outlined in these provisions is that the data subject should be able to determine in advance what the scope and consequences of the processing entails and that they should not be taken by surprise at a later point about the ways in which their personal data has been used. This is also an important aspect of the principle of fairness under Article 5(1) of the GDPR and indeed is linked to Recital 39 which states that “[n]atural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data...” In particular, for complex, technical or unexpected data processing, WP29’s position is that, as well as providing the prescribed information under Articles 13 and 14 (dealt with later in these guidelines), controllers should also separately spell out in unambiguous language what the most important consequences of the processing will be: in other words, what kind of effect will the specific processing described in a privacy statement/ notice actually have on a data subject? In accordance with the principle of accountability and in line with Recital 39, data controllers should assess whether there are particular risks for natural persons involved in this type of processing which should be brought to the attention of data subjects. This can help to provide an overview of the types of processing that could have the highest impact on the fundamental rights and freedoms of data subjects in relation to the protection of their personal data.

11.

The “easily accessible” element means that the data subject should not have to seek out the information; it should be immediately apparent to them where and how this information can be accessed, for example by providing it directly to them, by linking them to it, by clearly signposting it or as an answer to a natural language question (for example in an online layered privacy statement/ notice, in FAQs, by way of contextual pop-ups which activate when a data subject fill in an online form, or in an interactive digital context through a chatbot interface, etc. These mechanisms are further considered below, including at paragraphs 33 to 40.

…

Layered approach in a digital environment and layered privacy statements/ notices

35.

In the digital context, in light of the volume of information which is required to be provided to the data subject, a layered approach may be followed by data controllers where they opt to use a combination of methods to ensure transparency. WP29 recommends in particular that layered privacy statements/ notices should be used to link to the various categories of information which must be provided to the data subject, rather than displaying all such information in a single notice on the screen, in order to avoid information fatigue. Layered privacy statements/ notices can help resolve the tension between completeness and understanding, notably by allowing users to navigate directly to the section of the statement/ notice that they wish to read. It should be noted that layered privacy statements/ notices are not merely nested pages that require several clicks to get to the relevant information. The design and layout of the first layer of the privacy statement/ notice should be such that the data subject has a clear overview of the information available to them on the processing of their personal data and where/ how they can find that detailed information within the layers of the privacy statement/ notice. It is also important that the information contained within the different layers of a layered notice is consistent and that the layers do not provide conflicting information.

36.

As regards the content of the first modality used by a controller to inform data subjects in a layered approach (in other words the primary way in which the controller first engages with a data subject), or the content of the first layer of a layered privacy statement/notice, WP29 recommends that the first layer/modality should include the details of the purposes of processing, the identity of controller and a description of the data subject’s rights. (Furthermore this information should be directly brought to the attention of a data subject at the time of collection of the personal data e.g. displayed as a data subject fills in an online form.) The importance of providing this information upfront arises in particular from Recital 39. While controllers must be able to demonstrate accountability as to what further information they decide to prioritise, WP29’s position is that, in line with the fairness principle, in addition to the information detailed above in this paragraph, the first layer/modality should also contain information on the processing which has the most impact on the data subject and processing which could surprise them. Therefore, the data subject should be able to understand from information contained in the first layer/modality what the consequences of the processing in question will be for the data subject (see also above at paragraph 10).” (Emphasis in original text.)