Gemma Briance and Geoffrey Sturgess drill down into the obligations imposed by the GDPR, Articles 13 and 14 and advocate a proportionate interpretation of inflexible requirements
Articles 13 and 14 of the GDPR set out the requirement to send data subjects information about their personal data and how is it being processed. Articles 13 and 14 are very specific and there is little room for movement when it comes to complying with the obligations required by them.
Replacement of the Standard Privacy Statement
Under GDPR, it will no longer be possible to have a single privacy statement; from 25 May 2018 Article 13 and/or Article 14 Notices will need to be provided, and different circumstances will require different Notices. Both Articles clearly set out what must be included in these Notices; the detail required is considerable, for example including information on the purposes of the data processing (Art 13.1(c), Art 14.1(c)), the recipients of the personal data (Art 13.1(e), Art 14.1(e)) and the period for which the personal data will be stored (Art 13.2(a), Art 14.2(a)). For reasons explained further on in this article, if followed literally, in some circumstances sending Article 13 and 14 Notices could be a disproportionate outcome and could not be what GDPR intends.
When do Article 13 and Article 14 Notices need to be sent?
Article 13 Notices are required when personal data is collected from the data subject and should be sent at the time the personal data is received. Article 14 Notices are used in situations where the personal data is collected from someone other than the data subject. There are very narrow exemptions for Article 14 Notices (Art. 14.5) and Article 13 Notices (Recital 62), all of which can rarely be applied, let alone on a daily basis. (The Information Commissioner’s Office state on their website that the relevant recitals to these Articles are Recitals 58-62. Recital 62 contains very similar wording to Article 14.5, but according to the ICO website it is applicable to Article 13 as well.) Simply receiving an email from a new data subject triggers the requirement for an Article 13 Notice and possibly an Article 14 Notice. The following example combined with a literal interpretation of these Articles highlights one of many common situations where it would be disproportionate to have to provide Article 13 and 14 Notices.
The Managing Director of an organisation contacts another organisation by email. Her email address makes her identifiable, i.e. it is not firstname.lastname@example.org or similar. Once that email is received the personal data of the sender is stored because the email is stored in the recipient’s IT system. This makes it necessary to send an Article 13 Notice. There is no exception for when the personal data is received where the data subject initiated the communication with the intention of providing their data to the controller. If the mail is copied to the Managing Director’s colleagues (so their email addresses would also be stored), they would all need to be sent Article 14 Notices.
In response to the initial correspondence the recipient asks his personal assistant to reply and provide the relevant Notices to the Managing Director and her colleagues. Initially the personal assistant would need to check whether or not a Notice had previously been sent to any of those individuals and, if so, for what type of processing. If no appropriate Notices had been sent previously the personal assistant would then need to choose the correct type of Notice, ie that it related to the specific type of processing anticipated and stated the period for which the data would be held.
Upon receipt of the response from the personal assistant, the Managing Director and her colleagues would also have to check whether an appropriate Notice had been sent to the personal assistant previously. If not, they would then need to decide amongst themselves who would send a Notice to her.
Whilst this sounds unrealistic, it is one example of how simple tasks will be over-complicated by the requirements of these Articles. There is unfortunately little guidance as to when, specifically, these Notices need not be sent. Although there is a lot of commentary on GDPR and its various sections, it seems very few people are willing to comment on this topic and the potentially ludicrous outcomes which could flow from literal interpretation.
If receiving information from email@example.com Article 13 and/or 14 Notices are not required by virtue of the fact that the email address does not make the sender personally identifiable; however SamSmith@company.com will trigger the requirement for Article 13 and/or 14 Notices to be provided. In our view a proportionate approach would make a distinction between individuals providing data for their personal requirements and individuals that provide their data in a business context. New data is sent, in a business context, on a daily basis and it is our view (unlike the current ICO view) that B2B communications should not be limited to meaning communications sent to generic addresses. Of course the distinction can only be made provided the content of the communication is ‘business relevant’. The ICO have made it clear that any address, electronic or otherwise, using a named individual cannot be treated in the same way generic addresses can be. We have raised this issue and others in response to the Article 29 Working Party request for consultation on Guidelines on Transparency.
The Narrow Exemption – when can it actually be relied upon?
There is no specific exemption for Article 13, however Recital 62 does provide exemptions that may apply, for example ‘where the provision of information to the data subject proves to be impossible or would involve disproportionate effort’, however an example is then given expanding what that actually means, ‘processing carried out for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes’. That is clearly not relevant to our example. An exemption is needed in order to prevent the circular sending of Notices as demonstrated above - an exemption applicable to day-to-day business to business communications.
For Article 14 there is an exemption written into the Article (Article 14.5(a-d)) with a wider application. The wording from Recital 62 is repeated and the exemption is extended to include ‘[where the] obligation [to send Article 14 Notices] is likely to render impossible or seriously impair the achievement of the objectives of that processing’. Pre-GDPR guidance was provided in ‘Guidelines on Transparency under Regulation 2016/679 (wp260)’ by the Article 29 Working Party. The examples provided in that guidance to demonstrate when the exemption might be applicable further narrow its potential usage down to very limited situations. The guidance states that, when seeking to rely on ‘Impossibility of providing the source of the data’ that ‘the mere fact that a database comprising the personal data of multiple data subjects has been compiled by a data controller using more than one source is not enough to lift the requirement [to send Article 14 Notices] if it is possible (although time consuming or burdensome) to identify the source from which the personal data of [an] individual data subject [is] derived’. The Guidelines also state that seeking to rely on impossibility in Article 14.5(b) has an ‘all or nothing approach’, ie it is impossible or it is not, ‘there are no degrees of impossibility’. Whilst those exemptions would not assist in our example, they highlight that there are very few situations where the exemption could be used. The inclusion of the words ‘although time consuming or burdensome [for the data controller]’ demonstrates how strictly the Article 29 Working Party want these Articles to be adhered to.
The ICO has provided guidance on their website, however all they have done is write out both Article 13 and 14 in a tabular format, and at the very bottom state that the information to be provided to the Data Subject in accordance with Article 13 should be ‘provided at the time the data was obtained’ and in relation to Article 14 ‘within a reasonable period of having obtained the data (within one month); [or] if the data are used to communicate with the individual, at the latest, when the first communication takes place; or if disclosure to another recipient is envisaged, at the latest, before the data are disclosed’.
With their limited guidance in mind, we decided to contact the ICO helpline for further clarity. Our above example was provided and the ICO Information Officer informed us that they were using a literal interpretation of GDPR and that their current view was that Article 13 and 14 Notices would need to be sent in our example and similar situations. Further examples were provided to the Information Officer, highlighting the disproportionate outcome when Article 13 and 14 are strictly adhered to. After some consultation with her senior colleagues the Information Officer said that while the ICO would take a literal approach to interpreting these Articles they understand that data controllers need to use a proportionate approach. The ICO await further guidance from the Article 29 Working Party and will update their website accordingly.
A Continuing Quandary
The Article 29 Working Party Guidance on Transparency is currently under consultation and the ICO, and many others, await its outcome; the consultation period however only ended on 23 January 2018. Having regard to the length of time it will likely take for the updated guidance to be published we are unlikely to know the answers to these questions before 25 May 2018.
Our example demonstrates how, if Articles 13 and 14 are read literally, there would be a disproportionate outcome which would create obligations on data controllers that will be impossible to adhere to. Perhaps not ‘impossible’ as described in the Article 29 Working Party Transparency Guidelines but impossible in the sense that it is not commercially viable to spend the time creating specific Article 13 and 14 Notices to provide to various data subjects on a daily basis. It is still not clear, though it should be, under what circumstances the sending of Notices is mandatory. It is our view that the requirement to send either Article 13 and/or 14 Notices needs to be more realistic when dealing with B2B situations than it does in B2C situations, their purpose surely must be to protect the individual in their private life. Can the requirement to send these Notices be limited then to B2C scenarios, with particular focus on when businesses are ‘gathering’ data on people? We hope that the Article 29 Working Party will provide some clarity on this.
Whilst the ICO will not at present accept that an identifiable email address used in a business context with business relevant content should be treated any differently to any other personal data, the Information Officer we approached did agree that further guidance is required. It is our view that a distinction should be made in order to prevent a plethora of Notices being sent in all directions. This would also help substantially with the requirement that no marketing emails can be sent, even B2B, without prior consent of the recipient.
The ICO have stated that Articles 13 and 14 of GDPR need to be read literally; the Information Officer said that the ICO understands a proportionate approach needs to be applied. If a more proportionate approach is not applied everyone’s inboxes will be full of Notices and no one will have the time or inclination to read each one, rendering the Notices useless.
We await the updated guidance on Transparency from the Article 29 Working Party, hopefully providing clarity on the issues we have raised. We will then be able to update this article accordingly.