What should controllers be doing in 2023 to ensure their privacy information meets the required transparency standard?
In September 2021, the Irish Data Protection Commissioner (DPC), following the EDPB's binding decision issued under the GDPR cooperation and consistency mechanism, imposed a €225 million GDPR penalty against WhatsApp Ireland Limited (the "WhatsApp decision"). The DPC found that WhatsApp's privacy information, set out in its privacy notice, had not met the GDPR transparency requirements (in particular, in relation to accessibility, granularity and clarity).
In applying the GDPR requirements and the WP29 transparency guidelines, the DPC made it clear that the approach taken in WhatsApp's privacy notice (typical for privacy notices at the time, and still not unusual today) did not satisfy the GDPR transparency standards. WhatsApp's unsuccessful argument that its privacy notice was in line with market practice illustrates that regulators are unlikely to be swayed by what is common in the market. In this blog, we consider whether the WhatsApp decision has instead influenced that market practice. What lessons can controllers take from the decision?
- Accessibility – the decision reminds us that Article 12(1) GDPR requires information to be "easily accessible". That does not mean sacrificing detail or specificity (far from it); it means that controllers should help data subjects find and understand how their personal data is processed. Controllers updating their privacy notices should consider adopting a layered approach to their privacy information, using a contents section (with hyperlinks) and linked cross references. Long unbroken pages of text should be avoided, as should spreading the information across multiple documents, which forces the reader to navigate between pages and makes it difficult to know when the information on a particular issue is complete.
- Granularity – the information provided in privacy notices must enable data subjects to understand how their personal data will be used in practice. Crucially (as reinforced in the DPC's recent decisions against Meta Ireland), there needs to be a link between each category of personal data, the purpose for which it will be processed and the relevant lawful basis. Controllers must also provide sufficiently detailed information for individuals to understand which of their information will be shared with which third parties, and on what basis. When information is transferred internationally, controllers must explain how it will be protected, by reference to the specific transfer mechanism relied on, including links where appropriate (e.g. to the relevant adequacy decision). All other information required under GDPR (e.g. on how long data will be kept) should also be granular. The challenge is to make this detailed information easily accessible at the same time.
- Clarity – the information provided should be precise, which means removing any conditional or vague language (like "may", "including" or "such as").
Complying with these requirements is necessary to enable individuals to maintain control over their data and to exercise their data protection rights. As stressed by the regulators in a number of decisions, transparency underpins and enables fairness of processing. In practice, it means that controllers can no longer rely on high-level, generic privacy information to meet the transparency requirements under GDPR.
Controllers must understand what personal data they collect and how they process it, must keep this information updated, and communicate this in a meaningful and accessible format to data subjects – no small feat.
How is the market reacting?
We have seen a general market practice shifting towards more detailed privacy notices (at least the external facing ones, which are likely to be updated ahead of the employee notices).
As is typical with GDPR compliance, controllers who have successfully fostered a privacy compliance culture, with properly resourced compliance functions, have already taken up the gauntlet thrown down by the DPC and have uplifted their privacy notices to the post-WhatsApp standard.
In practice, a certain level of data protection maturity is a prerequisite to providing transparency information at the required level of granularity (and keeping it up to date). It will require taking a detailed look at properly maintained records of processing activities and translating that detail into accessible privacy notices.
However, privacy pros know it is rarely that simple. It is not enough to simply publish granular information; that information must remain accurate (controllers should avoid statements which may be considered misleading, as this could expose them to legal and regulatory risk). Investigating, recording and maintaining a proper understanding of an organisation's processing activities is nearly impossible without proper investment in people, tools and process. This means the shift to the post-WhatsApp privacy standard cannot happen overnight.
Since the WhatsApp decision, there have been a number of other enforcement decisions focused on transparency failures, notably the DPC's recent decisions against Meta Ireland (which reinforce the need for granular information linking each category of data with the specific processing operations and the lawful basis for each). Even with this enforcement activity, it is possible that a broader shift to the post-WhatsApp privacy notice standard will not accelerate until regulators start enforcing transparency requirements against a wider range of organisations, not just the tech giants.
What can controllers do?
Controllers should take steps to increase the granularity and accessibility of their privacy information. Do the groundwork to understand your processing and translate that understanding into accessible text – think plain language, layered notices, just-in-time notices, hyperlinks and tabular design where helpful. Innovative approaches would of course be welcome – short videos, animations or even games are some of the options that organisations are experimenting with. Remember who your audience is and adjust the tone of your notice accordingly (avoiding unnecessary legalese where possible); any privacy notice directed at children must provide the privacy information in an age-appropriate way.