Transparency obligation and data controllers: enforcement across Europe

Much ink has been spilled on the September 2021 decision issued by the Irish Data Protection Commission (DPC) to impose a fine of €225 million on WhatsApp, the second heaviest fine under the General Data Protection Regulation (GDPR). It is noteworthy that the decision was issued only after the dispute resolution mechanism of GDPR article 65 was activated, and the European Board had to intervene, because eight National Supervisory Authorities (NSAs) raised objections to the DPC's draft decision. However, the DPC decision was not an isolated incident. Other examples, including enforcement action by CNIL and the Spanish NSA (AEPD), indicate that organisations need to take transparency seriously if they wish to avoid the attention of Supervisory Authorities. The purpose of the present article is precisely to highlight the significance of transparency obligations and to encourage data controllers to pay close attention to their compliance.

The recent example of WhatsApp

As mentioned in our September piece on the WhatsApp fine, the DPC held that WhatsApp infringed the transparency obligations of articles 13 and 14 of the GDPR by not providing the necessary information to WhatsApp users as well as to non-WhatsApp users. Specifically, in relation to non-WhatsApp users, the DPC noted that their personal data was processed every time a WhatsApp user was notified which of his or her contacts was also a WhatsApp user. Additionally, the DPC concluded that WhatsApp violated GDPR article 12 because it failed to provide information to its users in an “easily accessible form”. Finally, transparency obligations were infringed once more because no information was provided about the data sharing between WhatsApp and the other Facebook Companies. For all these reasons, the DPC found that WhatsApp had violated the transparency principle set out in GDPR article 5(1)(a).

CNIL vs. Google LLC

Nevertheless, other Supervisory Authorities have also been pursuing violations of transparency obligations, and have been doing so since at least 2019. In that year, the French National Commission on Informatics and Liberty (CNIL) imposed a fine of €50 million on Google LLC, among other things for not complying with transparency obligations. Specifically, CNIL held that “essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalisation, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information. The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions”.

AEPD and transparency infringements

Moreover, the Spanish NSA issued at least 14 decisions between June and October 2021 citing the non-compliance of data controllers with the transparency obligations of GDPR articles 12 and 13. These have included findings against organisations such as Future Vinline S.L., Intersumi S.C, and BAZTANDIS S.L.

Conclusions

These examples demonstrate that transparency obligations are essential for organisations to get right, irrespective of their market power and size. It is clear that Supervisory Authorities, non-governmental organisations and activist groups alike are paying close attention to any gaps and deficiencies in data protection practice.

To avoid negative impacts, including fines, loss of reputation and loss of customers, organisations should review their privacy policies and the information they provide to data subjects. In particular, they should provide:

  • easily accessible information that does not require navigating multiple linked documents and buttons;
  • convenient ways for data subjects to confirm that they have read all the necessary information, even when a multi-layered approach is adopted or several documents are combined;
  • every piece of information required by GDPR articles 12-14.

Trilateral’s Data Governance and Cyber-Risk Team has extensive experience working with organisations to ensure that they remain up to date with and comply with the latest developments in data protection. Please feel free to contact our advisors, who would be more than happy to help.

Panagiota Kourti

Panagiota Kourti is Associate Data Protection Advisor at Trilateral Research.