What comprises a proper Article 13 or Article 14 notification?

Introduction

Since a few weeks prior to the coming into effect of the GDPR, most of us have been receiving e-mails from banks, insurance companies, energy suppliers, retailers and so on announcing, typically, a change to their privacy policy.

Some have included a link which the user is encouraged to follow in order to find out how these new changes affect him or her.

The question is whether these e-mails amount to a proper Article 13 or Article 14 notification.

Article 13

Article 13 commences thus: “Information to be provided where personal data are collected from the data subject”.

Article 13(1) provides that: “1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:” and there follows a list of information to be provided.

Article 13(2) provides that: “2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:” and there follows a list of additional information to be provided.

Article 13(3) provides that further information is to be provided where further processing is envisaged that goes beyond the processing originally proposed. This is not directly relevant to this note.

Article 13(4) provides that Article 13(1) to (3) do not apply “where and insofar as the data subject already has the information”. It is submitted that this does not only refer to the information provided by the data subject to the controller but, in addition, applies to all of the information about the processing that the controller must supply in order to comply with Articles 13(1) and 13(2).

Article 14

Article 14 commences in exactly the same terms as Article 13. Similarly, Article 14(1) and Article 14(2) use the same words prior to the list of information as Article 13(1) and Article 13(2), namely “the controller shall provide the data subject with the following information:” and “where and insofar as the data subject already has the information:”.

What comprises a notification?

It is submitted that the most important words in Article 13(1) and 13(2) and Article 14(1) and Article 14(2) are “shall … provide”.

It is further submitted that the word “shall” indicates that the requirement is mandatory; and the word “provide” indicates that the relevant information must be given to the data subject, rather than requiring the data subject proactively to secure the information themselves by an act of commission – which might be construed as embracing all the flaws of ‘opt-out consent’ and expanding their scope to the other legal bases.

It follows, therefore, that a valid Article 13 or Article 14 notice must be a document (and electronic documents are permitted) addressed to the data subject (otherwise the information cannot be provided) with all of the relevant information within it.

A link, therefore, to be followed by the data subject, cannot comply with the Article 13 or the Article 14 duty. Moreover, such a process not only requires the data subject to be connected to the internet in order to find the information but the data subject is also supposed to assimilate the information provided by the controller and determine for himself or herself how that applies to him or her.

Have they complied?

It is submitted that no purported Article 13 or Article 14 notice which is not addressed personally to the data subject can comply with the requirement. This may not be the case where the notification is provided directly to the data subject and where the data collected and its use follow a standard process for that data controller (i.e. the same data is collected and used in the same way for each data subject).

Further, no such notice which requires the data subject to follow links and assimilate for themselves how the information on a web site applies to their personal information can possibly comply. At the least the information has not been “provided”; and in addition the requirement for the data subject to play detective to work out how their information is being used offends the fundamental requirement of clarity and transparency laid down throughout the GDPR.

So any data controller reliant on such notices has not complied with the GDPR and potentially faces claims from data subjects and/or regulatory penalties from any supervisor seized with a complaint from a data subject.

Is there a remedy?

Article 13 requires the notification to be provided at the time that the data is collected.

Article 14 requires the notification to be provided no later than one month after the data is obtained from a third party.

There is no provision in either Article 13 or Article 14 for a data controller to remedy a failure in compliance. However, it is likely in practice that a supervisory authority will consider remedial compliance as being sufficient to justify a warning rather than a penalty, given that the legislation has not been applicable for very long.

It is thought that there may be a honeymoon period during which supervisors will take a more relaxed view. However, with a seemingly increasing propensity for data breaches concerning a significant number of data subjects to occur, it is not likely that this honeymoon period will last for very long.

Conclusions

Few electronically provided Article 13 or Article 14 notifications are likely to have complied with the GDPR and none that are not addressed to the data subject in person or provided directly to the data subject are likely to have complied. The same applies to notifications provided in print where the data subject is required to take any additional action (such as referring to a web site) to determine the information. Under such circumstances the data subject has arguably not been provided with the information.

While there is no formal provision in the GDPR permitting a remedy of such an oversight, it is suggested that the supervisory authorities are likely to be accepting of late service of a remedial notification, although it is thought unlikely that this will apply once the GDPR has been applicable for a number of months.

Data controllers should review their “notifications” and remedy any defects as soon as possible. The insurers might want to consider auditing the businesses that they insure to determine whether risk has been adequately assessed.