The principle of transparency requires that controllers are open and honest about what they do with data subjects’ personal data and that they communicate that in a simple way. The problem is that what is simple for me as a lawyer is not necessarily simple for everyone.
Although the GDPR clearly asks for simplicity, we lawyers are flagrantly ignoring that requirement. Let’s admit it: lawyers love to use legalese. We have spent years in college learning it and we are not ready to give it up.
The root of the problem
Lengthy and complex privacy notices help controllers tick the box “I have complied with Articles 13 and 14 of the GDPR” and, in many cases, offer a pretence of legality for their processing activities. Written by lawyers for lawyers, in order to protect their clients (controllers) from liability, they completely ignore the “end reader”, who is the data subject.
The result is that although the privacy notice is there to enhance transparency and help data subjects give informed consent, in practice it has the exact opposite effect: it passes unnoticed. Data subjects often get discouraged by the length of privacy notices, and even the brave ones who give them a try get lost in the “legalese”. In any case, the one who is supposed to be protected by the privacy notice is the one who suffers from it.
To make my point clearer, I will borrow an example that I found really interesting from complicated Terms and Conditions. The British retailer Gamestation added an “immortal soul clause” to their terms and conditions as part of an experiment. This clause stated that customers grant the company the right to claim their soul. Customers who read the clause and chose to opt out received a £5 discount on their next video game purchase. Only 12% did, proving Gamestation’s point that most people agree to terms and conditions without reading them. The same could easily be done in a privacy notice, don’t you think?
Efforts to address the problem (so far)
Many discussions have been taking place lately to address this topic, and more and more voices are calling to “kill” the standard privacy notices. DPAs have noticed the problem as well, with the Italian DPA launching a contest, calling on software developers, tech professionals, experts, lawyers, designers, university students, and anyone interested in this topic to send a set of symbols or icons that can represent all the items that must be contained in a privacy notice. Also, the ICO’s recommended privacy notice template is as simple as it can be.
Three years after the enforcement of the GDPR we are still witnessing privacy notices that do not provide all the information required by Articles 13 and 14 (I have seen privacy notices which still mention Safe Harbour – not even Privacy Shield!), so going one step further and asking for simplicity may not seem a priority. Many data protection practitioners – especially the ones with a legal background – think that they fulfil their transparency obligations by drafting super lengthy notices full of legal jargon. But this shouldn’t be the case at all!
How to write a notice that anyone can read
Transparency requires that you keep it simple! Here are some tips I use every time I draft a privacy notice:
- Simple and clear language: Think of it as writing something that an everyday person can understand, not something for your peers. When I draft a privacy notice, I make my mother read it. If she gets it, it is good; if she starts asking questions or looks at me as if I were speaking Greek (or Chinese, since we are both Greek) to her, then I redraft it. Try the same, it always works!
- Keep it short: I really like the layered approach. As the ICO explains, it typically consists of “providing people with a short notice containing key information, such as the identity of your organisation and the way you use the personal data. It may contain links that expand each section, revealing a second layer, or a single link to more detailed information. These can, in turn, contain links to further material that explains specific issues, such as the circumstances in which personal data may be disclosed to the police.” This way you keep it short and tidy, and whoever needs more information on a specific topic is one click away from it.
- Dare to make it fun! Most of the time, privacy notices can be super boring to read, even for lawyers. No matter how well written they are, it is not as if you will have a privacy notice on your reading list for your holiday. Dare to use modern and smart language, use icons and “give life” to it. The purpose of this document is to be read by individuals, so be creative and make people cast an eye on it by any means: slang or everyday language, icons, even self-sarcasm. (I once read a privacy notice that started by saying “You are about to read a boring text, so serve yourself a coffee or a glass of wine – whatever works best for you – before you start”. It got my attention immediately!)
The most important thing when you draft a privacy notice is to get over yourself. Skip what you have learnt at university and make sure what you write is understood by everyone. This is how you comply with your transparency requirements and not the other way around!