Definitely maybe: drafting privacy notices for uncertain situations

Viewpoints
June 27, 2023
2 minutes

Drafting a privacy notice can be both easy and difficult.  At its core, the notice should (1) tell individuals how and why you will collect, use (and re-use), share and store their personal data, and inform them of their rights in relation to that data, and (2) do so concisely and intelligibly.  

But anyone who has written — or read — privacy notices knows that transparency and digestibility are not always natural bedfellows.

Inspired by a recent enforcement action of the Spanish data protection authority (AEPD), this post looks at an aspect of privacy notice drafting that is often overlooked: the use of generic language generally, and language qualifiers specifically (e.g., may, might, some, often, possible).  In finding against the controller in this case, the AEPD cited European Data Protection Board (EDPB) guidance that such qualifiers should be avoided — and where controllers do use indefinite language, “they should be able, in accordance with the principle of accountability, to demonstrate why the use of such language could not be avoided and how it does not undermine the fairness of processing”. 

The AEPD’s fine was small (€5,000 out of a total €25,000 for additional GDPR violations), but it’s a timely reminder that the small things matter when informing individuals about how you will use their personal data.  Transparency and trust go hand in hand, after all.

And yet, despite the rebuttable presumption against using language qualifiers, almost all privacy notices do so, including those issued by the regulators themselves (see the Irish Data Protection Commission (here) and the UK Information Commissioner’s Office (here)). 

For the record, I don’t have an issue with the use of qualifiers, within reason.  Take the following example: an employer has historically never had to share an employee’s personal data with the emergency services in the event of an accident at work.  Should its privacy notice say that it “may” do so, or that it “will”?  Strictly speaking, both can be true.  On balance, I think that “may” is likely to be more reflective of the reality of the processing.  If your notice uses “will”, but personal data are never actually used in this way, is that misleading? 

I appreciate that we may have gone too far down the rabbit hole, but the AEPD’s fine shows that controllers should take the time to ensure that their privacy notices are not simply a series of blanket statements about data processing that may or may not take place.  As the EDPB guidance makes clear, “the quality, accessibility and comprehensibility of the information is as important as the actual content of the transparency information, which must be provided to data subjects”.

There is a school of thought that no one reads privacy notices, so it really doesn’t matter what they contain.  Needless to say, I don’t subscribe to that thinking.  Instead, I suggest taking the inverse approach to William Purkey’s advice to dance like no one is watching: draft privacy notices like everyone is reading.  You never know who might be doing just that.