The Transparency Principle in Data Privacy: An Analysis of the Autoritiet Persoonsgegevens’s Decision on Tiktok Inc.’s Privacy Policy (Part 2)

By: Aastha Bhandari 

(This post is the second of a two-part series on the topic – ‘The Transparency Principle in Data Privacy: An Analysis of the Autoritiet Persoonsgegevens’s Decision on Tiktok Inc.’s Privacy Policy’)


Explaining The Need For Standardisation

At the outset, the author wishes to address a simple question: how can the data controller make the data subject understand the reasons for processing? The provisions of the General Data Protection Regulation (hereinafter ‘GDPR’) tell us that this can be done by communicating in “clear and plain language.” However, this raises further questions as to what such language may entail. Since the GDPR is a heavily penalising regulation, data controllers such as Tiktok Inc. (hereinafter ‘the Company’) in this case can be substantially fined for not meeting the threshold.

The author argues that there is a sizeable amount of subjectivity connected to each data subject’s understanding. A language that is clear and plain for one subject may not be so for another, depending on their particular characteristics. The exercise of categorisation of children by the Office of the Information Commissioner of the United Kingdom (hereinafter ‘ICO’) does not solve problems of subjectivity because it puts all children belonging to a certain group on an equal standing and assumes that they will behave and understand in one way. The application of such a straitjacket formula goes against the basis of the transparency principle as it creates ambiguity and subjectivity. This raises the following questions: if A, as a data controller, has communicated its privacy policy in an intelligible, clear, and plain language and this policy is understood by some data subjects but not by others, would A be deemed to be compliant with the GDPR? What if it is only a minority of 5% that still does not understand the policy; what would be the consequences for A? The author argues that these ambiguities, which result from different levels of understanding, can only be removed by developing an objective standard through the process of standardisation.

In the current case, the Autoriteit Persoonsgegevens (hereinafter ‘AP’) held that a change in the language of the script from English to Dutch would increase the understanding of the Terms of Service and Privacy Policy (hereinafter ‘Policy’) by Dutch children. This implies that, had the Policy been provided in Dutch, they would have understood it better, as language plays a crucial role in the understanding of the data subject. The Company diverged by arguing that the children could understand it in English. However, the author highlights that both parties missed the point of the transparency principle by focusing solely on understanding based on different scripts. It is submitted that understanding cannot be guaranteed by the language of the script but rather through an objective standard of content.

The ICO attempted to take a step in the right direction by expanding the ambit of language to include audio and visual content. However, its strategy of categorisation cannot succeed in furthering the principles of data privacy of children, as it assumes that all children belonging to a certain age group understand in the same manner.


A. Within the GDPR:

According to Article 12(7) of the GDPR, the information provided to the data subjects can be in the form of standardised icons, to implement the transparency principle. Further, Article 12(8) states that the European Commission is allowed to adopt delegated acts to decide the procedure for providing standardised icons as well as the information to be presented by the icons.

B. Within Existing Literature:

In their work on the standardisation of data privacy disclosures, Arianna Rossi and Gabriele Lenzini indicate that standardised graphical symbols are meant to establish a common code that crosses languages and literacy levels to become universally recognisable when consistently employed. They interpret the legal requirements in Article 12(7) concerning standardised icons broadly to mean: visibility, legibility, comprehensibility, culture-independence, style, quality, semantic transparency, completeness of the icon decision and machine readability.


Analysis

Table 1.2

The author undertakes a comparative analysis between four major corporations operational in the Netherlands to illustrate the differences in the content, placement, and presentation of the cookie settings on their websites. It is to be noted that the analysis has been deliberately limited to cookie settings, as these were publicly accessible. Further, the corporations have been chosen because they all have operations in the Netherlands and are highly recognised worldwide.

The following significant points of distinction are to be noted:

  1. The placement of the pop-up containing the cookie settings is different for three out of four corporations.
  2. The header of the pop-up is differently worded for every corporation.
  3. Some corporations do not mention the involvement of third parties in their cookie settings while some do.
  4. The options, symbols and default settings of all corporations are significantly different.
  5. Only two out of four corporations explicitly mention in the pop-up that the cookie preferences can be changed at any time by the data subject.

It is evident from the cookie settings of the above corporations that a certain level of legalese will inevitably be used in them. Adding to this, the ambiguity created by the usage of vague phraseology, for example “cookies to provide the best user experience”, is sizeable. Lastly, there is no uniformity in these policies. Zara has sub-divided its cookies into four categories, whereas KLM only mentions the term “functional and analytical cookies” without an accurate description of what they mean. The author wishes to convey that the huge number of distinctions in a small sample size of merely four corporations adds to the subjectivity in the understanding of different data subjects.


In this part of the article, the author attempts to suggest a broad framework for the standardisation of how the data subject navigates through the information provided through the Policy. The GDPR already provides for the use of standardised icons, and existing literature even describes the requirements that the icons must meet to communicate the reasons for processing to the data subject in an intelligible and transparent manner. However, there is no global consensus on how this standardisation must be pursued. Thus, the author argues that one cannot leave the matter hanging at this juncture and that, as such, there needs to be standardisation of the placement of the standardised icons. This will enable universal uniformity and effectively enhance the understanding of the data subject. The element of subjectivity will be reduced to a minimum.


It is interesting to note that the investigation on Tiktok Inc. may still not have come to an end. The AP has transferred its investigation to the Irish Data Protection Authority. This may not be the end of the imposition of substantial fines on the Company on account of breach of data privacy. Data controllers must tread cautiously in their communication to the data subjects. It is in the interests of all the stakeholders that a process of standardisation be initiated under the GDPR in order to remove barriers to the autonomy of the data subjects over their own data. A universal and uniform approach in the current case will pave the path for an immensely smooth implementation of data privacy legislation worldwide.

(Aastha is a law undergraduate at O.P Jindal Global University. The author may be contacted via email at

Cite as: Aastha Bhandari, ‘The Transparency Principle in Data Privacy: An Analysis of the Autoritiet Persoonsgegevens’s Decision on Tiktok Inc.’s Privacy Policy (Part 2)’ (The RMLNLU Law Review Blog, 08 April 2022) <>   date of access
