By: Aastha Bhandari
AN ARGUMENT FOR ELIMINATION OF SUBJECTIVITY: NECESSITY FOR INTRODUCTION OF STANDARD ELEMENTS
Explaining The Need For Standardisation
At the outset, the author wishes to address the simple question: how can the data controller make the data subject understand the reasons for processing? The provisions of the General Data Protection Regulation (hereinafter ‘GDPR’) tell us that this can be done by communicating in a “clear and plain language.” However, this raises further questions as to what such a language may entail. Since the GDPR is a heavily penalising regulation, data controllers like Tiktok Inc. (hereinafter ‘the Company’), in this case, can be substantially fined for not meeting the threshold.
The ICO attempted to take a step in the right direction by expanding the ambit of language to include audio and visual content. However, its strategy of categorisation cannot be successful to further the principles of data privacy of children as it assumes that all children belonging to a certain age group understand in the same manner.
RECOMMENDATIONS RELATED TO STANDARDISATION
A. Within the GDPR:
According to Article 12(7) of the GDPR, the information provided to the data subjects can be in the form of standardised icons, to implement the transparency principle. Further, Article 12(8) states that the European Commission is allowed to adopt delegated acts to decide the procedure for providing standardised icons as well as the information to be presented by the icons.
B. Within Existing Literature:
In their work on the standardisation of data privacy disclosures, Arianna Rossi and Gabriele Lenzini indicate that standardised graphical symbols are meant to establish a common code that crosses languages and literacy levels to become universally recognisable when consistently employed. They interpret the legal requirements in Article 12(7) concerning standardised icons broadly to mean: visibility, legibility comprehensibility, culture-independence, style, quality, semantic transparency, completeness of the icon decision and machine readability.
COMPARATIVE ANALYSIS OF THE FOUR GIANTS
The author undertakes a comparative analysis between four major corporations operational in the Netherlands to illustrate the differences in the content, placement, and presentation of the cookie settings on their websites. It is to be noted that the analysis has been deliberately limited to that of cookie settings as it was publicly accessible. Further, the corporations have been chosen as they have a commonality of having operations in the Netherlands and are highly recognised worldwide.
The following significant points of distinction are to be noted:
- The placement of the pop-up containing the cookie settings is different for three out of four corporations.
- The Header of the Pop-up is differently worded for every corporation.
- Some corporations do not mention the involvement of third parties in their cookie settings while some do.
- The options, symbols and default settings of all corporations are significantly different.
- Only two out of four corporations explicitly mention in the pop up that the cookie preferences can be changed at any time by the data subject.
It is evident from the cookie settings of the above corporations that a certain level of legalese will be inevitably used in them. Adding to this, the ambiguity created by the usage of vague phraseology for example “cookies to provide the best user experience” is sizeable. Lastly, there is no uniformity in these policies. Zara has sub-divided its cookies into four categories whereas KLM only mentions the term “functional and analytical cookies” without an accurate description of what they mean. The author wishes to convey that the huge number of distinctions in a small sample size of merely four corporations adds to the subjectivity in the understanding of different data subjects.
SUGGESTING A ROBUST FRAMEWORK
In this part of the article, the author attempts to suggest a broad framework for the standardisation of how the data subject navigates through the information provided through the Policy. The GDPR already provides for use of standardised icons and existing literature even describes the requirements that the icons must meet to communicate the reasons for processing to the data subject in an intelligible and transparent manner. However, there is no global consensus on how this standardisation must be pursued. Thus, the author argues that one cannot leave the matter hanging at this juncture and as such there needs to be standardisation of the placement of the standardised icons. This will enable universal uniformity and effectively enhance the understanding of the data subject. The element of subjectivity will be reduced to a minimum.
CONCLUDING REMARKS AND WAY FORWARD
It is interesting to note that the investigation on Tiktok Inc. may still not have come to an end. The AP has transferred its investigation to the Irish Data Protection Authority. This may not be the end of the imposition of substantial fines on the Company on account of breach of data privacy. Data controllers must tread cautiously in their communication to the data subjects. It is in the interests of all the stakeholders that a process of standardisation be initiated under the GDPR in order to remove barriers to the autonomy of the data subjects over their own data. A universal and uniform approach in the current case will pave the path for an immensely smooth implementation of data privacy legalisations worldwide.
(Aastha is a law undergraduate at O.P Jindal Global University. The author may be contacted via email at email@example.com)