Privacy notices – the ICO follows the lead of the EU data protection authorities in their interpretation of Article 13 UK GDPR

Introduction

On 15 May, the ICO published the monetary penalty notice (MPN) in relation to the £12.7 million fine it imposed on TikTok in April. This MPN and its accompanying annexes set out details of TikTok’s non-compliance with data protection law and the reasons why the ICO considered that a fine was appropriate.

Whilst a significant part of the MPN is focussed on TikTok’s non compliance with the rules around processing children’s personal data, the MPN also clarifies how the ICO interprets the requirements in Article 13 of the UK GDPR more generally. For the most part the ICO’s position tracks that of the EU data protection authorities (as reflected in the DPC’s 2021 and 2022 Whatsapp, Facebook and Instagram decisions), demonstrating that the ICO also expects a greater level of detail and specificity than is seen in some privacy notices.

The ICO’s views on Article 13

The ICO’s detailed position on the Article 13 provisions is set out in Annex 3 of the MPN. Taking each discussed element of Article 13 in turn:

• The requirement to provide “the contact details of the data protection officer, where applicable” (Art 13(1)(b)): Organisations do not need to specifically name the individual DPO or provide a personal email address for the DPO in their privacy notices. However, where a DPO is appointed, it must be clear how the DPO specifically (as opposed to the privacy team or data controller generally) is to be contacted. Where a generic email address (e.g. privacy@ xyz.com) is used, the fact that this is the contact detail for the DPO must be made clear.

• The requirement to detail “the purposes of the processing for which the personal data are intended as well as the legal basis for the processing” (Art 13(1)(c)): Organisations must present this information in such a way that there is a clear link between: (a) the specified category or categories of data; (b) the purposes of the specified processing operation(s); and (c) the legal basis being relied upon to support the processing operation. High level and generic descriptions of the different legal bases relied on is not sufficient, as this does not provide data subjects with sufficient clarity around which legal basis applies to the specific processing of specific personal data. Separately, in contrast to the DPC’s position, the ICO does not say that specific laws need to be cited when companies rely on the “legal obligation” legal basis.

• The requirement to detail “the legitimate interest pursued” where processing is based on that lawful basis (Art 13(1)(d)): The MPN does not specifically deal with how much information has to be detailed in the privacy notice in relation to the legitimate interests pursued nor TikTok’s representation that its description of the legitimate interests pursued was consistent with examples previously given by the ICO. Instead, the ICO: (a) reiterated that TikTok had failed to demonstrate that a data subject could determine which categories of personal data were processed on the basis of legitimate interests; and (b) noted that, due to the way in which the processing purposes were presented, there was conflicting information around which lawful basis was being relied upon in relation to certain processing activities and when legitimate interests actually was relied upon.

• The requirement to detail “recipient or categories of recipients of the personal data” (Art 13(1)(e)): Vague, broad lists of categories of recipients are not sufficient. Instead, the ICO’s preferred approach is for actual named recipients to be listed. However, if controllers opt to provide categories of personal data they must provide at least sufficient detail on the categories of recipients so that data subjects are able to know who holds their personal data. The ICO provides an extract from the EDPB’s transparency guidance to support its position, which states that the information should indicate the type of recipient (by reference to its activities), the industry, sector and sub-sector and location of the recipients. It does not, however, go as far as the 2021 WhatsApp decision, where the DPC noted that users should be able to identify what categories of his/her personal data will be received by identified categories of recipients.

• The requirement to detail “transfers of personal data to a third country or international organisation” (Art 13(1)(f)): Looking at the different versions of TikTok’s privacy policy, the ICO makes a number of comments in relation to this requirement. In particular, (i) in order for information provided about data transfers to be meaningful, the third countries to which data is transferred should generally be named; (ii) references to “model clauses” and/or “standard contractual clauses” are not sufficient on their own to provide a data subject with the requisite information on the existence or absence of an adequacy decision or the suitable safeguards that are in place because non-specialists are unlikely to understand their implications; (iii) data subjects should be told what further information they can obtain about data transfers (rather than just stating that more information is available); and (iv) whilst not explicit, the ICO’s commentary on the TikTok privacy policies suggests that the categories of user data that is transferred should be detailed.

• The requirement to specify the period for which, or the criteria used to determine the period for which, the personal data will be stored (Art 13(2)(a)): The ICO firstly questioned why TikTok was unable to provide users with a clear period for which their personal data would be stored. Turning to TikTok’s efforts to detail the “criteria”, the ICO criticised TikTok for using “broad and general” language about how long data will be kept for, for not providing practical examples and for not explaining what is meant by data being kept in “aggregate and anonymised format”.

• The requirement to detail data subject rights (Art 13(2)(b) and (c)): Organisations must provide sufficient detail to allow data subject to fully and properly exercise their rights including information about when the different rights arise. The ICO also linked this issue to their findings on Articles 13(1)(c) and (d) above, noting that “TikTok’s failure to provide the requisite information [relating to which legal basis applied] undermined the data subjects’ ability to exercise their rights” as they couldn’t work out when certain rights would arise.

As a general point, the ICO disagreed with TikTok’s representations that the level of detail that the ICO suggests is needed is at odds with the obligation to be “concise”, noting that this requirement is not intended to curtail the requirement to provide the information in Article 13.

Our take

Clearly TikTok, as with the Meta companies, processes significant amounts of consumer personal data and undertakes complex profiling of users in order to present relevant content and advertising. This is not the case for most companies and so some of the MPN should be read with that in mind. Nevertheless, this MPN does show how the ICO interprets Article 13 and its overarching view – that companies must provide sufficient information about their processing activities and the legal bases relied upon so that individuals understand how their personal data is used and what rights they have – is relevant to all.

Companies would therefore be advised to revisit their privacy notices with a critical eye to see whether improvements ought to be made to better align with the decisions of the EU and UK data protection authorities. Given that many organisations need to review their privacy notices in the context of their actual or proposed use of AI (among other things), now may be the perfect time to do this.