I submitted comments to the Working Party 29 in response to their recently published Guidelines on Transparency under Regulation 2016/679 (aka GDPR). One of the points I highlighted was their promotion of Recital 39 which stipulates “Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing.” Unfortunately, this stipulation doesn’t quite correlate with Articles 13 and 14 which lay out the specific notification requirements for data subjects. Only in regard to automated decision making does Article 13 and 14 make clear the need to include consequences in the notice.

Current practice in privacy notices is to discuss how a data controller processes data but few, if any, illuminate the risks to the data subject. Coming on the heals of the FTC’s Workshop on Informational Injury, it’s apparent there are lots of adverse consequences that can result from privacy violations. The categories at left are partially based on FPF’s chart of harms from Automated Decision Making. However, since current practices do not include indications of risks and consequences, I thought it was important to ask the WP29 for additional guidance on the form and structure of this.

You can read my full comments here.


Once the final guidelines are published, I’ll be releasing an updated version of the GDPR Privacy Notice Generator, taking into account any changes necessary under the guidelines. Current purchasers have access to all future versions of the tool, which will also include multiple languages and standardized icons once issued.