A duty of assistance to make sense of privacy notices: Lessons from financial services regulation

The average length of a privacy notice has constantly increased in the last few years. If data controllers are putting out there longer and longer privacy notices, should not they also be helping data subjects in making sense of them? With data-intensive activities getting more and more complex, we can only expect this to impact negatively on these documents. At this stage, we can compare them to complex financial documents such as a prospectus of a publicly-traded company or a mortgage application.

While GDPR asks for concise and easy-to-read language, it is possible that the complexity of the operations cannot be simplified, which calls for researching alternatives. For this, we can draw inspiration from the financial services industry to address this ever-growing complexity. In this sense, the financial services industry has developed a duty of assistance to help clients in certain scenarios when complex documents, such as prospectus or credit sheets, are involved.

Therefore, the purpose of this contribution is to explore how this duty could be grounded in current European data protection regulations, particularly GDPR, and how it should be implemented to ensure that data subjects are assisted in their choices. As part of this discussion, the article shall address the notion of nudging and compare it with the notion of assisting to argue why an assisted consent would still meet the GDPR requirements for valid consent.

If such a duty can be grounded under GDPR, it can be addressed one of the most criticized topics in data protection: the notice and consent model. By doing so, the relationship between data subjects and data controllers could change dramatically towards a more engaged interaction between the two to accommodate the more data-intensive activities. In this respect, it is foreseeable a more participatory model for governing personal data.