Let’s answer the question up front: nowhere in UK or EU data protection law is it written that you have to call any document a Privacy Policy or Privacy Notice. GDPR doesn’t even use the term notice. It’s fake news!
This distinction of internal/external simply does not exist in the world of GDPR or Privacy. As we’ll see, what matters is the obligation to give information – and that applies as much to data subjects who are employees as to customers.
The bottom line is there’s no legal rule on this in Privacy law – the important thing is you provide data subjects with the information you’re meant to, when you’re meant to.
The dominant practice historically has been to call the document on your website ‘Privacy Policy’. But calling it ‘notice’ is totally fine, too. Let’s look at the law and practice (references to website usage by regulators and other entities are as at 20 July 2022).
Not only does the term ‘Privacy Notice’ not appear in GDPR – ever – the word ‘notice’ only appears once in GDPR, in Recital 103 about when the Commission can give notice to revoke an adequacy decision.
Here are the relevant parts of Article 13 and Article 14 from GDPR – no reference to the word ‘notice’ at all. It’s about giving information.
And Article 12 of GDPR, which goes into transparency of the information to be given, doesn’t use the word ‘notice’ either.
Articles 10 and 11 in the 1995 Data Protection Directive before GDPR were the same. And the word ‘notice’ didn’t appear at all, zero, in the 1995 Data Protection Directive. Not even in a recital.
As to UK law, the word ‘notice’ isn’t used in UK GDPR either and isn’t used in this sense in any of the 1984, 1998 or 2018 UK Data Protection Acts.
‘Notice’ appears 417 times in the 2018 UK DPA – we’ve looked at each one to check (!) – and it’s all about enforcement notices or penalty notices, not information to be given to the data subject.
Right. We’ve established that nowhere in EU or UK law does it say to use Privacy Policy or Privacy Notice. It doesn’t even use the word ‘notice’ itself, it just says ‘give this information to the data subject’.
You’re free to call the document whatever you want.
That’s the law. Let’s look at what the UK and EU regulators use, starting with the UK regulator, the ICO.
Back in 1995, the UK ICO itself used just ‘Privacy’ in its website footer, which linked to a document they themselves called a ‘privacy policy’.
In 2007, they had changed to use ‘Privacy Statement’ in their footer, which still linked to a document they themselves called a ‘privacy policy’.
In July 2022, post-GDPR, the UK ICO uses ‘Privacy Notice’ in its footer and that links to a document they call a ‘privacy notice’. So the UK ICO used ‘policy’ for decades then switched to ‘notice’. Fine, but they didn’t need to.
Looking at EU regulators, starting with the French regulator, CNIL: CNIL uses donnée personnelle, or ‘personal data’, in their footer. And this links to what they call their Politique de protection des données or ‘Data Protection Policy’.
‘Privacy Policy’ is also used by the Danish DPA, the Norwegian DPA, the Spanish, the Polish… The Romanian authority uses ‘cookie policy’ and ‘Information on processing’, which then refers to a policy. We stopped at that point; it seems pretty clear.
Do all these national data protection regulators have it wrong? Of course not.
Interestingly the European Data Protection Board, the EDPB, the evolution of the Article 29 Working Party, uses ‘General Data Protection Notice’. In 2018, they used ‘Data Protection Notice’.
And this is interesting for 2 reasons. First, the European Commission, the CJEU and the European Parliament all use ‘Privacy Policy’.
And secondly the EDPB itself endorsed and adopted the Guidelines on transparency under GDPR issued by its predecessor, the Article 29 Working Party, on 11 April 2018, page 8 of which says:
So, are the supranational Article 29 Working Party and EDPB wrong? Again, no, they aren’t.
You can call the document whatever you want. ‘Policy’ is perfectly good, and not only recognised by Europe’s top regulators but recommended and used by them. Notice is fine too!
We’ve looked at the laws and regulators, all pretty clear. Let’s now look at some leading law firms.
Probably the top UK firm on data protection is Bird & Bird – in July 2022 they use ‘Privacy Policy’. Ashurst uses ‘Policy’.
Outside Europe, the leading Australian firm Minter Ellison uses ‘policy’, as does the leading US firm Wilson Sonsini.
These are great global firms. And they’re not wrong either.
So where did ‘notice’ come in if it’s not mentioned in GDPR?
In practice, regulators and Privacy pros have long spoken about ‘Data Collection Notices’, the information you give to satisfy your information obligations. Typically it was layered, combining a short notice, just in time at the point of collection, with a link to your longer Privacy Policy.
But the word ‘notice’ is just a descriptor of the one or more ways, combined, in which you give the required information to the data subject. Everyone in the UK and EU used Policy.
The debate seems to have started after GDPR came in in 2018, and it may be related to GDPR being thrown at IT and Security professionals. Security has good reason to like tight nomenclature, for example to be able to differentiate between internal and external, or to secure different information appropriately. All perfectly reasonable – but again, it’s not a rule in UK or EU-level Privacy law. There is no official rule.
‘Privacy Notice’ isn’t in ISO 27001, which only mentions Privacy once, and it’s not in ISO 27701 (although 27701 does use the word ‘notice’ with a small ‘n’ on 4 pages, when it talks about ‘Openness, transparency and notice’). It also talks of ‘Privacy Policy’ on 4 pages.
Well, surely ISO itself, the organisation, uses ‘Notice’? Nope, it uses ‘Policy’.
Well, what about NIST? They use ‘cookie policy’ and, in their footer, ‘Site Privacy’. When you click Site Privacy you go to a page setting out the information and referring to the Privacy Policies of other sites you visit and Google’s Privacy Policy.
Which brings us onto commercial entities.
Microsoft uses ‘Privacy Statement’. Apple uses ‘Privacy Policy’. And we’ve seen Google uses ‘Policy’.
So, if someone tells you it has to be ‘Privacy Policy’ for internal and ‘Privacy Notice’ for external for UK or EU GDPR compliance, they’re wrong. EU regulators confirm it can be ‘Policy’, ‘Notice’, ‘Information’, ‘Statement’, anything you want.
‘Privacy Notice’ appears precisely nowhere in GDPR. Regulators endorse and use ‘Policy’. Leading law firms use ‘Policy’. Major organisations use ‘Policy’, ‘Statement’ and ‘Notice’. And nowhere in the world of UK and European Data Protection is there a legal rule about Notice vs Policy for internal vs external use, or otherwise.
You can call it what you want.
Here at Keepabl we make operationalising Privacy simple and intuitive, from data mapping to breaches, with instant insights. And we have a great Privacy Policy Pack to give you an instant Privacy Policy – or Notice 😉 – saving you a lot of time and cost.
If you’re ready to get your Privacy governance into gear for your business, why not request a demo or free trial of our Privacy Management Software?