201. Considering the format in which the Privacy Policy and Legal Basis Notice is presented to the user in light of the above, it is clear that, once a user reaches the Page, he/she is presented with a significant amount of text; this will be immediately apparent to the user, from the scroll bar running down the side of the Page. While the Privacy Policy and Legal Basis Notice only account for approximately 43% of the total text length, the user has no way of knowing this or of knowing, at first instance, whereabouts on the Page these are located. The use of this format to deliver the information prescribed by Article 13 of the GDPR risks dissuading the user from reading the Privacy Policy and Legal Basis Notice on the basis of a perception, on the part of the user, that he/she may be required to review a considerable length of text. In this way, the format of presentation risks creating a barrier between the prescribed information and the data subject. 202. Accordingly, and with a view to ensuring, insofar as possible, that users receive the information that WhatsApp is required to provide, I included proposed directions, in the Preliminary Draft, requiring WhatsApp to take action such that: a. the Legal Basis Notice is incorporated into (such that it forms part of) the Privacy Policy; and b. the Privacy Policy (with incorporated Legal Basis Notice) is separated from the remainder of the policies/notices that make up the Page and presented on a page of its own. 203. I note, however, that WhatsApp has since taken the action required to address the substance of my concerns, in this regard, and, accordingly, the proposed directions are no longer required. 204. For the avoidance of doubt, I note that the Investigator, by way of Conclusion 3, expressed the view that “the format of the Online Documents in one continuous scrolling document is not in line with the accessibility requirement contained within Article 12.1 of the GDPR, as this scrolling [renders] specific information more difficult to find.” As detailed further below, I will approach the required assessment by reference to the individual categories of information that are prescribed by Article 13. Accordingly, I do not intend to propose any finding by reference to Conclusion 3 of the Final Report.
Methodology for Part 2: Assessment and Questions for Determination 205. Having established how WhatsApp provides information to its users, I must now consider the extent to which the measures implemented achieve compliance with the requirements of Article 13, read in conjunction with Article 12(1). 206. As set out above, Article 13 prescribes the information that must be provided to the data subject while Article 12(1) sets out the way in which this information should be provided. Thus, in order to achieve compliance with Article 13: a. The data controller must provide the required information; and b. Provide it in a manner that is “concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.” 207. In other words, compliance with Article 13 requires both of the above elements to be satisfied in each case.
68
