If French is the language of love (Italians: don't @ me), and music is a universal tongue, where does that leave English? Besides the obvious and universally loved cultural touchstones (Charles Dickens, Alfred Hitchcock, Alan Partridge), it's also become the lingua franca for privacy notices.
Last week, the Dutch DPA fined TikTok €750,000 for failing to provide a copy of its privacy notice in Dutch (in addition to English). That wasn't even the first time a European DPA has penalised a data controller under the GDPR for publishing a single-language (i.e., English) privacy notice. It’s a low effort exercise for regulators: unlike a company's internal compliance documentation, which is necessarily difficult to assess, non-compliance with a language requirement can be easily identified and reported by any Jose, Yusuf or Giuseppe Bloggs.
English is the dominant language for many global organisations, including in their offices in non-English speaking countries. The expectation is that employees are sufficiently fluent in English to understand the content of a privacy notice, such that it doesn’t also need to be provided in the employees’ native language. The same approach often extends to the company’s customers or users, particuarly in countries where English is commonly used. But the risks of doing this are twofold:
- There is a legal or regulatory requirement to provide the notice in both (or more than two) languages, which is not met if the notice is available only in English; and
- The non-compliance is identified, whether by a regulator or individual.
To compound matters, an individual for whom English is not a first language may claim that they were unable to understand the scope of the processing as set out in the privacy notice — such that the processing is not transparent for the purposes (for example) of Article 5(1)(a) of the GDPR and therefore unlawful. That’s an outcome which could have been remedied easily and cheaply by providing a local language copy of the privacy notice.
Charlemagne said that to have another language is to possess a second soul. I'm not sure I'd go that far — but it certainly is good compliance practice.
The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.