Deontic Modality in the GDPR Based Finnish Privacy Notices in the Light of the Transparency Principle

Since its inception the General Data Protection Regulation has introduced a number of rights and obligations that relate to the personal data processing. As the Regulation requires that all information about data subjects’ rights be conveyed in a clear and plain language (transparency principle), this study focuses on the linguistic means of expressing rights and obligations in the GDPR based privacy notices. The article aims at scrutinising the features and context of deontic expressions which may influence the clear message. The research corpus consists of fourteen privacy notices of Finnish design companies which were analysed in order to identify deontic expressions. They were juxtaposed with the GDPR text and some discrepancies were found in their frequency and modal patterns. The qualitative analysis of the expressions with the help of Easy Language Meter criteria for Finnish revealed that privacy notices show simplifying tendencies like choice of modal expressions, the use of certain subjects and the way of addressing the reader. These comply with the Plain Language principles and thus the transparency principle highlighted in the GDPR.

of personal data and harmonises privacy laws across Europe. The character of the regulation, unlike directive, allows the indirect implementation of the provisions in the member states. Furthermore, the GDPR facilitates the free movement of data throughout the EU [5,15]. Enforcement and compliance with data protection legislation are ensured by a number of measures, among others by levying high penalties for not complying with the GDPR's provisions [13]. This could be considered a major enhancement in data security since the preceding major legal act, European Data Protection Directive, which was passed in 1995. The GDPR's provisions can be perceived as evolutionary rather than completely radical for those entities who were already acquainted and compliant with the provisions of the 1995 Directive [13].
The GDPR consists of two parts: the non-normative recitals and the enacting terms, i.e. the article part which forms the core of the provisions. The recitals are a supplementary section that clarifies and justifies the reasons of the articles. They are often deemed 'vague' and 'indeterminate' [13]. Despite their non-normative function in the legal act, however, it is important to bear in mind that the validity of a legal act results from the integrity of all its parts, including the non-normative parts. Principles or general values mentioned in the recitals thus belong to the soft law. It can be understood as an oxymoron due to the conceptual opposition of an adjective 'soft' on the one hand, and the idea of 'hard law' on the other. Nevertheless, soft law impacts the interpretation of other legally binding parts of a legal act [2].
The right to the protection of personal data is considered a fundamental right as expressed in the Charter of Fundamental Rights of the European Union (Article 8(1)) [4]. The same stance is reiterated in the GDPR (Art. 1 (2)). Perhaps it is a result of the reinforced role of personal data protection in the European Union law [24]. For the sake of terminological clarity, when referring to the GDPR the term 'data protection' will be used according to the meaning constituted in the European law, as opposed to the concept of 'information privacy', used in the American tradition [13].
In the GDPR text the main subjects of rights are data subjects who are granted possibility to access and manage the data they passed to different entities on various occasions. Any action of providing personal information in the online environment constitutes the basis for application of GDPR provisions. On the contrary, the subjects of obligations are mainly data controllers and processors. A controller is defined in the GDPR as a "natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data" (Art. 4(7)), while a processor is a "natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller" (Art. 4 (8)). The rights and obligations of these subjects are expressed through deontic expressions which are a significant feature of the legal texts, and will be scrutinised further in this article.
As a consequence of the application of the GDPR information on data protection approached users' mailboxes [13,46]. This made the language specialists from the Institute for the Languages of Finland (Kotus) choose the term tietosuoja-asetus, meaning 'the Data Protection Regulation', as their 'word of the month' (i.e. a new word of growing frequency in language over a period of time) in May 2018 [43]. On account of breaches of this fundamental right to the protection of personal data, this regulation seemed inevitable [9].
The aim of this study is to investigate the features of the privacy notice in connection to deontic modality and transparency principle. In other words, it is investigated which deontic modals are typical for the GDPR and the privacy notices and whether there exist any differences between them. In case of discrepancies, it was examined, whether they have weakened or strengthened deontic modality. Additionally, the focus of the analysis is on examining whether these potential modifications may be a consequence of Plain Language tendencies to simplify the content of the legal provisions.
The Finnish version of the General Data Protection Regulation was selected as a research material in this study due to the salient role of the GDPR in setting data protection law worldwide [15]. Therefore, the GDPR was subject to multiple research studies, especially in the domain of law [13,15]. Moreover, this regulation might be considered an interesting research material for linguistic analysis, in particular in the area of deontic modality. This study, examining how the modifications from the legislative language into the language of notices on the websites are made, contributes to linguistic analyses of this new type of text. Furthermore, in Finland and other Nordic countries efforts have been made lately towards even clearer administrative language [25] which further justifies the investigation into whether the transparency principle is visible also in the corporate documents.
The point of departure is the analysis of deontic modality means in the Articles 15-21 of the GDPR and privacy notices, respectively. Compliance with the transparency principle is examined by checking the clarity of modal expressions and comparing them to each other, comparing the subjects of the rights and obligations in both genres, as well as investigating forms of addressing the reader. These three criteria refer to the requirement of clarity formulated amongst others in the Article 5 of the GDPR. Further aim is also to preliminarily examine whether means of expressing modality constitute an idiosyncratic feature of the privacy notices.
This study focuses on the rights of data subjects and obligations of the entities, as formulated in the Articles 15-21. Core rights are: the right of access (Art. 15), right to rectification (Art. 16), right to erasure (Art. 17), right to restriction of processing (Art. 18), right to data portability (Art. 20), and the right to object (Art. 21).
In the light of the broad literature on the definitions of the language of law [25,42] in this paper some synonymous terms are used only in reference to the language of legislative texts. The terms used interchangeably include 'legal language' and 'language of law'. They refer to the text of the GDPR contrary to the non-legal informative text, i.e. the text of a privacy notice. The meaning applied in this article is thus narrowed in comparison to the broader understanding of the legal language having many subgenres [25].

Privacy Notice as a Source of Rights and Obligations
The pivotal task of the texts of law is to impose rights and obligations thus conferring power [35]. The GDPR introduces a catalogue of such rights of the individuals and obligations of certain entities, and privacy notices summarise them.
First and foremost, it is vital to clarify what the term 'privacy notice' refers to. It can be broadly perceived as a public document that certain entities are obliged to provide to the data subjects to be compliant with the GDPR. Issuing such a notice means adhering to the 'right to be informed' or in other terms to the controller's obligation to inform data subjects (e.g. customers of an online shop) about the details of processing of their data. Such obligation is formulated under the Articles 13 and 14 of the GDPR [9]. The other term used on companies' websites to denote the same document as privacy notice is 'privacy statement'.
However, there is another term under a similar name, 'privacy policy'. On the one hand, the terms 'privacy notice' and 'privacy policy' are sometimes used synonymously [9] but on the other, they should be treated as separate documents. The difference is that a 'privacy notice' is a public document issued for the data subjects, whereas the 'privacy policy' can be described as a rather internal document for the entity's employees which holistically describes the company's mission [14]. The Finnish equivalent of 'privacy notice' is tietosuojaseloste or tietosuojalauseke and 'privacy policy' is tietosuojakäytäntö.
Nevertheless, it has to be stressed that no such terms as 'privacy notice' or 'privacy policy' are mentioned in the GDPR. Instead, a simple reference to 'information' is used, e.g. "the controller shall (…) provide the data subject with all of the following information" (Art. 13). Hence, the information can be included in a privacy notice or can be communicated in another form provided it is compliant with the GDPR's requirements [15].
All in all, the term 'privacy notice' will be used in this study due to the lack of a legal definition of the terms 'privacy notice' or 'privacy statement'. The meaning of the term will refer to any public document issued by the company which fulfils the informative obligation of the entity towards its customers (data subjects).

Deontic Modality
The GDPR as a text of law conveys obligations, permissions and certain rights. These are expressed with linguistic means that belong to deontic modality. Broadly speaking, modality results from certain norms that refer to intentional agents [50]. It is clear that norms conveyed in legal provisions are based on power relations and can be thus called 'heteronomous norms' according to von Wright, as opposed to 'autonomous norms' stemming from one's own needs [49].
In Finnish legal texts deontic modality can be expressed with different linguistic means. The most common expressions of permission, competence and rights are verbs voida 'can, may', saada 'may, have the permission' and the phrases on oikeus 'have the right'. Additionally, obligation is expressed with a necessive construction on tehtävä 'it has to be done' (on is the 3rd person singular of the verb 'to be' and a complement verb that is formed from a passive present participle ending in -vA where the last letter is subject to Finnish vowel harmony) and an obligation verb tulee (the 3rd person singular of the verb tulla). Besides, phrases like olla velvollinen 'to be obliged to' and on velvollisuus 'have the obligation to' are sometimes used. Forms of imperative mood, so called jussive mood, can also appear, but especially in older legal acts.
Interestingly, the usage and frequency of the aforementioned expressions differ depending on the genre of the text (e.g. the Criminal Code of Finland 'Rikoslaki' uses a stronger necessive construction on tehtävä not the verb tulee to impose obligation) and the language register. Therefore, there is a different set of modal forms in general language and in the language of law. The first vast overall review of Finnish modality was based on the corpuses of general Finnish [16], but the use of different modal patterns in law have been so far a subject of quite few studies. This notwithstanding, some recent studies should be mentioned. Nurmi & Kivilehto [28] have studied the obligation expressions using corpus-assisted approach to Finnish-Swedish translations in the light of official guidelines for translators. Piehl and Mikhailov [26] who study the Finnish Eurolect within the Eurolect Observatory Project also mention the occurrence of the necessive construction on tehtävä. On the basis of their broad comparable corpus of Finnish directives and on the other hand, the corpus of measures of Finnish national implementation, they conclude that the frequency of this necessive construction is higher in the corpus of Finnish directives. This may be due to the EU guidelines for translators which most often recommend using on tehtävä as an equivalence of the English verb shall [34,39].
Rydzewska-Siemiątkowska [33] examined the synonymy of the aforementioned obligation verb tulee and the necessive construction on tehtävä basing on a survey among Finnish natives and showed that despite the same normative character and near-synonymous meaning of these forms, the expression on tehtävä was perceived more obligatory by the informants. This might partly result from the fact that this expression is commonly used both in general language, as well as in legislative genre, although in the latter its frequency is lower, as Kanner has shown [17]. He researched modal expressions with the corpus of EU texts and juxtaposed them to the national Finnish legislation.
Additionally, rights and obligations can be expressed with indicative forms of present tense. These non-modal means have been studied in Finnish legislative language by Attila [1] who has shown that they are and should be commonly understood as normative.
From the point of view of the topic of this article, deontic modality will also be described shortly in the light of the recent studies devoted to Easy and Plain Language in Finland. Both terms will be deepened in the following section, but here some issues will be raised.
As for the English-speaking countries, it is broadly known that the modal verb shall has been a subject of a heated Plain Language debate. The frequency of the verb has declined considerably during the years after it had been "the most important word in the world of legal drafting". It almost disappeared from the U.K. legislation, as the outcome of Plain Language experts' efforts to replace it with other linguistic means amongst others due to its ambiguous meaning [3,8]. Still, it is commonly used in the EU legislation and is present in the drafting guidelines (for a wide overview of the literature and discussion on the subject see Garzone [8]).
In Finland the intersection of Plain Language and deontic modality can be found in the studies of amongst others Kulkki-Nieminen [18,19] and Laine [20], although their research perspective is focused mainly on modifying techniques of the Plain Language. Both case studies examine the process of simplifying texts into Plain and Easy Language -Kulkki-Nieminen analyses simplified news pieces and Laine Finland's Disability Policy Programme (VAMPO). Laine has shown that the aforementioned necessive construction on tehtävä is widely used in the simplified texts whereas the obligation verb tulee is a prevalent modal form in the original version of the official document. She assumes that it can be perceived as a more categorical and explicitly binding modal means [20]. However, interestingly, quite the opposite observation has made Rydzewska-Siemiątkowska in her survey study where the verb tulee was regarded by informants as imposing 'weaker obligation' and not implying legal sanctions for evading one's duties [33]. Furthermore, Kulkki-Nieminen has found that sometimes deontic modality may be subject to become weakened as a result of simplifying, i.e. the obligation to do something can become a possibility which, in result, gains rather a prescriptive than normative character [18].

Plain Language Background and Principles
Plain Language is a language that uses clear structures and design and thus conveys clear message for the readers who are then able to "easily find what they need, understand what they find, and use that information" [31]. In Finnish, Plain Language is called selkeä kieli 'clear language' or selkeä yleiskieli 'clear general language' [22].
Plain Language movement in Europe has had a long tradition. At the beginning, in the 1970s the use of Plain Language was encouraged in English-speaking countries at the initiative of consumer organisations. The movement has promoted the ideas of making official language more understandable for vast majority of readers by eliminating some heavy style constructions [25]. During the years, the quality of the official texts has improved greatly thanks to numerous projects in single countries, as well as in the whole European Union, just to mention Clear Writing Campaign, style manuals with certain guidelines, clear language associations like Clarity International and conferences [23,25].
The ideas of Plain Language spread along to other countries, including Finland. Nevertheless, the approach towards clearer language of legislation and legal practice was present in Finland since it became independent in 1917. As Finland was firstly under Swedish rule for over six hundred years, its legal culture was shaped by the Swedish legal heritage. Swedish was the only official language throughout the whole Swedish rule in Finland [25]. Finnish legal language was also remarkably influenced by Swedish syntax and vocabulary as Finnish was predominantly translated language at that time [29]. Coining Finnish based legal terminology in the first half of the 20th century was the first sign of language purism. There were discussions held on language-related matters and new terms were introduced for example in the "Lakimies" journal, as well as the first dictionaries of law terms in Finnish were published. Since the 1930s the quality of enacted acts has been verified on an institutional level by regularly assembled expert committees [29].
Today, Finland has two official languages, that is Finnish and Swedish. They have equal status when it comes to the significance and validity of administrative texts and their wording should match in both language versions after translation. Plain Language in Finland has been discussed in the context of communication between authorities and the general public [30]. It is enhanced by the national legislation, specifically by the Administrative Procedure Act (Hallintolaki 434/2003) which states that an authority's language should be "appropriate, clear and comprehensible" [11,22,45]. The task to develop it in this direction at different administration levels is a responsibility of the public agency Institute for the Languages of Finland (Kotimaisten kielten keskus) [22,30]. Therefore, the position of the Plain Language in Finland is well-established nowadays.
The Finnish name for Plain Language, selkeä kieli, is close to selkokieli, which is a compound word denoting an easier variation of the plain language, namely the so called Easy Language. Easy Finnish is defined by the Finnish Centre for Easy Language as follows: "easy Finnish is easier to understand than standard Finnish. It is a form of Finnish that has been adapted so that it is easier to read and understand than standard Finnish in terms of content, vocabulary and structure. It is targeted at people who have difficulties with reading or understanding standard Finnish"[36]. In Finland it has been developed for a long time, however until recently has it been more widely recognised [22,48]. For over 20 years now, the Finnish Centre for Easy Language (Selkokeskus) has been doing research on Easy Language and implementing the principles into practice, i.e. publishing materials for target groups.
The similarity of names may cause common misunderstanding. A near-synonym 'easy-to-understand language' adds some confusion as well, but it can be conceived as a hypernym for "comprehensibility-enhanced varieties of natural languages, that is, for Easy and Plain Languages" [12]. Leskelä highlights that it is really difficult to differentiate between the two variants of easy-to-understand language, because they form a kind of continuum rather than clear-cut and separate categories. The continuum starts from a very easy language and ends at the most demanding language variant [22].
An apt summary of the nuances of these two varieties is given also by Hansen-Schirra and Maaß [12]. There, Plain Language may be compared to other language varieties according to text complexity on the one hand, and comprehensibility on the other. Easy Language is the simplest language form with enhanced comprehensibility and lower complexity than other forms. However, comprehensibility in Plain Language is enhanced as well, but plain format is additionally said to be less stigmatising for the target groups than Easy Language when it comes to the linguistic means and layout [12]. Leskelä calls Plain Language the "most demanding part of Easy Language" [22].
The easiness in comprehending also results from planned targeting of the texts at certain groups of people with language barriers [21]. Research studies confirm that translating of the specialised texts into easy languages, the specialised texts being situated on the far right end of the above continuum regarding their complexity, plays important role for the immigrants. A good example can be transforming of administrative texts for second language (L2) Finnish learners [6]. Nevertheless, it should be stressed that legislative and administrative texts have not been simplified as much as other texts [19].
While there has been no legislation on the status of Easy Finnish, the significance of the two language varieties for the Finnish society is also clearly emphasised for the first time in the Finnish government resolution from 2021. It states that: "The aim is to increase the use of Easy Finnish and Easy Swedish in the activities of ministries and administrations, in communication and event planning, as well as it is to increase the competences concerning the Easy Language and Plain Language" 1 [27]. Hence, they both contribute to a more inclusive society where communication is made easily accessible. The same has been noticed for other languages like German [12].
Nevertheless, not only do the two simpler language versions exist, but also Finnish experts indicate that it is justified to distinguish even more variations within the Easy Language itself which results from heterogeneous groups of people who need it. Therefore, a detailed three-step-division into Simple, Basic and Advanced Easy Finnish highlights the varying levels of comprehension difficulty. Plain Language is close to the Advanced Easy Finnish which is the most demanding version of Easy Language [22].
In the light of an increasing interest in the topic and growing needs of the target groups attempts have been made to evaluate these different levels of difficulty by developing criteria for identifying the Easy Language features in a text. The so-called Easy Language Meter (selkokielen mittari) was published in 2018, including 106 such criteria. They are based on three different groups of features: textual, structural, and lexical [21]. To a great extent the criteria and other guidelines of simplifying texts seem universal and applicable to the Plain Language, as well Suominen concludes that the recurring principles of both varieties are taking target group of readers into account, order of presenting the facts, choice of words, sentence length and text cohesion [40]. Nevertheless, according to Tiililä there are far more modifications in Easy Language than in Plain Language on account of the special needs of target groups [47].

Principle of Transparency in the GDPR
Transparency belongs to the Plain Language principles. It has been recognised also in the European Union law since Treaty on European Union but was not a fundamental principle until recently (besides only mentioned shortly in the Directive 95/46/EC, the predecessor of the GDPR) [10]. In the GDPR the requirement of transparency is declared on a number of occasions, both in recitals (39, 58, 60) and articles (5,12,34) [32].
Transparency is said to be a supreme obligation under the GDPR because of its comprehensive application to processing of personal data [10], intertwined with two other fundamental principles, i.e. lawfulness and fairness (Art. 5) [32]. Moreover, together with other principles it falls under the principle of accountability (Art. 5). Transparency thus concerns mainly data controllers' communication with data sub-jects, provision of information to data subjects, as well as facilitating the exercise of data subjects' rights.
Given the aforementioned facts, this principle draws on openness and trust which are achieved when certain rights have been made accessible and properly communicated. From this perspective the idea of transparency can be holistically seen as "user-centric rather than legalistic" [10]. On the other hand, principle of transparency draws on the way in which certain rights and obligations should be expressed which is of no lesser significance. A detailed way of compliance with the transparency rule can be found in Recital 39 which states that [32]: "[t]he principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.
Furthermore, children are mentioned as a special group of subjects who should be provided with information in the clear and plain language (Rec. 58 and Art.12).
In addition, according to the transparency principle, information should be provided "in a concise, transparent, intelligible (…) form", and that form can be either written, electronic, or even oral in exceptional situations (Art.12.1, controller's obligation). Moreover, where needed, visualisation is mentioned as a means of providing consistency to such transparency for example on a website (Rec. 58). The principle of transparency may be therefore linked both to language means and to the visual side of the information.
Giving consent to data processing is also subject to the transparency principle. The text of such a written consent is desired to be "presented in a manner which is clearly distinguishable from the other matters". It should also underlie the aforementioned requirements of clear language (Art. 7). Giving consent as well as withdrawing consent should be as easy as possible which stresses the importance of transparency on different levels of data processing.
All things considered, complying with the principle of transparency is often a matter of constant bargaining which an apt remark illustrates: [t]here is an inherent tension in the GDPR between the requirements on the one hand to provide the comprehensive information to data subjects which is required under the GDPR, and on the other hand do so in a form that is concise, transparent, intelligible and easily accessible [10,15].
These requirements are clearly close to the Plain Language principles which were highlighted in the previous section.

Data and Methodology
The research material for this study consists of a corpus of fourteen design companies' privacy notices. The companies of this line of business were chosen because Finnish design is well-known across the world for its quality and functionality. Moreover, given the digitalisation of business processes, including sales and marketing, companies utilise their websites as important means of conferring information on conditions of ther services, among others the data privacy management.
The main line of business of the companies included into the analysis is manufacturing of ceramic household and decorational articles ("keraamisten talous-ja koriste-esineiden valmistus" in Finnish) and bears the Standard Industrial Classification number 23,410. Design companies in this study thus form a homogenous group. The code is issued by the Finnish national statistical institution Statistics Finland (Tilastokeskus) [38] and under this classification the businesses are registered in the Finnish Trade Register [7]. However, it is not possible to search the Register by company's main line of business. Hence, the list of the companies under this classification was retrieved from the Yritystele webpage [52] which is an online database updated basing on the Finnish Trade Register. The search gave 228 hits which were then scrutinised for relevance for the study. The list of companies for the analysis excluded businesses that either did not have their own webpage or did not include any privacy notice on their webpage at all. For this reason the list was eventually narrowed to 14 companies. The methods used in this analysis were mainly qualitative but a small-scale corpus analysis was carried out complementarily. It is only to be noted that outside the scope of this analysis are non-modal forms of indicative mood in present tense. Other deontic modal expressions are the subject of this work. In order to examine how transparency was achieved linguistically in the notices the following analysis was conducted. Firstly, the GDPR text was analysed with the AntConc software in order to identify most common modal expressions. Secondly, the corpus of Finnish companies' privacy notices was scrutinised for deontic modality. Thirdly, the results were juxtaposed in order to state any similarities and differences between these two different types of texts. Furthermore, the modal expressions in the privacy notices were scrutinised and analysed against chosen criteria of the Easy Language Metre developed for Finnish which are connected with the deontic expressions. The aim of this analysis was to determine any Plain Language principles present in the notices. The chosen criteria of the Easy Language Meter are [37]: • Criterion 7 -States that certain and specific subjects and agents are used (human subjects, e.g. applicant, police) to describe a topic of the text instead of abstract nouns like plan, openness. In other words, an agent of the sentence may play an important role in simplifying the sentence structure. • Criterion 12 -Stipulates that the text addresses the reader in a direct way by using personal pronouns, imperative mood or possessive endings in nouns, which is typical for Finnish. • Criterion 61 -States that difficult infinitive and participle structures should be avoided, i.e. especially those ending with -matta, -ma; -nUt participle, -mäisillä.
Since the necessive construction on tehtävä is also a participle structure, the objective of the analysis was to examine how it is used in privacy notices.
The criteria were applied in the analysis of especially the Articles 15-21 in which the main rights of the subject are formulated. These are the right of access (Art. 15), right to rectification (Art. 16), right to erasure (Art. 17), right to restriction of processing (Art. 18), right to data portability (Art. 20), and the right to object (Art. 21). Privacy notices mentioned exactly those rights, hence they were included into the analysis.

Linguistic Analysis of Rights and Obligations in the GDPR
In this section the occurrence of deontic expressions in the GDPR is analysed. The raw text of the GDPR without recital part, only with the enacting terms (article part), was included for the analysis in AntConc software. The analysis is twofold. Firstly, modal expressions were searched for in the whole part of enacting terms. Moreover, the Articles 15-21 that refer to single rights of the data subjects were scrutinised. (Sect. 7.1). Afterwards, the analysis of the deontic expressions in privacy notices was conducted (Sect. 7.2).

Modal Patterns in the GDPR
The GDPR introduces a number of rights of data subjects which simultaneously constitute a number of responsibilities of the data controllers and processors. The Table 1 below shows the summarised occurrences of identified explicit deontic expressions in the whole text of the GDPR and in the Articles 15-21. Additionally, the last column on the right shows what share of all GDPR occurrences of certain modal expressions can be found in the Articles 15-21.
The Table 1 shows that only 5% of all occurrences of the necessive construction on tehtävä in the GDPR text is situated in the chosen Articles and at the same time 65% occurrences of the phrase on oikeus 'have the right' appear in this part. This observation is supported by the occurrence of the conjugated verb voida and the passive form voidaan which is derivated from it. This highlights the focus of privacy notices on conveying rights.  Furthermore, the Table 2 shows the summarised occurrences of identified explicit deontic expressions in the whole GDPR divided according to the subject they appear with. The second column presents English equivalents from the source text of the GDPR since the Finnish version is of course a translation. N/A stands for 'not applicable' since passive forms do not take subjects.
In the whole Finnish GDPR text obligation was expressed most commonly with the use of the necessive construction on tehtävä. It is a direct translation equivalent of English shall. Such equivalence results from the European Union guidelines on translating EU texts into Finnish [10]. The phrase occurs 321 times and it refers either to controller, processor, supervisory authority or it includes no subject. However, it is worth noting that data subject (rekisteröity, literally 'registered' in Adessive case), does not have any obligations formulated explicitly with the hypothethical phrase rekisteröidyn on tehtävä 'data subject has to'.
First and foremost, the controller must inform data subjects on their certain rights on data processing. This obligation results from the Articles 13 and 14. Below is an excerpt from the Article 13: FI: Kerättäessä rekisteröidyltä häntä koskevia henkilötietoja rekisterinpitäjän on silloin, kun henkilötietoja saadaan, toimitettava rekisteröidylle kaikki seuraavat tiedot: EN: Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: (Art. 13).
Still quite often controller and processor appear together as the subjects of obligation like in the following passage:   When it comes to means of conveying rights or competence, a catalogue of rights of the data subject is enumerated in detail particularly in Articles 15-21. There a conjugated verb voida 'may, can' is used most frequently, together with a passive form voidaan 'may be' + past participle' which is derivated from it: FI: Määräaikaa voidaan tarvittaessa jatkaa enintään kahdella kuukaudella EN: That period may be extended by two further months where necessary (Art.

12)
Moreover, the most frequent subjects of the verb voida are entities rather than a data subject. They are presented in the Table 3 below and these include supervisory authority, Commission and member states. Their minimum frequency taken into account here equals four or more. Included are subjects which are left collocates for the finite forms of voida, i.e. voi (3rd person singular) and voivat (3rd person plural). On the contrary, the most common modal pattern that concerns data subject's rights is the expression jollakulla on oikeus, 'somebody has the right to' which is an equivalent of 'somebody shall have the right to', where two modal vehicles are used at the same time, i.e. modal verb 'shall' and 'have the right to'. These forms in English can be called a "modal harmony" in terms introducted by the Great Finnish Grammar [50]. All hits apart from one single refer to the data subject, in Finnish rekisteröity. The example is as follows: FI: Rekisteröidyllä on oikeus saada rekisterinpitäjältä vahvistus siitä, että häntä koskevia henkilötietoja käsitellään tai että niitä ei käsitellä (...) L1 collocates Frequency valvontaviranomainen 'supervisory authority' 11 komissio 'Commission' 9 jäsenvaltio 'member state' 9 se 'it' 5 rekisterinpitäjä 'controller' 5 tietosuojavastaava 'data protection officer' 4 Table 3 Left collocates for voida 'may' EN: The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed (…) (Art. 15) Additionally, once there was a reference to the data subject, henkilö 'person' with the 3rd person pronoun hän 'he/ she' which results from the subordinate clause before the main clause. In English there is no subordinate clause: FI: Jos henkilölle aiheutuu tämän asetuksen rikkomisesta aineellista tai aineetonta vahinkoa, hänellä on oikeus saada rekisterinpitäjältä tai henkilötietojen käsittelijältä korvaus aiheutuneesta vahingosta. EN: Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. (Art. 82) Sometimes the high frequency of the noun oikeus 'right' in the GDPR text is an outcome of legal norms which follow the pattern of listing the necessary information to be provided by the controller to the data subject. The right to something is then this kind of information and it is not used in the phrase jollakulla on oikeus 'somebody has the right' but rather as a part of an enumerative list. The illustrative example is given below: FI: rekisterinpitäjän on toimitettava rekisteröidylle seuraavat tiedot (...): e) oikeus tehdä valitus valvontaviranomaiselle EN: The controller shall provide the data subject with the following information (…): e) the right to lodge a complaint with a supervisory authority (Art. 14(2)).
Nevertheless, such occurrences of right are not included in the Tables 1 and 2.
In the aforementioned analysis some irrelevant hits were found as well and they are as follows. Some hits were clearly of no deontic meaning like in the case of the verb tulee 'to come'. It appeared only four times in a non-normative meaning, tulee voimaan 'comes into force'(3) and tulee kyseeseen 'is relevant' (1). It is striking that no normative occurrence of this obligation verb was found.
Furthermore, the verb 'saada' was used in the meaning 'receive' rekisteröity saa 'data subject receives' instead of its deontic meaning 'to be permitted, to be allowed'. As expected, no hits for deontic pitää 'must' were found but instead only the nondeontic verb clusters like pitää yllä, pitää voimassa 'to maintain'. Moreover, there was no occurrence of täytyy 'must' nor any occurrence of olla velvollinen 'be obliged' in a normative sense.

Corpus Analysis of Modality in Privacy Notices
The corpus of privacy notices was analysed in order to find the most common patterns of expressing deontic modality. The aim of this was to juxtapose the results to the original GDPR text and find any similarities and differences. They are illustrated in the Table 4 below.
Privacy notices are characterised by the use of the verb voida 'may' and the phrase on oikeus 'shall have the right' which emphasises the expressing of the rights of the data subjects. Moreover, even more occurrences of the verb voida appear with the terms 'controller' or 'processor' which suggests that their competences are highlighted as well. In this respect these modal expressions are similar to those from the GDPR. One assumption is that some of the occurrences of the phrase on oikeus may be a result of copying the literal passages from the GDPR without modifying the wording of the sentence.
However, interestingly, one out of fourteen privacy notices does not include the phrase on oikeus at all. Instead, a verb voida 'may' in 2nd person singular (a) or a phrase jollakulla on mahdollisuus 'somebody shall have the possibility' (b) is used. The latter phrase is not as typical means of conveying rights in legal language. a. Voit myös pyytää henkilötietojesi poistoa. 'You may also request the deletion of your personal data.' b. Kaikilla käyttäjillä on mahdollisuus nähdä, muokata ja poistaa omia henkilötietojaan milloin vain. 'All users shall have the possibility to view, edit and delete their personal data at any time.' Besides, the form 'voidaan' is used, which is a passive form of the verb voida. It can get objects like henkilötietoja (-si), evästeet, hash, hyväksyntä, käyttäjä, kielto, sivustoamme and thus forms different collocations.
As far as the obligation is concerned, it is striking that the necessive construction on tehtävä has only a couple of hits and thus does not play a significant role in expressing obligation. On the other hand, one of the patterns is, surprisingly, the use of tulee in deontic meaning 'shall, must', although it does not appear in the Finnish version of the GDPR at all. Tulee is often used with reference to the data subject (the example below) unlike in the GDPR, where data subjects' obligation is not expressed explicitly.
FI: Rekisteröidyn tulee ottaa yhteyttä rekisteriasioista vastaavaan henkilöön tiedon korjaamiseksi. EN: The data subject shall contact the person responsible for the register to correct the information.
Only one privacy notice included the expression jollakulla on velvollisuus: "Rekisterinpitäjällä on tietosuoja-asetuksen mukaan velvollisuus informoida selkeällä tavalla rekisteröityjä." 'According to the General Data Protection Regulation, the controller shall have the obligation to inform data subjects in a clear way.' This only confirms that it is not the most typical modal expression of obligation (Ketola 2002 as cited in [28]).
Besides, it has to be noted that the Finnish privacy notices use numerous subjects' names. The following are the words for a 'data subject'. Some of them are rather formal and other are more informal: rekisteröity, literally 'registered', henkilö 'person', rekisterissä oleva henkilö 'person in the register', asiakas 'customer', käyttäjä 'user', sinä 'you', vierailijat 'guests'. On the contrary, the terms for a 'controller' are just few, the one that appear in the GDPR most often, rekisterinpitäjä 'data controller', then verkkosivuston ylläpitäjät 'website moderators' and informally me 'we'. Such a variety of synonymous terms may cause confusion, especially when are used within one notice interchangeably (see the first example in 7.3.2.).

Analysis According to Certain Rights Under the GDPR
Following is the analysis of the most significant rights of the data subjects from the Articles 15-21 and the way they are formulated in the privacy notices. The choice of these articles is motivated by the fact that the privacy notices mentioned their provisions. Firstly, deontic expressions in Finnish and English from the GDPR passages are highlighted. Then they are followed by chosen modal patterns from different privacy notices. The English translations are the author's.

Right of Access (Art. 15 GDPR)
FI: Rekisteröidyllä on oikeus saada rekisterinpitäjältä vahvistus siitä, että häntä koskevia henkilötietoja käsitellään tai että niitä ei käsitellä, ja jos näitä henkilötietoja käsitellään, oikeus saada pääsy henkilötietoihin sekä seuraavat tiedot: (…) Rekisterinpitäjän on toimitettava jäljennös käsiteltävistä henkilötiedoista. Jos rekisteröity pyytää useampia jäljennöksiä, rekisterinpitäjä voi periä niistä hallinnollisiin kustannuksiin perustuvan kohtuullisen maksun. EN: 'The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information (…) The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
The following examples present two opposite approaches of addressing the reader -the first example is more indirect in the sense of Plain Language rules and the second one is official and is based on the wording of the GDPR.
Below the standard use of the verb voida 'may' is adapted. The name of the data subject is rekisteröity, as in the GDPR, but at the same time the possessive suffix -mme is added to the construction tallentamamme, meaning 'stored by us', thus showing some modification towards the original passage of the GDPR: FI: Rekisteröity voi tarkistaa tallentamamme henkilötiedot. EN: The data subject may check the personal data we have stored.
Copied directly from the original Finnish Personal Data Act is the next example which is rather neutral and official in style: FI: Rekisteröidyllä on (...) oikeus tarkastaa, mitä häntä koskevia tietoja henkilörekisteriin on tallennettu. EN: (…) the data subject has the right to verify what data concerning him/her have been stored in the person register.
On the other hand, in a customer-friendly and customer-centred way the pronouns me 'we' and sinä 'you' were used, as well as again the possessive suffix was added, but this time refering to the 2nd person singular -si 'your'. FI: Voimme käsitellä henkilötietojasi seuraavia tarkoituksia varten: EN: We can process your personal data for the following purposes: In this way the distance between the entity and the data subject becomes shortened. This also shows a good way of simplifying the language structure and making it more accessible and understandable.
A quite surprising way of combining of two different names of the data subject (first addressing him/ her with rekisteröity 'data subject' and afterwards with sinä 'you') can be observed within one sentence and additionally within two adjacent sentences which can cause confusion: FI: Rekisteröidyllä on (...) oikeus tarkastaa, mitä tietoja olemme sinusta keränneet. Sinulla on oikeus lain sallimissa puitteissa vaatia virheellisen, tarpeettoman, puutteellisen tai vanhentuneen henkilötiedon korjaamista tai poistamista. EN: The data subject has the right to verify what data we have collected about you. To the extent permitted by law, you have the right to request the correction or deletion of incorrect, unnecessary, incomplete or outdated personal information.
Interestingly, on the one hand, the original passage of the Article 16 includes a phrase on oikeus which concerns the right to obtain rectification of inaccurate personal data from the controller. The modified extract from one privacy notice uses the synonymous verb voida 'may, can' in the 2nd person singular: FI: (...) voit ottaa yhteyttä asiakaspalvelutiimiin joka oikaisee tai poistaa virheelliset, tarpeettomat tai vanhentuneet tiedot (...) EN: (…) you can contact our customer service team to correct or delete any inaccurate, unnecessary, or outdated data (…) On the other hand, there were three privacy notices in which this right was transformed into an obligation in the case of one wanting to rectify the data. The obligation was expressed with the verb tulee: FI: Korjauspyynnön toteuttamiseksi rekisteröidyn tulee olla yhteydessä yhteyshenkilöön. EN: In order to execute a request for rectification, the data subject shall contact the contact person.
Interestingly, in over 50% occurrences of the verb tulee in the corpus of privacy notices it is used in connection with an inanimate object like written requests, complaints or other applications. The sentence either has a subject as above (rekisteröity, 'data subject') or has no object (so called 'zero person', nollapersoona) like in the phrase Kielto tulee tehdä kirjallisesti 'Denial shall be done in a written form'. To sum up, in this case the right was not weakened but strengthened and changed into obligation which enables the rectification process.

Right to Erasure (Art. 17 GDPR)
FI: Rekisteröidyllä on oikeus saada rekisterinpitäjä poistamaan rekisteröityä koskevat henkilötiedot ilman aiheetonta viivytystä, ja rekisterinpitäjällä on velvollisuus poistaa henkilötiedot ilman aiheetonta viivytystä, edellyttäen että jokin seuraavista perusteista täyttyy: (…) EN: The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: The controller's obligation which is formulated in a clear explicit way in the GDPR with the phrase rekisterinpitäjällä on velvollisuus 'controller shall have the obligation' in the privacy notice can be modified into a passive voice without any modal: FI: (...) epätarkat, virheelliset tai vanhentuneet henkilötiedot poistetaan tai oikaistaan viipymättä. EN: (…) inaccurate, incorrect or outdated personal data will be deleted or rectified without delay (…) One commonly followed pattern uses direct form of addressing the reader, the 2nd person singular of sinä 'you' with a conjugated verb voida. At the same time the company describes itself as we. The message is thus clear and straightforward: FI: Voit pyytää meitä poistamaan henkilötietosi järjestelmistämme. Suoritamme pyyntösi mukaiset toimenpiteet, mikäli meillä ei ole oikeutettua syytä olla poistamatta tietoa. EN: You can ask us to delete your personal data from our systems.
On the one hand, the aforementioned structures and word order make the content simpler, but on the other, there is a formal collocation suoritamme toimenpiteet, literally 'we will perform the measures' [51]. The same pattern was used to formulate provisions from Article 18 on the right to restriction of processing: FI: Voit pyytää meitä rajoittamaan tiettyjen henkilötietojesi käsittelyjä (...) EN: You can ask us to restrict the processing of your certain personal data (…) The following example shows combining the rights from Articles 15-17 into one piece of information. The message is then more concise than the original, and besides it uses clearer reference to the subject of the action, i.e. the users. Moreover, the structure on mahdollisuus 'have the possibility' makes the line less formal: FI: Kaikilla käyttäjillä on mahdollisuus nähdä, muokata ja poistaa omia henkilötietojaan milloin vain. EN: All the users have the possibility to see, edit and delete their own personal data anytime.
Below is an example of modal harmony described as co-occurrence of two types of modality at a time. The expression of the right is weakened [50].
FI: Rekisterinpitäjällä voi olla lakisääteinen tai muu oikeus olla poistamatta pyydettyä tietoa. EN: The controller may have a statutory or other right to from deleting the data in question.
The Article 18 on the right to restriction of processing and Article 20 on the right to data portability have not shown any new modal patterns but they use already mentioned linguistic means.

Right to Object (Art. 21)
FI: Rekisteröidyllä on oikeus henkilökohtaiseen erityiseen tilanteeseensa liittyvällä perusteella milloin tahansa vastustaa häntä koskevien henkilötietojen käsittelyä (…) Rekisterinpitäjä ei saa enää käsitellä henkilötietoja (…) EN: The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her (…) The controller shall no longer process the personal data (…) Here, the right is expressed either with the same pattern as in the original line, i.e. Rekisteröidyllä on oikeus or with changing the subject, e.g. sinulla 'you'/ asiakkaalla 'the customer' on oikeus 'has the right'. The prohibition targeted at the controller to refrain from using the data ei saa enää 'shall no longer' is modified by the company into Present Simple, i.e. Jos peruutat suostumuksesi, päivitämme viipymättä tietokantamme emmekä enää lähetä suoramarkkinointiviestejä.

Other Remarks
Surprisingly, the corpus of privacy notices revealed some occurrences (6) of the verb saattaa. Saattaa has not been mentioned earlier in this study because it most often expresses epistemic possibility 'can' and it has deontic meaning 'may' only exceptionally [16], as in the following passage: FI: Saatamme ulkoistaa jotain henkilötietojen käsittelyä, kuten henkilötietojen tallennukseen ja käsittelyyn käytetyt tietojärjestelmät. EN: We can/may outsource some of the processing of personal data such as the information systems used to store and process the personal data.
Moreover, it can have a non-modal meaning 'to bring' and 'to place' and in this meaning it appeared just a couple of times in the GDPR. For the same reason it was not included into the analysis of Finnish Eurolect by Piehl and Mikhailov either [26]. Saattaa is thus ambiguous. Therefore, in the above example the verb saattaa seems to weaken the competence of the controller because this passage could use a clearly deontic and more typical phrase on oikeus 'have the right' or the verb voida 'may/ can' instead.
Some other linguistic means that can impact the transparency of the wording were also identified in the privacy notices. Below are the examples of explanatory means like tämä tarkoittaa, 'this means', esimerkiksi 'for example', and eli 'that is': FI: Henkilötietojen säilytysjakson pituus vaihtelee siis tiedoista riippuen. Tämä tarkoittaa myös sitä, että saatamme säilyttää henkilötietojasi, vaikka sopimussuhteesi meihin olisi päättynyt. EN: The length of the retention period of personal data therefore varies depending on the data. This also means that we may retain your personal data even if your contractual relationship with us has ended.
A similar way to explain the content is using esimerkiksi 'for example' which was found in six different privacy notices: Voimme myös harjoittaa suoramarkkinointia esimerkiksi sähköpostitse tai näyttämällä digitaalisia mainoksia 'We can also exercise direct marketing for example by e-mail or by showing digital commercials' and using the conjunction eli 'that is': Sinulla on oikeus siirtää tiedot järjestelmästä toiseen, eli siirrättää henkilötietosi (…) toiselle rekisterinpitäjälle 'You have also the right to transfer the data portability that is to let transfer your personal data (…) to another controller'.

Discussion
The aim of the article was to examine the most common indicators of deontic modality in the GDPR text and in the Finnish privacy notices. Furthermore, the objective was to identify any simplifying tendencies that contribute to the transparency of the texts and thus comply with the Plain Language principles. Since there has been no research on deontic modality strictly limited to privacy notices so far, such an approach seems significant.
The analysis showed that the set of the Finnish modal expressions in the GDPR is typical for the legal language. Although privacy notices use similar deontic structures, on the contrary, they revealed features which are untypical for the language of law. It can be concluded that modality is often expressed in a more direct way than in the legislative text. In case of Finnish a good example can be addressing the reader with imperative mood which is impossible in the GDPR text. The only imperative construction that is possible in Finnish legislative language is jussive mood, but it is generally found only in older legal texts and thus, it does not apply to the GDPR [28]. Also the lack of the obligation verb tulee in the GDPR on the one hand, and its many occurrences in privacy notices, on the other, constitute a distinctive feature between privacy notices and a legislative text in which there is a tendency to avoid the use of explicit modal expressions to impose obligation [17].
A further observation of different modal patterns may be the low frequency of the necessive construction on tehtävä in privacy notices. It is argued, that it is not a prevalent modal means of obligation in the corpus, albeit it is commonly used both in everyday language, as in legal language. It should not be stigmatised in any way. Although the Easy Language Meter (criterion 61) states that difficult infinitive and participle structures should not be used in the simplified texts, it does not mention the necessive construction on tehtävä which indeed is a participle structure [37]. This can be confirmed by the Easy Language study that describes on tehtävä as a clear means of expressing obligation in the process of simplifying the texts which makes it obviously understandable and not difficult to understand [20].
In reference to Kulkki-Nieminen's [18,19] discussion about possible weakening or strengthening of obligation in simplified texts, on the basis of the corpus analysis of the privacy notices it can be concluded that at least the possibility verb saattaa can be an indicator weakening the competence of a subject because it only rarely has a deontic meaning.
Another principle of Plain Language is addressing the reader directly. It is recommended especially in the criterion 12 of the Easy Language Meter [41]. The analysis showed that addressing the reader with sinä 'you' and referring to the company and its employees with the pronoun me 'we' is quite often. This is a common way of approaching the readers and the potential customers. Specifying the subject, in other words, formulating rights and obligations by using definite agents in the sentence plays a vital role in simplifying the language which is recommended in the criterion 7 of the Easy Language Meter. The study proved that on many occasions the subjects of the rights and obligations from the GDPR were modified in order to simplify the wording of the policy, e.g. by using käyttäjä 'user' or asiakas 'customer' instead of the 'data subject'. This can certainly help follow and understand the content of the rights and obligations. This also belongs to the crucial principles promoted by the Easy and Plain Language [37].
All things considered, privacy notice seems to be a separate text genre, which is characterised by some specified content, which results from the GDPR's provisions. These stipulate what kind of information privacy notice should convey to addressees. At the same time, it is important to remember that the term 'privacy notice' is not mentioned in the text of the GDPR at all. Moreover, no single form of such information has been specified, nor the stylistic side. Only some general prerequisites are indicated that recommend using clear and plain language which is inclusive. Hence, privacy notices do not form a homogenous group when it comes to the stylistic features because they use different modal patterns and sometimes vocabulary that is often typical for a general language. In this way they seem partly simplified and thus show some features of Easy or Plain Language texts. However, despite the recommendation of using clear language, it is important to avoid changing of the meanings of the legal text (Bhatia 1993 as cited in [40]).
All in all, a privacy notice may be perceived as a text belonging to a 'juristic language', i.e. especially in Polish legal tradition understood as a language that is a metalanguage towards the legislative language [25]. It functions as an excerpt of the GDPR. Moreover, it can be concluded that a privacy notice has a summarising function in relation to the GDPR similarly to some source texts like protocols that are later adapted onto websites [40]. The modifications observed in the privacy notices may be seen in Tiililä's terms as an interpretative relation (tulkintasuhde) between general language and language of law. Amongst other four distinguished relations the interpretative relation occurs when the wording of one text is modified to make another text simpler [44]. This situation may be simplifying the legal act into an informative flyer which features clear bulleted sentences that include less legal jargon [40].

Final Remarks
This study provides useful insight into the deontic modality in the new type of an informative text which is the privacy notice and shows how the language of law can be made more accessible.
The analysis drew upon identifying and comparing several patterns of deontic modality with regard to two different text genres and language registers and additionally referring to some Plain Language principles. The first genre is the legislative text of the GDPR, and the second one, a privacy notice. Since the GDPR does not specify the only correct form and style of the privacy notice, nor does it even mention its name, the language of privacy notices may differ significantly. The GDPR's recommendation to use clear and plain language while informing the data subjects of their rights may seem insufficient. Eventually, due to flexibility in this respect it depends on the entities whether to formulate the information in an easy-to-understand manner or in a more formal and less simplified way.
Although this study provided only a preliminary linguistic analysis on modality, it has revealed certain modal patterns in privacy notices. Some attempts were observed at clear and straightforward way of expressing rights and obligations by choosing certain constructions and addressing readers directly, thus making privacy notices more accessible. These are related to enhancing transparency.
However, the conclusions made in this study are preliminary because of a limited corpus of data. Therefore, in future research it would be necessary to investigate the modal expressions and features of privacy notices with the help of a much larger corpus. This would enable to verify the observations and assumptions made in this study and would allow to draw universal conclusions. Additionally, it may also be worth including the visual side of the notices into analysis, since it is a part of the transparency principle. Comparative analysis in other languages would be valuable, as well. All things considered, a privacy notice is a new and an interesting text genre which is yet to be explored, with its modal means and its potential to become more accessible in the spirit of Plain Language principles.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/ licenses/by/4.0/.