Data Protection Commission

 Findings of International Privacy Sweep 2016 published

 
  • International study reveals six out of ten ‘Internet of Things’ developers failing to communicate properly with customers on data protection rights
  • Irish Data Protection Commissioner’s Office to step up audits of technology devices
 
22nd September, 2016
A global investigation into the privacy conditions of more than 300 ‘Internet of Things’ smart devices has found alarming shortfalls in the management of personal data by developers and suppliers.
The study – involving twenty-five data protection authorities – looked at the ways in which companies communicated with their customers regarding the security of their personal data. In Ireland, the Office of the Data Protection Commissioner (DPC) investigated nine devices, ranging from smart electricity meters to fitness trackers, and its national findings were broadly in line with global trends (See Note for Editors below).
The international report into company communications with customers about data privacy rights showed that:
  • 72% failed to explain how customers could delete their information.
  • 68% failed to properly explain how information was stored.
  • 60% failed to adequately explain to customers how their personal information would be collected and processed.
  • 38% failed to include easily identifiable contact details if customers had privacy concerns.
 
The regulatory authorities involved are now considering what action is to be taken against those who are found to be in breach of legislation.
John Rogers, Senior Investigations Officer, who coordinated the Irish sweep said:
“There can be no doubt as to the benefits of modern technology in our everyday lives, but the introduction of this technology must be done in a clear and transparent manner and not adversely impact on privacy rights. The findings of our sweep show that much more needs to be done to meet data protection standards.
“Companies making these devices must make it clear to consumers about how their personal information is being collected and used and how consumers may delete their information if they wish.
“The Office of the Data Protection Commissioner is planning to scale up investigative and audit work in this area in 2017 and we have already begun to schedule audits of devices in the technology sector. The purpose of these audits will be to gauge compliance with the Data Protection Acts and to work with companies to ensure that their products are meeting the required standards.”
The sweep was coordinated by the Global Privacy Enforcement Network (GPEN). GPEN is an informal network of data protection agencies from around the globe. Its aim is to foster cross-border cooperation among privacy regulators in an increasingly global market.
ENDS

Note for Editors

Overall results - Ireland

Total number of devices/organisations examined: 9
(Indicator 1) Devices/organisations that fail to explain to users how their personal information is collected, used and disclosed: 5
(Indicator 2) Devices/organisations that fail to explain to users how the information collected by the device is stored (safeguards): 5
(Indicator 3) Websites with easily identifiable contact details for privacy-related matters (counted positively, unlike the other indicators): 8
(Indicator 4) Devices/organisations which did not explain how a user can delete their personal information from the device: 5
(Indicator 5, optional) Devices/organisations that failed to provide a timely, adequate and clear response to questions: 3
Devices/companies for which follow-up action is being considered[1]: 9 (further investigations)
 
 
 
 
Collection, use & disclosure
Privacy policies that were not specific to the device: 5
Devices which indicated personal information would be disclosed to third parties: 6
Devices which failed to address whether personal information would be disclosed to third parties: 3
Devices/companies that failed to mention the use of security safeguards to keep unauthorised users from accessing the device or data: 6
Devices which failed to advise customers to change the default settings of the device: 7

Storage
Companies who failed to advise customers whether the personal data collected by the device is stored in an encrypted form: 5

Deletion
Companies that included information about tools to help users clear the device of personal data when they come to sell it: 2
Companies that included information about tools to help users wipe their data remotely: 0
 
GPEN Privacy Sweep 2016 – Final International Results

Total number of devices/companies looked at: 314
Total number of DPAs who submitted results: 25

Indicators (percentage of devices/companies)
1. Privacy communications failed to explain to users how their personal information was collected, used and disclosed: 59%
2. Failed to inform users about how personal information collected by the device is stored and whether safeguards had been implemented to prevent loss of data: 68%
3. Privacy communications failed to provide contact details for users with privacy-related concerns: 62%
4. Failed to explain how a user could delete their personal information: 72%
5. Failed to provide a timely, adequate and clear response: 43%

Collection, use and disclosure (percentage of devices/companies)
Privacy communications were not specific to the device: 69%
Indicated personal data would be disclosed to third parties: 54%
Failed to say if they disclosed data: 48%
Failed to advise about default settings: 86%

Information collected by devices, on either a mandatory or optional basis (percentage of devices)
Name: 84%
Username: 54%
Address: 53%
Phone number: 55%
Email address: 83%
DOB/Age: 64%
Location: 68%
Photo/video/audio file: 41%
Unique device identifier: 61%
Medical details*: 23%
Weight/height*: 45%
Health/fitness info (e.g. heart rate)*: 50%

Storage of data (percentage of companies)
Failed to advise whether data was stored in an encrypted format: 68%
Failed to mention security safeguards: 49%

Deletion of data (percentage of companies)
Included information about tools to help users clear the device of personal data when they come to sell it: 17%
Included information about tools to help users wipe their data remotely, should they lose their device: 13%

*Note: This information mainly related to medical devices and health/fitness-related devices.
 
Participants in the 2016 Sweep
 
Results were submitted by the following agencies:
 
Albania: Information and Data Protection Commissioner
Australia: Office of the Australian Information Commissioner
Australia, Victoria: Office of the Commissioner for Privacy and Data Protection (CPDP)
Canada: Office of the Privacy Commissioner of Canada
Canada, Alberta: Office of the Information and Privacy Commissioner of Alberta
Canada, British Columbia: Office of the Information and Privacy Commissioner for British Columbia
Canada, Nova Scotia: Office of the Information and Privacy Commissioner for Nova Scotia
Canada, Ontario: Office of the Information & Privacy Commissioner, Ontario, Canada
China, Hong Kong: Office of the Privacy Commissioner for Personal Data, Hong Kong
Colombia: Superintendence of Industry and Commerce of Colombia
Estonia: Estonian Data Protection Inspectorate
France: Commission Nationale de l'Informatique et des Libertés
Germany, Baden-Württemberg: State Commissioner for Data Protection Baden-Württemberg
Germany, Bavaria: Data Protection Supervisory Authority of Bavaria
Germany, Hessen: Data Protection Commissioner of Hessen
Gibraltar: Gibraltar Regulatory Authority
Ireland: Office of the Data Protection Commissioner
Israel: Israeli Law, Information and Technology Authority
Italy: Garante per la protezione dei dati personali (Italian Data Protection Authority)
Mexico: Federal Institute for Access to Information and Data Protection
New Zealand: Office of the Privacy Commissioner
Norway: Norwegian Data Protection Authority
Singapore: Personal Data Protection Commission
United Kingdom: Information Commissioner’s Office
USA: Federal Trade Commission

[1] Examples of follow-up include: conducting a more detailed assessment or investigation, contacting the data controller for information or education purposes (if not already done as part of the sweep activity), and/or taking enforcement action.