Data Protection Commissioner
 
 
Press Release
                       
 
International data protection authorities’ enforcement operation finds website privacy notices are too vague and generally inadequate
 
  • Significant room for improvement in terms of specific details contained in online privacy communications and notices.
  • Organisations need to be more open, honest and transparent in their online privacy notices about how they handle people’s personal data.
  • 455 websites/organisations reviewed globally, 23 by the Irish Data Protection Commissioner (DPC).
  • DPC to publish guidance around the use of e-receipts.
  • DPC to audit some travel organisations, and engage with representative associations, to raise awareness of obligations under current data protection legislation and also under the GDPR.
 
24 October 2017
 
The Global Privacy Enforcement Network (GPEN) has today published findings from an international study showing that organisations need to be more open, honest and transparent in their online privacy notices about how they handle people’s personal data.
 
GPEN, which is an informal international network of data protection agencies from around the globe, including the Irish Data Protection Commissioner (DPC), found that there is significant room for improvement in terms of specific details contained in privacy communications.
 
Following its review of privacy notices, communications and practices of 455 websites and “apps” (23 websites/organisations were reviewed by the DPC) in many sectors including retail, finance and banking, travel, social media, gaming/gambling, education and health, GPEN came to the following conclusions:
  • Privacy communications across the various sectors tended to be vague, lacked specific detail and often contained generic clauses;
  • The majority of organisations failed to inform the user what would happen to their information once it had been provided;
  • Organisations were generally quite clear on what information they would collect from the user;
  • Organisations generally failed to specify with whom data would be shared;
  • Many organisations failed to refer to the security of the data collected and held - it was often unclear in which country data was stored or whether any safeguards were in place; and
  • Just over half the organisations examined made reference to how users could access the personal data held about them.
 
GPEN, whose aim is to foster cross-border cooperation among privacy regulators in an increasingly global market, also found that some organisations still referred to outdated legislation and frameworks, while many of those providing services at international level seemed to be unclear as to which legislation or jurisdiction was applicable. It was also noted that the retailers who issue e-receipts generally failed to provide any information about them on their website, while banking websites did not contain much detail in their general privacy policies.
 
John Rogers, Senior Investigations Officer, who coordinated the sweep on behalf of the Irish Data Protection Commissioner said:
“The Sweep found that in 94% of cases, retailers offering e-receipts to customers provided no information on their websites with regard to the processing or deletion of e-mail addresses gathered for this purpose.
 
In conjunction with the Sweep, the DPC has carried out a series of audits in order to assess how organisations gather and process personal data in the course of providing e-receipts to customers. In a number of cases we found evidence of e-mail addresses, gathered for the purpose of issuing e-receipts, being used to subsequently issue marketing material. Following on from these audits, we will shortly publish guidance on our website around the use of e-receipts to assist retailers to adhere to best practice in this regard. From what we’ve found so far, it appears that some organisations are not undertaking business in compliance with the law.”
 
The DPC also examined the practices of travel organisations regarding how they obtain personal data online, their communication with users on their data processing operations and the ease with which users can exercise their rights in the course of using online travel services in Ireland. The Sweep established a general lack of transparency towards individuals regarding the processing of their personal data. A key provision of the GDPR is the strong emphasis on transparency and the information that must be provided to data subjects. The DPC is concerned that some organisations are not communicating the details of personal data processing to data subjects in a concise, transparent, intelligible and easily accessible form.
 
The DPC intends to conduct an audit exercise on these travel organisations and will also engage with representative associations to ensure travel organisations are aware of their specific obligations under current data protection legislation and also under the GDPR.
 
 
ENDS
 
 
For media related queries, please contact Graham Doyle, Head of Communications, Office of the Data Protection Commissioner on 087-9392359

Notes for editors

Overall results - Ireland

Total number of websites/organisations examined: 23

Number of websites/apps which do not contain clear and easy-to-understand privacy communications: 16
Number of websites/apps which failed to specify what information they collect: 17
Number of websites which fail to gain consent from users to collect or use personal data: 1
Number of websites/apps that advise users whether they have any safeguards in place (i.e. encryption): 3
Number of websites/apps that fail to specify where data is stored (i.e. which country): 22
Number of websites/apps which failed to address whether personal information would be disclosed to third parties: 16
Number of websites/apps that do not specify with whom the data is shared: 21
Number of websites/apps that provide instructions on how to remove personal data: 3
Number of websites/apps which specify whether they have a retention period (with regard to dormant/inactive accounts): 0
Number of websites where the user’s data is easily accessible by them: 7
Number of websites which allow users to transfer their data easily to another data controller: 0
Number of websites/apps which fail to specify whether any decisions are made by automated means: 6
Number of websites/apps that make it clear to users how to contest a decision / request human intervention (where automated decisions are made): 1