Most organisations are unclear about data storage and transfer arrangements, say privacy watchdogs

Out-Law News | 26 Oct 2017 | 12:28 pm | 2 min. read

Most privacy notices displayed on websites and mobile apps do not explain to consumers the country in which collected personal data is stored, according to a study carried out by data protection authorities based around the world.

The Global Privacy Enforcement Network (GPEN) sweep 2017 (7-page / 308KB PDF) looked at user controls over personal information on websites and mobile apps in sectors such as retail, financial services and banking, gaming and gambling, health, education, travel and social media. In total, 24 data protection authorities submitted results from their observations on a total of 455 websites and apps. The sweep was led by the UK's Information Commissioner's Office (ICO).

The ICO said that 67% of the websites and apps assessed "failed to specify where data is stored". The sweep also identified failings in the information contained in privacy notices about the overseas transfer of consumers' personal data, it said.

"Details around the international transfer of data was often unclear," the ICO said in its report summarising the results of the sweep. "For example, many organisations would note that data may be ‘transferred outside the EEA,’ but did not specify where or for what purpose."

A couple of websites made reference to the now-defunct EU-US Safe Harbour agreement, which previously facilitated data transfers between businesses in the EU and US, despite the fact the framework was revoked by the Court of Justice of the EU (CJEU) in 2015, the ICO's report said.

According to the report, the data protection authorities also said that 23% of the websites and apps assessed "failed to specify in their privacy communications exactly what information would be collected from the user", and that around 17% of the operators did not have the consent necessary to collect the data.

Overall, the sweep from that privacy notices across the different sectors "tended to be quite vague, and often contained generic clauses", the report said.

The ICO said: "The majority of organisations failed to inform the user what would happen to their information once it had been provided. It is important that it is clear to users how they can control their information online. It is difficult for a user to exercise their controls when they are not well informed on how to do so."

"Users need to be better informed in relation to how they can access or remove the information they provide online, whether the information will be shared and with whom, and whether the information they provide will be stored in a sufficiently secure manner," it said.

Adam Stevens, ICO intelligence and research group manager, said businesses that fail to take corrective measures risk breaching the EU's new General Data Protection Regulation (GDPR), which will apply from 25 May 2018.

"The GDPR is coming in May 2018 and from what we’ve found so far, organisations which want to do business or operate in the EEA have a lot of work to do if they don’t want to be breaking the new law," Stevens said.

Under the GDPR, businesses could be hit with fines of up to 4% of their annual global turnover, or €20 million, whichever is the highest, for non-compliance with the new rules.

The ICO published a new privacy notices code of practice last year to give businesses guidance on what information to display to consumers about the handling and use of their personal data, including best practice advice on how to best display that information.