International enforcement operation

International enforcement operation finds website privacy notices are too vague and generally inadequate

Organisations need to be more open, honest and transparent in their online privacy notices about how they handle people’s personal data, an international study has found.

The study, or Privacy Sweep in data protection terms, was conducted by the Global Privacy Enforcement Network (“GPEN”), and included input from 24 data protection regulators from around the world, including the Gibraltar Regulatory Authority (GRA), in its role as Data Protection Commissioner.

The GPEN Privacy Sweep, which was led by the UK’s Information Commissioner’s Office, concluded that ‘there is significant room for improvement in terms of specific details contained in privacy communications’.

The privacy notices, communications and practices of 455 websites and apps in sectors including retail, finance and banking, travel, social media, gaming/gambling, education and health were assessed to consider whether it was clear from a user’s perspective exactly what information was collected, for what purpose, and how it would be processed, used and shared. The GRA focused its attention on local websites and mobile applications.

Overall, the GPEN Privacy Sweep came to the following conclusions:

  • Privacy communications across the various sectors tended to be vague, lacked specific detail and often contained generic clauses.
  • The majority of organisations failed to inform the user what would happen to their information once it had been provided.
  • Organisations were generally quite clear on what information they would collect from the user.
  • Organisations generally failed to specify with whom data would be shared.
  • Many organisations failed to refer to the security of the data collected and held – it was often unclear in which country data was stored or whether any safeguards were in place.
  • Just over half the organisations examined made reference to how users could access the personal data held about them.

The GPEN Privacy Sweep found that some organisations still referred to outdated legislation and frameworks, while many of those providing services at international level seemed to be unclear as to which legislation or jurisdiction was applicable. It was also noted that the retailers who issue e-receipts generally failed to provide any information about them on their website, while banking websites did not contain much detail in their general privacy policies.

Steven Sanchez, Information Rights Manager at the GRA said: “In an age where online platforms are collecting more and more personal data, the control that individuals can exercise over their personal data online is increasingly significant. Consequently, it is concerning that people do not seem to be informed of what happens to their personal data after it has been collected by organisations online.”

Going forward, individual GPEN members may contact data controllers in their own jurisdictions to assess what remedial action they need to take to improve user controls over their personal information.

About GPEN

The Global Privacy Enforcement Network was established in 2010 upon recommendation by the Organisation for Economic Co-operation and Development. Its aim is to foster cross-border co-operation among privacy regulators in an increasingly global market in which commerce and consumer activity relies on the seamless flow of personal information across borders. Its members seek to work together to strengthen personal privacy protections in this global context. The informal network is comprised of over 60 privacy enforcement authorities in 39 jurisdictions around the world.

As always, the GRA is available to anyone wishing to discuss matters which affect their privacy, or feel that their data protection rights are not being correctly addressed. For further information please contact the GRA by telephone on +350 200 74636 or by email on privacy@gra.gi.