‘You are unauthorized’: Nearly 50% of EU organizations deny access to personal data
The international study, conducted by experts from the University of Sheffield, has inspected at least 327 organizations across Europe, including the UK, Norway and Germany.
“Our online behavior is monitored, analyzed, stored and used. The challenge for all of us is that our information is often kept from us, despite the law and despite our best efforts to access it,” says Professor Clive Norris, a specialist in the sociology of surveillance, who led the study.
According to the report, the research found that in almost 20 percent of cases, “it was simply not possible to locate a data controller.” The report added that in the places where the controllers could be located, the quality of information varied enormously.
In the best cases, information was thorough and followed legislative guidelines closely and in the worst cases, the data was “very basic, often failing to explain how to make an access request or indeed what an access request actually is.”
The most reliable and efficient way of locating data controllers turned out to be online as it gave relevant contact details in nearly two thirds of cases (63 percent). The information was achieved in less than five minutes over half of the time (61 percent).
Other methods, apart from online searching, were unsuccessful in most cases.
“In the majority of cases, when contacting organizations by telephone, members of staff lacked knowledge concerning subject access requests,” says the research, “As a result, answers were often incorrect, confusing and contradictory.”
When it was possible to locate the data controller, the process of submitting an access request was often problematic. Data controllers were “employing a range of discourses of denial which restrict or completely deny data subjects the ability to exercise their informational rights,” says the paper.
The study also investigated how international corporations responded to providing personal data, saying that Google and Facebook “are particularly restrictive in allowing citizens to exercise their rights.”
“In over 50 percent of cases, they [Facebook and Google] failed to disclose personal data or provide a valid reason for not doing so, and they were similarly reluctant to disclose information regarding third party data sharing practices…,” says the study.
It goes on to describe one case when the researches sent two letters to Google’s HQ, but the letters were returned with a notice that “the recipient had not taken delivery.”
The national offices refused to process the requests saying that Google’s US HQ was the data controller. But when requests were sent to Google’s American head office, all but one case resulted in silence.
Facebook also didn’t hurry to reveal personal data to its users.
“Five out of eight requests obtained no reply while the remaining three were simply referred to Facebook’s self-download online tool,” says the study.
Meanwhile, Nearly 1 in 5 sites (18 percent of cases) of CCTV cameras didn’t display any kind of signal. Seven out of ten requests for CCTV footage were met “by restrictive practices from data controllers or their representative,” says the research.
“Staff approached in person lacked expertise and frequently reacted to queries with suspicion and skepticism, questioning why one would wish to access their personal data,” it adds.
Overall, there were few satisfactory responses concerning all aspects of the sent requests.
In 56 percent of all cases, no adequate response was received, while in over 71 percent, automated decision making processes were either not addressed or not addressed in a legally compliant manner, says the document.
The report found that the spirit of the European Data Protection Directive has frequently been undermined.
“Most concerning of all is that many of the findings detailed above, such as the high occurrences of absence of CCTV footage, demonstrate practices which are in contravention of both the spirit and, more tangibly, the letter of European and national legislation,” says the research.
According to Norris, companies must ensure that they conform to the law and to make it clear “who is responsible for dealing with requests from citizens.”
“Organizations need to train their staff so they are aware of their responsibilities under law; and they need to implement clear and unambiguous procedures to facilitate citizens making access requests. Finally, national data protection authorities must have the legal means and organizational resources to both encourage and police compliance,” he added.