Skip to main content

Four out of every 10 citizen data requests in Europe breaks the law

Over 40 per cent of all European organisations are failing to adhere to continent-wide rules governing how to handle citizen data requests as many organisations won’t inform citizens how data is used, shared and processed.

Related: Major telecoms firms likes Vodafone and BT supplying citizen data to GCHQ, say new Snowden docs

The Engineering and Technology Magazine reports that citizen data access requests were submitted from 10 European countries to 184 public and private organisations with a range of information requested.

Every single request asked that those controlling the data disclose anything personal being held, explain if any third parties had been aparty to the data and whether the data has been subjected to any automated decision making processes.

43 per cent didn’t result in any personal data being sent back or the subjects involved didn’t receive a valid reason for the data not being disclosed with 56 per cent of cases resulting in no adequate or legally compliant response received regarding third party data sharing.

“We are selectively marketed to, our locations are tracked by CCTV and automated licence plate recognition systems and our online behaviour is monitored, analysed, stored and used. The challenge for all of us is that our information is often kept from us, despite the law and despite our best efforts to access it,” stated Professor Clive Norris from the University of Sheffield who lead the study.

When it came to dealing with the requests, 71 per cent of the requests for information on automated decision making processes were either completely ignored or not dealt with in the correct way in a legal sense.

Even when requests for data were successful, the process was often complicated and time consuming plus in 31 per cent of cases the data provided was incomplete and researchers had to probe for more information.

Worse was the fact that in 20 per cent of cases it wasn’t even possible to locate a data controller to handle the request and CCTV footage requests were the hardest to carry out with seven in 10 requests dealt with restrictively.

The public sector was more helpful than the private one with just 43 per cent partaking in restrictive practices whereas 62 per cent of private firms were found to be restrictive.

“In our view, there is an urgent requirement for policymakers to address the failure of law at the European level and its implementation into national law. Organisations must ensure that they conform to the law. In particular, organisations need to make it clear who is responsible for dealing with requests from citizens; they need to train their staff so they are aware of their responsibilities under law; and they need to implement clear and unambiguous procedures to facilitate citizens making access requests,” Norris added.