Broad Inadequacy of Online Privacy Notices Identified
By Elena Vassileva and Sarah Slevin
On Wednesday, the Global Privacy Enforcement Network (“GPEN”) published its findings from its 2017 “Sweep”. The GPEN is an informal international network of data protection agencies from around the globe, including the Irish Data Protection Commissioner (the “DPC”), which aims to facilitate and encourage co-operation between national data protection agencies on a global level.
As part of this investigation, 24 separate data protection agencies examined a total of 455 websites and applications across a broad spectrum of sectors. The purpose of this investigation was to examine “privacy communications and practices in relation to user controls over personal information” (essentially, online privacy notices and other types of communications with users on matters of data protection and privacy) to determine how clear it was, from a user’s perspective, what data was being collected, the purpose of the collection of the data and how this data was being processed, used and shared. The contribution of the DPC to this investigation focused on the use of e-receipts (i.e. seeking customer email addresses to provide receipts for online purchases) and on travel organisations as a specific sector.
Online privacy notices will be familiar to anyone using online services; they are a public and obvious declaration of how the organisation applies data protection principles to user data gathered and processed across the various elements and stages of its website. The need for these notices in Ireland derives from various pieces of legislation, including the principle of “fair processing” of personal data.
The investigation found that, generally, privacy communications tended to be quite vague and generic. Most organisations failed to inform users what would happen to their information once it had been provided, failed to specify with whom data would be shared, failed to refer to the security of the data, did not say where data was stored (i.e. which country), and failed to outline how users could access their personal data. The report concluded that “users need to be better informed in relation to how they can access or remove the information they provide online, whether the information will be shared and with whom, and whether the information they provide will be stored in a sufficiently secure manner”.
The shortcomings identified by this investigation will become even more significant following the introduction of the GDPR on 25 May 2018. The GDPR will place greater obligations on data controllers and data processors at all stages of data’s life cycle, including the basis for data collection, transparency, provision of information to data subjects and the rights of data subjects with respect to their personal data.
From an Irish perspective, following its particular role in this investigation, the DPC is to publish guidance on the use of e-receipts and will initiate a specific audit of travel organisations to raise awareness of obligations under current data protection legislation and also under the GDPR.
Organisations with an online presence need to ensure that communications with their users with respect to privacy meet current data protection laws and should review them further to bring them in line with the impending GDPR.
For more information in relation to requirements under Irish law with respect to online privacy statements, as well as privacy policies, data protection and the GDPR generally, contact Elena Vassileva or any member of RDJ’s Cyber and Data Protection team.