The study, led by Sheffield University, investigated 327 organisations in the public and private sectors in 10 European countries, finding widespread “malpractice and obfuscation”. In a fifth of cases it was not possible to identify a data controller at the organisations, and when one was found researchers claim that they were often met with replies that “restrict or completely deny data subjects the ability to exercise their informational right”.
In nearly half of all cases (43 per cent) personal data was not disclosed or no “legitimate” reason was given to withhold it, according to the report. More than half of the organisations (56 per cent) gave no adequate response about what third-party data sharing took place.
Those who are familiar with recent debates and court decisions around commercial use of personal data – both in Europe and the UK – will know that this kind of practice won’t go unpunished for much longer. There is an undoubted legal movement towards greater restrictions on data use and greater rights to access for members of the public.
In June, a UK county court ordered John Lewis to pay damages for sending marketing emails to a Sky News journalist, rejecting the retailer’s argument that a failure to opt out was the same as giving consent. There was also the much-publicised European Court of Justice ruling against Google in May, which means the search engine must comply with requests to remove search results containing old or inaccurate personal information.
And as a background to all this, the EU’s general data protection regulation is in its final stages of refinement. Among other things, it is likely to require companies to have a data protection officer and to release information held about a particular person back to them in usable formats. In short, the winds of change are blowing, and the 40 per cent of organisations travelling in the opposite direction will not get very far by resisting.
Businesses will feel aggrieved at the administrative burden of hiring new data controllers and complying with more access requests, but at this point it’s looking unavoidable.