The Global Privacy Enforcement Network (GPEN) has found that organisations should be more open, honest and transparent in their online privacy notices on how they use personal data. According to GPEN, privacy communications and notices should be less vague and more specific in terms of how personal data is used and shared. A review of over 400 websites and apps formed the basis of these results and recommendations.

We identify the key insights from the findings.

Background

GPEN is an alliance of data protection authorities (DPAs) from around the world, which carries out an annual ‘privacy sweep’ (Sweep) through participating members. In the past, GPEN has explored trends or issues including children’s apps and websites, internet of things, and mobile privacy.

This year’s Sweep was aimed at privacy communications and practices regarding user controls over personal data. GPEN recently published the results of the Sweep, having reviewed privacy notices, communications and practices of 455 websites and apps. As a participating member, the Office of the Irish Data Protection Commissioner (DPC) contributed to this year’s Sweep and examined 23 websites / organisations across various sectors.

Findings and insights

Overall, the findings of the Sweep suggest that users of the websites and apps are generally not well-informed about what happens to their data once collected. Specifically, the Sweep found that:

  • Privacy policies often referred to data or categories of data that ‘may’ be collected, and information on how personal data would be used was often generic.
  • There was a general trend, across various sectors, where privacy communications failed to advise users on how or where their data would be stored and with whom it would be shared.
  • Some websites/apps made no reference to the collection of information through cookies, despite collecting this information in practice.
  • Retailers who issue e-receipts generally failed to provide any information about them on their website. The DPC has since published specific guidance on this issue.
  • In the Irish context, no website/organisation examined by the DPC allows users to transfer their data easily to another data controller.

GPEN advocates a “layered” approach to privacy statements, which is clear and easy for a user to understand. GPEN also observed that in addition to a written privacy policy, some websites contained a video, which explained the privacy policy in simple, plain language.

Implications and next steps

GPEN’s publication is timely, particularly for websites and businesses getting ‘GDPR-ready’. The concept of transparency is an intrinsic element of the GDPR and one of the core principles that controllers must keep in mind when collecting and using personal data. In particular, the GDPR requires that information about a controller’s data processing activities be “easily accessible and easy to understand” and provided in “clear and plain language”. With websites and apps having the potential to collect large amounts of personal data, it is important that they are transparent about the way in which data is collected, used, and shared.

During the Sweep, the DPC examined travel organisations’ practices regarding their collection of personal data online and how they describe their data processing operations to users. The DPC expressed concern that some organisations are not communicating the details of personal data processing to data subjects in a concise, transparent, intelligible and easily accessible form.

With this in mind, the DPC signalled the intention to audit certain travel organisations. This will involve engaging with representative associations to ensure travel organisations are aware of their obligations under current data protection legislation and also under the GDPR.