EU firms ‘obstructing access’ to customer data

Many organizations in Europe may be failing in their legal responsibilities when it comes to sharing the information they have on customers, either because they are not aware of their requirements or through deliberate obfuscation.

This is according to a study conducted by the University of Sheffield, which submitted requests to 327 companies throughout the EU asking them for access to their personal data – something European law requires businesses to respond to.

However, researchers found the process of obtaining their data was often "complex, confusing and unsuccessful". In 43 percent of cases, businesses failed to disclose personal data, or did not provide data subjects with a legitimate reason for the failure to disclose their personal data.

One in five attempts found it impossible to locate a data controller, while the quality of the response when these individuals were contacted varied enormously.

Although some companies performed well in this regard, providing thorough information and following legislative guidelines closely to provide citizens with an unambiguous pathway to exercise their right of access, this was not always the case. In the worst cases, researchers found the information provided was very basic, while companies often failed to explain how to make an access request or indeed what an access request actually is.

Professor Clive Norris, a specialist in the sociology of surveillance and social control from the University of Sheffield who led the study in partnership with his colleague Dr Xavier L'Hoiry, stated that with the amount of personal data being gathered by companies increasing all the time, it is vital that organizations are able to demonstrate they use this information responsibly.

He said: "We part with our personal data on a daily basis, creating vast and invisible reservoirs of actionable personal information. We are selectively marketed to, our locations are tracked by CCTV and automated licence plate recognition systems and our online behavior is monitored, analysed, stored and used. The challenge for all of us is that our information is often kept from us, despite the law and despite our best efforts."

The research also found there are variations between sectors in how companies responded to requests for information – some of which may reflect the different types of data that companies value and how easy these are to disclose. Loyalty card scheme operators, for instance, were generally facilitative in disclosing personal data (86 percent of cases), but they did not perform as strongly in providing information about automated decision making processes (only 50 percent of cases). 

Meanwhile, requests made to banks did not yield much information about third-party data sharing, with only 30 percent of responses disclosing this. Requests for CCTV footage proved particularly problematic, with seven out of ten such requests may be restrictive practices from data controllers.

Prof Norris said the study illustrates there is an urgent need for lawmakers to address the failure of data disclosure laws, while organizations also need to make it clear who within their company is responsible for managing data and dealing with any requests.

"They need to train their staff so they are aware of their responsibilities under law and they need to implement clear and unambiguous procedures to facilitate citizens making access requests," he continued. "Finally national data protection authorities must have the legal means and organisational resources to both encourage and police compliance."