On Wednesday, the Global Privacy Enforcement Network ("GPEN") published the findings of its 2017 "Sweep". The GPEN, an informal international network of data protection agencies from around the globe that includes the Irish Data Protection Commissioner (the "DPC"), aims to facilitate and encourage co-operation between national data protection agencies on a global level.
As part of this investigation, 24 separate data protection agencies examined a total of 455 websites and applications across a broad spectrum of sectors. The purpose of this investigation was to examine "privacy communications and practices in relation to user controls over personal information" (essentially, online privacy notices and other types of communications with users on matters of data protection and privacy) to determine how clear it was, from a user's perspective, what data was being collected, the purpose of the collection of the data and how this data was being processed, used and shared. The contribution of the DPC to this investigation focused on the use of e-receipts (i.e. seeking customer email addresses to provide receipts for online purchases) and on travel organisations as a specific sector.
Online privacy notices will be familiar to anyone using online services; they are a public and obvious declaration of how the organisation applies data protection principles to user data gathered and processed across the various elements and stages of its website. The need for these notices in Ireland derives from various pieces of legislation, including under the principle of "fair processing" of personal data.
The investigation found that, generally, privacy communications tended to be quite vague and generic. Most organisations failed to inform users what would happen to their information once it had been provided, failed to specify with whom...