Data Storage and transfer arrangements

Privacy watchdogs say most organisations unclear about data storage

According to a study carried out by data protection authorities around the world in Oct 2017, privacy notices on mobile apps and websites do not explain in which country personal data that has been collected is stored.


The Global Privacy Enforcement Network (GPEN) did a ‘sweep’ in 2017 that looked at the user controls of mobile apps and website in many sectors including gaming and gambling, financial services and banking, retail, health and education and social media and travel media.


The UK’s information Commissioner’s Office (ICO) led the sweep.  There were 24 data protection authorities observing 455 websites and apps who entered their result.

The iCO said that 67% of those looked at “failed to specify where data is stored”.  They also said that failings in information in privacy notices about the overseas transfer of data had also been identified.


In its report, the ICO said “Details around the international transfer of data was often unclear. For example, many organisations would note that date may be ‘transferred outside the EEA,’ but did not specify where or for what purpose.”

There were references made, on a couple of websites, to the EU-US Safe Harbour Agreement which used to facilitate data transfers between EU and US businesses but is now defunct, its framework having been revoked by the EU Court of Justice in 2015.


Also, in the report, it says that 23% of the websites and apps looked at “failed to specify in their privacy communication exactly what information would be collected from the user.”  I also stated that around 17% did not have the necessary consent to collect data.  The report also said that privacy notices “tended to be quite vague, and often contained generic clauses”


The ICO said: “The majority of organisations failed to inform the user what would happen to their information once it had been provided. It is important that it is clear to users how they can control their information online. It is difficult for a user to exercise their controls when they are not well informed on how to do so.”

“Users need to be better informed in relation to how they can access or remove the information they provide online, whether the information will be shared and with whom, and whether the information they provide will be stored in a sufficiently secure manner.”


With the new EU’s General Data Protection Regulation (GDPR) coming into effect on 25th May 2018, businesses failing to take the correct measures risk being in breach of the new regulation said Adam Stevens, ICO intelligence and research group manager.

“The GDPR is coming in May 2018 and from what we’ve found so far, organisations which want to do business or operate in the EEA have a lot of work to do if they don’t want to be breaking the new law,” Stevens said.


The ICO published a new privacy notices code of practice last year. This is aimed at businesses to give guidance on what information to display to consumers about the handling and use of their personal data and includes best practice advice on how to best display that information.


Under the GDPR, businesses could face with fines of up to 4% of their annual global turnover, or €20 million, whichever is the highest, for the most serious breaches, 2% for less serious breaches for non-compliance with the new rules.