EU firms ignore more than 40% of customer data requests
EU companies are ignoring more than four out of ten data requests from their customers, it is claimed

European businesses are ignoring laws that require them to let customers see their data.
More than 40 per cent of firms tested by researchers made the process of obtaining citizen data "complex, confusing and unsuccessful". A University of Sheffield team made 184 data requests to companies across 10 European countries, with 43 per cent resulting in non-disclosure.
In more than half of cases, no response was received concerning how the companies shared customer data with third parties.
"We part with our personal data on a daily basis, creating vast and invisible reservoirs of actionable personal information," said study leader Professor Clive Norris. "We do this actively and passively, and our experience of the world is reshaped in ways that we don't appreciate.
"We are selectively marketed to, our locations are tracked by CCTV and automated licence plate recognition systems and our online behaviour is monitored, analysed, stored and used.
"The challenge for all of us is that our information is often kept from us, despite the law and despite our best efforts to access it," he added.
The university study forms part of a project funded by the EU looking into citizen interactions with surveillance in health, transport, employment, finance, leisure security and criminal justice.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
In 71 per cent of cases, the requests for information sent by the researchers were not addressed in a legally compliant manner, while in only 34 per cent cases an acknowledgement letter was received. Even when a company did reply to the requests, the team said the process was often time-consuming and complex.
Public sector bodies performed far better than their commercial counterparts, while loyalty card scheme operators disclosed their data 86 per cent of the time. Only 30 per cent of banks disclosed information about third-party access.
The team actually found it impossible to locate a specific officer or department for data requests in 20 per cent of cases. Requests for CCTV footage were particularly problematic; seven out of ten of data requests regarding it were blocked or held up.
"In our view, there is an urgent requirement for policymakers to address the failure of law at the European level and its implementation into national law," said Norris.
"They need to train their staff so they are aware of their responsibilities under law; and they need to implement clear and unambiguous procedures to facilitate citizens making access requests."
-
What is polymorphic malware?
Explainer Polymorphic malware constantly changes its code to avoid detection, making it a top cybersecurity threat that demands advanced, behavior-based defenses
-
Outgoing Kaseya CEO teases "this is just the beginning" for the company
Opinion We spoke to Fred Voccola who remains a key figurehead at the firm as it enters its next chapter...
-
Forcing Apple to allow alternative app stores might cause major security risks
Analysis Apple will be forced to allow third-party marketplaces on its devices, but some experts have raised serious security concerns
-
Why bolstering your security capabilities is critical ahead of NIS2
NIS2 regulations will bolster cyber resilience in key industries as well as improving multi-agency responses to data breaches
-
New EU vulnerability disclosure rules deemed an "unnecessary risk"
News The vulnerability disclosure rules in the Cyber Resilience Act could also cause a “chilling effect” on security researchers
-
Are you ready for NIS2?
WEBINAR Find out what you should be doing to prepare for the EU’s latest data protection regulation and UK equivalent with our free webinar
-
EU regulators are digging their heels in despite big tech’s Data Act pushback
Analysis EU regulators are no strangers to big tech regulatory push back, so why do companies still persist?
-
Microsoft's EU Data Boundary will begin staggered rollout in January 2023
News Public sector and commercial customers will be the first to benefit when the rollout begins on 1 January across all of Microsoft's core services
-
India’s new data protection bill continues to “facilitate state surveillance”
News Although data localisation requirements have now been removed, it’s down to the Indian government to select which countries data is allowed to be sent to
-
EU watchdog fights against rules permitting Europol's ‘unlawful’ data practices
News The pushback follows allegations that Europol was allowed to write its own rules when it came to handling sensitive data