European businesses are ignoring laws that require them to let customers see their data.
More than 40 per cent of firms tested by researchers made the process of obtaining citizen data "complex, confusing and unsuccessful". A University of Sheffield team made 184 data requests to companies across 10 European countries, with 43 per cent resulting in non-disclosure.
In more than half of cases, no response was received concerning how the companies shared customer data with third parties.
"We part with our personal data on a daily basis, creating vast and invisible reservoirs of actionable personal information," said study leader Professor Clive Norris. "We do this actively and passively, and our experience of the world is reshaped in ways that we don't appreciate.
"We are selectively marketed to, our locations are tracked by CCTV and automated licence plate recognition systems and our online behaviour is monitored, analysed, stored and used.
"The challenge for all of us is that our information is often kept from us, despite the law and despite our best efforts to access it," he added.
The university study forms part of a project funded by the EU looking into citizen interactions with surveillance in health, transport, employment, finance, leisure security and criminal justice.
In 71 per cent of cases, the requests for information sent by the researchers were not addressed in a legally compliant manner, while in only 34 per cent cases an acknowledgement letter was received. Even when a company did reply to the requests, the team said the process was often time-consuming and complex.
Public sector bodies performed far better than their commercial counterparts, while loyalty card scheme operators disclosed their data 86 per cent of the time. Only 30 per cent of banks disclosed information about third-party access.
The team actually found it impossible to locate a specific officer or department for data requests in 20 per cent of cases. Requests for CCTV footage were particularly problematic; seven out of ten of data requests regarding it were blocked or held up.
"In our view, there is an urgent requirement for policymakers to address the failure of law at the European level and its implementation into national law," said Norris.
"They need to train their staff so they are aware of their responsibilities under law; and they need to implement clear and unambiguous procedures to facilitate citizens making access requests."
