European survey on citizens' awareness of data protection

National laws on data protection demand good data management practices on the part of the entities that process data: the “data controllers”. These include the obligation to process data fairly and in a secure manner, and to use personal data for well-defined and legitimate purposes. National laws also guarantee a series of rights for data subjects, such as

  • the right to be informed when personal data is processed
  • the reason for such data processing
  • the right to access the data and
  • (if necessary) the right to have the data amended or deleted.

This Flash Eurobarometer survey on Data Protection in the EU (No 226) measures perceptions about data protection among data controllers in the 27 EU Member States.

The survey sample was selected randomly but disproportionally, according to two criteria: country and company size (20-49, 50-249, 250+). 4,835 randomly-selected “data controllers” throughout the 27 EU Member States were interviewed.

Perceptions about the current data protection legislation

A majority of people responsible for data protection issues within companies (56%) said they were somewhat familiar with the provisions of the data protection law. However, only 13% claimed to be very familiar with this law.

An equally large proportion of respondents (56%) considered the protection level offered to citizens by their respective national data protection laws as ‘medium’. Twenty-eight percent said the protection level was ‘high’ and only 11% indicated that it was ‘low’.

Half of the respondents in the EU believed that legislation could not cope with the increasing amount of personal information being exchanged. Only 5% of respondents thought that the existing legislation concerning data protection was very well suited.

Individuals responsible for data protection issues generally made a positive evaluation of the requirements of the data protection laws: 91% rather agreed that the requirements of the data protection law were necessary in order to guarantee a high level of protection for consumers and the fundamental rights of citizens; only 35% thought that the requirements of the data protection law were too strict; and 28% believed that the requirements of the data protection law were unnecessary except for certain sectors of activity.

Concerning the implementation and interpretation of the national data protection laws across the EU, opinions were divided: 38% agreed there was sufficient harmonisation of data protection laws – across Member States – to allow personal data to be freely exchanged within the EU, compared to 33% who did not agree; a third (33%) thought that the data protection law was interpreted and applied more rigorously in their country than in other Member States, while a quarter (25%) said the opposite.

A significant group of respondents were not able to judge if Member States’ data protection laws were adequately harmonised (29%) or found it extremely difficult to assess whether their national data protection laws had been introduced more rigorously than in other Member States (42%).

In-house practices relating to data protection and personal data transfer

The usage of privacy enhancing technologies (PETs)

More or less half of the data controllers interviewed throughout the EU (52%) stated that they used Privacy Enhancing Technologies (PETs) in their company. Fourteen percent said that PETs were not used because they had never heard of them.

Transfer of personal data via the Internet

Two-thirds of respondents throughout the EU (65%) indicated that their company transferred personal data via the Internet. One in three respondents (32%) admitted that their company did not take any security measures when transferring personal data over the Internet.

Transfer of personal data to countries outside of the EU

Only a minority of respondents indicated that their company transferred personal data to countries outside of the EU (10%).

Among companies that transferred personal data to non-EU countries, almost half of respondents (46%) indicated that this data mostly concerned clients’ or consumers’ data for commercial purposes, and 27% said it was human resources data for HR purposes.

Emails were by far the most preferred channel for the transfer of personal data to countries outside of the EU; 78% of respondents said that in their company, personal data was transferred via email.

Only one in three respondents who had indicated that their company transferred data to non-EU countries were familiar with the expression “standard contractual clauses” (34%).

Recent experiences with privacy policy and data protection

Companies’ experiences with access requests and complaints

Almost half of the interviewees (46%) indicated that their company had received requests for access to personal data last year, but only a minority of them said that their company had received more than 50 such requests.

Only 3% of respondents answered that their company had received complaints from individuals whose data was currently being processed.

Privacy policy notices

Four out of 10 respondents in the EU (41%) answered that their company maintained and updated a privacy policy notice, and 17% of interviewees said that their company monitored how frequently their privacy policy notice was examined by the public.

Contacts with the national data protection authority

At the EU27 level, 13% of interviewees said they were in regular contact with the national data protection authority in their country.

The largest groups of respondents said they were either looking for advice when contacting their national data protection authority (60%) or that they had made contact in regard to notifications (56%).

The future of the legal framework on data protection

Four out of ten respondents (38%) approved each of the five listed actions to improve and simplify the implementation of the data protection legal framework. Only 9% of respondents said they were only in favour of one proposed action, or none at all.

The action most favoured in order to improve and simplify the implementation of the legal framework on data protection was the call for more harmonised rules on security measures (84% of respondents were in favour of this), while the least favoured action (56%) was the introduction of data protection legislation specific to each sector of activity.

Data protection in the light of international terrorism

In the eyes of most respondents, the fight against international terrorism was an acceptable reason to restrict data protection rights. A majority of respondents agreed that it should be possible to monitor passenger flight details (80%), telephone calls (70%) and Internet and credit card usage (73% and 69%, respectively) if these actions served to combat terrorism.

However, there was suspicion about any provisions that would allow the authorities to relax data protection laws. Most respondents, in favour of some relaxation (of the kinds mentioned above), said this should be within clearly-defined limits: around 30% of respondents stressed that only suspects should be monitored, while between 19% and 30% of respondents wanted even stricter safeguards, e.g. monitoring supervised by the judiciary.