Global Regulators to Issue New Privacy Guidance After Online Sweep

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Peter Menyasz

An international privacy audit sweep of websites and mobile applications has prompted a push for new privacy guidance, privacy regulators told Bloomberg Law.

Twenty-four regulators from across the globe participated in the review of 455 education, travel, retail, health, social media, gaming, and financial websites and apps. The sweep uncovered improper privacy policies and references to outdated legislation. It also found international e-commerce sites that didn’t make clear which legislation or country jurisdiction applied to their business, according to statements from the regulators.

The new guidelines will urge companies to improve their privacy practices, particularly to ensure that they are better prepared for the May 2018 effective date of the new European Union privacy regime, the General Data Protection Regulation (GDPR), the regulators said.

The 2017 Global Privacy Enforcement Network sweep found that companies generally provide information on what personal information they collect, but not how that data is stored, whether it is shared with third parties, and how it can be deleted or removed, Adam Stevens, manager of intelligence and research with the U.K. Information Commissioner’s Office (ICO), told Bloomberg Law Oct. 26.

The GDPR demands transparency from companies on how they intend to use personal data, Stevens said.

Country Results

The U.K. ICO’s review of 30 websites found that 26 didn’t specify how and where data would be stored, and were vague about whether data would be transferred internationally, Stevens said. Likewise, 26 organizations failed to adequately explain whether they share information with third parties and 24 didn’t provide users a clear way to delete or remove their personal information from the site, he said.

In Canada, a review of online apps used in classrooms found that some encouraged children to provide more personal information than necessary, according to an Office of the Privacy Commissioner of Canada Oct. 24 statement. The federal Canadian privacy office, supported by provincial privacy offices in Ontario and Alberta, released a report outlining takeaways for online educational services.

Albania’s Office of Information and Data Protection Commissioner said Oct. 25 that it reviewed three Albanian travel websites and found serious deficiencies on information they provide on safeguards and encryption, where data is located, and how to delete data. The agency didn’t indicate how it would address its concerns.

New Zealand’s Office of the Privacy Commissioner said Oct. 25 that it reviewed eight websites, finding particular issues with retail sector sites not advising consumers how their information would be stored, and retaining discretion to share data with third parties. There is no excuse for online retailers or other organizations that interact with the public through websites not to have clear privacy statements explaining what happens with customers’ personal information, New Zealand Privacy Commissioner John Edwards said in a statement.

To contact the reporter on this story: Peter Menyasz in Ottawa at correspondents@bna.comTo contact the editor responsible for this story: Donald Aplin at

For More Information

The Canadian privacy agency's report is available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security