Press Release 094/2009

Data Acquisition Out of Control

KIT Researchers Identify Major Deficiencies of Online Services – Cooperation with the University of Regensburg
Data flow quickly on the internet – but it is impossible to reproduce their dissemination. (Photo by: photocase.de)

Scientists from the Karlsruhe Institute of Technology (KIT) and the University of Regensburg have analyzed services on the internet and found massive deficiencies. Their result: Adequate data protection legislation exists, but nobody cares whether it is observed.

Within the framework of an interdisciplinary analysis of the data protection behavior of 100 service providers on the internet, the group of researchers headed by Professors Klemens Böhm and Jürgen Kühling found major deficiencies. Using various juridical evaluation criteria, the scientists studied online shops, auction platforms, information portals, and search engines. The results of their study suggest a clear deficit in compliance with data protection: “Just about five providers of 100 completely comply with the legislation”, says Kühling. The results of the study are particularly relevant to the present discussion of new laws. Kühling continues: “The question arises whether new laws make sense, if basic legal requirements concerning the right of informational self-determination are not fulfilled”.

The service providers to be analyzed were selected according to the number of registered users, the size of the enterprise, and the age group addressed. Evaluation was based on the Telemedia Act of 2007 and the Federal Data Protection Act. The study focused on the extent to which the customer is informed about what happens to his personal data. “A customer should know who uses which data for which purpose at what time”, underlines Professor Klemens Böhm.

The study clearly demonstrates that reality is far from this ideal. The compulsory data protection declaration may be easily accessible on the platforms of nearly all providers studied, but its content is often incomplete or even wrong. 31 providers make only very general statements as to which data are collected; six remain completely silent in this respect. According to the study, one third of the providers do not offer any information on how long the data are stored. 15 do not even indicate the purpose of data collection. When technology operates in the background, e.g. through cookies (entries in the file directory of computers), the provider is legally required to inform the user about the type, scope, and purpose of the data collected. One fourth of the providers do not supply any information on the cookies used. Nearly all remaining providers give insufficient information, and some even provide wrong information.

According to legislation, further processing of data beyond the purpose of providing the service requires the consent of the user. This applies to the setup of person-related profiles, for instance. More than two thirds of the providers process data for purposes beyond the mere service. Twelve of them do not ask the user for consent. 18 providers do not inform about the right to withdraw consent.

The scientists also studied whether the user can find out to whom his personal data are transmitted. According to the study, more than two thirds of the providers transmit data. While this may be required for the service in some cases, more than one fourth of the providers do not inform about the reasons why data are transmitted. For 20% of the providers, it is not clear to whom the data are transmitted.

According to data protection legislation, customers may ask their providers which personal data are stored about them and to whom these were transmitted. Furthermore, the data must be deleted, if this is desired by the user. “This is a very useful mechanism, but unfortunately hardly observed according to our study”, underlines Jürgen Kühling. More than 35% of the providers ignore their obligation to inform their customers and do not delete the personal data. Klemens Böhm is rather alarmed about the reasons given by the internet providers. Some state that the deletion of the data is technically impossible, others say that users are not even registered.

As “The Research University in the Helmholtz Association”, KIT creates and imparts knowledge for society and the environment. Its objective is to make significant contributions to the global challenges in the fields of energy, mobility, and information. To this end, about 9,600 employees cooperate in a broad range of disciplines in natural sciences, engineering sciences, economics, and the humanities and social sciences. KIT prepares its 23,300 students for responsible tasks in society, industry, and science by offering research-based study programs. Innovation efforts at KIT build a bridge between important scientific findings and their application for the benefit of society, economic prosperity, and the preservation of our natural basis of life. KIT is one of the German universities of excellence.

ele, September 03, 2009
Contact:
Monika Landgraf
Head of Corporate Communications, Chief Press Officer
Phone: +49 721 608-41150
Fax: +49 721 608-43658
presse@kit.edu

Contact for this press release:

Klaus Rümmele
Presse, Kommunikation und Marketing (PKM)
Phone: +49 721 608-48153
Fax: +49 721 608-45681
klaus.ruemmele@kit.edu


The press release is available as a PDF file.