Brussels, 17 April 2008
Eurobarometer survey measures perceptions
amongst European data controllers
National laws on data protection demand good data management practices on the
part of the entities that process data: the “data controllers”.
These include the obligation to process data fairly and in a secure manner, and
to use personal data for well-defined and legitimate purposes. National laws
also guarantee a series of rights for data subjects, such as
- the right to be informed when personal data is processed and of the
reason for such data processing
- the right to access the data and
- (if necessary) the right to have the data amended or deleted.
This Flash Eurobarometer survey on Data Protection in the EU (No 226)
measures perceptions about data protection among data controllers in the
27 EU Member States. The survey sample was selected randomly but
disproportionally, according to two criteria: country and company size
(20-49, 50-249, 250+). 4,835 randomly-selected “data controllers”
throughout the 27 EU Member States were interviewed.
Perceptions about the current data protection legislation
- A majority of people responsible for data protection issues within companies
(56%) said they were somewhat familiar with the provisions of the data
protection law. However, only 13% claimed to be very familiar with
- An equally large proportion of respondents (56%) considered the
protection level offered to citizens by their respective national data
protection laws as ‘medium’. Twenty-eight percent said
the protection level was ‘high’ and only 11% indicated that it was
- Half of the respondents in the EU believed that legislation could not
cope with the increasing amount of personal information being exchanged.
Only 5% of respondents thought that the existing legislation concerning data
protection was very well suited.
- Individuals responsible for data protection issues generally made a
positive evaluation of the requirements of the data protection laws: 91%
rather agreed that the requirements of the data protection law were necessary in
order to guarantee a high level of protection for consumers and the fundamental
rights of citizens; only 35% thought that the requirements of the data
protection law were too strict and 28% believed that the requirements of the
data protection law were unnecessary except for certain sectors of
- Concerning the implementation and interpretation of the national data
protection laws across the EU, opinions were divided: 38% agreed there was
sufficient harmonisation of data protection laws – across Member States
– to allow personal data to be freely exchanged within the EU, compared to
33% who did not agree; a third (33%) thought that the data protection law was
interpreted and applied more rigorously in their country than in other Member
States, while a quarter (25%) said the opposite.
- A significant group of respondents were not able to judge if Member
States’ data protection laws were adequately harmonised (29%) or found it
extremely difficult to assess whether their national data protection laws had
been introduced more rigorously than in other Member States (42%).
In-house practices relating to data protection and personal
The usage of privacy enhancing technologies (PETs)
- More or less half of the data controllers interviewed throughout the EU
(52%) stated that they used Privacy Enhancing Technologies (PETs) in their
company. Fourteen percent said that PETs were not used because they had never
heard of them.
Transfer of personal data via the Internet
- Two-thirds of respondents throughout the EU (65%) indicated that their
company transferred personal data via the Internet. One in three respondents
(32%) admitted that their company did not take any security measures when
transferring personal data over the Internet.
personal data to countries outside of the EU
- Only a minority of respondents indicated that their company transferred
personal data to countries outside of the EU (10%).
- Among companies that transferred personal data to non-EU countries, almost
half of respondents (46%) indicated that this data mostly concerned
clients’ or consumers’ data for commercial purposes, and 27% said it
was human resources data for HR purposes.
- Emails were by far the most preferred channel for the transfer of personal
data to countries outside of the EU; 78% of respondents said that in their
company, personal data was transferred via email.
- Only one in three respondents who had indicated that their company
transferred data to non-EU countries were familiar with the expression
“standard contractual clauses” (34%).
Companies’ experiences with access requests and complaints
- Almost half of the interviewees (46%) indicated that their company had
received requests for access to personal data last year, but only a minority of
them said that their company had received more than 50 such requests.
- Only 3% of respondents answered that their company had received complaints
from individuals whose data was currently being processed.
- Four out of 10 respondents in the EU (41%) answered that their company
maintained and updated a privacy policy notice and 17% of interviewees said that
by the public.
Contacts with the national data protection
- At the EU27 level, 13% of interviewees said they were in regular contact
with the national data protection authority in their country.
- The largest groups of respondents said they were either looking for advice
when contacting their national data protection authority (60%) or that they had
made contact in regard to notifications (56%).
The future of the legal framework on data protection
- Four out of ten respondents (38%) approved each of the five listed actions
to improve and simplify the implementation of the data protection legal
framework. Only 9% of respondents said they were only in favour of one proposed
action, or none at all.
- The action most favoured in order to improve and simplify the implementation
of the legal framework on data protection was the call for more harmonised
rules on security measures (84% of respondents were in favour of this),
while the least favoured action (56%) was the introduction of data protection
legislation specific to each sector of activity.
Data protection in the light of international terrorism
- In the eyes of most respondents, the fight against international terrorism
was an acceptable reason to restrict data protection rights. A majority of
respondents agreed that it should be possible to monitor passenger flight
details (80%), telephone calls (70%) and Internet and credit card usage (73% and
69%, respectively) if these actions served to combat terrorism.
- However, there was suspicion about any provisions that would allow the
authorities to relax data protection laws. Most respondents, in favour of some
relaxation (of the kinds mentioned above), said this should be within
clearly-defined limits: around 30% of respondents stressed that only suspects
should be monitored, while between 19% and 30% of respondents wanted even
stricter safeguards, e.g. monitoring supervised by the judiciary.