It is an accepted truth that Europeans care more about their privacy than most. We take it for granted that because the European Union has created the General Data Protection Regulation (GDPR) – an admittedly world-leading piece of privacy legislation – that citizens in the EU must care more about their data protection rights.
The European agency for Fundamental Rights, FRA, recently carried out a survey to investigate if this assumption is true and to assess how much the average citizen really knows about the GDPR.
The first question got straight to the heart of matters: “Which of the following types of personal information would you be willing to provide to use a service offered by a (1) private company or (2) public administration?”
The multiple options included: home address, citizenship, date of birth, sexual orientation, religion or belief, political views, fingerprint scan, facial image and none of the above.
More than one in five respondents (23 %) do not want to share any of this information with public administrations and in particular their political views – only 7% would be happy to share that data.
But a far greater number – 41% – do not want to share any personal data with private companies. Only about one in 20 is willing to share their facial images (6 %), political views (5 %) or fingerprint scan (4 %) with corporations. With fingerprint scans and facial recognition being touted as the must-have feature on all smartphones, it is possible that there is a mismatch between what companies develop and what people say they want. Of course, what people say in surveys and what they do in practice are often very different things.
The FRA report notes that the percentage of people willing to share different types of personal data merely “indicates how comfortable people generally are when sharing their data. Even though some people are not willing to share some of their personal data, they might still do so for various reasons.”
Germany, Poland and Romania appeared to be the most protective of their data, while the biggest difference between public administration and privacy company trust was in Cyprus – 65% would share their personal data with public bodies, but only 3% with companies!
The FRA survey drew on responses from 35,000 people across all EU Member States, North Macedonia and the United Kingdom. The survey ran from January to October 2019.
In terms of online activity, most people who use the internet are concerned that criminals or fraudsters might access the personal information they share on the internet without their knowledge (55%). Only 30% are either not strongly concerned or not concerned at all.
The behavioural advertising business model was also a marginally greater concern than foreign governments – 31% and 30% respectively said they were worried. Fewer people were anxious about their own country’s intelligence services (26 %), law enforcement agencies (17 %) or employers (17 %) using their data.
The next section concerned smartphone use where a gender gap in privacy knowledge became apparent: 21% of men do not know how to check privacy settings, compared to 27% of women. But, 23% of women do not know how to turn off location settings, compared to 16% of men. In general people knew three times more about the privacy settings on their own devices (72% ) than on third party apps (24%).
A third of respondents admitted to never reading the terms and conditions when using online services compared with 22% who always read them. Given that, according to a study by the Norwegian Consumer Council (NCC) in 2016, “the average consumer could easily find themselves having to read more than 250,000 words of app terms and conditions,” one can hardly blame them.
The NCC has downloaded the terms of service and privacy policies for apps that you would find on an “average” mobile. “Together they exceed the New Testament in length – and would take more than 24 hours to read out loud. For most people this is an impossible task, and consumers are effectively giving mobile apps free rein to do almost whatever they want,” explained the organisation.
A relatively impressive 69% of those surveyed know about the GDPR. A similar number know their national data protection supervisory authority (71%). But only around half are familiar with some of the details – for example that they have the right to access their personal data held by companies. The highest awareness of the GDPR is in Poland where 95% of people have heard of it. Meanwhile in Czechia most respondents are aware of their national Data Protection Authority (90%). In Belgium, few people have heard about their DPA (44%) and even fewer in the United Kingdom (35%).
All in all the survey reveals what you might expect to find. Europeans are definitely data protection-aware, but not to the degree often hyped in some circles. That people act in ways they are not comfortable with is likewise no great surprise, but is something companies should bear in mind when dealing with users in the EU, particularly as the trust in companies falls far short of that in public bodies.