Amazon accused of breaking data protection laws

British consumers denied their right to say "no" in the transmission of their personal data, says action group
Written by Wendy McAuliffe, Contributor

Retail giant Amazon.co.uk has been accused of violating data protection laws by sending private data on British consumers to its US headquarters Friday. An open letter from independent action group Privacy International condemns the Internet book retailer for transmitting data to self-regulated countries without adequate levels of protection.

Amazon's decision to share customer information with America has angered privacy campaigners owing to the absence of a definitive agreement on data protection laws between the US and European Union. Privacy International's letter states "Amazon's substandard practices set a poor example for an industry leader, and bring disrepute to electronic commerce in the eyes of online customers."

In response to the accusation, the Electronic Privacy Information Centre has issued a statement Monday announcing their decision to sever all ties with Amazon. In a letter sent out over the Internet today, executive director Marc Rotenberg said "in the absence of legal or technical means to assure privacy for Amazon customers, we have decided that we can no longer continue our relationship with Amazon". EPIC had previously sold its publications and the publications of others in association with the Seattle-based retailer.

"Amazon is in breach of EU regulations that prohibit the transmission of personal data to a country that has a lower standard of security protection," argued Alan Stevens, head of digital services at the Consumer Association. The independent consumer body has received several complaints from Amazon subscribers, and is planning to investigate the situation. "As an Amazon visitor myself, I received the email alerting me to the fact that they can sell my private information, which I'm very unhappy about," Stevens confessed.

The Data Protection Commissioner is however confident that the Safe Harbour Agreement, drawn up in July by the EU and US Department of Commerce, is sufficient to protect the transmission of British consumers' data to America. Safe Harbour principles enable a UK business to send personal data to a US company that is part of the agreement, with European customers being able to seek legal redress if things go wrong. "Safe Harbour strikes the right balance, but it remains to be seen if this will work in practice," said David Smith, assistant commissioner to the Data Protection Commissioner, but admits that "there is clearly some risk involved".

"We have a legal hiatus where Safe Harbour has been agreed but not fully implemented," argued Stevens, pointing out that no list has yet been issued of companies who have signed up to the scheme. "It is a voluntary and self-regulating scheme that has been agreed in principle, but isn't up and running yet. In a strict legal sense, companies are still not allowed to transmit data to countries outside of Europe."

Amazon has been a hotspot for controversy since its decision to share personal customer information with other organisations in early September. Within its recent change of policy it stated "as we continue to develop our business, we might sell or buy stores or assets. In such transactions, customer information generally is one of the transferred business assets." The company has a customer base in excess of 20 million, serving over 160 countries.

Amazon UK refused to comment.

Take me to the e-commerce special.

To have your say online click on the TalkBack button and go to the ZDNet News forum.

What do you think? Tell the Mailroom. And read what others have said.

Editorial standards