Amazon case triggers data protection confusion

Privacy groups have accused Amazon.co.uk of breaking the DPA by transferring customer data to the US, where protection rules are less stringent. The online retailer also stands accused of being unable or unwilling to remove customer details from its database.

One of the seven guiding principles of the DPA is that data should not be held for "longer than necessary" - a rule which privacy groups claim Amazon is breaking.

But Amazon has defended its position, pointing out that under UK VAT rules, retailers must keep all consumer transaction records for six years.

A spokesman for Customs & Excise confirmed the claim, but did add that although it required the time, date and amount of each transaction, personal details were not required.

"If you buy from a high-street shop you don't need to give your address," the spokesman pointed out. "We just need a credit trail for tax purposes."

Amazon.co.uk also claims to keep customer records to help prevent credit card fraud - an increasingly expensive problem for online retailers.

Steven Philippsohn, fraud specialist at Philippsohn, Crawfords & Berwald, said it is standard practice to use data to track fraud, but most illegal activity will show up within two or three months.

He said: "You're pretty well guaranteed that after four months you're in the clear. After that I'd think you might be in breach of the DPA."

The Data Protection Commissioner says each case is judged on an individual basis. But according to Sarah Haden, associate at law firm Arnold & Porter, this has left online retailers confused.

"Data protection hasn't had enough airtime, there is a very low awareness. Unless organisations are told about the rules and penalties, they won't do anything about it."

During the current confusion, online retailers need to be especially cautious, as Haden pointed out.

"When you design a website you must think through beforehand what the data will be used for. You must be up front about it," she said.