
December 2000
Dear Steve,
Sorry about the delay in forwarding my most recent correspondence with the Data Protection Commissioner. This is set out below.
On the other points you have raised:
1. The "admission" referred to by media stems initially from correspondence between Paul Misener, VP, Global Public Policy at Amazon.com, and my colleague Jason Catlett, president of Junkbusters Inc. In his email of 27 November Misener states:
"The last issue you raised was deletion of customer information. As we discussed at the meeting, this function is not something that our systems were designed to accommodate easily, in large part because requests to delete customer information are so rare. Currently, when customers ask us to close their accounts, we suppress their information in our systems so that it is no longer accessible to or viewable by the customer or, of course, by any other Amazon.com visitor. Closed accounts also are partially obscured from access by customer service and other Amazon.com personnel (though it is still possible for internal personnel to obtain records, including billing address and shipping address information) for individual past transactions. If a customer specifically asks us to delete a credit card number from our systems, we will do so upon verification of identity by the requesting party. This is done manually and is very time consuming. Plainly, this is more than U.S. law requires and, in our experience, more than most customers expect. We currently are exploring the feasibility of enhancing our "suppress" capability so as to render certain types of Customer information for closed accounts even less accessible to people inside the company in the ordinary course of business. (The difficulty of doing this is in part due to the need to retain transaction information and to prevent and detect fraud.) Given the heavy demand for IT resources during the holiday retail season, however, we will not be able to complete this assessment this year, and even next year this project will require significant time and thought. We are interested in hearing your views about how best to implement a procedure that will satisfy privacy concerns while still permitting us to retain appropriate business and financial records, and I hope you will continue to work with us on that project (as well as the new feature that we discussed)."
There are three aspects here that directly relate to amazon.co.uk operations. First, amazon.co.uk does transmit customer data to the US. Second - as you acknowledged during our recent phone conversation - there is a degree of integration of Amazon systems, and therefore amazon customer data. Third, the inability of amazon.com to delete customer data constitutes a lesser level of protection than would be required under UK law, and any data flows would therefore be subject to the constraints of UK law.
When you mention press reporting of an "admission" I suspect you may be referring to the following item in ZDnet, which said in part:
"Director of Privacy International Simon Davies says that when challenged Amazon confirmed it is unable to supply customers with their personal data or have that data deleted, as required by the Data Protection Act. "We have secured an admission from Amazon that it cannot comply with United Kingdom data protection laws. In the letter of the law, they must be shut down," says Davies."
You will note that I have not directly mentioned Amazon.co.uk. The written admission came from amazon.com. However, as mentioned above, you suggested that there exists a degree of integration of systems. When I raised the prospect of prohibition of export of data, you agreed this may create difficulties for your system in that such data may not be easily separated from other data.
2. I have been quoted in several press articles saying that amazon.co.uk is in direct violation of UK law in that it failed to respond to my complaints within the required time. This is - by your company's own admission - a matter of fact. To proclaim to media that amazon rigorously applies the law to its practices is not correct - certainly not in my case.
3. UK law requires that you provide information relating to the logic of your systems. When I asked for a meeting to discuss the specific technologies and data flows within amazon, you clearly stated on two occasions that you were (a) not prepared to discuss this ("if you ask one technical question that will be the end of the meeting"), and (b) you were not in possession of that knowledge ("even I don't know that stuff").
These are just a few of the aspects I would like to raise with you in detail.
In summary, the position as I see it is as follows:
1. Amazon has breached the UK DP act in the course of my action;
2. Amazon.co.uk shares information with amazon.com and its systems, thus bringing into question the legality of its processing operations;
3. Amazon.co.uk is prepared to offer little more than general assurances of compliance based on good faith.
Please do let me know if I am misguided on any of these points.
Best wishes
Simon Davies