On November 8th, Privacy International (PI) filed complaints under the GDPR with data protection regulators in UK, France and Ireland against data brokers Oracle and Acxiom, credit reference agencies Experian and Equifax, and advertising technology companies Criteo, Quantcast and Tapad.
What are the complaints?
The complaints raised are wide-ranging and the documentation is detailed. In a nutshell, though, PI alleges that the targets of its complaints are all violating the law by not getting the proper consent from people before recording and using their personal information. PI also challenges “legitimate interest” as the lawful basis for processing consumer data. They further complain that companies are not transparent or fair about the way they use people’s data and that they don’t adhere to rules around accuracy and minimising the amount of data they collect. PI is asking that these companies should be further investigated as to their compliance with the rights and safeguards in GDPR.
What could be the impact?
The potential impact of these complaints are significant. Not only do they put the activities of these specific companies under scrutiny, but also hundreds of other similar companies. Furthermore, any outcome could impact on the incredibly diverse range of organisations who utilise and rely upon the products and services that data brokers, credit reference agencies and AdTech companies provide.
What has been the reaction?
Experian and Criteo have released statements reaffirming their confidence in their privacy arrangements post GDPR:
Criteo said: “Whilst disappointed that they have chosen to take this action, we have complete confidence in our privacy practices and we remain open to answer any questions that Privacy International may have”
Experian said: “We have worked hard to ensure that we are compliant with GDPR and we continue to believe that our services meet its requirements”
Privacy International legal office Ailidh Callendar said, “The data broker and ad-tech industries are premised on exploiting people’s data. Most people have likely never heard of these companies, and yet they are amassing as much data about us as they can and building intricate profiles about our lives. GDPR sets clear limits on the abuse of personal data. PI’s complaints set out why we consider these companies’ practices are failing to meet the standard – yet we’ve only been able to scratch the surface with regard to their data exploitation practices. GDPR gives regulators teeth and now is the time to use them to hold these companies to account.”
Who are Privacy International?
Privacy International is a registered charity, which is active in defending and promoting the right to privacy across the world through advocacy and litigation.
If anyone feels like a little bedtime reading the full complaints are here.
The fact that these complaints have been submitted to three separate Supervisory Authorities means that under a harmonised GDPR approach the French CNIL, Irish DPC and the UK’s ICO are likely to address these with a joined-up approach. How this is tackled will no doubt be watched with widespread interest.
Julia Porter, November 2018
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.