
Massive firms in the spotlight for GDPR non-compliance

Privacy International today announced that it has filed complaints against seven large firms it alleges are in breach of European privacy laws. Formal complaints have been raised with data protection authorities in France, Ireland, and the UK. 

According to the leading UK advocacy group, all seven firms have been flouting the EU’s GDPR legislation, which came into effect in May. The complaints are the first solid evidence that large firms may be systematically exploiting consumer data, despite the introduction of the General Data Protection Regulation designed to protect consumers. Commenting on the accusations, Privacy International said:

“Our complaints target companies that, despite exploiting the data of millions of people, are not household names and therefore rarely have their practices challenged.”


Getting away with it, 'til now

Among the GDPR rules introduced in May 2018 is the requirement that firms be able to demonstrate a legal basis for the way they use people’s data. According to Privacy International (PI), it analyzed over fifty Data Subject Access Requests to uncover troublesome holes in the practices of a number of sizeable firms. The research has led PI to file official complaints against the following companies:

  • Data brokers: Acxiom, Oracle

  • Ad-tech firms: Criteo, Quantcast, Tapad

  • Credit referencing agencies: Equifax, Experian

PI alleges that all seven of the firms are breaking the principles of transparency, fairness, lawfulness, purpose limitation, data minimization, and accuracy - all of which are legal requirements for processing consumer data in the EU. PI feels confident that what it has uncovered is only “the tip of the iceberg.” The organization anticipates that regulators will discover “wide-scale and systematic infringements of GDPR” during the course of their investigations.

Encouraging signs

PI has already claimed a degree of success with its campaign; the UK’s Information Commissioner's Office (ICO) has issued assessment notices to Acxiom, Equifax, and Experian. Now, PI is hoping to convince the ICO to widen its investigation to include Criteo, Oracle, Quantcast, and Tapad. If PI is correct, it should be easy for data protection authorities to uncover the breadth of systematic failures alleged to be occurring.

PI has reason to believe that further investigation will reveal that some, or all, of the firms in question have neither the consent nor the legitimate interest required to process the data they possess. In addition, PI alleges the firms do not have a proper legal basis for processing "special category" personal data.

That data refers to sensitive information that includes people’s race and ethnic origin, religious or philosophical beliefs, political opinions, trade union memberships, biometric data used to identify an individual, genetic data, health data and data related to sexual preferences, sex life, and/or sexual orientation.

“Where they claim that consent is a valid basis for processing they fail to demonstrate how it was collected and that the consent was freely given, specific, informed, and unambiguous. Where they rely on legitimate interest they have moulded this to fit their self-determined interests without demonstrating the necessity nor sufficient consideration of the impact on individuals’ rights.”


Massive fines possible

If the seven firms in question are found guilty of breaking the GDPR, they could face fines of up to €20 million - or 4% of their annual global turnover (whichever is higher). 

Just last month, the UK’s ICO found Facebook guilty of breaking privacy regulations during the Cambridge Analytica scandal. However, Zuckerberg and co. got lucky because the investigation was already underway before GDPR officially came into effect. Thus, the ICO was only able to fine Facebook the pre-GDPR maximum of £500,000. If found guilty, the firms PI has filed complaints against may not be so fortunate.

Join the campaign

Finally, PI believes it has uncovered evidence that consumers are facing obstacles when it comes to invoking their data protection rights. This includes the rights to information (Articles 13 and 14 of GDPR), to access (Article 15), to erasure (Article 17), and in relation to automated decision-making - including profiling (Article 22 GDPR).

With this in mind, PI has today launched a campaign that seeks to make it easier for people to demand that companies properly process and delete their data when requested to do so. Anybody interested in the campaign is encouraged to visit Privacy International’s website. PI Legal Officer Ailidh Callander commented:

“The data broker and ad-tech industries are premised on exploiting people's data. Most people have likely never heard of these companies, and yet they are amassing as much data about us as they can and building intricate profiles about our lives. GDPR sets clear limits on the abuse of personal data. PI's complaints set out why we consider these companies' practices are failing to meet the standard - yet we've only been able to scratch the surface with regard to their data exploitation practices. GDPR gives regulators teeth and now is the time to use them to hold these companies to account.”


Written by: Ray Walsh

Digital privacy expert with 5 years' experience testing and reviewing VPNs. He's been quoted in The Express, The Times, The Washington Post, The Register, CNET & many more.

