Privacy International today announced that it has filed complaints against seven large firms it alleges are in breach of European privacy laws. Formal complaints have been raised with data protection authorities in France, Ireland, and the UK.
According to the leading UK advocacy group, all seven firms have been flouting the EU’s GDPR legislation, which came into effect in May. The complaints are the first solid evidence that large firms may be systematically exploiting consumer data, despite the introduction of General Data Protection Regulations designed to protect them. Commenting on the accusations Privacy International said:
“Our complaints target companies that, despite exploiting the data of millions of people, are not household names and therefore rarely have their practices challenged.”
Getting away with it, 'til now
Among the GDPR rules that were introduced back in May 2018 - firms must be able to demonstrate a legal basis for the way they use people’s data. According to Privacy International (PI), it analyzed over fifty Data Subject Access Requests to uncover troublesome holes in a number of sizeable firm's practices. The research has led PI to file official complaints against the following companies:
Data brokers: Acxiom, Oracle
Ad-tech firms: Criteo, Quantcast, Tapad
Credit referencing agencies: Equifax, Experian
PI alleges that all seven of the firms are breaking the principles of transparency, fairness, lawfulness, purpose limitation, data minimization, and accuracy - all of which are a legal requirement for processing consumer data in the EU. PI feels confident that what it has uncovered is only “the tip of the iceberg.” The organization anticipates that regulators will discover “wide-scale and systematic infringements of GDPR” during the course of their investigations.
PI has already claimed a degree of success with its campaign; the UK’s Information Commissioner's Office (ICO) has issued assessment notices to Acxiom, Equifax, and Experian. Now, PI is hoping to convince the ICO to widen its investigation to include Criteo, Oracle, Quantcast, and Tapad. If PI is correct, it should be easy for data protection authorities to uncover the breadth of systematic failures alleged to be occurring.
PI has reason to believe that further investigation will reveal that some - or all of the firms in question - have neither the consent nor legitimate interest required to process the data they possess. In addition, PI alleges the firms do not have a proper legal basis for processing "special category" personal data.
That data refers to sensitive information that includes people’s race and ethnic origin, religious or philosophical beliefs, political opinions, trade union memberships, biometric data used to identify an individual, genetic data, health data and data related to sexual preferences, sex life, and/or sexual orientation.
“Where they claim that consent is a valid basis for processing they fail to demonstrate how it was collected and that the consent was freely given, specific, informed, and unambiguous. Where they rely on legitimate interest they have moulded this to fit their self-determined interests without demonstrating the necessity nor sufficient consideration of the impact on individuals’ rights.”
Massive fines possible
If the seven firms in question are found guilty of breaking the GDPR, they could face fines of up to €20 million - or 4% of their annual global turnover (whichever is higher).
Just last month, the UK’s ICO found Facebook guilty of breaking privacy regulations during the Cambridge Analytica scandal. However, Zuckerberg and co. got lucky because the investigation was already underway before GDPR officially came into effect. Thus, the ICO was only able to fine Facebook the pre-GDPR maximum of £500,000. If found guilty, the firms PI has filed complaints against may not be so fortunate.
Join the campaign
Finally, PI believes it has uncovered evidence that consumers are facing obstacles when it comes to invoking their data protection rights. This includes the rights to information (Article 13 and 14 of GDPR), to access (Article 15), to erasure (Article 17), and in relation to automated decision-making - including profiling (Article 22 GDPR).
With this in mind, PI has today launched a campaign that seeks to make it easier for people to demand that companies properly process and delete their data when requested to do so. Anybody interested in the campaign is encouraged to visit Privacy International’s website. PI Legal Officer Ailidh Callander commented:
"The data broker and ad-tech industries are premised on exploiting people's data. Most people have likely never heard of these companies, and yet they are amassing as much data about us as they can and building intricate profiles about our lives. GDPR sets clear limits on the abuse of personal data. PI's complaints set out why we consider these companies' practices are failing to meet the standard - yet we've only been able to scratch the surface with regard to their data exploitation practices. GDPR gives regulators teeth and now is the time to use them to hold these companies to account.”