PRESS RELEASE: Privacy International files complaints against seven companies for wide-scale and systematic infringements of data protection law

Today, Privacy International has filed complaints against seven data brokers (Acxiom, Oracle), ad-tech companies (Criteo, Quantcast, Tapad), and credit referencing agencies (Equifax, Experian) with data protection authorities in France, Ireland, and the UK. Privacy International urges the data protection authorities to investigate these companies and to protect individuals from the mass exploitation of their data.

Our complaints target companies that, despite exploiting the data of millions of people, are not household names and therefore rarely have their practices challenged. In tandem with the complaints, we have today launched a campaign to seek to empower people and make it easier to demand that these companies delete our data.

Key points

• Our complaints argue that the way these companies exploit people's data, in particular for profiling, is in contravention of the General Data Protection Regulation (GDPR), which took effect on 25 May 2018.

• Our complaints are based on over 50 Data Subject Access Requests to these companies, as well as information that these companies provide in their marketing materials and in their privacy policies. As such, our assertions are based on evidence that represents only the tip of the iceberg. We expect and anticipate the regulators will be able to delve more deeply into our concerns regarding wide-scale and systematic infringements of the GDPR.

• PI is encouraged that the UK's Information Commissioner's Office (ICO) has issued assessment notices to Acxiom, Equifax, and Experian. We are asking the ICO to take into account our submissions in the context of their ongoing investigation and urge the ICO to widen its investigation to include Criteo, Oracle, Quantcast, and Tapad.

• As part of our campaign, PI has made it easier for people to write to companies and demand they delete their data.

Complaint Arguments

Acxiom, Criteo, Equifax, Experian, Oracle, Quantcast, and Tapad:

• Do not comply with the Data Protection Principles, namely the principles of transparency, fairness, lawfulness, purpose limitation, data minimisation, and accuracy. 

• Do not have a legal basis for the way they use people's data, in breach of GDPR. Neither consent nor legitimate interest are satisfactory conditions for processing by these companies. They also do not have a basis for processing special category (sensitive) personal data. 

• Should be further investigated as to their compliance with the rights and safeguards in GDPR.

PI Legal Officer Ailidh Callander said:

"The data broker and ad-tech industries are premised on exploiting people's data. Most people have likely never heard of these companies, and yet they are amassing as much data about us as they can and building intricate profiles about our lives. GDPR sets clear limits on the abuse of personal data. PI's complaints set out why we consider these companies' practices are failing to meet the standard - yet we've only been able to scratch the surface with regard to their data exploitation practices. GDPR gives regulators teeth and now is the time to use them to hold these companies to account.

PI Data Exploitation Programme Lead Frederike Kaltheuner said:

"The world is being rebuilt by companies and governments so that they can exploit data. Without urgent and continuous action, data will be used in ways that people cannot now even imagine, to define and manipulate our lives without us being to understand why or being able to effectively fight back. We encourage journalists, academics, consumer organisations, and civil society more broadly, to further hold these industries to account."

Notes to editors

More detailed complaint arguments

(1) GDPR requires that personal data be processed in compliance with the principle of lawfulness under Article 5.  Such processing shall only be lawful if a lawful basis under Article 6 applies and, in the case of special category personal data a condition under Article 9. In our complaint, we assert these companies do not have a valid lawful basis for their processing of personal data for the activities outlined in the complaint, in particular profiling. The way these companies process personal data does not fulfil the requirements for either consent or legitimate interest. Where they claim that consent is a valid basis for processing they fail to demonstrate how it was collected and that the consent was freely given, specific, informed, and unambiguous. Where they rely on legitimate interest they have moulded this to fit their self-determined interests without demonstrating the necessity nor sufficient consideration of the impact on individuals’ rights.

(2) The processing of personal data by these companies also fails to comply with the other Data Protection Principles in Article 5 of GDPR, namely the principles of transparency, fairness, purpose limitation, data minimisation, accuracy and confidentiality and integrity. These companies' processing activities are opaque and there is no direct relationship with individuals. They amass vast amounts of data about millions of individuals, repurpose these data to infer (profile) more data (accurate and inaccurate) about individuals, then share this data with a multitude of third parties for innumerable purposes. Many have also had data breaches in the past.

There are obstacles to individuals exercising their data subject rights under GDPR against these companies, including the rights to information (Article 13 and 14 of GDPR), to access (Article 15), to erasure (Article 17) and in relation to automated decision-making, including profiling (Article 22 GDPR).  More investigation is required as to the effects on individuals of the processing by these companies and their respect for individuals' rights.