Letter to the DCMS Sub-Committee on Disinformation - data brokers need to be investigated
Dear Chair and Committee colleagues,
Privacy International is an international NGO, based in London, which works with partners around the world to challenge state and corporate surveillance and data exploitation. As part of our work, we have a dedicated programme “Defending Democracy and Dissent” where we advocate for limits on data exploitation throughout the electoral cycle.
We have been closely following the important work of the Committee. Prompted by the additional evidence provided to the Committee by Brittany Kaiser, published on 30 July 2019, we would like to draw your attention to aspects of her submission that stood out to us and related points:
The ways in which Cambridge Analytica has used segments and inferences is strikingly similar to the techniques we have observed in the data broker industry.
In November 2018, Privacy International complained about seven data brokers (Acxiom, Oracle), ad-tech companies (Criteo, Quantcast, Tapad), and credit referencing agencies (Equifax, Experian) to data protection authorities in France, Ireland, and the UK. As evidenced in the documentary “The Great Hack”, Acxiom is one of the companies, as well as Facebook, that Cambridge Analytica used as a data source. Many of these companies are also involved in or linked to the use of data for political purposes.
Our complaints show that these companies fail to comply with data protection law and in some cases seem to work under the assumption that derived, inferred and predicted data and behavioural or demographic segments do not count as personal data, even if they are linked to unique identifiers or linked to or used to target individuals.
We noted with concern that the final report of the Committee on Disinformation and‘fake news’ stated that “’inferred data’ is not protected” under GDPR. While we very much agree with your recommendation to extend privacy laws to close existing gaps in this regard, we respectfully disagree with your conclusion that ‘inferred data’ is currently not protected. ‘Inferred data’ does not always fall under the definition of personal data,yet inferences that may be linked to identifiable individuals do constitute personal data.
A new aspect of GDPR is an explicit definition of profiling in Article 4(4): “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.
Data brokers, ad tech companies, and credit referencing agencies amass vast amounts of data from different sources (offline and online) in order to profile individuals, derive, and infer more data about them and place individuals into categories and segments. The law is clear that there must be transparency and limits, including relating to requirements such as legal basis, fairness and purpose limitation. However, our investigation shows that many companies fail to comply with data protectionrequirements with far reaching consequences for people’s rights.
The pervasive nature of data brokers is demonstrated by an example related to anotherof the Committee’s inquires, where you have looked at the way reality TV shows have used targeted advertising on Facebook. In this regard it is important to consider how advertising on television is becoming increasingly targeted, and the role that data brokers play as data sources.
We urge the Committee to look into the profiling practices used by commercial data brokers (including those that also operate as Credit Reference Agencies) and the role this industry plays in the use of personal data for political purposes and beyond.
We look forward to hearing from you in relation to this request. Should you require any further information or have any questions please do let us know.
Image: screenshot from The Great Hack