Challenge to Hidden Data Ecosystem

UK Information Commissioner (ICO)
Irish Data Protection Commissioner (DPC)
Commission nationale de l’informatique et des libertés (CNIL)

Status: Open

On 8 November 2018, Privacy International filed complaints against seven data brokers (Acxiom, Oracle), ad-tech companies (Criteo, Quantcast, Tapad), and credit referencing agencies (Equifax, Experian) with data protection authorities in France (CNIL), Ireland, (DPC) and the UK (ICO).

The EU’s General Data Protection Regulation (GDPR) strengthens rights of individuals with regard to the protection of their data, imposes more stringent obligations on those processing personal data, and provides for stronger regulatory enforcement powers – in theory. In practice, the real test for GDPR will be in its enforcement. Nowhere is this more evident than for data broker and ad-tech industries that are premised on exploiting people's data. Despite exploiting the data of millions of people, are on the whole non-consumer facing and therefore rarely have their practices challenged. Privacy International complained about these companies in the context of wider campaigns to uncover the hidden data ecosystem and empower people to ask companies to stop exploiting their data.

Our complaints are based on over 50 Data Subject Access Requests to these companies, as well as information that these companies provide in their marketing materials and in their privacy policies. As such, our assertions are based on evidence that represents only the tip of the iceberg – what these companies say they do. We called on regulators to delve more deeply into our concerns regarding wide-scale and systematic infringements of the GDPR. 

Privacy International's submissions to the data protection authorities set out why we consider the practices of each of these companies, in particular their profiling, fall far short of the requirements of GDPR. We argue that these companies do not comply with the Data Protection Principles, namely the principles of transparency, fairness, lawfulness, purpose limitation, data minimisation, and accuracy. Furthermore, they do not have a legal basis for the way they use people's data. Neither consent nor legitimate interest are satisfactory conditions for processing by these companies. They also do not have a basis for processing special category personal data.  These companies should be further investigated as to their compliance with the rights and safeguards in GDPR.

Updates:

In May 2019, the Irish DPC announced a statutory inquiry into Quantcast following Privacy International’s submission.

In January 2019, the ICO confirmed its focus on the AdTech industry in the coming year, and in June 2019 published an update report into adtech and real time bidding, citing Privacy International’s submission, which sets out that many of the sector’s practices are unlawful.

In March 2020, the CNIL confirmed that it is investigating Criteo following Privacy International's complaint. In August 2022, the CNIL proposed a €60 million fine for various breaches of the EU GDPR. The preliminary notice is subject to a contradictory procedure and consultation with other European data protection authorities. A final decision is expected in 2023.

In November 2020, the ICO took enforcement action against Experian in relation to its offline marketing services, ordering the company, amongst others, to revise its privacy notices to better inform data subjects about its direct marketing processing, cease using credit reference derived data for any direct marketing purposes, and send data subjects an Article 14-compliant privacy notice. Experian appealed the ICO's enforcement notice, and in February 2023 the First-Tier (Information Rights) Tribunal overturned parts of the enforcement notice. It found that Experian had not processed the personal data of over 5 million individuals transparently, fairly or lawfully, and ordered that Experian send a privacy notice to these individuals, but rejected the ICO's view that Experian couldn't rely on legitimate interests as a legal basis for processing credit reference agency information for direct marketing purposes. The ICO is considering appealing the judgment.