Challenge to Hidden Data Ecosystem
October 2020 update: the UK regulator issued an enforcement notice against Experian, one of the companies we targeted. The regulator also forced changes in practice against TransUnion and Equifax.
Privacy International filed complaints with multiple data protection regulators to investigate potential GDPR infringements by data brokers, ad-tech companies and credit referencing agencies.
UK Information Commissioner (ICO)
Irish Data Protection Commissioner (DPC)
Commission nationale de l’informatique et des libertés (CNIL)
Status: Open
On 8 November 2018, Privacy International filed complaints against seven companies, comprising data brokers (Acxiom, Oracle), ad-tech companies (Criteo, Quantcast, Tapad), and credit referencing agencies (Equifax, Experian), with data protection authorities in France (CNIL), Ireland (DPC) and the UK (ICO).
The EU’s General Data Protection Regulation (GDPR) strengthens rights of individuals with regard to the protection of their data, imposes more stringent obligations on those processing personal data, and provides for stronger regulatory enforcement powers – in theory. In practice, the real test for GDPR will be in its enforcement. Nowhere is this more evident than for data broker and ad-tech industries that are premised on exploiting people's data. Despite exploiting the data of millions of people, these companies are on the whole non-consumer facing and therefore rarely have their practices challenged. Privacy International complained about these companies in the context of wider campaigns to uncover the hidden data ecosystem and empower people to ask companies to stop exploiting their data.
Our complaints are based on over 50 Data Subject Access Requests to these companies, as well as information that these companies provide in their marketing materials and in their privacy policies. As such, our assertions are based on evidence that represents only the tip of the iceberg – what these companies say they do. We called on regulators to delve more deeply into our concerns regarding wide-scale and systematic infringements of the GDPR.
Privacy International's submissions to the data protection authorities set out why we consider that the practices of each of these companies, in particular their profiling, fall far short of the requirements of GDPR. We argue that these companies do not comply with the Data Protection Principles, namely the principles of transparency, fairness, lawfulness, purpose limitation, data minimisation, and accuracy. Furthermore, they do not have a legal basis for the way they use people's data. Neither consent nor legitimate interest is a satisfactory condition for processing by these companies. They also do not have a basis for processing special category personal data. These companies should be further investigated as to their compliance with the rights and safeguards in GDPR.
Updates:
In May 2019, the Irish DPC announced a statutory inquiry into Quantcast following Privacy International’s submission.
In January 2019, the ICO confirmed its focus on the AdTech industry in the coming year, and in June 2019 published an update report into adtech and real time bidding, citing Privacy International’s submission, which sets out that many of the sector’s practices are unlawful.
In March 2020, the CNIL confirmed that it is investigating Criteo following Privacy International's complaint.