Challenge to Hidden Data Ecosystem
In October 2022, the UK regulator issued an enforcement notice against Experian, one of the companies we targeted. The regulator also forced changes in practice against TransUnion and Equifax. The enforcement notice against Experian was appealed, with the Tribunal partly supporting the regulator's position.
In June 2023, the French regulator inflicted a €40 million fine against Criteo for various breaches of the EU GDPR, in particular for not having ensured that data subjects provided their consent to Criteo's data collection and processing.
Privacy International filed complaints with multiple data protection regulators to investigate potential GDPR infringements by data brokers, ad-tech companies and credit referencing agencies.
UK Information Commissioner (ICO)
Irish Data Protection Commissioner (DPC)
Commission nationale de l’informatique et des libertés (CNIL)
On 8 November 2018, Privacy International filed complaints against seven data brokers (Acxiom, Oracle), ad-tech companies (Criteo, Quantcast, Tapad), and credit referencing agencies (Equifax, Experian) with data protection authorities in France (CNIL), Ireland, (DPC) and the UK (ICO).
The EU’s General Data Protection Regulation (GDPR) strengthens rights of individuals with regard to the protection of their data, imposes more stringent obligations on those processing personal data, and provides for stronger regulatory enforcement powers – in theory. In practice, the real test for GDPR will be in its enforcement. Nowhere is this more evident than for data broker and ad-tech industries that are premised on exploiting people's data. Despite exploiting the data of millions of people, are on the whole non-consumer facing and therefore rarely have their practices challenged. Privacy International complained about these companies in the context of wider campaigns to uncover the hidden data ecosystem and empower people to ask companies to stop exploiting their data.
Our complaints are based on over 50 Data Subject Access Requests to these companies, as well as information that these companies provide in their marketing materials and in their privacy policies. As such, our assertions are based on evidence that represents only the tip of the iceberg – what these companies say they do. We called on regulators to delve more deeply into our concerns regarding wide-scale and systematic infringements of the GDPR.
Privacy International's submissions to the data protection authorities set out why we consider the practices of each of these companies, in particular their profiling, fall far short of the requirements of GDPR. We argue that these companies do not comply with the Data Protection Principles, namely the principles of transparency, fairness, lawfulness, purpose limitation, data minimisation, and accuracy. Furthermore, they do not have a legal basis for the way they use people's data. Neither consent nor legitimate interest are satisfactory conditions for processing by these companies. They also do not have a basis for processing special category personal data. These companies should be further investigated as to their compliance with the rights and safeguards in GDPR.
In May 2019, the Irish DPC announced a statutory inquiry into Quantcast following Privacy International’s submission.
In January 2019, the ICO confirmed its focus on the AdTech industry in the coming year, and in June 2019 published an update report into adtech and real time bidding, citing Privacy International’s submission, which sets out that many of the sector’s practices are unlawful.
In March 2020, the CNIL confirmed that it is investigating Criteo following Privacy International's complaint. In August 2022, the CNIL proposed a €60 million fine for various breaches of the EU GDPR. Following a hearing in March 2023, a final decision was pronounced In June 2023, inflicting a €40 million fine on Criteo (nearly half the maximum possible sanction amount taking account of Criteo's annual turnover, and one of the highest fines pronounced by the CNIL). It found in particular that Criteo didn't have anything in place to ensure that data subjects had consented to Criteo's data collection and processing through its 40,000+ partner websites.
In November 2020, the ICO took enforcement action against Experian in relation to its offline marketing services, ordering the company, amongst others, to revise its privacy notices to better inform data subjects about its direct marketing processing, cease using credit reference derived data for any direct marketing purposes, and send data subjects an Article 14-compliant privacy notice. Experian appealed the ICO's enforcement notice, and in February 2023 the First-Tier (Information Rights) Tribunal overturned parts of the enforcement notice. It found that Experian had not processed the personal data of over 5 million individuals transparently, fairly or lawfully, and ordered that Experian send a privacy notice to these individuals, but rejected the ICO's view that Experian couldn't rely on legitimate interests as a legal basis for processing credit reference agency information for direct marketing purposes. The ICO is appealing the judgment.