Equifax, Experian, data brokers and ad tech companies face investigation under GDPR

internationalCampaigning charity Privacy International has filed complaints with data protection authorities in France, Ireland, and the UK against seven data brokers, ad-tech companies and credit reference agencies.

It said that Equifax and Experian, data brokers Acxiom and Oracle, and ad-tech firms Criteo, Quantcast, and Tapad, should be investigated “to protect individuals from the mass exploitation of their data”.

The charity added: “Our complaints target companies that, despite exploiting the data of millions of people, are not household names and therefore rarely have their practices challenged. In tandem with the complaints, we have today launched a campaign to seek to empower people and make it easier to demand that these companies delete our data.”

UK-based Privacy International’s complaints argue that the way these companies “exploit people’s data, in particular for profiling”, is in contravention of the General Data Protection Regulation (GDPR), which took effect in May this year.

The complaints are based on more than 50 subject access requests to the companies, as well as information in their marketing material and privacy policies.

“As such, our assertions are based on evidence that represents only the tip of the iceberg. We expect and anticipate the regulators will be able to delve more deeply into our concerns regarding wide-scale and systematic infringements of the GDPR,” said Privacy International.

The UK’s Information Commissioner’s Office (ICO) has already issued assessment notices to Acxiom, Equifax and Experian. “We are asking the ICO to take into account our submissions in the context of their ongoing investigation and urge the ICO to widen its investigation to include Criteo, Oracle, Quantcast, and Tapad,” said the charity.

As part of its campaign, Privacy International said it had made it easier for people to write to companies and demand they delete their data.

“The data broker and ad-tech industries are premised on exploiting people’s data,” said Ailidh Callander, its legal officer. “Most people have likely never heard of these companies, and yet they are amassing as much data about us as they can and building intricate profiles about our lives.

“GDPR sets clear limits on the abuse of personal data. Privacy International’s complaints set out why we consider these companies’ practices are failing to meet the standard – yet we’ve only been able to scratch the surface with regard to their data exploitation practices. GDPR gives regulators teeth and now is the time to use them to hold these companies to account.”

The GDPR strengthens rights of individuals in relation to the protection of their data and imposes more stringent obligations on those processing personal data, and provides for stronger regulatory enforcement powers. Privacy International said that the real test for GDPR will be in its enforcement.

Frederike Kaltheuner, its data exploitation programme lead, said: “The world is being rebuilt by companies and governments so that they can exploit data.

“Without urgent and continuous action, data will be used in ways that people cannot now even imagine, to define and manipulate our lives without us being to understand why or being able to effectively fight back. We encourage journalists, academics, consumer organisations, and civil society more broadly, to further hold these industries to account.”