ASSAULT AGAINST DATA BROKERS LAUNCHED BY PRIVACY INTERNATIONAL COMPLAINTS ALLEGING GDPR NON-COMPLIANCE
Privacy International, a UK-based activist group, complained in early November 2018 that a number of data brokers, ad-tech companies and credit-reference agencies are in violation of the General Data Protection Regulation (GDPR). The group filed three complaints with the data protection authorities in France, Ireland and the UK against Experian, Equifax, Oracle, Acxiom, Criteo, Quantcast, and Tapad as follows:
1) against general data brokers, i.e., Acxiom and Oracle
2) against credit reference data brokers, i.e., Experian and Equifax
3) against ad tech data brokers, i.e., Criteo, Quantcast and Tapad
The first two complaints (against the general data brokers and credit reference data brokers) were filed only with the data protection authority in the UK, the Information Commissioner’s Office (ICO), because all four of these entities have their main European operations located in the UK. The third complaint against the ad tech data brokers was filed with the ICO, the Ireland Data Protection Commissioner (DPC) and the French data protection authority (CNIL) because Tapad is based in the UK, Quantcast’s main European operation is in Ireland, and Criteo is headquartered in France. In short, Privacy International filed the complaints where it would be easiest for regulators to investigate these companies and where they have indisputable authority to do so. The ICO has already issued assessment notices to data broker Acxiom, as well as credit rating agencies Equifax and Experian. Through its complaint, Privacy International has urged the UK data regulator to widen its ongoing investigations to include the other four firms.
The complaints primarily allege that the seven named companies do not comply with GDPR because 1) they do not have a valid legal basis for the way they use people’s data and 2) they fail to comply with the GDPR principles of transparency, fairness, accuracy and limiting the use of data to what is strictly necessary.
As to the first allegation, Article 6 of the GDPR lists six ways that personal data may be lawfully processed. The companies targeted by the Privacy International complaints generally rely on two of these: consent and “legitimate interest”, i.e., the processing is necessary to achieve an important business objective. Both the ICO and the Court of Justice of the European Union (CJEU) have indicated (in March 2018 and May 2017, respectively) that reliance on “legitimate interest” as a lawful basis for processing personal data requires the application of a three-part test:
1) Purpose – is there a legitimate interest behind the processing?
2) Necessity – is the processing necessary for that purpose?
3) Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?
Data brokers, such as those mentioned in the Privacy International complaints, aggregate personal data they receive themselves and from third parties — for instance, websites visited or credit card records — to create complex profiles of individual data subjects. The profiles may include potentially sensitive personal data such as political leanings, socioeconomic status, age, store purchases, and household data, among other things. The data can then be sold to third parties like ad exchanges, brands, or social networks. Consumers often don’t hand data directly to these third parties, so it may be difficult for them to know who has data about them and how it may be used. This makes it difficult for them to provide informed consent to the processing of their data when they have the option to do so, and arguably also makes it difficult for companies to rely on a legitimate interest as the lawful basis for processing as an alternative to consent. In the complaint against ad-tech companies, Privacy International noted its concern with Acxiom products InfoBase, Personicx and LiveRamp IdentityLink. Privacy International has also taken issue with the Oracle Data Cloud.
According to a statement from Privacy International, “Neither consent nor legitimate interest are satisfactory conditions for processing by these companies.” In its complaints, the group argues that there is no way for a regular person to fully understand where and how their data is being sourced, who’s sourcing it, and what happens to it down the chain – so there is no way to provide informed consent or for data brokers to process personal data in a transparent manner.
For example, under its Marketing Services umbrella, Equifax promotes products that combine data assets collected at least in part by its credit profiling business to, e.g., create segments of people in the market for a home, or to allow its customers to use its data to identify, profile and segment their marketing lists. Privacy International believes this constitutes a violation of GDPR because these marketing activities exceed credit reference agencies’ legitimate interest in developing credit profiles on consumers from a comprehensive set of data. In other words, while the personal data collected by these entities is necessary to develop credit profiles that can be relied upon when determining an individual’s credit worthiness, the same does not hold true when the data is processed to profile consumers for marketing purposes. Such processing, according to Privacy International, violates the key principles of the GDPR (transparency, fairness, data minimization, accuracy, etc.) and cannot be based on “legitimate interest” because the rights, interests, and freedoms of data subjects would override the interests of Equifax and Experian in the marketing context.
As another example, Tapad, one of the parties named in the ad tech data broker complaint, develops and markets software and services for cross-device advertising and content delivery. It uses algorithms to analyze internet and device data to predict whether two or more devices are owned by the same person. It sources data from billions of devices; purchases and licenses data from publishers, SDKs and ecommerce providers; gathers info from data providers, like BlueKai and eXelate; ingests telco data from its parent company Telenor’s 250 million subscribers; and derives other data points from its more than 130 integration partners, including a slew of RTB exchanges and supply-side providers. While it provides the ability for individuals to opt out of its database, most consumers are unlikely to even be aware that Tapad may have data about them, where that data comes from, with whom it is shared and how, exactly, it may be used.
Indeed, all three complaints contend that the seven entities they target need to do a better job of informing data subjects about the existence of profiling, what data they use to make inferences, the source of that data, any inferences about sensitive preferences and characteristics, who the profiles are shared with and the legal basis for each of these processing operations.
Privacy International’s accusations follow similar complaints in Austria and France earlier this year against the way Apple, Facebook, Google and other major tech companies seek permission from users to handle their data. Acxiom, Equifax and Experian are already subject to audits by the ICO under the GDPR, and a report with its findings is expected by the end of the year.
As companies are still feeling out just how the law is going to be enforced, test cases like the complaints brought by Privacy International bear watching. Facebook and Google have already faced complaints under GDPR and attracted unprecedented criticism for their approaches to data privacy following the Cambridge Analytica scandal. Google was also caught up in controversy last month after it emerged that the company had withheld details about a leak of user data after a staffer argued that publicizing the leak could cause political problems for the company.
A spokesman from the Data Protection Commission in Ireland, where many American tech firms keep European headquarters, said the regulators have already received 2,500 breach notifications and 1,200 complaints related to the GDPR since May.
Key Takeaways/Talking Points
The complaints make several incorrect assumptions about ad tech. Through tools like AdChoices and cookie preferences, consumers do have the ability to control how their data is collected, used, and shared. Many ad tech companies also provide individuals with access to their data and the ability to correct it (LiveRamp) and the opportunity to opt out of having their data shared (see, e.g., Tapad website).
The complaints fail to adequately acknowledge all the players in the digital advertising ecosystem, so while companies like the seven named in the Privacy International complaints may collect, analyze and segment data, other entities purchase that data to target their marketing efforts.