Data brokers and credit scorers accused of GDPR breaches

Updates | 11/11/18

European regulators have been asked to investigate several data brokers, credit rating agencies and adtech companies to see if they are breaching the EU’s new data protection laws.

Privacy International, the campaign group, filed a series of complaints to the British, Irish and French data regulators on Thursday against data broker Acxiom, software giant Oracle, credit rating agencies Experian and Equifax and adtech companies Criteo, Quantcast and Tapad.

The campaign group claims that the businesses, which buy and sell the data of millions of online consumers, do not have a legal basis to amass such information.

“Part of their business models are about fundamentally exploiting data and therefore clash with many of the provisions [of the EU’s General Data Protection Regulation],” said Ailidh Callander, legal officer at Privacy International. “We put most of our attention on the bigger companies with which people have a direct relationship, like Facebook and Google, but then there are these other companies that most people have never heard of, and wouldn’t expect to have a huge amount of data about us.”

Facebook and Google have already faced complaints under GDPR and attracted unprecedented criticism for their approaches to data privacy following the Cambridge Analytica scandal. Google was also caught up in controversy last month after it emerged that the company had withheld details about a leak of user data after a staffer argued that publicising the leak could cause political problems for the company.

But the latest complaints from Privacy International highlight growing concern about a little-known ecosystem of data brokers, adtech companies and credit rating businesses that have also built business models around buying and selling data online. Private web browser Brave filed a similar complaint last month with the UK data regulator and the Irish data protection watchdog against Google and the adtech industry. Ms Callander said the data collection practices of such companies fell foul of GDPR’s principles of transparency, “data minimisation” and purpose limitation.

The companies argue they anonymise data and obtain individuals’ consent for using their information, but Privacy International said that by amalgamating large amounts of anonymous or “pseudonymous” information, the businesses were able to infer sensitive facts such as political affiliation, religious beliefs and ethnicity.

Criteo said the company had a “proven record of ensuring [its] technology has high levels of data privacy and security” and had “complete confidence” in its practices under GDPR. Acxiom said it participated in data security and privacy tests led by industry bodies and had a 50-year history “leading the ethical use of data and technology to deliver more relevant marketing and better consumer experiences from respected brands”.

Experian said it would review the allegations: “We have worked hard to ensure that we are compliant with GDPR and we continue to believe that our services meet its requirements.” Equifax, Quantcast and Oracle declined to comment. Tapad did not respond to a request for comment. The UK’s Information Commissioner’s Office said it was “aware of concerns raised about the compliance of data protection laws by big tech companies, data brokers and credit referencing agencies”. It added it would work with other European data protection authorities and the European Data Protection Board “to consider the facts and support any possible joint work or inquiries in other jurisdictions”.

Privacy International raised concerns about a number of Acxiom’s products, including InfoBase, which claims to cover 90 per cent of UK households and provide more than 3,500 specific behavioural insights. It also called on regulators to look into Oracle’s Data Cloud for “segmenting” users based on categories such as politics and immigration. Political opinions are deemed “sensitive” information under GDPR and subject to stricter controls.

In one of its submissions, Privacy International singled out Experian’s Mosaic product, which categorises users into segments such as “crowded kaleidoscope” for “multi-cultural households with children renting social flats in over-crowded conditions” and “Asian heritage” for targeting “large extended families in neighbourhoods with a strong South Asian tradition”. GDPR also classes racial and ethnic information as sensitive. The Cambridgeshire Constabulary and Lancashire Police have contracts to access Mosaic data. Neither police force responded to a request for comment.

The complaints called on the ICO to investigate whether there had been “serious and systematic” infringements of British and European data protection laws. Earlier this week, the ICO said it had issued assessment notices, which require companies to conduct audits, to Experian, Equifax and Callcredit, as well as data brokers Acxiom, Data Locator Group and GB Group over the services they offer political parties.