NGO calls for international data broker, credit scoring and ad tech investigations

Privacy International has complained to three European data watchdogs that several data brokers, credit referencing agencies and ad tech companies are in breach of the GDPR.

The group filed complaints against data brokers Acxiom and Oracle, credit scorers Experian and Equifax, and ad tech companies Tapad, Quantcast and Criteo to data protection watchdogs in the UK, Ireland and France today.

In a statement, Privacy International said the data broker and ad tech industries are “premised on exploiting people’s data”, and that their non-consumer facing nature means their practices are rarely challenged.

The NGO has referred Acxiom, Oracle, Equifax and Experian to the UK Information Commissioner’s Office. It has also called for the Irish and French enforcers to cooperate with the ICO in investigating Criteo, Quantcast and Tapad; the group said all three companies are present in the UK but that ad tech operators Quantcast and Criteo have their main European operations in Ireland and France respectively.

In its complaint against the ad tech brokers to multiple watchdogs, Privacy International said: “Given that it is likely that the companies engage in cross-border processing, it is imperative that the competent authorities of each of these jurisdictions consider the matters set out in this submission.”

The complaints allege the companies fail to stick to GDPR principles of transparency, fairness, lawfulness, purpose limitation, data minimisation, and accuracy due to the opacity of their processing and the lack of any direct relationship with individuals. The organisation also said the use of consent and legitimate interests as legal bases for processing was invalid.

“Where they claim that consent is a valid basis for processing they fail to demonstrate how it was collected and that the consent was freely given, specific, informed and unambiguous,” the complaints say. “Where they rely on legitimate interest they have moulded this to fit their self-determined interests without demonstrating the necessity nor sufficient consideration of the impact on individuals’ rights.”

The complaints are based on more than 50 data subject access requests to the seven companies, as well as their privacy policies and the information they provide in marketing materials. Privacy International said that its assertions are based on evidence which represents “only the tip of the iceberg”.

As part of its 6 November report into data use in politics, the ICO said it had issued assessment notices to Acxiom, Equifax and Experian. Privacy International has requested that the ICO’s investigation be extended to include the other named companies.

An ICO spokesperson said: “We are aware of concerns raised about the compliance of data protection laws by big tech companies, data brokers and credit referencing agencies.”

“These concerns have been raised with regulators in different EU countries and the ICO will be working with the relevant data protection authorities, and the new European Data Protection Board, to consider the facts and support any possible joint work or inquiries in other jurisdictions,” they said.

Ireland’s Data Protection Commission also said it is aware of the concerns raised about the ad tech sector's data practices.

A spokesperson for the Irish watchdog said: “[The ad tech sector] represents a very complex ecosystem with multiple players established across the EU, from ad agencies to ad exchanges to publishers. Given the range of controllers, joint controllers and processors in every EU member state and beyond … coordination across the EU data protection authorities will be required and the [Data Protection Commission] will be working with our fellow DPAs in this regard, where appropriate.”

A spokesperson for Experian said: “We have worked hard to ensure that we are compliant with GDPR. While we have not been provided with the specific allegations being made by Privacy International, we will review the details closely once they are made available to us, and will respond accordingly.”

Acxiom, Oracle, Criteo, Tapad and Equifax did not respond to requests for comment. CNIL and Quantcast declined to comment.

In a separate set of complaints in September, privacy campaigners urged the ICO and Ireland’s Data Protection Commission to investigate the ad tech industry, claiming companies in the sector collect more information than they need and share data with third parties that go beyond what data subjects understand or consent to.

The ICO fined data broker and credit referencing agency Equifax the maximum available amount under its pre-GDPR framework – £500,000 (€565,000) – in September for what it called “systemic” security failures, and a UK-US data processing agreement that contained inadequate safeguards.








  • 08.11.2018-Final-Complaint-AdTech-Criteo,-Quantcast-and-Tapad.pdf

  • 08.11.18-Final-Complaint-Experian-&-Equifax.pdf

  • 08.11.18-Final-Complaint-Acxiom-&-Oracle.pdf