UK data protection and privacy advocacy group Privacy International has submitted complaints to European watchdogs suggesting GDPR violations at several US firms including Oracle, Equifax and Experian.
The complaints have been submitted to regulators in the UK, Ireland and France, bringing the data broker activities of Oracle and Acxiom into question, as well as ad-tech companies Criteo, Quantcast and Tapad, and credit referencing agencies Equifax and Experian. The complaints are specifically focused on the depth of personal data processing, which Privacy International believes violates Articles five and six of the General Data Protection Regulation (GDPR).
“It’s been more than five months since the EU’s General Data Protection Regulation (GDPR) came into effect,” a Privacy International statement read. “Fundamentally, the GDPR strengthens rights of individuals with regard to the protection of their data, imposes more stringent obligations on those processing personal data, and provides for stronger regulatory enforcement powers – in theory. In practice, the real test for GDPR will be in its enforcement.
“Nowhere is this more evident than for data broker and ad-tech industries that are premised on exploiting people’s data. Despite exploiting the data of millions of people, are on the whole non-consumer facing and therefore rarely have their practices challenged.”
The GDPR Articles in question relate to the collection and processing of information. Article Five dictates a company has to be completely transparent in how it collects and processes information, but also the reasons for doing so. Reasonable steps must be taken to ensure data is erased once the purpose has been fulfilled, this is known as data minimisation. Article Six states a company must seek consent from the individual to collect and process information for an explicit purpose; broad brush collection, storage and continued exploitation of data is being tackled here.
In both articles, the objective is to ensure companies are being specific in their collection of personal information, and that it is utilised in a timely manner before being deleted once it has served its purpose. These are two of the articles which will hit the data-sharing economy the hardest, and it will be interesting to see how stringently GDPR will be enforced if there is any evidence of wrong-doing.
This is where Privacy International is finding issue with the firms. The advocacy group is challenging the business practises on the principles of transparency, fairness, lawfulness, purpose limitation,
data minimisation, accuracy and integrity and confidentiality. It is also requesting further investigations into Articles 13 and 14 (the right to information), Article 15 (the right of access), Article 22 (automated decision making and profiling), Article 25 (data protection and by design and default) and Article 35 (data protection impact assessments).
While GDPR sounds very scary, the reality is no-one has been punished to the full extent of the regulation yet. This might be because every company has taken the guidance on effectively and is operating entirely within the legal parameters, though we doubt this is the case. It is probably a case of no-one being caught yet.
The threat of a €20 million fine, or one which is up to 3% of a business’ total revenues, is nothing more than a piece of paper at the moment. If there is no evidence or fear authorities will punish to the full extent of the law, GDPR doesn’t act as much of a protection mechanism or a deterrent. When a genuine violation of GDPR is uncovered, Europe needs to bear its teeth and demonstrate there will be no breathing room.
This has been the problem for years in the technology industry; fines have been dished out, though there has been no material impact on the business. The staggering growth of revenues in the industry has far exceeded the ability of regulators to act as judge and executioner. Take the recent fines for Apple and Samsung over planned obsolescence in Italy. The $10 million and $5 million fines for Apple and Samsung would have taken 20 and 16 minutes respectively to pay off. This is not good enough.
Regulators now have the authority to hold the suspect characters in the industry accountable for nefarious actions concerning data protection and privacy, but it has to prove itself capable of wielding the axe. Until Europe shows it has a menacing side, nothing will change for the better.