This article originally appeared in Threatpost on November 9, 2018.
The results could start a wave of major damages for companies that collect and sell consumer information.
Equifax, Experian and Oracle are among a slate of companies, whose business is consumer information, that could soon face billions of dollars in fines for improper data handling.
Privacy International has filed complaints against seven corporations, consisting of data brokers (Acxiom and Oracle), companies that provide consumer profiling and targeting data for advertising purposes (Criteo, Tapad and Quantcast), and two credit-referencing agencies that collect sensitive financial data on roughly everyone in the U.S. as well as many in Europe and elsewhere (Equifax and Experian). The complaints have been lodged with data protection authorities in France, Ireland and the U.K. The group is asking for an investigation into their data-handling practices under the auspices of Europe’s strict General Data Protection Regulation (GDPR).
The GDPR, which went into effect in May, gives regulators real teeth when it comes to enforcing privacy mandates, including issuing fines of up to 4 percent of an offending company’s annual turnover. That would equal billions of dollars for Fortune 500 companies such as Equifax, which consumers know from the massive data breach last year.
Aside from the credit-reporting giants, the complaints target companies that, despite collecting and using or selling the data of millions of people, are not household names.
“These complaints put under the microscope companies normally invisible to consumers,” Alan Toner, researcher at the Electronic Frontier Foundation, told Threatpost. “Internet users know little about these data brokers and advertising technology actors who are tracking their browsing activity on the web and merging this information with data collected from other online and offline sources. This occurs using unique identifiers such as cookies, device IDs and other unique identifiers. These are encompassed by the definition of personal data in the EU, which is broader than the idea of personally identifiable information used in the U.S. (names, email addresses, Social Security numbers etc.).”
“Our complaints argue that the way these companies exploit people’s data, in particular for profiling, is in contravention of the GDPR,” PI said in an announcement.
PI argues that none of the companies complies with the GDPR’s specific, named protection principles of transparency, fairness, lawfulness, purpose limitation, data minimization and accuracy.
“They amass vast amounts of data about millions of individuals, repurpose these data to infer (profile) more data (accurate and inaccurate) about individuals, then share this data with a multitude of third parties for innumerable purposes,” PI explained. “Many have also had data breaches in the past.”
As evidence, PI is using the more than 50 Data Subject Access Requests that have been made to these companies, which is the method by which EU citizens can exercise their right to ask organizations what data they hold about them. It is also delivering evidence based on information that the companies provide in their marketing materials and in their privacy policies.
“The world is being rebuilt by companies and governments so that they can exploit data. Without urgent and continuous action, data will be used in ways that people cannot now even imagine, to define and manipulate our lives without us being able to understand why or being able to effectively fight back,” said PI data exploitation program lead Frederike Kaltheuner. “We encourage journalists, academics, consumer organizations, and civil society more broadly, to further hold these industries to account.”
For some of the cases, PI has a head start. The U.K.’s Information Commissioner’s Office (ICO) has already issued assessment notices to Acxiom, Equifax and Experian, so the group is asking the ICO to take into account its submissions in the context of the ICO’s existing investigation.
While wholesale harvesting of personal information for mercenary purposes – like ad-targeting and political targeting – has been something that consumers have recently become aware of and upset over in the wake of the Facebook/Cambridge Analytica scandal, not everyone is so gung-ho on holding these types of companies’ feet to the fire.
Brian Vecci, technical evangelist at Varonis, elaborated on what he saw as the downside of the zeal to crack down on data brokers.
“Entire business models could be declared illegal and have to be scrapped if these complaints are valid, and that might be a bad thing for consumers,” he told Threatpost. “For years, companies of all kinds, big and small, have exploited the personal information of individuals, often without their knowledge or consent or any kind of real privacy protection. These complaints—that specific companies are unlawfully gathering and using personal data and failing to make sure that systems have privacy by design and that collection is limited—are designed to highlight some of the most egregious abuses by data brokers, ad tech companies and credit agencies. What’s key here isn’t that these particular companies are targeted, it’s that these complaints could likely be applied to entire industries that are built on data gathering and exploitation.”
He added, “These kinds of complaints will be the new normal for everyone, and not just data-centric industries like these.”
Vecci’s concerns point to the fact that PI’s set of complaints could indeed be a bellwether for the GDPR, because they will likely act to clarify some of the legal uncertainty around the wide-ranging law.
“Despite endless discussion about the GDPR over the last two years, there is still a lot of uncertainty about how it will apply,” he said. “Among publishers and ad tech companies, some are attempting to base their use of data on the consent of their users, others claim that they can do so based on their ‘legitimate interest’. This is a matter which regulators and the courts will eventually decide. There is also conflict over the legality of profiling involving the inference of what is classed as ‘sensitive data’ related to health, religion and political affiliation, and thus subject to stricter protection.”
He added, “The passage of the GDPR was a massive political battle in the EU, but we’ve yet to see how it will be enforced. The complaints being filed by PI and other organizations get that ball rolling.”
And the ball will likely be rolling sooner rather than later. Chris Olson, CEO of The Media Trust, said that for better or worse, PI’s high-profile move is probably just the kickoff of what looks to be a football game destined to go into overtime.
“Consumer data is money. For this reason, companies collect it, sometimes misuse it, and bad actors steal it while regulators and standards struggle to keep up,” he told Threatpost. “What makes GDPR and a growing number of regulations like the California Consumer Privacy Act and Senator Wyden’s recent proposal for a consumer privacy bill game-changing is that they require companies to obtain explicit consent and disclose what categories and types of personal information they collect from and about consumers, how that information will be used, etc. In the case of GDPR, companies must also track to whom they share the information and hold them accountable for their own and their third parties’ data processing practices.”
He added, “The largest data breaches in recent years—Target, Panera, Equifax, Ticketmaster—are all related to vulnerable third parties who supported their websites. Companies should reassess just how thoroughly they vet their third parties, who have their own contractors, and how well they police their activities. Because, in the next two years, as data privacy regimes proliferate, so too will lawsuits.”