Privacy International has filed complaints against seven companies including Experian, Equifax and Oracle for alleged contravention of the GDPR.
The rights group is hoping to highlight what it believes is illegal use of customer data, particularly for profiling purposes. It’s part of a wider campaign designed to make it easier for consumers to demand companies delete their data under the new legislation.
The complaints — based on 50 Data Subject Access Requests and information gathered from the companies’ privacy policies and marketing material — also target data broker Acxiom, and ad-tech firms Criteo, Quantcast and Tapad.
According to Privacy International, the companies' practices have breached the GDPR principles of transparency, fairness, lawfulness, purpose limitation, data minimization, and accuracy.
The firms also allegedly have no legal basis for using data in the way they do, a key requirement of the GDPR. PI claims that neither consent nor legitimate interest is applicable in these cases, and there’s no basis for processing sensitive data.
Specifically, they fail to demonstrate consent was “freely given, specific, informed, and unambiguous,” and in the case of legitimate interest they have twisted the meaning to fit their own interests without considering the impact on individuals’ rights, PI claimed.
“The data broker and ad-tech industries are premised on exploiting people's data. Most people have likely never heard of these companies, and yet they are amassing as much data about us as they can and building intricate profiles about our lives,” argued Privacy International legal officer, Ailidh Callander.
“The GDPR sets clear limits on the abuse of personal data. PI's complaints set out why we consider these companies' practices are failing to meet the standard — yet we've only been able to scratch the surface with regard to their data exploitation practices. GDPR gives regulators teeth and now is the time to use them to hold these companies to account.”
Both Experian and Equifax have, of course, suffered major data breaches in the past, the latter affecting 148 million consumers.