Privacy International, a UK-based registered charity that defends and promotes the right to privacy across the world, last week filed a number of complaints against US-based companies with European data protection bodies concerning suspected breaches of the General Data Protection Regulation.
The General Data Protection Regulation was introduced by the European Union on May 25 this year in a bid to protect the private information of all individuals within the European Union and to safeguard all data exported outside of the EU. It obliges all companies, groups and organisations managing such data to fulfil specific requirements or else be found in breach of the legislation. The penalties for GDPR violations are steep, going as high as €20m or 4% of annual global revenue in the previous year, whichever figure is higher.
The complaints were submitted against US-based companies including Oracle, Acxiom, Quantcast, Tapad and the credit referencing firms Equifax and Experian. These complaints claim that the companies' method of obtaining proper consent from individuals before recording and using their personal information is not compliant with GDPR legislation.
Privacy International released a statement which said: “It’s been more than five months since the EU’s General Data Protection Regulation (GDPR) came into effect. Fundamentally, the GDPR strengthens rights of individuals concerning the protection of their data, imposes more stringent obligations on those processing personal data, and provides for stronger regulatory enforcement powers – in theory. In practice, the real test for GDPR will be in its enforcement.”
It went on: “Nowhere is this more evident than for data broker and ad-tech industries that are premised on exploiting people’s data. Despite exploiting the data of millions of people, (these companies) are on the whole non-consumer facing and therefore rarely have their practices challenged.”
Privacy International lawyer Ailidh Callander said: “The data broker and ad-tech industries are premised on exploiting people’s data. Most people have likely never heard of these companies, and yet they are amassing as much data about us as they can and building intricate profiles about our lives. GDPR sets clear limits on the abuse of personal data. PI’s complaints set out why we consider these companies’ practices are failing to meet the standard—yet we’ve only been able to scratch the surface concerning their data exploitation practices. GDPR gives regulators teeth and now is the time to use them to hold these companies to account.”
These complaints further highlight how important it is for US firms to ensure that they are entirely in compliance with GDPR to avoid the prohibitive fines for breaching it. Many privacy advocates are focusing their efforts on ensuring that large multinational companies are not violating the new legislation. Privacy International itself is conducting a campaign that seeks to challenge companies, like those listed in the complaints, on the principles of transparency, fairness, lawfulness, purpose limitation, data minimisation, accuracy, and integrity and confidentiality. It is also requesting further investigations into Articles 13 and 14 (the right to information), Article 15 (the right of access), Article 22 (automated decision making and profiling), Article 25 (data protection by design and default) and Article 35 (data protection impact assessments).