Privacy International (PI) has filed complaints of "systematic infringements" of data protection law by seven info-sucking companies that it says find it too easy to fly under the radar.
In the civil rights group's sight are data brokers Acxiom and Oracle, ad-tech firms Critero, Quantcast and Tapad, and credit referencing agencies Equifax and Experian.
PI said it wants European data protection watchdogs to launch probes into the seven companies, which it claimed exploit the data of millions of people without thorough criticism, to assess whether their practices meet the standards set in the General Data Protection Regulation.
The move comes as the data-slurping activities of tech giants like Facebook are under near-constant scrutiny from lawmakers across the world. Privacy International said the firms on its shit list, "despite exploiting the data of millions of people, are not household names and therefore rarely have their practices challenged".
Oracle might dispute its perceived lack of brand awareness.
The complaints are based on more than 50 Subject Access Requests and the information the companies provide on firms' websites. And PI broadly argued that the way these companies use data – especially for profiling – contravenes the GDPR.
"GDPR sets clear limits on the abuse of personal data," said legal officer Ailidh Callander. "PI's complaints set out why we consider these companies' practices are failing to meet the standard – yet we've only been able to scratch the surface with regard to their data exploitation practices. GDPR gives regulators teeth and now is the time to use them to hold these companies to account."
The Information Commissioner's Office said yesterday it had issued assessment notices – which allow the body to carry out compulsory audits – to data broker Acxiom, as well as credit reference agencies Experian and Equifax. Privacy International wants the ICO to widen the net.
"These companies' processing activities are opaque and there is no direct relationship with individuals," Privacy International said.
"They amass vast amounts of data about millions of individuals, repurpose these data to infer (profile) more data (accurate and inaccurate) about individuals, then share this data with a multitude of third parties for innumerable purposes."
The group argued the data slurpers failed to comply with the data protection principles, set out in Article 5 of GDPR, of transparency, fairness, lawfulness, purpose limitation, data minimisation, and accuracy.
It added the seven don't have a legal basis for the way they use people's data. Under GDPR, there are six lawful bases for data processing, including the much-talked-about consent – but Privacy International said the firms can't claim any of these.
"Where they claim that consent is a valid basis for processing they fail to demonstrate how it was collected and that the consent was freely given, specific, informed, and unambiguous.
"Where they rely on legitimate interest they have moulded this to fit their self-determined interests without demonstrating the necessity nor sufficient consideration of the impact on individuals' rights."
Further to this, the complaints said the slurpers lack a basis for processing sensitive personal data, which makes stricter requirements on data controllers, and claimed there were various obstacles stopping people from exercising their individual rights under under GDPR.
The group also noted that a number of the seven have had data breaches in the past – Equifax is still feeling the pressure of its 2017 breach in which hackers made off with records on 46 million people.
The Register asked the seven slurpers to comment. Oracle has refused and we're yet to hear from the others. ®
Big Red example – a deeper dive into PI's complaint
Privacy International's complaint about Oracle outlines particular concerns about the Oracle Data Cloud, which allows advertisers to personalise customer interactions, and aggregates and analyses that customer data.
People are put into segments – of which there are thousands, including interests like online dating; dieting and weight; politics – to help advertisers figure out what to push at them.
"The scale of Oracle's processing activities, 'more than 30,000 data attributes on two billion consumer profiles drawn from 1,500 data partners', means that even though Oracle names data providers/partners it is extremely difficult to pinpoint the original source of the data," PI noted.
"As a result, it is de facto impossible for data subjects to understand how data that they have provided at one place and time ends up in Oracle's hands," PI said. And without knowing where it came from, or what it is, it remains hard to figure out what has been inferred, and what the consequences might be.
On profiling – where information is derived, inferred or predicted to generate new data – PI said Oracle fails to offer sufficiently granular information, especially given the scale of its profiling activities.
PI also outlined various ways in which it believes Oracle's reliance on consent and legitimate interests fall down, including the fact it relies on consent obtained by other data controllers further up the data supply chain.