Privacy International launches campaign to investigate range of data companies that facilitate mass data exploitation
On the day that GDPR comes into force, PI has launched a campaign investigating a range of data companies that make up a largely hidden data ecosystem. This hidden data ecosystem is comprised of thousands of non-consumer facing data companies - such as Acxiom, Criteo, Quantcast - that amass and exploit large amounts of personal data. Using the rights and obligations provided for within the new data privacy law, PI's campaign involves investigating a selection of these companies whose business models raise questions under GDPR.
To launch the campaign, PI has today sent letters to a selection of data companies. The letters ask a series of questions aimed at gaining clarity into how these companies handle personal data in view of their obligations under GDPR. Non-consumer facing data companies' business models depend on collecting and exploiting personal data without interacting with people directly. PI considers that amassing vast amounts of data about people and using it in ways that they would not expect to be the antithesis of what GPDR requires.
For example:
- If a user never interacts with a company the company should not have the user's data without then being made aware.
- If a user provides their data to a company for one purpose, the company should not share it with another company for another purpose.
- If a user has never knowingly interacted with a company, a company should not be able to use their data, to infer, derive, and predict more data (profile them).
Public debate so far has focused on personal data that people knowingly disclose - such as name, public posts online, email address. We urgently need to look beyond the data we provide knowingly to companies and government. Exploiting the hidden data ecosystem, companies (and governments) are relying less on data we provide and instead are looking at data they can observe, derive, and infer. Without urgent action, data will be used in ways that people cannot now even imagine, to define and manipulate their lives without transparency or accountability. PI's campaign is using GDPR as a tool to investigate and fight this exploitation.
Ailidh Callander, PI Legal Officer said:
"We welcome GDPR taking effect. It's been a long time coming, and GDPR is an important step in the right direction, providing essential safeguards to our human rights to privacy and data protection, by imposing more stringent obligations on companies, strengthening rights of individuals, and increasing enforcement powers. GDPR is a key tool to empower individuals, civil society, and journalists to fight against data exploitation."
Notes to editors:
PI also joined the Center for Digital Democracy and Public Citizen in writing to nearly 100 companies in the U.S. asking that the companies implement GDPR for users globally, and not make the deliberate choice to lower data privacy for users outside the EU.