Oracle and Equifax among seven firms accused of ignoring GDPR
Seven companies, including Oracle and Equifax, have been accused of violating GDPR data protection laws by privacy rights group Privacy International (PI).
PI filed complaints against two data brokers, three ad-tech firms and two credit-referencing agencies to the French authorities, the Irish Data Protection Commission (DPC) and the Information Commissioner’s Office (ICO). The complaint accuses the seven firms of disregarding data protection principles, including purpose limitation (specifying how data is used), data minimisation (holding data no longer than is absolutely required) and data accuracy.
The organisation is basing its accusations on more than 50 subject access requests (SARs) filed with the companies, as well as information they have provided in their marketing materials and privacy policies.
“The data broker and ad-tech industries are premised on exploiting people’s data,” said PI’s legal officer Ailidh Callander.
“Most people have likely never heard of these companies, and yet they are amassing as much data about us as they can and building intricate profiles about our lives.
“GDPR sets clear limits on the abuse of personal data. PI’s complaints set out why we consider these companies’ practices are failing to meet the standard – yet we’ve only been able to scratch the surface with regard to their data exploitation practices.”
The group argues that the companies, which also include Acxiom, Criteo, Experian, Quantcast and Tapad, do not have a legal basis for the way they use people’s data, and have not attained appropriate consents. PI also says they do not have the basis for processing sensitive personal data.
The ICO has already issued assessment notices to data broker Acxiom, as well as credit rating agencies Equifax and Experian. PI has urged the UK data regulator to widen its ongoing investigations to include the other four firms.
A Criteo spokesperson said the firm was asked to fill in a questionnaire on privacy in May, and said they invited PI to meet for further discussions. They added they did not get a response, and instead learned of the complaint two days ago.
“Whilst disappointed that they have chosen to take this action, we have complete confidence in our privacy practices and we remain open to answer any questions that PI may have,” the spokesperson said.
An Acxiom spokesperson said the company’s associates need to pass data security and privacy tests, and in May the business passed a Direct Marketing Association (DMA) audit around data privacy and compliance.
Experian, Quantcast, and Tapad were also approached. Oracle and Equifax refused to comment.
Alphr asked the ICO for the latest update on any investigations being conducted into the seven firms but did not receive a response at the time of writing.