Privacy International takes action against data brokers

Data brokers, businesses amassing and selling detailed profiles of individuals, can have a profound impact on our daily lives, without us even knowing of existence of such practices that fuel the personal data economy.

In this light, on 8 November 2018, Privacy International filed complaints against 7 companies (data brokers, advertising technology companies, and credit agencies) that compile and systemically exploit personal data of millions of people, urging the data protection authorities in France, Ireland, and the UK to hold them accountable. Among others, the non-profit accuses these firms of not complying with the data protection principles enshrined in the General Data Protection Regulation (GDPR).

Privacy International made use of marketing materials and privacy policies of the companies that are generally unknown – Acxiom, Oracle, Criteo, Quantcast, Tapad, Equifax, and Experian –, as well as making dozens of Data Subject Access Requests to get a sense of just how granular insight into one’s (online) behaviour these data brokers have. They found out that based on data like URLs, time stamps, IP addresses, cookies IDs, and browser information, the companies such as Quantcast, a so-called third party that monitors individuals’ online behaviour, can predict individual’s gender, age, education, income level, and even presence of children in their household; even more, they can categorize and target you as someone with interest in travelling to Canada, as “Alcohol at Home Heavy Spender” or as “Abortion-Minded Woman”, whether that is in fact true or not. As companies like Quantcast have trackers all over the internet, they are therefore able to aggregate and combine them together like puzzles to get a pretty specific sense of one’s identity. Thanks to advanced data analytics they can infer sensitive data from sources that seemingly do not reveal such data at all. Privacy International says the criteria for such categorization are impossible to understand and that data used for assigning an individual into a specific category cannot be reconstructed.

Privacy International also stresses that such third parties have no direct relationship with individuals whose data they collect. Data brokers of course claim they have individual’s consent for such data processing – remember clicking “I accept” on any random website you get your news from? – but, as such forms are designed in a way that is rather tedious to not accept the tracking, they believe this is in violation of the GDPR, which requires consent to be freely given, specific, informed, and unambiguous. Further, they argue data brokers lack other appropriate legal basis for data processing, stating that legitimate interest cannot be equated to the interest of companies to profit off of personal data of individuals.

Not only collecting, data brokers also buy personal data from other companies and combine it with other information they have their hands on. They have compiled data on a disturbing amount of people: worldwide, Acxiom has data on approximately 700 million people from hundreds of sources; in the Netherlands, Focum, for example, has payment behaviour scores on more than 10 million people.

Privacy International admits they have only been able to scratch the surface of these problematic practices. Previously, the concerns about data brokers and web trackers have also been voiced in other countries and by other organizations; Brave browser has accused behavioural advertising industry of a massive and systematic data breach, resulting from bid requests, calling for an investigation of the opaque online ad industry. The campaign of La Quadrature du Net is going after Google, Apple, Facebook, Amazon and Microsoft as a first step to dismantle the world of web trackers.

This being said, the workings and the extent of the global data brokers industry is still poorly understood, especially outside the EU and the US, as is the complexity of the web tracking ecosystem that in part underpins it. Global data markets are not widely investigated, even though recently we see an increase in attention by policy actors and academics, especially because of privacy related concerns raised by these practices. The new political economy of data requires methodological engagement and it is of utmost importance that research efforts look into the power imbalances in the global data markets and contribute to governance deliberations not only on data protection laws, but on wider data justice.

About the project

Places and populations that were previously digitally invisible are now part of a ‘data revolution’ that is being hailed as a transformative tool for human and economic development. Yet this unprecedented expansion of the power to digitally monitor, sort, and intervene is not well connected to the idea of social justice, nor is there a clear concept of how broader access to the benefits of data technologies can be achieved without amplifying misrepresentation, discrimination, and power asymmetries.

We therefore need a new framework for data justice integrating data privacy, non-discrimination, and non-use of data technologies into the same framework as positive freedoms such as representation and access to data. This project will research the lived experience of data technologies in high- and low-income countries worldwide, seeking to understand people’s basic needs with regard to these technologies. We will also seek the perspectives of civil society organisations, technology companies, and policymakers.