Privacy International, a UK-based charity that fight for the right to privacy across the world, last week submitted multiple complaints against US-based Companies to European based Data Protection bodies concerning possible breaches of the General Data Protection Regulation (GDPR).
The General Data Protection Regulation became enforceable yy the European Union on May 25 this year in a bid to safeguard the private information of all individuals within the European Union and to safeguard all data exported externally of the EU. It means that all companies, groups and organisations handling data like this to fulfil a specific requirement or else they, the companies, will be in violation of the legislation. The penalties for GDPR violations are high, going up to €20m or 4% of annual global revenue in the previous year – whichever figure is larger.
The complaints that have been filed are against US-based companies including Oracle, Acxiom, Quantcast, Tapad and the credit referencing firms Equifax and Experian. These complaints state that the method of receiving proper consent from people before recording and using their personal data is not compliant with GDPR legislation.
Privacy International published a statement which said: “It’s been more than five months since the EU’s General Data Protection Regulation (GDPR) came into effect. Fundamentally, the GDPR strengthens rights of individuals concerning the protection of their data, imposes more stringent obligations on those processing personal data, and provides for stronger regulatory enforcement powers – in theory. In practice, the real test for GDPR will be in its enforcement. Nowhere is this more evident than for data broker and ad-tech industries that are premised on exploiting people’s data. Despite exploiting the data of millions of people, (these companies) are on the whole non-consumer facing and therefore rarely have their practices challenged.
Ailidh Callander, lawyer for Privacy International released his own statement which said: “The data broker and ad-tech industries are premised on exploiting people’s data. Most people have likely never heard of these companies, and yet they are amassing as much data about us as they can and building intricate profiles about our lives. GDPR sets clear limits on the abuse of personal data. PI’s complaints set out why we consider these companies’ practices are failing to meet the standard—yet we’ve only been able to scratch the surface concerning their data exploitation practices. GDPR gives regulators teeth and now is the time to use them to hold these companies to account.”
These complaints emphasise the importance for US firms on making sure that that they are entirely in compliance with GDPR to avoid the massive financial penalties for breaching it. Many privacy advocates are concentrating their efforts on ensuring that large multinational companies are not breaching the new legislation. Privacy International itself is completing a campaign that seeks to challenge companies, like those referred to in the complaints, on the principles of transparency, fairness, lawfulness, purpose limitation, data minimisation, accuracy and integrity and confidentiality. It is also asking that further investigations into Articles 13 and 14 (the right to information), Article 15 (the right of access), Article 22 (automated decision making and profiling), Article 25 (data protection and by design and default) and Article 35 (data protection impact assessments). be carried out.