Large companies have been hit by complaints from Privacy International, a leading UK advocacy organization that claims that they have breached privacy laws in Europe. Formal complaints have been filed in Ireland, France and the United Kingdom. According to Privacy International, there are seven major corporations that have failed to comply with the EU’s GDPR laws, which became effective last May. The complaints states that these firms continue misusing consumer data and exploiting it for their own benefit, without considering the General Data Protection Regulations that were introduced to protect them. Privacy International states that the companies involved are not top names, which has helped them to stay under the radar somehow.
The GDPR legislation that came to effect in May 2018, establishes that companies have to demonstrate that they use people’s for legitimate purposes. Privacy International analyzed more than 50 Data Subject Access Requests to unveil problematic gaps in the practices of multiple large companies. The companies against which Private International has filed the complaints are Oracle, Acxiom, Tapad, Experian, Equifax Quantcast and Criteo.
Privacy International states that all these companies are acting against transparency, lawfulness, fairness, purpose limitation, accuracy, data minimization and purpose limitation principles. All of them are a legal requirement to process consumer data in the European Union. Private International believes that its findings are just a small sample of a large scale problem and it predicts that regulators will find that there is widespread systematic violations against GDPR.
A ray of hope
Following the the complaints from Privacy International, the UK’s Information Commissioner’s Office issued assessment notices to Equifax, Acxiom and Experian. It is likely that the investigation extends to the other companies reported by Privacy International such as Oracle, Tapad and Criteo. If the complaints made against these companies are confirmed, data protection authorities are set to discover that infringement is systematic and widespread as alleged by Privacy International.
Privacy International is confident that at least some, if not all the firms reported, have failed to obtain the consent or legitimate interest needed to process the data they have. Additionally, Privacy International believes that the companies don’t have a legal basis to process special category personal data. This category includes sensitive information such as religious or philosophical believes, political opinions, race and ethnic origin, genetic data and sexual orientation. While these firms state that consent is a valid reason for processing the information, they are not able to show how it was collected and that the consent obtained was freely given, clear and informed. They have also failed to demonstrate that they understand the impact of the misuse of this data in people’s rights.
Large fines are likely to be imposed
In case it is found that the seven companies are indeed breaking the GDPR, they could face millionaire fines. The amount could be up to 20 million Euros or 4% of their annual turnover, if that is higher. Recently, the ICO in the UK, found that Facebook was guilty of breaking privacy regulations in the light of the Cambridge Analytica scandal. However, since the investigation was underway before the GDPR was officially implemented, Facebook avoided the hefty fines dictated by this regulation and it only had to pay 500.000 GBP. This would not be the case for the companies that Privacy International has filed complaints against, if they are found guilty this time.
Privacy International has found evidence showing that consumers are coming across challenges when they try to defend their data protection rights, including the rights to information, right to access and to erasure, which are Article 13/14, 15 and 17 of the GDPR. This is why it has launched a campaign that wants to make things easier for people to ask companies to request access to delete their data when they want to do it. If you want to join the campaign, you can go to Privacy International’s website. The organization’s legal officer explained that data broker and ad-tech companies are focused on exploiting users’ data. The majority of people have probably never heard about these companies before, which allows it to operate without drawing too much attention. This is how they can continue obtaining a large amount of data since they can establish complex profiles about people’s lives. It is likely that these companies are not able to meet the requirements of the GDPR, which is why they should be held accountable and people should make their rights be respected.
Related Best VPN to Bypass GDPR