A campaign group has asked EU regulators to investigate several data brokers, credit rating agencies, and adtech companies to see if they are breaching the General Data Protection Regulation (GDPR).
Privacy International filed several complaints to the British, Irish, and French data regulators on Thursday, November 8, against data broker Acxiom, software giant Oracle, credit rating agencies Experian and Equifax, and adtech companies Criteo, Quantcast, and Tapad. The group alleges that the companies, which buy and sell the data of millions of online consumers, cannot legally collect such information.
“Part of their business models are about fundamentally exploiting data and therefore clash with many of the provisions [of the EU’s General Data Protection Regulation],” said Ailidh Callander, legal officer at Privacy International, according to the Financial Times. “We put most of our attention on the bigger companies with which people have a direct relationship, like Facebook and Google, but then there are these other companies that most people have never heard of, and wouldn’t expect to have a huge amount of data about us.”
The UK’s Information Commissioner’s Office stated said it was “aware of concerns raised about the compliance of data protection laws by big tech companies, data brokers and credit referencing agencies.”
The GDPR allows European citizens to request their data from companies, as well as request for their data to be corrected and deleted under the “right to be forgotten” provision. Companies that fail to follow the new rules can face fines as high as €20 million (US$22.8 million), or 4% of their global annual revenue.
But a study found that three months in, GDPR compliance rates were low, showing that only 20% of firms are fully compliant. As a result, the number of complaints filed with the UK data protection watchdog has more than doubled since the GDPR went into effect at the end of May, while Ireland has also seen a boost in complaints.