Privacy Advocacy Organization Files GDPR Complaints Against Data Brokers

On November 8, 2018, Privacy International (“Privacy”), a non-profit organization “dedicated to defending the right to privacy around the world,” filed complaints under the GDPR against consumer marketing data brokers Acxiom and Oracle. In the complaint, Privacy specifically requests that the Information Commissioner (1) conduct a “full investigation into the activities of Acxiom and Oracle,” including into whether the companies comply with the rights (e.g., right to access, right to information, etc.) and safeguards (e.g., data protection impact assessments, data protection by design, etc.) in the GDPR; and (2) “in light of the results of that investigation, [take] any necessary further [action]... that will protect individuals from wide-scale and systematic infringements of the GDPR.”

The complaint alleges that the companies’ processing of personal data comports with neither the consent and legitimate interest requirements of the GDPR nor the GDPR’s principles of:

  • transparency (specifically relating to sources, recipients and profiling);
  • fairness (considering individuals’ reasonable expectations, the lack of a direct relationship, and the opaque nature of processing);
  • lawfulness (including whether either company’s reliance on consent or legitimate interest is justified);
  • purpose limitation;
  • data minimization; and
  • accuracy.

The complaint emphasizes that Acxiom and Oracle are illustrative of the “systematic” problems in the data broker and AdTech ecosystems, and that it is “imperative that the Information Commissioner not only investigate[] these specific companies, but also take action in respect of other relevant actors in these industries and their practices.”

In addition to the complaint against Acxiom and Oracle, Privacy submitted two separate joined complaints against credit reference data brokers Experian and Equifax, and AdTech data brokers Quantcast, Tapad and Criteo.
