SUBMISSION TO THE INFORMATION COMMISSIONER REQUEST FOR AN ASSESSMENT NOTICE OF DATA BROKERS Acxiom & Oracle (the ‘data brokers’)
A. Introduction and Purpose of this Submission 1. The purpose of this submission is to provide the Information Commissioner with analysis and evidence in order to assist her in assessing the relevant data controllers’ compliance with data protection law. Privacy International is aware that the Information Commissioner has issued an assessment notice pursuant to Section 146 of the Data Protection Act 2018 (the “DPA 2018”) in respect of the data broker, Acxiom1 and Privacy International requests that the Information Commissioner issue a similar notice in respect of the data broker Oracle, in order to assess their compliance with the data protection legislation, in particular, the General Data Protection Regulation EU 2016/676 (“GDPR”). In the absence of the Information Commissioner’s actions to date, Privacy International would have invited her to issue such assessment notices for both companies in response to the submissions set out herein. 2. Privacy International is gravely concerned at the data processing activities of the data broking and AdTech industry. We are therefore submitting this complaint against Acxiom and Oracle, together with two separate joined complaints against data broker/ credit reference agencies Experian and Equifax and AdTech companies Quantcast, Tapad and Criteo.2 Together these companies profit from the exploitation of the personal data of millions of people in the UK, in the rest of the European Union and further afield.3 1
The Information Commissioner’s Report to Parliament on 6 November 2018 indicated that the Information Commissioner has issued an assessment notice to Acxiom Ltd. ; https://ico.org.uk/media/action-wevetaken/2260271/investigation-into-the-use-of-data-analytics-in-political-campaigns-final-20181105.pdf 2 Submitted by Privacy International on 8 November 2018. 3 Privacy International has written extensively on how companies exploit personal data: How do data companies get our data? (May 2018) available at: https://privacyinternational.org/feature/2048/how-do-data-companies-getour-data; A Snapshot of Corporate Profiling (April 2018) https://privacyinternational.org/feature/1721/snapshotcorporate-profiling; Invisible Manipulation: 10 ways our data is being used against us https://privacyinternational.org/feature/1064/invisible-manipulation-10-ways-our-data-being-used-against-us; Further questions on Cambridge Analytica's involvement in the 2017 Kenyan Elections and Privacy International's investigations (March 2018) https://privacyinternational.org/feature/1708/further-questionscambridge-analyticas-involvement-2017-kenyan-elections-and-privacy
1