Privacy International has launched a new investigation into a swathe of shadowy data companies to see if they comply with the new EU General Data Protection Regulation (GDPR), which came into force today.
The GDPR has been several years in the making, and introduces strict new obligations for organizations on how they process and protect customer and employee data as well as how they seek consent for using that data.
The rights group claimed that the business model of many data companies raises significant question marks over compliance with the new law, which is EU-wide but also applies to any organization which processes data on EU citizens.
Non-consumer facing data companies such as Acxiom, Criteo and Quantcast “amass and exploit” large quantities of consumer data without directly interacting with the data subject, according to Privacy International.
If they collect this data without the user’s knowledge, use it to profile users, or share it with another company for a different purpose to that stated at the time of collection, they could be in breach of the GDPR, the group claimed.
To launch the campaign, Privacy International has sent letters to a selection of the companies involved to find out more on how they handle personal data.
The non-profit claimed that companies and governments are increasingly exploiting not just data that consumers willingly provide but information they can “observe, derive, and infer” in order to manipulate people’s lives without accountability.
Privacy International legal officer, Ailidh Callander, welcomed the GDPR.
“It's been a long time coming, and the GDPR is an important step in the right direction, providing essential safeguards to our human rights to privacy and data protection, by imposing more stringent obligations on companies, strengthening rights of individuals, and increasing enforcement powers,” she added.
“GDPR is a key tool to empower individuals, civil society, and journalists to fight against data exploitation."
The group has also joined the Center for Digital Democracy and Public Citizen in writing to almost 100 US companies asking that they implement GDPR for users globally, as Microsoft and other tech giants have promised.