We Need to Fix the ‘Data Wild West’
During the last World Economic Forum in Davos, the CEO of Microsoft joined the chorus of voices calling for new global privacy rules, saying the following in regard to the new European General Data Protection Regulation (GDPR):
“My own point of view is that it’s a fantastic start in treating privacy as a human right. I hope that in the United States we do something similar, and that the world converges on a common standard.”
We have come a long way: from tech companies fighting and lobbying against tougher data protection regulations to a new consensus around the need for these rules.
This piece tries to help answer two questions: Why do we need these standards, and why are they necessary?
What is the ‘data wild west’?
Last November, Privacy International filed complaints against seven companies, including data brokers, ad-tech companies and credit reference agencies, before data protection authorities in France, Ireland and the UK, for their wide-scale and systematic infringement of European data protection law.
The companies we chose to query are just a small sample of a much larger ecosystem of companies exploiting our data. They reflect the diversity of the range of companies profiting from this exploitation.
These (and other) companies work in Europe, but they also operate at a global scale. In many cases, due to the lack of meaningful regulation or enforcement, they operate in a virtual “wild west” where personal data can be exploited with minimal or non-existent safeguards.
Here we take a look at the unique risks and challenges caused by these companies when they operate in countries without data protection. In particular, we look at the products marketed specifically for countries without data protection.
Acxiom: 1500 data points on almost 96% of American citizens
Unlike Facebook and Google, Acxiom is not a household name. Yet, it is one of the largest data companies in the world.
We already filed a complaint against them for their activities in the EU, but the extent of their operations is most evident in the United States, a country where the absence of comprehensive data protection laws has made US citizens’ data fair game for companies. In the US, Acxiom holds approximately 1500 data points on about 96% of the American population.
Comparing the US version of Acxiom’s website with the UK version reveals differences between the products offered in the two countries. One of the products offered in the US that is not offered in the UK is Audience Propensities.
Acxiom claims that via Audience Propensities, “more than 3,500 market-leading indicators accurately predict brand affinity, preferences, and behaviour. Behavioural and attitudinal indicators are created based on known, actionable information and tied to shopping intent, attitudinal data, media behaviour, and more. Advanced analytics accurately predict consumer brand affinity and preferences, in-market interests and timing, and media viewing habits.”
Equifax: from credit scoring to selling our information
Equifax, a company mostly known as a credit referencing agency (and also a data broker), is another company that has developed services specifically targeted at non-European markets. Their product “Ignite”, for instance, is only available in Latin America and the US. Ignite is marketed as a “revolutionary portfolio of premier data and advanced analytics solutions.” Equifax claims that the product aims to offer companies specialised data, so they can “pinpoint specific risk groups, target audiences and more.”
Under all of this lingo lies a striking reality: the personal data of millions of people outside of the European Union might be in the databases Equifax is selling to its customers, many of them without any legal safeguards in regard to its use. Our credit history, employment and income data and more are used to build profiles of us so that companies can get insight about “the broader market,” that is, the people who are not yet their customers.
For companies that already have teams of data scientists on board, Equifax offers another product: “Ignite Direct”. It offers companies’ data scientists access to their “1.5 petabyte Big Data Score that includes 23 different data fees from eight core exchanges with more than 60 months of history.”
Again, beneath all the technicalities lies a shocking absence of limitations: a wide range of personal information can be collected and stored over the years, in many cases without any meaningful safeguard against it.
For example, the data contained in this database include “Equifax Exchange Data: Wealth and lifestyle insights, employment and income data, alternative data and more”; “Third-Party Data: Demographic data, auto registration and marketing data, property assessment information and more”; “Equifax Transaction Data: Credit data, employment verifications and more”; “External Data: Your customer data, new and unstructured data and more.”
Credit report agencies do not limit themselves to collecting our data for credit scoring purposes. Collecting data from a wide range of sources, including smaller data brokers, they also exploit the information they hold about us, including our financial information, to sell our profiles to other companies.
Experian and others: Gathering (and exploiting) information from public sources
Experian follows a business model similar to that of Equifax, as a credit rating agency that has also developed a marketing arm. Part of the data in Experian’s US marketing database comes from the US census and the phone book. It illustrates a problem that also exists in Europe: data companies are very much reliant on data that is mandatorily collected by the state.
This data can be used for several purposes, including political advertising. Coding Rights, in a joint report with Tactical Tech Collective, discovered a widespread industry of data brokers and advertising agencies whose business models are largely based on a lack of data protection.
In particular, their report highlighted the practice of combining and cross-referencing data collected through social networks and databases containing public information – such as the ones used for the provision of public policies and census information (IBGE), with personal information sold by data brokers such as Serasa Experian, including detailed information on voters (such as phone numbers of WhatsApp contacts), which was extensively used in the last presidential election.
This is by no means a practice of only big data brokers. In Chile, the data protection law allows companies to use personal data available in public sources without the consent of the data subject. Due to this legal loophole, it is relatively easy to find webpages where you can obtain the ID number and address of every citizen included in the electoral records, which have automatic enrolment and are public by law.
This data is already used by local companies and combined with more data to offer services such as voter profiling, allowing the identification of political preferences in social media (especially Facebook) through their interactions. As Fundación Datos Protegidos featured in their report, these interactions were matched with the voters’ ID number and address, generating enough data to produce highly targeted messages.
The case for improving global data protection
The global extent of data brokers’ operations highlights the reality of a world in which some people’s personal data is protected, while that of others is up for grabs.
Data protection laws have been adopted in over 120 countries, but in many cases they are old and ineffective. The entry into force of GDPR and the current drafting of new data protection laws around the world (e.g. Kenya, India, Indonesia, Pakistan, Uganda, among several others) is an opportunity for governments and companies to adopt best practice on data protection.
The adoption of strong and standardised data protection safeguards by companies operating around the world is necessary from a human rights perspective. It can also make sense from an economic point of view: exploiting legal loopholes while dealing with numerous jurisdictions and substantively different regulatory frameworks is not an efficient and sustainable business model.
So, what can we do now?
Luckily, there are some available answers to help us. For a start, governments need to adopt strong principles and rules that regulate the obligations of data controllers, protect users’ rights, and establish independent and effective oversight mechanisms.
International and regional standards have already identified these common principles, in instruments such as the OECD guidelines, Convention 108+ of the Council of Europe, and, at a regional level, GDPR.
In order to help with the task of assessing existing laws and promoting modern standards, last year we published a data protection guide to help in the analysis and advocacy of data protection worldwide. It features and expands on basic principles, rights, obligations, best practice, and enforcement issues related to data protection legislation.
Among many others, countries including Argentina, Chile, Brazil, India, Indonesia, Kenya, Pakistan and Uganda are debating new (or reformed) data protection laws. More than two billion inhabitants stand a chance of having their rights better protected. To seize these opportunities, it is key that these new laws are approved in a way that ends the ‘data wild west’ in which many people are living today. We need to put a stop to the way some companies operate across the world by taking advantage of deficient privacy frameworks.
We don’t need a ‘data wild west’, but a race to the top in data protection standards, where our data flows alongside our rights, where companies apply the same (high) standards everywhere, and where we have greater control over the massive data exploitation operation that is taking place at the expense of our fundamental rights.