Thirty U.S. companies — including software giant Adobe, TechCrunch owner AOL and SaaS CRM purveyor Salesforce.com — have been identified as in probable violation of a EU-US agreement aimed at safeguarding personal data transfers in a complaint filed with the FTC by US consumer privacy rights NGO the Center for Digital Democracy (CDD).
The Safe Harbour agreement between the EU and the U..S governs the transatlantic transfer of personal data for commercial purposes — such as for cloud-based digital services where EU citizens’ data is stored and processed in the US. An agreement is necessary for personal data to flow from Europe to the US because the EU has a more formalised system of privacy legislation than the US. The FTC enforces Safe Harbour certifications in the US.
The list of companies named in the filing includes: Acxiom, Adara Media, Adobe, Adometry, Alterian, AOL, AppNexus, Bizo, BlueKai, Criteo, Datalogix, DataXu, EveryScreen Media, ExactTarget, Gigya, HasOffers, Jumptap, Lithium, Lotame, Marketo, MediaMath, Merkle, Neustar, PubMatic, Salesforce.com, SDL, SpredFast, Sprinklr, Turn, and Xaxis.
The named companies include data brokers, data management platforms and profilers and mobile marketers — in other words, companies who make it their business to join digital dots of personal information to flesh out detailed profiles of consumers to sell on to advertisers.
The CDD says its filing provides “factual information and legal analysis on probable violations of Safe Harbor commitments that materially mislead EU consumers”.
“The commercial surveillance of EU consumers by U.S. companies, without consumer awareness or meaningful consent, contradicts the fundamental rights of EU citizens and European data protection laws, and also violates the intention of the Safe Harbor mechanism to adequately protect EU consumers’ personal information,” the CDD notes in an executive summary of its filing.
“The U.S. is failing to keep its privacy promise to Europe,” added Jeff Chester, CDD’s executive director in a statement. “Instead of ensuring that the U.S. lives up to its commitment to protect EU consumers, our investigation found that there is little oversight and enforcement by the FTC. The Big Data-driven companies in our complaint use Safe Harbor as a shield to further their information-gathering practices without serious scrutiny.
“Companies are relying on exceedingly brief, vague, or obtuse descriptions of their data collection practices, even though Safe Harbor requires meaningful transparency and candor. Our investigation found that many of the companies are involved with a web of powerful multiple data broker partners who, unknown to the EU public, pool their data on individuals so they can be profiled and targeted online.”
The Safe Harbour agreement dates back to 2000 and generally requires US companies to adhere to a set of E.U. personal data protection principles — such as informing citizens that their data is being collected and how it will be used. However the agreement has come under sustained criticism in recent times, especially since the Snowden revelations revealed the extent of US intelligence agencies’ dragnet surveillance programs.
One problem is the Safe Harbour agreement allows for certain limitations in the interests of national security — a loophole which has evidently been massively exploited by the NSA and its ilk, calling the whole agreement into question. Critics have also argued Safe Harbour is lax and weak, since it allows US companies to voluntarily self certify and therefore hardly offers copper-bottomed data protection safeguards.
The idea that Safe Harbour might not actually be so safe led the European Commission to review the agreement in November last year — and put forward a series of recommendations to improve it, with the ongoing threat of suspension of the agreement if the US does not take legislative action to shore up data issues.
The CDD’s filing, which requests the FTC investigate the named companies, piles more pressure on for reform — given the scope of the problems it has apparently identified.
“FTC should investigate these companies’ practices using its subpoena authority and other methods of investigation,” writes the CDD. “When FTC holds these data marketing and profiling companies’ practices up against their public statements to DOC and consumers, it seems likely (based on how these companies differently describe themselves to clients) that the agency will find numerous deceptive misstatements. If such violations are found, FTC should make sure these companies cannot continue in the Safe Harbor program without first addressing all violations, and submitting to active oversight.”
The CDD argues that the activity of the named companies is putting EU consumers’ privacy at risk owing to their use of “unique identifiers and sophisticated tracking and analysis”.
“They use such data sources as public records, census data, online tracking technologies, consumer trailing through mobile devices (following users both in the physical world and online), and many other sources. These companies add to this information through a variety of data sources, which can include sensitive information such as addresses, past purchase history, income, demographics, and family structure. A common feature of the business practices of nearly all the companies cited in this complaint is the involvement of an array of third-party data brokers and other information providers, who supply rich data sets used for the profiling and targeting of EU consumers. All of the companies, we believe, fall far short of the commitments they have made under the Safe Harbor,” it adds.
Specifically, the filing lists three main “patterns of deception” common to the listed companies which it urges the FTC to investigate: firstly that the companies are misstating their actual purposes and practices of data collection and use — so being insufficiently transparent; secondly that they are misrepresenting legal facts of importance to EU consumers, such as by claiming they are not data controllers; and thirdly by merging with and acquiring other companies to expand their data collection and profiling abilities — but not updating their Safe Harbour disclosures.
“FTC has a clear duty to enforce the framework against companies that demonstrate a pattern of violation despite self-certification and claims to abide by the principles. FTC should open investigations on these data marketing and profiling companies and stand by its enforcement commitments made when the Safe Harbor was first approved, as well as FTC commissioners’ ongoing assurances of the validity and importance of such enforcement,” it adds.
We’ve reached out to AOL for a response to the filing’s claims and will update this post with any response.