A US consumer privacy group has called for the Federal Trade Commission (FTC) to investigate 30 firms which operate data profiling and online targeting on the grounds that they are violating the ‘Safe Harbor’ framework.
This framework, established as a method for US firms to transfer personal data outside the European Union in a way that is consistent with the EU Data Protection Directive, is being flouted by US tech firms, according to the Center for Digital Democracy (CDD), which has filed the complaint.
Companies including Adobe, AOL, BlueKai, Criteo, Datalogix, Salesforce, and Xaxis are listed in CDD’s complaint to the FTC as in need of investigation for the way they compile, use and share EU consumers’ personal information.
“The US is failing to keep its privacy promise to Europe,” said Jeff Chester, CDD’s executive director.
“Instead of ensuring that the US lives up to its commitment to protect EU consumers, our investigation found that there is little oversight and enforcement by the FTC.
“The big data-driven companies in our complaint use Safe Harbor as a shield to further their information-gathering practices without serious scrutiny. Companies are relying on exceedingly brief, vague, or obtuse descriptions of their data collection practices, even though Safe Harbor requires meaningful transparency and candor.
“Our investigation found that many of the companies are involved with a web of powerful multiple data broker partners who, unknown to the EU public, pool their data on individuals so they can be profiled and targeted online.”
The group has called for Safe Harbor to be completely overhauled. CDD legal director Hudson Kingston said: “CDD’s complaint describes the systemic failure of the Safe Harbor to function as it was intended.
“Companies are flouting standards that the Department of Commerce agreed to and the Federal Trade Commission pledged to enforce. Safe Harbor has to be overhauled to make sure it actually works; until that time, it should be suspended.
“We call on the FTC to investigate and sanction the companies named in our complaint. The fundamental privacy right of 500 million Europeans has been ignored and must be acknowledged and protected going forward.”
The 30 companies cited in CDD’s filing include Acxiom, Adara Media, Adobe, Adometry, Alterian, AOL, AppNexus, Bizo, BlueKai, Criteo, Datalogix, DataXu, EveryScreen Media, ExactTarget, Gigya, HasOffers, Jumptap, Lithium, Lotame, Marketo, MediaMath, Merkle, Neustar, PubMatic, Salesforce.com, SDL, SpredFast, Sprinklr, Turn, and Xaxis.
Although all 30 companies listed in the complaint have different methods of data collection and sharing, the CDD has identified five broad concerns that “illustrate the inadequacy” of the Safe Harbor regime (see below).
- The failure of Safe Harbor declarations and required privacy policies in particular to provide accurate and meaningful information to EU consumers.
- An overall lack of candor from the companies about the nature of their data collection apparatus, including their networks of data broker partners and even their corporate affiliations.
- The general failure to provide meaningful opt-out mechanisms that EU consumers can find and use to remove themselves fully from privacy-harming data collection and processing.
- The myth of “anonymity” at a time when marketers—armed with vast amounts of details about consumers’ personal needs and interests, employment and social status, location and income—do not need to know one’s name in order to track and target that particular individual online.
- The false claim made by several companies named in the complaint that they act as “data processors” on behalf of others, when in fact they play a central role in bringing the power of their big data-driven services to bear on consumer profiling and targeting.
Safe Harbor, overseen by the US Department of Commerce, is based on a voluntary 'self-certification' process, under which companies promise to provide clear 'notice' of their data collection practices and data uses, and 'choice' – giving consumers the opportunity to 'opt out' of practices they did not previously agree to.
Once they have promised to do this, they are allowed to collect information from European consumers without strictly following the EU’s higher data-protection standards.