Transparent consumers – a report by Bits of Freedom

By EDRi · February 24, 2016

Data brokers follow everything you do. What you buy, where you live, what you like and what this information says about you. They sell profiles based on this information to other companies. Starting last summer, Bits of Freedom conducted research with Dutch online newspaper De Correspondent as part of the ‘Quantified society’ programme. We looked at the practices of data brokers and seriously doubt their conduct is in line with the Dutch data protection law. The unfair processing and re-use of our data could threaten our autonomy and society.

................................................................. Support our work - make a recurrent donation! .................................................................

Why we studied Dutch data brokers

Recent research shows that, in some countries, companies such as data brokers are increasingly collecting personal data for profiling. They can then offer these profiles to commercial clients who use them for marketing and credit rating.

The conduct of data brokers and profiling can create ethical risks. Personal data can be processed in a way that gives companies and governments power over people. It allows them to follow someone’s information trail step by step, to manipulate their economic decisions, to categorize individuals, to sort and discriminate among individuals, to inhibit an individual from changing or progressing; and to infringe or steal one’s identity. In other words, in the wrong hands, or applied the wrong way, these technologies could harm people .

This research looked at the Dutch situation and aimed at mapping the scope of data brokers and the commercial profiling industry in the field of commercial marketing and credit rating in the Netherlands, their legality, and to evaluate how society can mitigate risks associated with it.

Data brokers know more about you than you know

For our research we gathered a list of data brokers and approached them for interviews and with data access requests. The team also acted as a data broker to see which data it could access, and made profiles with the help of experts. An expert session was organised on ethical and legal aspects.

The research reveals that there are many (+180) data brokers in the Netherlands that collect personal (and at times sensitive) information. They get their data from various sources (public and commercial) and create profiles about individuals. The research also shows that it is fairly easy for data brokers to gain access to information and to make profiles. It also shows that small changes in algorithms can have big results and that it is not always clear why some profiling has certain outcomes.

For the people whose data is processed, it is difficult to control data flows as it is not transparent. It is also difficult to obtain information about how data is used or to get information about personal credit scores.

Data brokers break the law

We compared these outcomes with the legal framework and reached the following conclusions:

1. Data brokers lack the legal basis to process so much data.
The research reveals that in the case of data brokers, users have little control over what happens to their data. People have not consented to the processing of their data, because there is no direct contact between data brokers and the people whose data is being processed. Furthermore, the commercial ‘legitimate interest ‘data brokers claim as a legal basis for their processing is too weak to justify the privacy breach that further processing causes. Meanwhile, the research shows that data brokers process sensitive information, which requires explicit consent.

2. Data brokers don’t respect the obligation of purpose limitation.
Although some commercial entities state that data is shared with third parties, this says nothing about the purpose for which those third parties (the data brokers) will be processing their data. Individuals have no way of knowing how their data is further processed by those third parties. Furthermore, data brokers have given us little information about how the data is shared further. This denies people the opportunity to know and verify the purpose of the further processing.

3. There is too little transparency about data brokers and commercial data traffic.
Notices provided by parties that share data with brokers are vague and unspecific. Data brokers themselves are also not transparent about how they use their data, where they get their data and with whom they share their data.

4. There is no way for people to object.
The research shows that once data is shared, it is further shared with third parties. There should be limits to this chain and opportunities for people to object to processing. Onward sharing makes it increasingly difficult for users to exercise control over their data and to prevent further processing. We should also critically evaluate the reuse of public data and allow people the opportunity to object to processing.

5. Data subject rights are not respected.
The research reveals that some data brokers don’t respond to access requests and that people don’t get the information about their profile, even though they are legally entitled to this. People should be meaningfully informed about profiling. They should also be able to tell what that profile is and be able to ask for human intervention when decisions are made that concern them on the basis of profiles.

6. There should be more enforcement.
After new enforcement laws enter into force, the data authority should closely watch the behavior of these companies. We also recommend more proactive research and activity by the anti-discrimination authority. Research reveals that some profiles have the ability to indirectly discriminate against certain groups of people. The problem is, that this discrimination is difficult to spot, in particular when companies don’t directly use sensitive data.

Data brokers need to be studied extensively

Our research shows that the practices of data brokers pose risks to our society and that their conduct does not abide by the data protection laws. Furthermore, new technologies like big data and the Internet of things and the close alignment between the public and private sphere potentially exacerbate these risks. We therefore not only recommend more monitoring and enforcement, but also that these data broker practices are studied in other countries.

Floris Kreiken: Transparent consumers – Data brokers and profiling in the Netherlands

(Contribution by Floris Kreiken, Bits of Freedom)