Articles concerning the buying and selling of personal data come to my attention almost on a daily basis lately. For me this is a good thing as one of the hypothesis of my thesis is now the patrimonial value of personal data and its legal consequences – such as recognizing certain proprietary rights in personal data. However, for privacy and for the a bureaucratic-free society this is a completely bad thing.
I decided to create a new category in this blog which will collect all the information I gather from the media regarding the commercialization of aggregated personal information.
Today I read an article in The New York Times about Acxiom. I’ve never heard of that company before. Apparently, it is one of the biggest “data brokers” in the world. “Its servers process more than 50 trillion data “transactions” a year. Company executives have said its database contains information about 500 million active consumers worldwide, with about 1,500 data points per person. That includes a majority of adults in the United States.”
What is also interesting is that “For Acxiom, based in Little Rock, the setup is lucrative. It posted profit of $77.26 million in its latest fiscal year, on sales of $1.13 billion”. Hence, in one instance of the trade world, aggregated personal information values 1.13 billion dollar a year. So, is it just to talk about personal information as valuable goods? I believe it is, as it would be a non-sense declaring personal information values nothing, when one company in this world sells personal information for 1.3 billion dollar a year. However, the personal information sold is not merely personal information, but aggregated personal information. The legal regime of such transactions should, therefore, take into account also this reality.
What is even more interesting is the following statement from the same article: “Such large-scale data mining and analytics — based on information available in public records, consumer surveys and the like — are perfectly legal”. This affirmation involves two possible conclusions. First, if indeed they are legal, then the law has to be changed. Second, if they are not legal, then the existing law should be interpreted as such and applied against such companies. As far as I know, there is a right to privacy protected under American constitutional and tort law, even if it is not still very well developed in the sense of also covering information already made available to the public in certain circumstances or for certain purposes. But in a flexible common law system, this should not be a barrier of applying the right o privacy in such a manner.
Instead, the EU regulates more in depth the issue of processing even data previously made available to the public. So at least this is what I thought. I found out that Acxiom has several branches in EU, for instance in Germany, UK and Poland, just to name three. As far as I knew, EU data protection law forbids personal data processing without the consent of data subjects, unless the processing is provided by law or the processor, lato sensu, has a legitimate interest of processing it. I highly doubt that producing private profit for a big data company is a legitimate interest in the meaning of the 95/46 Directive. Hence, my assumption is that at least the European branches of this company have the consent of every single person whose data they sell for a particular transaction in a particular purpose. Because if they don’t have the data subjects’ consent and they are still legally functioning on the territory of the EU, than even the specialized European law of data protection is not good enough to prevent the invasion of privacy in this scenario.