[gingerlime]

I've been in touch with a company called Acxiom, who shared my details on Facebook. I've never heard of it, so I submitted a Data subject request to see what they know about me.

They then asked me to provide my address to confirm my identity. Given that I moved quite frequently, and that I'm now asked to share more personal data with a company who's mishandling my data, I wasn't keen on it.

I mentioned that my full name is globally unique, but they refused. I tried to ask them to share some masked data that I can confirm in full (e.g. "give me a partial address and house number, I can give you the full address"). They refused.

They definitely try to make it hard for you, and to dodge responsibility.

[culturestate]

Acxiom is one of the largest (and oldest, they started in the 1970s) data brokers in the world. I think they, like a lot of other creaky corporations, don't necessarily make things difficult on purpose but they...don't go out of their way to make the bureaucracy any more navigable than it has to be.

In other words, it's not a bug, it's an accidental feature.

[heavenlyblue]

I am sorry, how does that resolve the issue of them operating illegally?

The fact that you’re a old mess means you should be destroyed as a business to allow for newer, more ethical businesses to pop up.

If this is an accidental feature it means you should be accidentally run out of business.

[culturestate]

> how does that resolve the issue of them operating illegally?

Which part of the process described is illegal? The GDPR explicitly requires[1] controllers to verify subjects' identities in an access request:

The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.

1. https://gdpr.eu/recital-64-identity-verification/

[Silhouette]

That is true, but the word "reasonable" is significant. Taking reasonable steps to confirm a data subject's claimed identity is fair and necessary. Giving them the run around and hiding behind that verification obligation as an excuse is not.

[culturestate]

I mean, sure, but OP indicated that he didn't want to provide the info they requested for verification. I don't see how their action here could be considered unreasonable.

"I promise you that I am the only person on earth with this name" doesn't really seem like a sufficiently secure attestation.

[gingerlime]

OP here. My name is unique globally (there are no other people with this name), easily searchable, linked to my personal domain, and my personal email address on that domain.

But even if we can't go by that, I gave them plenty of options that won't involve me disclosing my entire address history. How on earth am I supposed to give all my address history to a company I never heard of, and who shared my data without my consent...

They didn't come up with any concrete suggestions that won't involve disclosing much more information about myself than I think it's reasonable to require in order to release my own personal info.

I think I was very reasonable, and they weren't. Legally I'm not sure what the situation is. IANAL.

[shostack]

This. I would go out on a limb and offer that Axciom has likely invested more in compliance in this regard than most other companies on the planet.

People may not agree with their stance, but it has yet to be successfully challenged in court to my knowledge.

[Silhouette]

One good thing about the GDPR is that it was basically designed to allow the regulators to beat up businesses that do that. If you're too old or inflexible to live up to your obligations, congratulations, it's now a liability that could into substantial fines.

[Lio]

Has the EU actually shown any teeth to these outfits?

It's one thing to say something is illegal but if you don't enforce that these firms will be able to operate with impunity.

[Silhouette]

Has the EU actually shown any teeth to these outfits?

It's starting to.

https://dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2...

There are 7-8 figure fines already this year, and two 9 figure ones that the UK regulator has given notice on.

[gsnedders]

Note that in principle it's not up to the EU to enforce because the GPDR is a directive; it's up to the individual member states to enforce the directive as enshrined in their law.

[Silhouette]

GDPR isn't a directive, it's a regulation. It's literally what the R stands for.

The major difference between the two in terms of how the EU makes laws is that directives are the indirect one: individual member states are required to incorporate the provisions into their own legal systems to give them force of law. An EU regulation is the direct equivalent: it carries force of law across all member states immediately. In the case of the GDPR, the UK government has also stated that its provisions will continue here after Brexit and the related transition arrangements.

However, you're right that enforcement will normally be done by an individual member state, because it is typically the national data protection or privacy authority in each state that acts as regulator and has enforcement powers under the GDPR. In theory, there's supposed to be some coordination so one of those regulators will take the lead on any given investigation or enforcement action instead of 28 different organisations all diving in at once, but it doesn't seem to be clear yet how that aspect will work post-Brexit.

[gingerlime]

In theory, yes. In practice... I'm not so sure. These processes are slow and I imagine that the regulators are drowning in complaints and are hugely understaffed.

And there's no recourse besides filing a complaint. Even if I'm legally right, what damage was caused to me that I can seek compensation for? (assuming I go and try to take them to court directly).

[Silhouette]

Isn't the difficulty in proving actual damages in a personal claim one of the main arguments for making this a regulatory matter?

As mentioned in my other comment near here, the regulators have started issuing some reasonably substantial fines already.

[gingerlime]

Yes, absolutely. Yet the likelihood of Acxiom being fined anything other than some token amount in a case like mine is virtually zero.

[Silhouette]

It feels like that, but I wonder how long it will be before one of the regulators decides to make an example of one of the big data-hoarding companies. Their whole business model is morally and now also legally dubious, and it's so obviously against the spirit of the GDPR that it seems like a matter of time before someone decides to pick a fight. I doubt it will be a single case like yours that starts it, unless perhaps it provides a convenient excuse to start an investigation, but it will be a thousand or a million situations like yours that motivate it.

[icedchai]

There's so many copies of personal data all out there, it would blow your mind. I have a friend who works in this industry. Brokers sell to other brokers who sell to other brokers, who might even sell it back to the original broker after it's been "enriched" with more detail from additional brokers.

I'm a pessimist. You will never remove your personal data. If you get it removed by one company, the others will pop up like mushrooms. Also, from what I've seen, a lot of this information is out-of-date or crap that is just plain wrong.

[koheripbal]

They obviously need to have a process to validate identity, and it's ridiculous to think that they would tailor that process for every request.

It's also odd that you would want to give them your NEW address if they are likely validating against your OLD address.

Why didn't you just give them your OLD address to check against?

[fmajid]

In fact identity verification is one of Acxiom's lines of business, but that is US-centric and probably doesn't work very well for EU or global persons.

Disclaimer: I worked for Acxiom 2007-2009, but not in the data brokerage core business.

[Ntrails]

> They definitely try to make it hard for you, and to dodge responsibility.

Yes, but at the same time you do not want them handing over all your data with zero checks on identity right..?

[lucb1e]

My ID contains: first name, last name, date of birth, place of birth, length, issuance and expiration, document number, citizen service number (~SSN), citizenship, photo (2x), gender, issuing authority (in my case: a municipality so small that it's more specific than geoIP), and in some countries it also contains your place of residence.

If they just have my name, now they have a lot of extra information. That's why my government recommends[1] to both watermark the copy and blacken unnecessary fields like the citizen service number and your photo. Such fields don't help them identify you, so you shouldn't share it with them. But imagine actually doing that: the only non-black parts (the parts they can actually match against their database) would be my name. Or in the case of WiFi tracking: nothing. I had to submit ID but really they just looked up whatever MAC address I claimed; I could have claimed my ex girlfriend's MAC address for all they knew. It's also trivial to photoshop a document if all you need to swap around are a few letters.

Identification is completely useless unless done in person when they can actually hold the document against the light and compare it to the European database of what it should look like[2]. (I've never seen anyone do the latter; see also lichtbildausweis[3].) Online, the best you can do is ask to confirm data that you already have about the person. Asking to confirm that same data but on a photoshopped (watermarked and censored) piece of plastic doesn't help anything.

In conclusion, sure I agree that you shouldn't be able to request my data, but the point is about the means rather than the goal. Is providing a censored and watermarked picture of an identity document a means of reaching that goal a better means of reaching that goal than confirming some data like the calendar week during which I was in whatever hotel they have my data from (for example)? That's what GP was offering them: asking to confirm masked data rather than having to provide extra and unnecessary personal data.

[1] https://www.rijksoverheid.nl/onderwerpen/identiteitsfraude/v... In Dutch, but see the pictures near the bottom. This is the federal Dutch government's recommendation on how to provide a copy of your identity card.

[2] https://www.consilium.europa.eu/prado/en/search-by-document-...

[3] Original in Dutch: https://dewinter.com/2012/09/24/de-legitimatiecontrole-in-ne... TL;DR: a "lichtbildausweis" is the german word for "photo ID". But how many Dutch people know that? So when you order a photo ID from germany, for example from a website that sells company badges (like, upload your company logo and employee photo and they'll print a plastic card for you), make sure it contains all the fields that you'd generally expect on an ID card, and they'll take it for being a german ID.