by culturestate 2157 days ago
Acxiom is one of the largest (and oldest, they started in the 1970s) data brokers in the world. I think they, like a lot of other creaky corporations, don't necessarily make things difficult on purpose but they...don't go out of their way to make the bureaucracy any more navigable than it has to be.

In other words, it's not a bug, it's an accidental feature.


I am sorry, how does that resolve the issue of them operating illegally?

The fact that you're an old mess means you should be destroyed as a business to allow for newer, more ethical businesses to pop up.

If this is an accidental feature it means you should be accidentally run out of business.

> how does that resolve the issue of them operating illegally?

Which part of the process described is illegal? The GDPR explicitly requires[1] controllers to verify subjects' identities in an access request:

> The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.

1. https://gdpr.eu/recital-64-identity-verification/

That is true, but the word "reasonable" is significant. Taking reasonable steps to confirm a data subject's claimed identity is fair and necessary. Giving them the run around and hiding behind that verification obligation as an excuse is not.

I mean, sure, but OP indicated that he didn't want to provide the info they requested for verification. I don't see how their action here could be considered unreasonable.

"I promise you that I am the only person on earth with this name" doesn't really seem like a sufficiently secure attestation.

OP here. My name is unique globally (there are no other people with this name), easily searchable, linked to my personal domain, and my personal email address on that domain.

But even if we can't go by that, I gave them plenty of options that won't involve me disclosing my entire address history. How on earth am I supposed to give all my address history to a company I never heard of, and who shared my data without my consent...

They didn't come up with any concrete suggestions that won't involve disclosing much more information about myself than I think it's reasonable to require in order to release my own personal info.

I think I was very reasonable, and they weren't. Legally I'm not sure what the situation is. IANAL.

I'll be honest - based entirely on your description of events, with no other context, I wouldn't have approved this request either. Here's my reasoning:

> They then asked me to provide my address to confirm my identity...I wasn't keen on it.

This means one of the primary avenues of verification (possibly the only avenue for some shops) is unavailable. In the scope of GDPR, it's important to remember that they aren't allowed to retain any information you provide for this purpose for any reason other than keeping a record of the request.

> I mentioned that my full name is globally unique, but they refused.

I would have absolutely no way to validate this, because I don't have a comprehensive listing of all 7 billion-odd people in the world. Even if I did, and it was, it's still only a single factor - I doubt you'd want me to release your data to anyone else based only on them knowing your name and that it's unique.

> My name is...easily searchable, linked to my personal domain, and my personal email address on that domain

This can't be relied on, obviously, because there's no identity verification on (most) domain registrations. For all I know, the email address that I have attached to your profile isn't even yours (because we have no preexisting relationship, this has never been proven.)

> I tried to ask them to share some masked data that I can confirm in full...They refused.

I don't think this is actually allowed under GDPR, but assume it is. Let's say you do this twice with two different data controllers - they each provide you with a masked address, but they've masked different parts (because there's no standard).

If you were a malicious actor, you'd now have the subject's complete address and could use that to gain access to the rest of their data. It opens up a significant attack vector.

> How on earth am I supposed to give all my address history to a company I never heard of, and who shared my data without my consent...

Assuming this was someone unknown and not Acxiom, this is a valid point and unfortunately I don't think there's a great answer. In this case, it is Acxiom and you could've quite easily discovered that they're a major corporation and not a random data harvesting shop.

> I think I was very reasonable, and they weren't.

At the end of the day, you're going to have to give them something to prove who you are. If you won't even provide your old addresses, then absent a government-issued ID (which I assume you also would be reticent to provide on the same grounds) I don't know how else I would even attempt to conduct verification.
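The point made above about two controllers masking different parts of the same address can be shown concretely. The following is an added example, not code from the thread or from any data controller; the mask character, the separator-preserving masking policy and the address itself are all assumptions constructed for illustration. Each controller's view on its own hides most of the field, but the union of the two views gives an attacker the whole value.

```python
"""Recombining differently masked copies of one field.

Two hypothetical controllers each release a 'safely' masked view of the
same address under their own policy. Because they hide different parts,
merging the two views recovers the complete value.
"""
from __future__ import annotations

MASK = "*"
# Assumption: masking policies leave common separators visible.
SEPARATORS = set(" ,.-/")


def apply_mask(value: str, reveal: list[tuple[int, int]]) -> str:
    """Mask every character outside the given [start, end) ranges,
    except separators, which stay visible."""
    visible: set[int] = set()
    for start, end in reveal:
        visible.update(range(start, end))
    out = []
    for i, ch in enumerate(value):
        out.append(ch if i in visible or ch in SEPARATORS else MASK)
    return "".join(out)


def merge_masked_views(views: list[str]) -> str:
    """Union of the characters revealed across all views of one field.

    Raises ValueError if the views cannot describe the same value
    (different lengths, or two views revealing different characters
    at the same position).
    """
    if not views:
        raise ValueError("no views to merge")
    length = len(views[0])
    merged = [MASK] * length
    for view in views:
        if len(view) != length:
            raise ValueError("views have different lengths")
        for i, ch in enumerate(view):
            if ch == MASK:
                continue
            if merged[i] != MASK and merged[i] != ch:
                raise ValueError(f"conflict at position {i}: {merged[i]!r} vs {ch!r}")
            merged[i] = ch
    return "".join(merged)


def recovered_fraction(view: str) -> float:
    """Share of positions in a view that are not masked."""
    return 1.0 - view.count(MASK) / len(view)


# Constructed sample; not a real person or address.
FULL_ADDRESS = "42 Example Street, Springfield"

# Controller A's policy: show house number and city, hide the street name.
VIEW_A = apply_mask(FULL_ADDRESS, [(0, 2), (19, 30)])
# Controller B's policy: show the street name, hide number and city.
VIEW_B = apply_mask(FULL_ADDRESS, [(3, 17)])


def demo() -> dict[str, str | float]:
    """Merge the two views and report how much each one leaks on its own."""
    merged = merge_masked_views([VIEW_A, VIEW_B])
    return {
        "view_a": VIEW_A,
        "view_b": VIEW_B,
        "merged": merged,
        "leak_a": recovered_fraction(VIEW_A),
        "leak_b": recovered_fraction(VIEW_B),
        "leak_merged": recovered_fraction(merged),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12}: {value}")
```

Neither view alone is a complete address, and a controller judging its own policy in isolation would call both of them safe; the merged result is the problem, and no single controller can see it, which is the argument for a fixed standard rather than each controller choosing its own mask.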

This. I would go out on a limb and offer that Acxiom has likely invested more in compliance in this regard than most other companies on the planet.

People may not agree with their stance, but it has yet to be successfully challenged in court to my knowledge.

One good thing about the GDPR is that it was basically designed to allow the regulators to beat up businesses that do that. If you're too old or inflexible to live up to your obligations, congratulations, it's now a liability that could turn into substantial fines.

Has the EU actually shown any teeth to these outfits?

It's one thing to say something is illegal but if you don't enforce that these firms will be able to operate with impunity.

> Has the EU actually shown any teeth to these outfits?

It's starting to.

https://dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2...

There are 7-8 figure fines already this year, and two 9 figure ones that the UK regulator has given notice on.

Note that in principle it's not up to the EU to enforce because the GDPR is a directive; it's up to the individual member states to enforce the directive as enshrined in their law.

GDPR isn't a directive, it's a regulation. It's literally what the R stands for.

The major difference between the two in terms of how the EU makes laws is that directives are the indirect one: individual member states are required to incorporate the provisions into their own legal systems to give them force of law. An EU regulation is the direct equivalent: it carries force of law across all member states immediately. In the case of the GDPR, the UK government has also stated that its provisions will continue here after Brexit and the related transition arrangements.

However, you're right that enforcement will normally be done by an individual member state, because it is typically the national data protection or privacy authority in each state that acts as regulator and has enforcement powers under the GDPR. In theory, there's supposed to be some coordination so one of those regulators will take the lead on any given investigation or enforcement action instead of 28 different organisations all diving in at once, but it doesn't seem to be clear yet how that aspect will work post-Brexit.

In theory, yes. In practice... I'm not so sure. These processes are slow and I imagine that the regulators are drowning in complaints and are hugely understaffed.

And there's no recourse besides filing a complaint. Even if I'm legally right, what damage was caused to me that I can seek compensation for? (assuming I go and try to take them to court directly).

Isn't the difficulty in proving actual damages in a personal claim one of the main arguments for making this a regulatory matter?

As mentioned in my other comment near here, the regulators have started issuing some reasonably substantial fines already.

Yes, absolutely. Yet the likelihood of Acxiom being fined anything other than some token amount in a case like mine is virtually zero.

It feels like that, but I wonder how long it will be before one of the regulators decides to make an example of one of the big data-hoarding companies. Their whole business model is morally and now also legally dubious, and it's so obviously against the spirit of the GDPR that it seems like a matter of time before someone decides to pick a fight. I doubt it will be a single case like yours that starts it, unless perhaps it provides a convenient excuse to start an investigation, but it will be a thousand or a million situations like yours that motivate it.