Address trader sues German DPA to prevent noyb from accessing files
Two years ago, noyb filed a complaint against the address trader Acxiom and the credit reference agency CRIF in Germany. Although there is strong evidence that the companies’ large-scale trade with people’s personal data violates the GDPR, the case is still pending with the Bavarian and Hessian DPA. So in spring 2023, noyb asked the Hessian authority for access to the case file of the Acxiom complaint. The address trader reacted quickly - with a request for an interim injunction against the authority to prevent any kind of access to the files.
- Complaint against CRIF and Acxiom (German)
- English auto-translation of the complaint
- timeline of the complaint
Background: secret and illegal trade of personal data. The credit reference agency CRIF continuously buys the names, dates of birth and addresses of millions of Germans from the address trader Acxiom. Although the data was originally collected for marketing purposes, CRIF uses it to assess people’s creditworthiness. This is usually done without ever informing people and without their consent – which is likely to violate European data protection law on several accounts.
No notice or consent. Under the GDPR’s principles of purpose limitation and lawfulness, data collected for marketing purposes can’t be used without consent for credit scoring (i.e. to forecast the probabilities of non-payment). This shouldn’t be news to Acxiom and CRIF: the Data Protection Conference, a board of all German data protection supervisory authorities, has emphasized several times that data other than negative payment experiences or other non-contractual behaviour may only be used for credit scoring with consent. Not only do CRIF and Acxiom categorically fail to ask their data subjects for such consent, they don’t even let them know that their data will be sold to CRIF. The data subject represented by noyb, for example, only found out about the unlawful processing of his data through an access request.
Marco Blocher, data protection lawyer at noyb: “Secretly using data from an address trader to calculate peoples’ credit scores is like a textbook case of unlawful processing under the GDPR. This practice is done in secret, entails an unlawful change in the purpose of the processing - and it simply lacks a legal basis."
Two years of standstill. The violations of European data protection law are hard to deny. Nevertheless, the case is still pending with the Hessian (responsible for Acxiom) and Bavarian (responsible for CRIF) data protection authorities (DPAs) almost two years after it was filed. In order to get an idea of the current state of those cases, noyb requested access to the case files from the Hessian authority (Bavaria doesn’t grant this right, but that is a problem in itself). The Hessian DPA seemed willing to grant the requested access and heard Acxiom on the matter – but was promptly sued. The address trader is now seeking to obtain an interim injunction in court to prevent the complainant from any access to the files, while the company itself requested and was granted access to the files.
Procedural delay. There are a few exceptions to the right of access to files, e.g. in the case of business secrets. However, there is no legal basis for closing the entire administrative file. Acxiom is probably aware of this. In reality, the company seems to be trying to delay a decision by the Hessian data protection authority by creating a procedural sideshow. This allows Acxiom to continue the unlawful sale of personal data.
A SLAPP-like measure. Acxiom's motion to ban seems to follow the concept of so-called "SLAPPs" ("Strategic Lawsuits Against Public Participation"), which the EU wants to criminalise. The filing of abusive applications, combined with the deterrent costs and complexity of litigation, as well as the frequent congestion of the courts, is intended to discourage individuals and NGOs like noyb from holding companies accountable.
Jonas Breyer, German lawyer representing the complainant and noyb before the Wiesbaden Administrative Court: "Companies keep trying to drag out the enforcement of data protection rights in order to keep shady but lucrative business models artificially alive. It speaks for itself when Axciom initiates legal proceedings, for example, calling their terms and conditions from 2008 and other outdated documents trade secrets."
Abuse of the legal system. The Acxiom case shows once again that even after five years of GDPR, some companies believe that the legal system can be absued to maintain unlawful business models. This is unacceptable, especially for a company that handles the data of millions of people and works with international clients such as Meta, Adobe, Google, IBM and PayPal. noyb will not back down and is ready to file further complaints or sue companies like Acxiom for injunctive relief and damages based on the new representative actions directive.