The case of a software giant selling personal data to a third party is troubling, Iris Akwetey, senior research analyst with Info-Tech Research said today.
Akwetey was responding to news of a class action lawsuit filed last Friday against Oracle Corp., which stated that the company has detailed personal information on the buying habits of an estimated five billion consumers.
“Oracle, in most cases, will act as a data processor for other or most businesses (the data controllers),” she said. “(It) clearly may be violating some part of their contracts or even abusing their responsibility as data processors not to share or sell personal data to third parties without the knowledge of the data controller or the consent of data subjects.”
The regulations, said Akwetey, “require that data should not be stored infinitely. Every category of data (personal and sensitive) has its own retention period, which must be adhered to. Additionally, organizations must delete any data as soon as it serves its purpose.
“Oracle must be aware of these practices and the consequences of violation. Selling billions of folks’ personal data in today’s age of technological advancement is careless and unacceptable, and regulators will more than likely make a scapegoat out of this.”
Larry Ellison, the company’s founder and chairman, freely admitted in a keynote speech he made in San Francisco six years ago that the company was tracking the purchasing trends of billions of consumers.
Speaking at Oracle OpenWorld 2016, he said “one of the most famous machine learning applications, of course, is trying to predict purchases from consumers. And here, it’s really a combination of real time looking at all of their social activity, real time looking at where they are including micro locations.”
Ellison then said this is “scaring the lawyers, they are shaking their heads and putting their hands over their eyes.”
He went on to say that as Oracle collects “information about consumers, and you combine that with their demographic profile, and their past purchasing behavior, we can do a pretty good job of predicting what they’re going to buy next.
“Now, where does this demographic data come from? Where does this past purchasing stuff come from? Well, Oracle Data Cloud is the largest database. There are two big databases that keep track of consumers if you will, and have a lot of information about consumers.
“One is very famous, it’s called Facebook. The other one is less well known. It’s Oracle’s Data Cloud. We actually have more consumers in our data cloud than they have in theirs. They have great data, don’t get me wrong, Facebook has incredible data assets, but so do we.”
“And in our data cloud, marketers are able to target consumers and do a much better job of predicting what they’re going to buy next. I believe five billion consumers are in our identity graph – five billion. How many people are on earth? Seven billion – only two billion to go.”
According to a statement released on Monday by the Dublin-based Irish Council for Civil Liberties (ICCL), Dr. Johnny Ryan, senior fellow with the organization, is one of three class representatives in a suit filed in the U.S. District Court for the Northern District of California last Friday.
The others are Michael Katz-Lacabe, a U.S.-based privacy rights activist, and Dr. Jennifer Golbeck, a professor at the University of Maryland, who is described in a court document as an expert in social networks, social media, privacy, and security on the Web.
“Oracle is an important part of the tracking and data industry,” the statement reads. “It has claimed to have amassed detailed dossiers on five billion people and generates US$42.4 billion in annual revenue.
“Oracle’s dossiers about people include names, home addresses, emails, purchases online and in the real world, physical movements in the real world, income, interests and political views, and a detailed account of online activity.”
Ryan added, “we are taking this action to stop Oracle’s surveillance machine.”
Akwetey said that EU’s GDPR, together with other privacy regulations around the world such as California’s CPRA, demands that data subjects consent about how their data will be used and which third parties will have access to their personal information, either domestically or internationally.
“Most regulations also require consent if the purpose of the data collected changes at a point. Both the data controller and the data processor (through contracts) must comply with these requirements.
“Data processors and data controllers are also required to know what data they have, if that data is relevant to the purpose for which it was collected, and where that data is stored. So far, almost all the regulations have demanded an organization that collects data predict the use of the data to avoid collecting excess data.”