Digital Identity Search Firm Blasts Noyb’s GDPR Complaint Against It
Lithuanian-based digital identity research tool Whitebridge.ai is selling "reputation reports" compiled from large amounts of scraped personal information about unsuspecting people to "anyone willing to pay" for them, privacy advocate Noyb alleged Monday. It slammed the company's "shady business model."
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
However, Whitebridge said Noyb's claims were "unfounded."
Noyb filed a complaint with the Lithuanian DPA asking the company to comply with complainants' GDPR subject access requests and to correct the false data in the reports about them. It urged the DPA to impose a fine.
Some data in Whitebridge's reports isn't factual but is AI-generated and includes suggested conversation topics, a list of alleged personality traits and a background check to determine if the person shared adult, political or religious content, Noyb said.
Despite people's legal right to free access to their data, "the company only sells its reports," Noyb said. "It seems the business model is largely based on scared users that want to review their own data that was previously unlawfully compiled."
In its privacy notice, Noyb noted, Whitebridge states its processing of personal data is legal and in line with its "freedom to conduct a business." But the company disregards the fact that any business must comply with the law, including the GDPR, Noyb said.
Whitebridge also doesn't have a legal basis to process all the personal data in the first place, Noyb added. The company claims it processes data from publicly available sources, but "in reality, most of this data is taken from social network pages that are not indexed or found on search engines."
Complainants searched for their names on Whitebridge's website and discovered that anyone could buy a report containing their information without them being informed, Noyb said. They then filed a subject access request but received no information.
Noyb purchased the complainants' reports, which contained false warnings for "sexual nudity" and "dangerous political content," matters considered specially protected sensitive data under the GDPR. The complainants were unsuccessful in having false information about themselves corrected, Noyb added.
In an email to Privacy Daily on Monday, Whitebridge said that all personal data processed by the company is collected from publicly available sources and solely for lawful, clearly defined purposes. In addition, Whitebridge said it doesn't proactively collect or store personal data and that data processing occurs "only after receiving an individual and specific client request for the preparation of a report."
In those cases, it said, only information that's already publicly available is used, such as public social media profiles, public news portals, or other open data sources. Whitebridge added that its legally required notices and policies are compliant. Moreover, it has conducted relevant personal data protection assessments to comply with the GDPR and other privacy laws.
"In light of this, we believe that the statement in the article regarding a “shady business model” and allegedly illegally collected and sold data is unfounded. We are open to constructive dialogue and are ready to further explain our processes to supervisory authorities."