Dutch Group Calls for Scrutiny of Palantir Over Opaque Partnerships With EU Law Enforcement Agencies, Possible Privacy Violations
SOMI, a Dutch privacy group, is calling for a large-scale investigation into the partnerships that data analytics company Palantir Technologies has with a number of law enforcement and intelligence agencies throughout the European Union. SOMI contends that the firm could be participating in both knowing and unknowing privacy violations based on its associations with agencies that are making use of “predictive policing” technologies.
This article was published on CPO magazine by Scott Ikeda on 25 November 2020.
Potential privacy violations tied to police forecasting
Founded nearly 20 years ago by entrepreneurs Peter Thiel and Alex Karp, Palantir is both one of the world’s biggest data analytics firms and one of its most controversial. The majority of its clients are government agencies. The firm works with law enforcement and intelligence agencies around the world that handle the most sensitive sorts of personal data, but has something of a checkered past of its own that includes involvement in controversial Immigrations and Customs Enforcement (ICE) operations in the United States and a fuzzy level of collaboration with disgraced political consulting firm Cambridge Analytica.
The firm is also notoriously guarded about its inner workings. SOMI considers that a problem after inspection of its UK NHSX COVID-19 data analytics program raised concerns about how it accesses and uses the personal information of citizens, creating situations that could lead to personal privacy violations.
SOMI says that neither Palantir nor any of the agencies that it works with are voluntarily sharing any more information of this nature. In the EU, Palantir is partnered with Europol, the French intelligence services, the Danish National Police, the German State Police, and there is an unconfirmed connection to law enforcement agencies in the Netherlands. The company is also working on a system overseeing the UK’s border and customs data after the split from the EU is complete.
The privacy advocates have particular concerns about Palantir’s use of “police forecasting” methods. The group has quietly been testing its forecasting systems in cities such as Los Angeles and New Orleans off-and-on since 2013. The system used in Los Angeles processes two years worth of personal information on individuals with prior convictions, placing those that exceed a risk score threshold (calculated via items like police stops and known gang affiliations) on a “Chronic Offender Bulletin.” Those that land on this list are subject to increased police attention (and potentially privacy violations) regardless of whether or not they are currently suspects in a criminal investigation. Another piece of Palantir software predicts property crime hotspots and steps up patrols in them during expected peak periods.
SOMI’s list of complaints extends beyond just this single issue, however. The Dutch privacy group accuses Palantir of having too much proprietary control over EU resident personal data, being too prone to errors that expose citizen data, and presenting a national security threat to EU member states due to its deep involvement with US government agencies. It points out that Palantir appears to have been losing money throughout most of its history, subsisting off of US federal government contracts and subsidies.
One interesting item in this area that SOMI points out is that Palantir is subject to the “Foreign Intelligence Surveillance Act” (FISA), meaning that US intelligence agencies must be granted access to data that Palantir collects about non-US citizens. This point echoes the central thrust of the Schrems II decision that has disrupted trans-Atlantic digital trade, in which the case was successfully made that privacy violations occurred under the terms of the General Data Protection Regulation (GDPR).
In making their case against Palantir, SOMI also points out that the use of predictive policing methods potentially violates the core legal principle of “innocent until proven guilty” along with several relevant GDPR terms that forbid similar types of personal profiling and automated decision-making. When profiling algorithms are used, the GDPR does have some protections that require companies to make their workings known to the public.
Pushing for transparency
SOMI is asking EU citizens to sign their names to a campaign that pressures Palantir to make changes to its operations in the region to put an end to potential privacy violations. The privacy group is calling for greater transparency about exactly which agencies and companies Palantir is contracting with, the function and scope of the data analytics software it is using, and its GDPR compliance status. It also calls for any European government agencies that contract with Palantir to terminate their agreements if it is found that EU citizen privacy is not being properly maintained or that EU intelligence and surveillance operations might be compromised by use of the company’s software.
SOMI has previously led campaigns against TikTok for its passing of user data to servers in China, Zoom for assorted data breaches and privacy violations in recent years, and has taken on the practices of banks in its native Netherlands.