Collective data request - Palantir
In August 2021, SOMI has launched a collective data request to three tech companies from outside the EU: TikTok, Palantir, and Zoom. With this campaign, we request access to the personal data collected by these companies on behalf of our participants. SOMI and its participants are advised and represented by Douwe Linders from the law firm SOLV.
On the 20th of October, Palantir has sent an email to our users inquiring about their relationships with the company. This communication was done without consultation with SOMI and our lawyer.
On the 4th of November, Palantir sent another email stating that under no circumstances does it process personal data from or about our participants. In short, Palantir claims that with regard to the protection of personal data of the citizens, it has no responsibility for GDPR protection because Palantir is no more than a processor of the data from other parties, but it does not have ultimate responsibility for the personal data.
SOMI believes that large SaaS (Software as a Service) platforms, such as Palantir, to some extent also maintain control of any collected data and that a large publicly-traded company cannot just shift its responsibility to customers.
In addition, Palantir makes important decisions about the application and presentation of data. This allows the company to influence what is done with those data. In such situation, Palantir can be regarded as both the processor and as a party responsible for the processing of personal data from third parties. If this is the case, Palantir is indeed subjected to access requests from European citizens to view the personal data collected about them.
In order to make this case more clear, SOMI refers to the guidelines by the European Data Protection Board. These guidelines determine how the European concepts regarding data collection and storage should be applied.
According to the EDPB guideline 7/2021, adopted on June 21st, 2021, a number of criteria are important to determine whether a processor of the data (from other parties) should also be seen as a processor due to the factual circumstances of the case itself, as a party that is independently responsible for the collection of personal data. This may include the following circumstances:
• The processor has an advantage or interest in processing of data
• The processor makes decisions about the processed data of third parties
• From a security point of view, the processor has its own responsibility for the internal processes in which data from third parties is processed
• The processor has full autonomy in determining the way in which the personal data (from third parties) is processed
There are several indications that the American company, Palantir Technologies, has processed data about European citizens from a large number of European governments and regulators. For example, Palantir has worked with six security regions in the Netherlands to process large amounts of personal data as part of the program to monitor the development of Coronavirus pandemic. In addition, Europol has been using Palantir's Gotham software to analyze counter-terrorism data since 2016. It is important to mention that Palantir, as an American company, is obligate to share personal data with American government authorities.
What is becoming clear so far is the complete lack of transparency about what Palantir is doing in Europe. Governments and law enforcement agencies that start using Palantir's software remain silent about it. As a result, there is no way to find out which data Palantir processes and how it works.
SOMI supports European citizens to return the personal data back to where it belongs so that we, as a citizen, can make our own decisions about it. Personal data is valuable. Possession of personal data is necessary for the individual's autonomy.
All your data. All yours.