Most of us are aware of instances where personal data is leaked through breaches orchestrated by hackers. Last year’s massive Optus cyberattack is one such example. We view these as unfortunate events not deliberately perpetrated by the company holding our data. But what many Australians don’t know is that several business giants are selling customer data – deliberately and legally.
Mastercard, the world’s second-largest payment-processing corporation is one such company. If you don’t have a Mastercard yourself, you’ll know someone who does. The corporate behemoth processes 28 per cent of all purchases across the country through their systems.
Not satisfied with that market domination, Mastercard sells customers’ transaction histories and data to third parties across the globe. Australian cardholders are not exempt from the practice, which nets the company as much as $380 billion a year.
Selling customer data – how is it legal?
The short answer is one that probably won’t surprise you. We consent to Mastercard passing on our data when we sign up for a new card. The details are all there in that land of text no-one ever visits – the ‘fine print’.
To be fair, Mastercard’s ‘Global Privacy Notice’ (GPN) is available online in an easy-to-read font size. But how many of its customers have the time or inclination to track them down and actually read them?
The old adage ‘buyer beware’ could reasonably be applied here. It’s up to us as customers to know what we’re agreeing to. On the other hand, should we expect Australian law to prevent dissemination of such data?
Here’s where it gets interesting. What happens if Mastercard passes on customer data covered by Australian law to a country that has less strict regulations? The company addresses that question in its GPN.
It starts with what could almost be construed as an excuse: “Mastercard is a global business.” Then it gets down to tin tacks: “We may transfer your Personal Information to the United States and other countries which may not have the same data protection laws as the country in which you initially provided the information, but we will protect your Personal Information in accordance with this Global Privacy Notice, or as otherwise disclosed to you.”
That seems rather vague.
Should Mastercard be doing better?
The US-based Public Interest Research Group (PIRG) thinks so. It says companies such as Mastercard have taken data harvesting and sales too far. “Mastercard should commit to a policy of limited data use by implementing the principles of data minimization and purpose specification. This would mean collecting only the data necessary for providing the services cardholders are expecting to get – access to a safe and reliable credit card – and using the data only for that purpose.”
Many would agree with that sentiment, but Mastercard and other global giants are unlikely to make such commitments unless obliged – not when they are sitting on what are described as ‘gold mines’ of data.
There’s big money in customer data
That may sound like an exaggeration, but the market for data is huge. The global data market is estimated to pass $700 billion by 2031. Mastercard is well aware of its potential, to the point where it has established its own data sales division.
When it comes to your customer data, it is protected – to a degree. But perhaps not quite the degree you may have expected.
Were you aware that companies like Mastercard were selling customer data? How do you feel about that? Let us know via the comments section below.
Also read: Angry Aussies demand more compensation for data breaches
Does this include Mastercard ‘Debit’ cards, issued by banks, which are attached to savings accounts?