Updated Whitebridge AI, based in Lithuania, faces a privacy complaint for allegedly selling “reputation reports” based on unlawfully collected data and AI misinformation.
Noyb, a privacy advocacy group based in Austria, has asked the Lithuanian State Data Protection Inspectorate to ban Whitebridge AI’s “processing of scraped personal data and AI generated false information.”
The complaint [PDF] contends that Whitebridge AI has violated several provisions of Europe’s General Data Protection Regulation (GDPR), including Articles 5, 6, 9, 12, 14, 15, and 16.
The AI company on its website claims, “We fully comply with the GDPR, ensuring your personal data is protected and handled transparently. We only collect publicly available information and you have rights to access, rectify, erase, and restrict processing of your data.”
Noyb counters that most of the information in company reports appears to come from social media sites or searches of those sites – data that European case law has already established is not “manifestly public,” the threshold under Article 9 GDPR.
Lisa Steinfeld, data protection lawyer at Noyb, argues that Whitebridge AI’s business model is based on generating alarming data about people and monetizing the resulting anxiety.
“Whitebridge AI just has a very shady business model aimed at scaring people into paying for their own, unlawfully collected data,” said Steinfeld in a statement. “Under EU law, people have the right to access their own data for free.”
Whitebridge AI offers two AI-based services: reports describing a person’s online presence – images, social media posts, news articles – and real-time monitoring of that online presence to report any changes.
Google’s dev registration plan ‘will end the F-Droid project’
Your AI conversations are a secret new treasure trove for marketers
One line of malicious npm code led to massive Postmark email heist
ChatGPT wants teens to agree to let their parents spy on them
Noyb is representing two unidentified complainants who sought their reports under Article 15 – which provides people with the right to access their data – but received no response. When Noyb purchased their reports, the profiles “contained false warnings for ‘sexual nudity’ and ‘dangerous political content.'”
When the complainants sought to correct their reports, Whitebridge AI is alleged to have required a “qualified electronic signature” to carry out the request – a requirement that Noyb says does not exist under EU law.
A year ago, Stacey Edmonds, co-founder and CEO of Australia-based cybersafety group Dodgy or Not?, published a LinkedIn post that expressed concern about Whitebridge AI’s data gathering service.
Edmonds wrote that she contacted Whitebridge AI and the Lithuanian State Data Protection Inspectorate to communicate her concerns. Her inquiry appears not to have had any impact on the company’s practices.
Maybe Noyb’s formal complaint will get more attention. ®
Updated to add:
In a statement provided to The Register after this story was filed, a spokesperson for Whitebridge AI defended the company’s practices, telling us: “WhiteBridge AI takes data protection and privacy very seriously.
“All personal data processed by the company is collected only from publicly available sources and solely for lawful, clearly defined purposes. We want to emphasize clearly that WhiteBridge AI does not proactively collect or store any personal data.
“Data processing takes place only after receiving an individual and specific client request for the preparation of a report. In such cases, only information that is already publicly available is used – for example, public social media profiles, public news portals, or other open data sources. WhiteBridge AI strictly adheres to data retention limitation practices – all issued reports are deleted after 30 days.
“WhiteBridge AI has no databases or archives where information about individuals would be stored without a legitimate request, nor does it create such databases.
“The company has implemented legally required notices and policies, as well as conducted the relevant assessments related to personal data protection, ensuring compliance with the GDPR and the Law on the Legal Protection of Personal Data.”
It added in response to noyb’s legal team’s statement that the org believes “that the statement in the article regarding a ‘shady business model’ and allegedly illegally collected and sold data is unfounded. We are open to constructive dialogue and are ready to further explain our processes to supervisory authorities.”
