On October 27, 2020, the Office of the United Kingdom Information Commissioner (“ICO”) issued its notice of enforcement against credit reporting agency Experian Limited (“Experian”) under Section 149 of the Data Protection Act 2018 (“DPA”) (the “Notice”). The Notice obliges Experian to make fundamental changes to its offline direct marketing practices. It was released after the ICO conducted a two-year investigation into the use of personal data by the data brokers Experian, Equifax and TransUnion.
The ICO’s investigation found that all three organizations had used personal data to enable commercial organizations, political parties and charities to find new customers and to identify the people most likely to be able to afford goods and services, and that they had built profiles of millions of individuals without those individuals’ knowledge (i.e. “invisible processing”). In the case of Experian, the ICO found that its practices breached the data protection principles under Article 5 of the EU General Data Protection Regulation (“GDPR”), in particular the principles of transparency and lawfulness, and infringed the rights of data subjects under Articles 12 to 22 of the GDPR.
The ICO identified numerous other shortcomings of the three organizations, including the continued use of personal data provided for credit referencing purposes for direct marketing, the use of profiles to derive new information about data subjects, a lack of transparency and the incorrect use of lawful bases for processing. The shortcomings of the organizations are explained in more detail in the ICO’s report on data protection compliance in the direct marketing data brokerage sector, published on October 27, 2020.
While all three organizations made changes to their marketing practices at the request of the ICO, including, in the case of Equifax and TransUnion, withdrawing certain products and services, the ICO found that Experian had not gone far enough: Experian refused to provide privacy information to individuals or to stop using credit reference data for direct marketing purposes. The ICO considered Experian’s violations of the law serious because (1) an extremely large number of individuals were affected; (2) the processing involved profiling and compiling personal data from a number of different sources; (3) the processing was invisible, and parts of Experian’s business model relied on such processing remaining invisible; and (4) there was no public interest in the processing. The ICO also noted that the processing was likely to cause problems for data subjects because of its unexpected nature.
The Notice requires Experian to make changes by July 2021 so that data subjects are informed that Experian holds their personal data and how it uses or intends to use that data for marketing purposes (subject to Experian’s appeal). Experian must also cease using personal data obtained through its credit reference business for direct marketing purposes by January 2021, as individuals have no control over whether their data is shared with Experian for credit reference purposes and would not expect such processing to occur. Failure to take the required action could result in the largest fines available under the GDPR (i.e. up to £20 million or 4% of Experian’s annual global turnover).
UK Information Commissioner Elizabeth Denham said: “The data brokerage sector is a complex ecosystem where information appears to be widespread, with no concern for transparency, and millions of adults in the UK have little or no choice or control over their personal information. The lack of transparency and legal bases coupled with the intrusive nature of profiling has resulted in a serious violation of the individual’s information rights.” Denham also commented that she expects other data brokerage organizations to make the same commitments as Equifax and TransUnion with respect to upholding the legal rights of individuals.
Experian has announced that it will appeal the notice.