
ICO slams Experian over ‘invisible’ data processing

Data processing practices used by Experian broke data protection law, says Information Commissioner’s Office

Credit reference agency (CRA) Experian must make significant changes to how it handles people’s personal data within its direct marketing practice – or face sanctions under a new enforcement notice issued by the UK Information Commissioner’s Office (ICO).

The order comes after a two-year probe into the data-processing practices used by Experian and its competitors, Equifax and TransUnion, which found significant data protection failings at each.

During the investigation, the ICO found each agency was “trading, enriching and enhancing” people’s personal data without their knowledge to develop products that were then sold on to commercial organisations, political parties and charities. It said this “invisible” data processing affected millions of adults in the UK who were unaware that their data was being collected and used in this way – a breach of the General Data Protection Regulation (GDPR).

“Our investigation uncovered data protection failings that likely affected millions of adults in the UK,” said information commissioner Elizabeth Denham. “Our investigation has changed the way credit reference agencies operate their offline direct marketing services. It has found invisible processing, allowing people to better understand how their data is being used, meaning people can exercise their privacy and data protection rights.

“The information the CRAs are privileged to hold for statutory credit reference purposes was unlawfully used by them in their capacity as a data broker, with poor regard for what people might want or expect.”

The investigation also unearthed a number of other data protection failings at the CRAs, including a lack of transparency in what the agencies told people they were doing with their data, and the incorrect use of lawful bases for data processing.

Both Equifax and TransUnion have accepted the ICO’s findings and have withdrawn a number of products and services. However, said the watchdog, Experian has not accepted that it was required to make changes and, as such, is not prepared to issue privacy information directly to individuals, or to stop using credit reference data for direct marketing purposes.

“The data broking sector is a complex ecosystem where information appears to be traded widely, without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data,” said Denham. “The lack of transparency and lack of lawful bases, combined with the intrusive nature of the profiling, has resulted in a serious breach of individuals’ information rights.

“The trade in personal data with other organisations has implications beyond the industry. Disrupting the flow of non-compliant personal data will have a significant impact not just across the sector, but will drive benefits for individuals and organisations wherever this data is used.”

Denham added: “I am encouraged by Equifax and TransUnion’s willingness to change their practices and put people’s legal rights first. Now I expect the data broking sector to make the same commitments.”

The ICO has now issued an enforcement notice compelling Experian to make changes within nine months or risk a fine of up to £20m or 4% of its annual worldwide turnover, under the GDPR.

The notice forces Experian: to inform people that it holds their data and how it uses or plans to use it for marketing by July 2021; to stop using data derived from the credit referencing side of its activities for direct marketing by January 2021; to improve transparency around what data it collects, where it comes from, what it is used for, who it is sold to and why; to delete any data supplied to it on the lawful basis of consent that is being processed using a different lawful basis of legitimate interest; and to stop processing any personal data that it has collected unlawfully.

Experian CEO Brian Cassin said: “We disagree with the ICO’s decision today and we intend to appeal. At heart, this is about the interpretation of GDPR and we believe the ICO’s view goes beyond the legal requirements.

“This interpretation also risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the Covid-19 crisis.”

Cassin said many of the firms that use Experian’s marketing services are SMEs with fewer than 200 employees, in sectors that have been hit hard by Covid-19, such as retail, leisure and travel.

He said data provided by Experian had helped local authorities, NHS organisations, food banks, councils and charities get help to some of the most vulnerable people in the UK during the pandemic, and assisted with forecasting government support for businesses.

Cassin also rejected the ICO’s assertion that Experian was not clear with people about how it uses their data.