The UK Information Commission’s Office (ICO) has slapped Experian with an enforcement notice requiring the company to make major changes to how it processes personal data in its UK marketing services business.
The two other largest credit reference agencies (CRAs) Equifax and TransUnion were also investigated at the same time in relation to their use of personal data within their data broking businesses for direct marketing.
The main themes in the investigation, which targeted various players in the credit referencing industry, centred on “invisible processing”, “over processing”, providing insufficiently clear privacy information and using certain lawful bases incorrectly for processing people’s data.
Experian has said that it is appealing the decision.
What action has the ICO taken?
A monetary fine has not been ordered at this stage. Instead, the ICO has said that:
“Experian did not accept that they were required to make the changes set out by the ICO, and as such were not prepared to issue privacy information directly to individuals nor cease the use of credit reference data for direct marketing purposes. As a result, Experian has been given an enforcement notice compelling it to make changes within nine months or risk further action. This could include a fine of up to £20m or 4% of the organisation’s total annual worldwide turnover.”
Because Equifax and TransUnion made improvements alongside withdrawing some products and services, the ICO has taken no further action against them.
Whilst Experian has made some improvements, the ICO does not think that these went far enough and so has proceeded with enforcement action.
How has Experian responded?
Experian been vocal in its disagreement with the regulator’s decision, issuing a robust press release, saying that it thinks that the ICO has overstepped the mark in its interpretation of GDPR and that it is appealing the decision: https://www.experianplc.com/media/news/2020/response-to-ico-enforcement-notice-in-relation-to-uk-marketing-services/
Experian maintains that its consumer portal “makes it very easy for consumers to fully understand the ways we work with data and to opt out of having their data processed if they wish”. It has said that the changes it is being required to make to the relevant services will adversely impact its clients, who are already struggling in these COVID times. It also notes that the marketing services that it provides in the UK account for 1% of Experian’s Group revenue.
There’s no fine – so, why is this decision significant?
Whilst most headlines are grabbed with news of multi-million £ / € fines, other corrective powers of data protection authorities, such as cease processing orders or orders to delete data, can be just as (or even more) hard-hitting. For example, see our previous alert on the Irish Data Protection Commission’s dawn raid and postponement of the launch of the Facebook dating service: https://www.corderycompliance.com/ireland-dpc-halts-fb-dating-service/.
If upheld, the enforcement notice could force major changes to Experian’s business model and its ability to access and use to data in relation to its marketing services business.
What are the main problems that the ICO sees with Experian’s data processing activities?
The ICO said that it was concerned with:
“how the three CRAs were trading, enriching and enhancing people’s personal data without their knowledge. This processing resulted in products which were used by commercial organisations, political parties or charities to find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people.”
The ICO’s primary concern was that “invisible processing” (i.e. people were not aware that their data was being used) was happening on a massive scale and, even where some information was provided about use of people’s data for marketing services, this was not clear enough. In reaching this conclusion, the ICO would have gone through a process of:
- examining Experian’s marketing services activities that involve personal data; and
- then looking at the privacy information that Experian provides, such as in its privacy notices about what it is doing with people’s personal data,
and deciding that these do not match up.
If this is the case, this could be problematic for an organisation like Experian on a couple of levels – firstly, GDPR and the UK Data Protection Act 2018 impose requirements regarding “transparency” of processing. This means that certain minimum information must be explained in a privacy notice (or by other appropriate means), including
- the purposes and lawful bases for the processing,
- (for third party data) the categories of personal data,
- the recipients of the personal data,
- any legitimate interests pursued by the controller organisation or a third party,
- (for third party data) the source of the data and certain other information.
Secondly, organisations that process personal data must establish a “lawful basis” to process the data. The law contains essentially a list of “permitted reasons” for which personal data can be processed and the organisation must ensure that its processing comes within one of these. Consent is one lawful basis; “legitimate interests” is the other most commonly relied on for marketing.
According to the maze of privacy notices available on Experian’s website, Experian has historically maintained that it validly processes personal data in line with its and / or its clients’ legitimate interests:
To be able to validly rely on “legitimate interests”, a controller organisation must only use individuals’ data in ways that people would reasonably expect, unless they have a very good reason. Therefore, if a controller organisation has not been sufficiently transparent, this may mean that they are unable to rely on legitimate interests. The fact that people would object if they really knew how their information was being used would not constitute a good reason to not tell them about it.
Another concern that the ICO has raised is in relation to “over processing” of personal data – where data is collected for one purpose (e.g. credit checking) and is used for a different purpose (e.g. marketing). Some of the CRAs were also using profiling to generate new or previously unknown information about people, which can be potentially privacy intrusive.
The enforcement actions ordered by the ICO will be stayed pending Experian’s appeal.
The ICO is also continuing to investigate other large data brokers.
For more information please contact Katherine Eyres, Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
|Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH||André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH||
Katherine Eyres, Cordery, Lexis House, 30 Farringdon Street, London EC4A 4HH
|Office: +44 (0)207 075 1784||Office: +44 (0)207 075 1785||Office: +44 (0)20 7075 1786|