Who: Information Commissioner’s Office (ICO), Experian Limited (Experian)
Where: United Kingdom
When: 27 October 2020
Law stated as at: 2 November 2020
What happened:
Experian has been issued with an enforcement notice by the ICO, requiring it to change some of its data practices within 9 months, otherwise risking further action potentially including a fine under the General Data Protection Regulation (GDPR) of up to €20m or 4% of the company’s total annual worldwide turnover.
This follows a two-year investigation by the ICO into how the credit reference agencies (CRAs) Experian, Equifax and TransUnion collect and use personal data. The investigation found that each CRA’s direct marketing data broking practices breached the GDPR requirements on transparency and on fair and lawful processing. The ICO found that data provided for the purpose of credit checks was being used for direct marketing and for developing products that organisations use to identify the consumers most likely to be able to afford certain goods and services. This was deemed to be invisible processing, as consumers had no knowledge of their data being used for such purposes and could not have anticipated it.
In making this finding, the ICO applied a broad interpretation of direct marketing. Data analytics processing used to further direct marketing activities of third parties was found to be processing for direct-marketing purposes. Screening, validation, matching, linking and modelling were all specifically listed as falling under the category of direct marketing processing.
Equifax and TransUnion made the necessary improvements and withdrew certain non-compliant products and services. Experian also made changes, but these did not suffice: it did not alter its approach to using credit reference data for direct marketing purposes and did not provide privacy information to individual consumers. The ICO therefore took the enforcement action it deemed most likely to achieve Experian’s compliance by changing its practices.
Specifically, the notice requires that Experian:
- draws attention, in the first layer of its privacy notice, to the most significant and impactful processing that may surprise a customer, without them having to scour multiple policies for this information,
- informs consumers that it holds their personal data and how it plans to use that data for direct marketing purposes,
- stops screening consumers off direct marketing lists on the basis of their financial standing, by January 2021,
- details improvements to its privacy information so that it is apparent what personal data is collected, where it comes from, and the purpose(s) for which it is used and why,
- stops processing any personal data that was gathered by unlawful means, and
- deletes data collected on the lawful basis of consent that was subsequently processed under a different lawful basis, legitimate interests.
Experian has made known its intention to appeal the ICO’s enforcement notice, stating that it believes its data processing information is clear and easily comprehensible.
Why this matters:
Experian’s practices targeted here are not uncommon in the data broking industry. This case highlights the following important issues and clarifications for businesses in this area:
- The ICO takes a very broad view of processing activities that constitute direct marketing (including data analytics processing used to further direct marketing activities of third parties).
- Businesses cannot rely on the number of data subjects or cost of compliance to justify not providing transparency information.
- Legitimate interest assessments must be carefully considered and carried out thoroughly, and their outcome cannot be skewed in a business’s favour.
- Relying on legitimate interests for large-scale profiling that involves vast categories of data subjects and intrusive processing will be very difficult.
- The ICO expects businesses to present intrusive and unexpected processing more prominently in transparency information (within the first layer of a privacy policy).