On 27 October 2020, following a two-year investigation into certain credit reference agencies, the UK Information Commissioner’s Office (ICO) published a report into data broking compliance in the direct marketing data broking sector.
The ICO also announced that it has ordered Experian Limited to make certain significant changes to the ways in which it processes individuals’ personal data for the purposes of direct marketing.
The ICO’s investigation, which related to how three credit reference agencies, Equifax, Experian and TransUnion, were processing personal data as part of their data broking businesses for direct marketing, led to each of the agencies making changes to certain aspects of their direct marketing services businesses.
The ICO discovered that the agencies had been undertaking considerable “invisible” processing which potentially impacted upon very large numbers of UK citizens. The processing involved the agencies trading and augmenting data subjects’ personal information without the relevant individuals being aware of this, leading to products which were utilised by various commercial organisations, political parties and charities to profile individuals (which can be privacy intrusive) and identify new and potential customers.
The ICO’s investigation uncovered a number of serious data protection compliance issues in respect of each of the three agencies (which varied between the agencies). For example, the agencies were held to be insufficiently transparent and their website privacy information failed to plainly elucidate how individuals’ personal information was being used.
Other failings included relying on incorrect lawful bases for processing personal data, profiling to create new or previously unknown information about individuals and also using personal data supplied in relation to the agencies' statutory credit referencing activities for certain marketing purposes.
TransUnion and Equifax were willing to change their data protection practices to address the ICO’s concerns. However, the ICO issued an enforcement notice in respect of Experian on the basis that the steps taken by Experian to address the relevant issues were deemed to be insufficient and Experian rejected the requirement to make the changes required by the ICO and were unwilling to stop using credit reference data for direct marketing, or to issue privacy information directly to individuals.
The enforcement notice requires Experian to modify its practices during the next nine months (with some actions to be taken sooner than that) to avoid the possibility of further action, which could include financial penalties.
The Information Commissioner, Elizabeth Denham, has made it clear that she regards the trading of information by the data broking industry as having led to a number of significant infringements of individuals’ data protection rights and expects the industry to take steps to ensure compliance with applicable data protection law. It will be interesting to see how the data broking industry responds to the ICO’s report and also how the industry reacts to this enforcement action.
“Our investigation uncovered data protection failings that likely affected millions of adults in the UK. Our investigation has changed the way credit reference agencies operate their offline direct marketing services. It has found invisible processing, allowing people to better understand how their data is being used, meaning people can exercise their privacy and data protection rights. “The information the CRAs are privileged to hold for statutory credit reference purposes was unlawfully used by them in their capacity as a data broker, with poor regard for what people might want or expect.