ICO Issues Enforcement Notice to Experian - DMA Comments

Yesterday (27 October), the Information Commissioner’s Office (ICO) issued an enforcement notice to Experian. This followed a two-year investigation into how credit rating agencies (CRAs) processed and shared data within their data broking businesses for direct marketing purposes.

The ICO found that Experian and two other CRAs - Equifax and TransUnion – were processing a significant amount of data that was deemed ‘invisible’, meaning that people did not know their information was being shared.

This has been investigated by the ICO as the actions of the CRAs affects the privacy rights of over 50 million UK citizens.

The key findings include:

• The privacy information of the CRAs did not clearly explain their processing with respect to their marketing services.
• The CRAs did not ensure they provided appropriate privacy information directly to all the individuals for whom they hold personal data, within their capacity as data brokers for direct marketing purposes (GDPR Article 14).
• The CRAs were using personal data collected for credit referencing purposes for direct marketing.
• The consents relied upon by Equifax were not valid under the GDPR. To comply with the GDPR, CRAs must ensure that the consent is valid, if they intend to rely on consent obtained by a third party.
• Legitimate interests assessments (LIAs) conducted by the CRAs in respect of their marketing services were not processed correctly.
• In some cases, Experian was obtaining data on the basis of consent and then processing it on the basis of legitimate interests. Switching from consent to legitimate interests in this instance is not compliant with the GDPR.

Equifax and TransUnion will not face disciplinary action from the regulator because both made some necessary changes, including withdrawing some products and services.

Experian has decided to appeal the ICO’s decision as it states it has been compliant with the GDPR’s requirements.

Brian Cassin, Chief Executive Officer, Experian said: “We disagree with the ICO’s decision today and we intend to appeal. At heart this is about the interpretation of GDPR and we believe the ICO’s view goes beyond the legal requirements. This interpretation also risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the COVID-19 crisis.”

“We share the ICO’s goals on the need to provide transparency, maintain privacy and ensure consumers are in control of their data. The Experian Consumer Information Portal makes it very easy for consumers to fully understand the ways we work with data and to opt out of having their data processed if they wish.”

The ICO’s notice requires Experian to inform people that it holds their personal data and how it is using or intends to use it for marketing purposes. Experian has until July 2021 to do this (subject to appeal).

Transparency and accountability are two of the core principles of the GDPR, which the DMA Code supports and enforces. The DMA believes this decision by the ICO highlights how important it is for all organisations to be transparent and accountable if they are processing or sharing data.

The ICO’s focus on data processing and lawful bases is also worth highlighting. Organisations should not collect data for credit rating purposes and then use this data for direct marketing without the knowledge of the data subject. In addition, organisations should not use one lawful ground (consent) for a purpose and then change this to another (LI).

The ICO’s key findings in this case will be discussed by the DMA in greater detail in the coming weeks/months, as they could have a significant impact on the direct marketing sector. Data processing and sharing is essential to the smooth running of the modern digital economy, but organisations must ensure that it complies with the GDPR.

“Customers value receiving offers that are relevant to them, which is highlighted by the DMA’s ‘Customer Engagement - How to win Trust & Loyalty 2020’ research. But in order for businesses to provide a personalised experience for customers, they must have access to insights gained from their own first-hand knowledge of customers, as well as additional insights from external sources. Organisations that communicate the right products and services to customers create a more efficient economy and reduce wasteful spending, but they must remain compliant with the GDPR at all times,” said John Mitchison, Director of Policy and Compliance.

“The DMA is keen to understand the reasoning and evidence behind the ICO’s enforcement notice as well as the basis of Experian’s appeal. Once we have fully reviewed the ICO’s findings we will provide further comment.”