ICO finds “widespread and systemic data protection failings” at credit reference agencies and issues enforcement notice to Experian

October 28, 2020

The ICO has published a report of its investigation into offline direct marketing data broking, in particular the activities of the three largest credit reference agencies in the UK: Experian, Equifax, and TransUnion. The investigation began in 2018 and involved compulsory audits of the three credit reference agencies alongside three other data brokering hubs, though the ICO stresses the investigation did not relate to any core credit reference activities.

The report

The investigation found systemic non-compliance at all three of the credit reference agencies, and the report sets out a series of key findings:

1. The privacy information of the CRAs did not clearly explain their processing with respect to their marketing services

Any information given “was not clear because it was not sufficiently prominent, it did not sufficiently explain how the data was collected, what sources were used, how it was processed, or how it was sold.”

2. CRAs were incorrectly relying on the ‘disproportionate effort’ exception (Article 14(5)(b)) to avoid providing privacy information directly to individuals

“Very large numbers of individuals cannot be the deciding factor against it being proportional to notify people about the processing in these circumstances. Otherwise this would give controllers a perverse incentive to gather as much data as possible in order to reduce the burden on them to notify people.”

“The nature of the processing that is being undertaken for data broking purposes means that it is likely that the CRAs will have relevant contact details for the individuals affected.”

3. CRAs were using personal data collected for credit referencing purposes for direct marketing purposes

The CRAs must not use this data for direct marketing purposes unless this has been transparently explained to individuals and they have consented to this use. 

“There were a relatively small number of direct marketing uses made of credit reference data (credit data was not sold in bulk for direct marketing purposes, for example). However, the CRAs did not make clear to individuals that they would use the credit data for direct marketing purposes as part of their data broking business and they did not ask individuals to agree to this use of that data.”

4. Consents relied on by Equifax were not valid under the GDPR

If they intend to rely on consent obtained by a third party, CRAs must ensure that the consent meets the GDPR standard of validity.

“Equifax claimed that personal data was supplied to it by third party data brokers on the basis of consent and it subsequently relied on this consent to process for data broking purposes. However our investigation found that none of the consents reviewed by auditors met the standard required by the GDPR. For example, the consents were not informed or specific.”

5. Legitimate interest assessments (LIAs) conducted by the CRAs in respect of their marketing services were not properly weighted

“The CRAs must revise their LIAs to reconsider the balance of their own interests against the rights and freedoms of individuals in the context of their marketing services. Where an objective LIA does not favour the interests of the organisation, the processing of that data must stop until that processing can be made lawful.”

“they gave little weight to the fact that they were processing a large amount of personal data in highly targeted ways, profiling individuals, along with significant issues of non-transparency”

6. In some cases Experian was obtaining data on the basis of consent and then processing it on the basis of legitimate interests. 

“Switching from consent to legitimate interests in this situation is not appropriate. Where personal data is collected by a third party and shared for direct marketing purposes on the basis of consent, then the appropriate lawful basis for subsequent processing for these purposes will also be consent. Experian must therefore delete any data supplied to it on the basis of consent that it is processing on the basis of legitimate interests.”

In conclusion, while the report’s authors recognise that data broking can be positive for businesses and individuals, and that some individuals may be happy to have their data bought and sold and models built using it, others will not be, and if those individuals

“do not know that processing is happening, they cannot make this decision. All individuals have the right to be informed about the processing of their personal data, and the right to object to it. Without this knowledge, individuals cannot have effective control over their personal data. Failure to proactively provide the required level of transparency effectively deprives individuals of their data protection rights.”

At 8.5 there is also reference to the ongoing and related investigation into Real Time Bidding and adtech which it says is “looking into all the various players in [that] ecosystem.”

The enforcement action

While all three agencies made some changes as a result of the findings of the ICO, the Information Commissioner, Elizabeth Denham, decided that Experian “did not go far enough” as they “did not accept that they were required to make the changes requested, were not prepared to issue privacy information directly to individuals nor cease the use of credit reference data for direct marketing purposes.”

As a result, Experian has been issued with an enforcement notice compelling it to

  • inform people that it holds their personal data and how it is using or intends to use it for marketing purposes by July 2021.
  • stop using personal data derived from the credit referencing side of its business by January 2021 because, as the notice states, “people have no choice about whether their data is shared with Experian for credit referencing purposes and that Experian’s processing of this data for marketing purposes is unexpected.”

In a press release announcing the notice, the Information Commissioner, Elizabeth Denham, urged the industry to comply with data protection law:

“Our investigation uncovered data protection failings that likely affected millions of adults in the UK. Our investigation has changed the way credit reference agencies operate their offline direct marketing services. It has found invisible processing, allowing people to better understand how their data is being used, meaning people can exercise their privacy and data protection rights.

The information the CRAs are privileged to hold for statutory credit reference purposes was unlawfully used by them in their capacity as a data broker, with poor regard for what people might want or expect.

The trade in personal data with other organisations has implications beyond the industry. Disrupting the flow of non-compliant personal data will have significant impact not just across the sector but will drive benefits for individuals and organisations wherever this data is used.