The ICO takes action against Experian’s ‘invisible processing'

The ICO orders Experian Limited to make fundamental changes to how it handles people’s personal data within its direct marketing services.

28 October 2020

It has been a busy month for the ICO, who only last week marked a significant milestone in UK data protection enforcement by announcing a £20m fine against British Airways. This week, the ICO has turned its attention back to Experian Limited, one of the three largest credit reference agencies.

We have summarised the ICO’s decision below. If you would like to read the ICO announcement in full, it can be found here and the full Enforcement Notice can be found here.

The Investigation

The Enforcement Notice against Equifax marks the end of a two-year investigation into Experian, Equifax and TransUnion’s data brokering businesses, including the use of personal data for direct marketing purposes.

The ICO determined that all three credit reference agencies (CRAs) were using, for marketing purposes, personal data that individuals had provided to each CRA so that it could perform its statutory credit referencing function. The ICO has, appropriately, labelled this ‘invisible’ processing given the lack of transparency afforded to the individual and the lack of consent obtained. The ICO said that this ‘invisible’ processing “likely affected millions” and “resulted in [the creation of] products which were used by commercial organisations, political parties or charities to find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people.”

This processing went beyond the lawful use of the individual’s personal data. The Commissioner, Elizabeth Denham, commented: “The data broking sector is a complex ecosystem where information appears to be traded widely, without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data. The lack of transparency and lack of lawful bases combined with the intrusive nature of the profiling has resulted in a serious breach of individuals’ information rights.”

The investigations against Equifax and TransUnion appear to have been resolved. Denham said she was “encouraged to see the two organisations committed to complying voluntarily, without the need for enforcement action” but that the remainder of the data brokering sector needed to “make the same commitments”.

Unlike Equifax and TransUnion, however, Experian has had more trouble in satisfying the ICO that its processing of personal data is now compliant. The ICO’s decision to issue an Enforcement Notice seems to rest largely on Experian’s refusal to issue privacy information directly to individuals, in breach of the data protection principle of ‘transparency’, and its refusal to cease the use of credit reference data for direct marketing purposes.

The Enforcement Notice

The Enforcement Notice requires Experian to make fundamental changes within nine months or risk further action. Further action could include a fine of up to £20m or 4% of its total annual worldwide turnover. On the basis of expected 2020 turnover of USD 5,179m, a fine of 4% could be as high as USD 51m (approximately £40m). In the event that Experian did fail to comply, the actual level of the fine would be determined in line with the ICO’s recent guidance (see our article here on the guidance and here on the implications of the ICO’s £20m penalty notice against British Airways).

The Enforcement Notice requires Experian to:

  • by July 2021, inform individuals that it holds their personal data and how it is using or intends to use it for marketing purposes;
  • by January 2021, stop using personal data derived from the credit referencing side of its business;
  • delete any data supplied to Experian under the lawful basis of consent which it is now purporting to process under the different lawful basis of legitimate interests; and
  • stop processing any personal data that has been collected unlawfully.

To some this move won’t come as a surprise: the ICO published a Preliminary Enforcement Notice on 17 April 2019 and a revised draft on 20 April 2020. However, the ICO’s willingness to use its regulatory powers to force Experian’s hand, in relation to what is likely a core element of its business model, is interesting. We have seen in other cases the effect and power this regulatory tool can have in forcing compliance, and we expect the ICO is hopeful that Experian will follow the path taken by Equifax and TransUnion rather than that taken by Cambridge Analytica in 2019.

Experian intends to appeal the Enforcement Notice. We will keep you updated.

If you found this interesting, there's a lot more comment you may find helpful on UpData, which provides regular updates on contentious, criminal and insurance risks relating to data, from cyber-attacks to regulatory enforcement.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.