ICO issues results of investigation into data broking sector
The ICO has issued the results of an investigation into the “direct marketing data broking” sector as well as a related enforcement notice against Experian.
The ICO has issued the results of an investigation into the "direct marketing data broking" sector as well as a related enforcement notice against Experian. The findings of the investigation and the enforcement notice have implications for data broking services and those using them, and they also provide some important guidance on key data protection issues.
What did the investigation cover?
The report into the investigation was the culmination of around 5 years' worth of investigation and consideration of the trade in personal data. It relates to "offline marketing services of the data broking industry" by which the ICO means providing marketing to individuals through methods other than the internet (including postal, telephone and SMS marketing). It did not cover data collected about an individual's online behaviours but the ICO is investigating participants in the online advertising industry separately.
The ICO was specifically interested in data broking conducted by Experian, Equifax and TransUnion (all credit reference agencies or CRAs) for direct marketing purposes which involves collecting data about individuals from a variety of sources, then combining it and selling or licensing it to other organisations. Each of the CRAs had developed a business of licensing the data and / or enabling companies to use it to inform their (not the CRA's) direct marketing activities.
It is also worth noting that the report mentions that the ICO is investigating three other data brokers so more enforcement action could follow.
Outcome of the investigation
All of Experian, Equifax and TransUnion have had to alter their practices to deal with the issues summarised below and, in some cases, they have stopped providing some relevant services. The ICO felt that Experian had not gone far enough so it issued an enforcement notice requiring further action to be taken.
Transparency and privacy notices
The ICO was concerned that people would not be aware that their information would be used by the CRAs for direct marketing purposes. The information on their websites was not sufficiently clear on this and did not meet GDPR requirements. The CRAs have updated their website privacy notices as a result.
More challenging was the ICO's finding on provision of privacy notice wording directly to individuals and this requires consideration by any business acquiring data from third party sources. As much of the information collected and used by the CRAs for data broking purposes came from third party sources rather than the individuals themselves, the CRAs tried to apply two exemptions to the requirement to deliver a privacy notice to the individuals:
- The individual already has the information (Art 14(5)(a)) - this was on the basis that the third parties that collected the information would have provided a notice. The ICO rejected this on the basis that it would be unlikely that the third party notices would adequately describe the CRA's use of the data.
- The provision of a privacy notice would involve disproportionate effort (Art 14(5)(b)) - the ICO rejected the argument that size of the databases in question and the fact that the CRAs did not necessarily have a direct relationship with the individuals meant that it would involve disproportionate effort to supply the notice. The ICO's view was that the CRAs would have contact details for individuals and would be able to provide a privacy notice to them. Moreover, the ICO said that it would be perverse to allow companies to escape the requirement to deliver privacy notices by building up vast databases and also to argue that a failure to historically provide notices would now make delivering the notices difficult and costly.
Both points are important to note for any business acquiring data from third party sources and they indicate that the ICO will apply a narrow construction to both exemptions.
Legitimate expectations
The CRAs had used the credit related information that they held for the purposes of their core credit scoring / reference activities for the purposes of their clients' direct marketing activities (eg selecting or de-selecting people based on their credit score). Again the ICO felt that this was not covered by the CRAs' privacy notices but also that it was not likely to be within the legitimate expectations of the individuals and therefore the processing would not be fair processing.
Lawful basis for processing
The CRAs had claimed that their processing of individuals' personal data was based on:
- consents obtained by the third parties from whom data was obtained; and / or
- legitimate interests.
The ICO found both to be problematic.
In relation to reliance on third party consents, the ICO said that the consents obtained were not specific and informed. They did not adequately address the use of the data by the CRAs. This illustrates the challenge of trying to rely on consents obtained by third parties (particularly if the consents are trying to cover disclosure of data to multiple third parties for a variety of uses). It can be difficult to establish whether valid consent has been obtained by the third party and any consent obtained may well not be specific enough to cover the intended usage of the data by the recipient (let alone the recipient's clients).
In relation to legitimate interests there were two problems identified by the ICO:
- Shifting from consent to legitimate interests - the CRAs had obtained some of the data based on third party consents but then sought to justify further processing of the data based on their legitimate interests. The ICO objected to that shift in lawful basis of processing, saying "Switching from consent to legitimate interests meant that the original consent was no longer specific or informed, the degree of control and the nature of the relationship with the individual was misrepresented, and the right to withdraw consent was also undermined". Organisations therefore have to be wary of basing additional data processing on new lawful bases when consent was the original basis for processing.
- Legitimate Interests Assessment - the ICO felt that the LIAs conducted took insufficient account of the impact of the processing on individuals and unduly favoured the commercial interests of the organisation over the rights of the individual. The takeaway is therefore that organisations must preserve objectivity in the creation of their LIAs (and by extension DPIAs).