On October 27, 2020, the UK Information Commissioner’s Office (“ICO”) published its enforcement notice against credit reference agency Experian Limited (“Experian”) under Section 149 of the Data Protection Act 2018 (“DPA”) (the “notice”). The notice requires Experian to make fundamental changes to its offline direct marketing practices, and was issued after the ICO undertook a two-year investigation into the use of personal data by data broking businesses Experian, Equifax and TransUnion.
The ICO’s investigation found that all three organizations had used personal data to allow commercial organizations, political parties and charities to find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people, without the knowledge of their millions of data subjects (i.e., “invisible processing”). In Experian’s case, the ICO determined that its practices infringed the data protection principles under Article 5, specifically the principles of transparency and lawfulness, and the data subject rights under Articles 12 to 22 of the EU General Data Protection Regulation (“GDPR”).
The ICO identified numerous other failings by the three organizations, including the further use of personal data provided for credit referencing purposes for direct marketing, the use of profiling to generate new information about data subjects, a lack of transparency and incorrect use of lawful bases for processing. The failings of the organizations are further detailed in the ICO’s report into data protection compliance in the direct marketing data broking sector, which was released by the ICO on October 27, 2020.
While all three organizations made changes to their marketing practices at the ICO’s request, including – in Equifax and TransUnion’s case – withdrawing certain products and services from the market, the ICO found that Experian had not gone far enough and did not make the changes requested by the ICO. Experian was not willing to provide privacy information to individuals or stop using credit reference data for direct marketing purposes. The ICO considered Experian’s contraventions of the law to be serious on the basis that (1) an extremely large number of data subjects was affected; (2) the processing involved profiling and collation of personal data from an array of different sources; (3) the processing was invisible, and parts of Experian’s business model depended on such processing being invisible; and (4) there was no public interest in the processing. The ICO also determined that the processing was likely to cause some distress to data subjects, due to its unexpected nature.
The notice requires that…