On October 27, 2020, the UK Information Commissioner’s Office (“ICO”) published its enforcement notice against credit reference agency Experian Limited (“Experian”) under Section 149 of the Data Protection Act 2018 (“DPA”) (the “notice”). The notice requires Experian to make fundamental changes to its offline direct marketing practices, and was issued after the ICO undertook a two-year investigation into the use of personal data by data broking businesses Experian, Equifax and TransUnion.

The ICO’s investigation found that all three organizations had used personal data to allow commercial organizations, political parties and charities to find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people, without the knowledge of their millions of data subjects (i.e., “invisible processing”). In Experian’s case, the ICO determined that its practices infringed the data protection principles under Article 5, specifically the principles of transparency and lawfulness, and the data subject rights under Articles 12 to 22 of the EU General Data Protection Regulation (“GDPR”).

The ICO identified numerous other failings by the three organizations, including the further use of personal data provided for credit referencing purposes for direct marketing, the use of profiling to generate new information about data subjects, a lack of transparency and incorrect use of lawful bases for processing. The failings of the organizations are further detailed in the ICO’s report into data protection compliance in the direct marketing data broking sector, which was released by the ICO on October 27, 2020.

While all three organizations made changes to their marketing practices at the ICO’s request including –in Equifax and TransUnion’s case – withdrawing certain products and services from the market, the ICO found that Experian had not gone far enough and did not make the changes requested by the ICO. Experian was not willing to provide privacy information to individuals or stop using credit reference data for direct marketing purposes. The ICO considered Experian’s contraventions of the law to be serious on the basis that (1) an extremely large number of data subjects was affected; (2) the processing involved profiling and collation of personal data from an array of different sources; (3) the processing was invisible, and parts of Experian’s business model depended on such processing being invisible; and (4) there was no public interest in the processing. The ICO also determined that the processing was likely to cause some distress to data subjects, due to its unexpected nature.

The notice requires that…

Read The Full Article

EU
March 8, 2024
0 271

IAB Europe’s advertising bidding model uses personal data, EU court rules

Enforcement EU
December 6, 2023
0 475

EU court lowers requirements for imposing fines for data protection breaches

Enforcement
February 21, 2023
0 987

Brussels sets out to fix the GDPR

Enforcement
January 4, 2023
0 883

Meta’s Ad Practices Ruled Illegal Under E.U. Law

Cookies
October 16, 2023
0 770

Cookie consent: 5 harmful designs from UK Regulators’ guidance

USA
August 16, 2023
0 848

California delays CPRA regulations

Enforcement USA
July 21, 2023
0 761

Major Privacy Law Enforcement Announcements by CPPA and California and Colorado Attorneys General

Data Transfers EU Guidance Privacy USA
July 10, 2023
0 965

Data Protection: European Commission adopts new adequacy decision for safe and trusted EU-US data flows

Check Also

Cookie consent: 5 harmful designs from UK Regulators’ guidance

The UK’s data protection regulator, the Information Commissioner’s Office (ICO), and …