ICO issues enforcement notice to Experian

The Information Commissioner’s Office (ICO) has issued an enforcement notice to Experian, the credit reporting agency, asking it to make changes to how it handles personal data within its direct marketing services. The ICO has given Experian 9 months to make the required changes to its data processing regime and comply with data protection legislation; otherwise, financial penalties will be imposed under the EU General Data Protection Regulation.

A two-year ICO investigation found that Experian and two other credit reporting agencies, namely Equifax and TransUnion, were “trading, enriching and enhancing” personal data without consent. While Equifax and TransUnion made changes to their marketing practices, the ICO considered Experian’s efforts to be insufficient.

The investigation examined the provision of offline marketing services by all three credit reporting agencies (CRAs).  According to the ICO, the investigation focused on how the CRAs used ‘personal data within their data broking businesses for direct marketing purposes’.

ICO’s Elizabeth Denham commented that “The investigation found how the three CRAs were trading, enriching and enhancing people’s personal data without their knowledge. This processing resulted in products which were used by commercial organisations, political parties or charities to find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people.”

In response to the findings of the investigation, Experian made some changes but remained unwilling to issue privacy information directly to individuals or to cease the use of credit reference data for direct marketing purposes.

Experian plans to appeal the ICO’s action to the First-Tier Tribunal and Brian Cassin, CEO at Experian, responded by saying that “At heart, this is about the interpretation of GDPR and we believe the ICO’s view goes beyond the legal requirements.  This interpretation also risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the Covid-19 crisis.”

“We develop statistical models from data to infer insights useful to businesses and public bodies in order that they can function more efficiently.  We do not track internet activity nor do we collect actual consumer purchases, behavioural data or actual preferences, nor is there any location tracking of individuals,” Cassin added.

Equifax and TransUnion were not issued with enforcement notices after both made significant changes to their data collection and processing activities. 

The ICO has asked Experian to make seven changes to its data processing regime within nine months. These include ceasing to use data provided to Experian for credit reporting purposes in any direct marketing activities (except where requested by the individual).

Also, the investigation revealed that Experian obtained data based on ‘consent’ but processed it based on ‘legitimate interests’.  According to the ICO, “Where personal data is collected by a third party and shared for direct marketing purposes on the basis of consent, then the appropriate lawful basis for subsequent processing for these purposes will also be consent.”