ICO - Enforcement Notice against Experian

From GDPRhub
ICO - Enforcement Notice against Experian
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 5(1) GDPR
Article 6(1) GDPR
Article 14 GDPR
Type: Investigation
Outcome: Violation Found
Decided: 12.10.2020
Published: 27.10.2020
Fine: None
Parties: Experian Limited
National Case Number/Name: Enforcement Notice against Experian
European Case Law Identifier: n/a
Appeal: Pending appeal
ICO
Original Language(s): English
Original Source: Enforcement action against Experian (in EN)
Initial Contributor: Andrea S.

The UK DPA (ICO) served an Enforcement Notice against the credit reference agency Experian, after it found that Experian violated the transparency principle and failed to uphold data subject rights. Experian must make significant changes to how it handles people’s personal data in its direct marketing practices – or face sanctions.

English Summary[edit | edit source]

Facts[edit | edit source]

The ICO autonomously started an investigation into the three major Credit Reference Agencies ('CRAs') in 2018 under the Data Protection Act 1998. The investigation was paused and then resumed after the new GDPR entered into force in order to ensure the violations were addressed under the modern data protection regime, rather than a historical legal position, given the importance and relevance of such processing activities.

The processing in question is on a very large scale (roughly 50 million people resident in the UK, with more than 500 attributes for each person).

Experian acquired this information from a variety of sources and it also include credit reference data, which could lead to unexpected and 'invisible' processing activities. Experian uses them to propose a variety of marketing-led products (eg. Mosaic and Channelview), which are sold to third parties to enable them more targeted and effective direct marketing to data subjects.

Having found several violations of the new Regulation, the Commissioner issued a Preliminary Enforcement notice on 17 April 2019 to Experian. Afterwards, Experian collaborated with the Authority and provided further details and documents in order to make the improvements requested. On 20 April 2020, a revised Enforcement Notice was proposed.

Dispute[edit | edit source]

The ICO had to determine whether all the information requested by art. 13 and 14 of the GDPR are clearly communicated to the data subjects involved in the processing activity carried out by Experian.

Then, the Authority needs to establish if the lawful grounds used by Experian and its suppliers are correct and understood by the data subjects involved.

Holding[edit | edit source]

The ICO found three main categories of failures on Experian's approach to data protection compliance:

1. Transparency and fairness

The privacy notice and the Consumer information portal ('CIP') drafted by Experian were insufficiently clear in explaining how data is collected, processed and sold, in particular in relation to the credit data used in connection with the direct marketing purposes.

Also, the CIP did not specify all the rights available to the data subjects (in particular rectification and restriction under art.16 of the GDPR) and did not set up a proper retention period for the data used.

The Commissioner acknowledged the CIP still fails to set out clearly in one place and at the forefront:

- the attributes that may be processed about an individual;
- the 'invisible' tracing activity undertook for marketing;
- the explanation of the drawbacks or outcomes that individuals may find undesirable.

With reference to the credit reference data, The Authority highlighted that was not appropriate to use them for direct marketing purposes without the active engagement of the individuals concerned. Such consent needs to be either obtained by Experian directly from the individual, or by the lender on the Experian’s behalf, clearly and separately from the collection of data to be shared for credit referring purposes.

2. Art. 14 of GDPR

The ICO found that, where Experian acquires the personal data of a data subject from a third party, Experian does not provide Art. 14 privacy information to the data subject directly, relying on the privacy policy of the third parties, which in many cases provides links to the policies of Experian.

Experian suggested that any direct notification exercise will be extremely costly and disproportionate. However, the Commissioner’s views are that the question for the proportionality must be considered in the light of the extensive processing carried out by Experian. Moreover, the ICO pointed out that the processing activities are a matter of choice of Experian, and it follows from Experian's business model. The fact that there are large numbers of data subjects cannot in itself be a determinative factor against the proportionality of the notification.

The cost could be seen as high because it is the cost of an accumulation of many years during which there has been a failure to give notifications.

3. Lawful processing

The Commissioner considered that it is unlikely that Experian would be able to apply its legitimate interests for intrusive profiling for direct marketing purposes. The Legitimate Interest Assessment put in place could not be considered to be properly balanced.

Also, the Commissioner was not satisfied that the privacy information and data capture mechanism of Experian’s suppliers with regards to the transparency and lawful obligations of the GDPR. It seemed that an individual could be confused about which marketing activities they had, or had not, consented to, and how much control they had over the onwards processing of their data.

Therefore, the Commissioner is requiring Experian to take specified steps to comply with the GDPR. In particular, within 3 months:

- revise the CIP to set out a clear summary of the direct marketing activities that Experian undertakes; place information that is likely to surprise the individuals, in a clearer and more concise language; - cease using credit reference data for any direct marketing activities other than those requested by the individuals. - delete any data supplied by third parties on the basis of the consent which is now being processed on the basis of the Experian's legitimate interests.

Also, within 9 months, Experian must:

- directly provide all data subjects with an 'Art. 14 privacy notice', potentially sent by mail or other similar means; - review the compliance with the GDPR of the privacy notice of its suppliers to provide the same standard of transparency as the CIP; and their data capture mechanisms in order to have a valid 'consent' to the disclosure and further processing of the data carried out by Experian.

Comment[edit | edit source]

The investigation covered all the three main CRAs (TransUnion, Equifax and Experian), but the first two were able to make the improvements requested alongside withdrawing some products and services, so the ICO decided to not take further action against them.

In relation to the Experian activities, it specifically relates to the processing of personal data in the provision of offline marketing services. It means that it doesn’t include the activities based on the online behaviour of the individuals, which is being investigated separately.

Experian has already stated that they intend to appeal against the Notice (source: https://www.experianplc.com/media/news/2020/response-to-ico-enforcement-notice-in-relation-to-uk-marketing-services/)

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the English original. Please refer to the English original for more details.

Not applicable. Please see the English original.