ICO issues notice of enforcement action against Experian
3rd November, 2020
The Information Commissioner's Office (ICO) has issued an enforcement notice to the credit reference agency Experian Limited following an investigation into the practices of the three largest credit reference agencies in the UK (Experian, Equifax and TransUnion) and their use of personal data for direct marketing purposes. The notice came at the conclusion of a two-year investigation following a complaint by the charity Privacy International.
The investigation established that the credit reference agencies had processed personal data and this data was then used for direct marketing purposes without data subjects’ knowledge. In particular, the ICO discovered that significant ‘invisible’ processing had been carried out, whereby the data subjects concerned were unaware that the credit reference agencies were collecting and processing their personal data, contrary to UK data protection law. Some of the agencies were also using profiling techniques to generate new or previously unknown information about users, which can be invasive of a data subject’s privacy.
Other breaches of privacy law included failing to clearly explain what the agencies were doing with personal data, and incorrectly using lawful bases for processing data (such as collecting data under the lawful basis of consent but processing the data under the separate lawful basis of legitimate interests).
Following the ICO’s intervention, Equifax and TransUnion made sufficient improvements to their data processing and direct marketing systems, and so the ICO has ceased taking further action against them. However, the ICO deemed Experian’s attempts to improve its practices to have been insufficient to avoid enforcement action. Experian denied that they were required to adopt the ICO’s requested changes and were not willing to issue privacy information directly to individuals nor to cease the use of credit reference data for direct marketing processes.
As a result, the ICO has issued an enforcement notice against Experian obliging it to make further changes to its data protection practices or face further action, which could include a potential fine of up to £20m or 4% of its total annual worldwide turnover (which was $5.179 billion for Financial Year 2020), meaning a maximum potential fine of up to $207,160,000 (approximately £161 million). Experian has nine months to enact the required changes, subject to any appeal.
What to do now
This case makes clear to organisations the importance of ensuring that strict data protection policies are implemented and adhered to in order to guarantee the safeguarding of individuals’ data. In particular, it should be clearly and fully explained to customers when their data is being processed and for what purposes, while organisations should be dedicated to only processing data on the lawful basis under which it is initially collected. If you haven’t already, you should review your data processing record and ensure that you are processing personal data on the lawful basis that you have identified and that your privacy policies are clear as to what, why and how you are processing an individual’s personal data.
Our services
Ward Hadaway regularly advises organisations in a variety of sectors on complying with data protection law and our team of data protection experts are experienced in dealing with these types of issues. For more details on how we can help you, or for guidance in relation to any of the issues raised, please get in touch.
Please note that this briefing is designed to be informative, not advisory and represents our understanding of English law and practice as at the date indicated. We would always recommend that you should seek specific guidance on any particular legal issue.