Nearly three weeks after the Information Commissioner’s Office suggested the UK’s data industry had been cleared of any wrongdoing in the Cambridge Analytica probe, the regulator has ordered Experian to make fundamental changes to how it handles people’s personal data within its direct marketing services or face a severe fine.
Late in August, the ICO said that it would not be producing a final report on the use of data analytics for political purposes, even though it had pledged to do so at the height of the storm, triggering claims that the matter had been brushed under the carpet.
However, when contacted by Decision Marketing, the regulator insisted that the investigation into the data giants had yet to be completed.
Even so, Commissioner Elizabeth Denham said in early October: “We have now completed our main remaining lines of enquiry as far as the available evidence took us. This included analysis of materials obtained during the investigation and those seized under warrant. The investigation is therefore concluding.”
However, the ICO now says that the enforcement notice follows this same two-year investigation into how Experian, Equifax and TransUnion used personal data within their data broking businesses for direct marketing purposes.
A crucial element appears to have been a 2018 complaint from Privacy International to the ICO which raised concerns about the data broking industry, specifically Equifax and Experian.
Its investigation found that the three companies were trading, enriching and enhancing people’s personal data without their knowledge. This processing resulted in products which were used by commercial organisations, political parties or charities to find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people.
The ICO has ruled that significant ‘invisible’ processing took place, likely affecting millions of adults in the UK. It is ‘invisible’ because the individual is not aware that the organisation is collecting and using their personal data. This is against data protection law.
Although the companies varied widely in size and practice, the ICO found significant data protection failures at each company. As well as the failure to be transparent, the regulator found that personal data provided to each business, in order for them to provide their statutory credit referencing function, was being used in limited ways for marketing purposes.
Some of the firms were also using profiling to generate new or previously unknown information about people, which is often privacy invasive.
Other thematic failings identified included the fact that although the three firms did provide some privacy information on their websites about their data broking activities, their privacy information did not clearly explain what they were doing with people’s data.
Separately, they were using certain lawful bases incorrectly for processing people’s data, the ICO found.
The regulator claims that, as a result of its work, all three credit reference agencies made improvements to their direct marketing services business. Equifax and TransUnion made the improvements alongside withdrawing some products and services. The ICO is therefore taking no further action against them.
But although Experian made progress in improving compliance, it did not go far enough. Experian did not accept that it was required to make the changes set out by the ICO, and as such was not prepared to issue privacy information directly to individuals nor cease the use of credit reference data for direct marketing purposes.
As a result, Experian has been given an enforcement notice compelling it to make changes within nine months or risk further action. This could include a fine of up to £20m or 4% of the organisation’s total annual worldwide turnover, the ICO claimed; with turnover of $5.2bn, 4% would be roughly $208m.
Denham said: “Our investigation uncovered data protection failings that likely affected millions of adults in the UK. Our investigation has changed the way credit reference agencies operate their offline direct marketing services. It has found invisible processing, allowing people to better understand how their data is being used, meaning people can exercise their privacy and data protection rights.
“The information the credit reference agencies are privileged to hold for statutory credit reference purposes was unlawfully used by them in their capacity as a data broker, with poor regard for what people might want or expect.
“The data broking sector is a complex ecosystem where information appears to be traded widely, without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data. The lack of transparency and lack of lawful bases combined with the intrusive nature of the profiling has resulted in a serious breach of individuals’ information rights.
“The trade in personal data with other organisations has implications beyond the industry. Disrupting the flow of non-compliant personal data will have significant impact not just across the sector but will drive benefits for individuals and organisations wherever this data is used.
“I am encouraged by Equifax and TransUnion’s willingness to change their practices and put people’s legal rights first. Now I expect the data broking sector to make the same commitments.”
The ICO decided an enforcement notice would be the most effective and proportionate way to achieve compliance in this situation, rather than a fine, insisting it is the most likely tool to achieve the results necessary to change behaviour.
The ICO’s notice requires Experian to inform people that it holds their personal data and how it is using or intends to use it for marketing purposes. Experian has until July 2021 to do this subject to any appeal.
The ICO also requires Experian to stop, by January 2021, using personal data derived from the credit referencing side of its business, which it currently uses for limited direct marketing purposes. In the enforcement notice, the ICO states that people have no choice about whether their data is shared with Experian for credit referencing purposes and that Experian’s processing of this data for marketing purposes is unexpected.
For example, it must stop screening out prospective customers from marketing lists on the basis of financial status.
Other key requirements of the notice include improvements to privacy information to make clear what personal data is collected, where it has come from, what it is being used for, and who the data is being sold to and why.
Experian must also delete any data supplied to it under the lawful basis of consent which is now being processed using a different lawful basis of legitimate interests and stop the processing of any personal data that has been collected unlawfully.
The ICO’s engagement and educational work in this area is ongoing, with further audit findings to be published when they are concluded.