Experian lawyers set for long battle against ICO ruling

Experian is threatening a lengthy legal battle over an order that forces the firm to make fundamental changes to how it handles people’s data within its direct marketing services, insisting the ruling “goes beyond the legal requirements” of GDPR.

Yesterday, the Information Commissioner’s Office published the findings of its two-year investigation into the three major credit reference agencies in the UK, Experian, Equifax and TransUnion. It found how the companies were trading, enriching and enhancing people’s personal data without their knowledge.

Equifax and TransUnion have agreed to make changes but the ICO ruled that Experian had not gone far enough and slapped it with an enforcement notice, compelling it to make changes within nine months or risk further action.

Within hours, Experian’s chief executive officer Brian Cassin said the company planned to appeal the decision.

He said: “At heart this is about the interpretation of GDPR and we believe the ICO’s view goes beyond the legal requirements. This interpretation also risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the Covid-19 crisis.

“We develop statistical models from data to infer insights useful to businesses and public bodies in order that they can function more efficiently. We do not track Internet activity nor do we collect actual consumer purchases, behavioural data or actual preferences, nor is there any location tracking of individuals.”

As the ICO found out to its cost with the British Airways case, the evidence has to be watertight for any action to succeed as lawyers will use any trick in the book to get their clients off the hook.

With BA, the airline’s lawyers managed to get a proposed £183m GDPR fine slashed by 90% to £20m. Some have argued that this was a major climbdown, although £20m is still one of the highest GDPR penalties that has been issued in Europe.

The protracted legal battle could well have made the ICO think twice about slapping Experian with a fine straight-away, instead opting to give the company an ultimatum to get its house in order.

Even so, the ICO is unlikely to give up without a fight. Its investigation found what the regulator branded “systemic data protection failings” across the entire data broking sector, adding that non-compliance with key principles of data protection law appears to be widespread within an industry that depends on personal data.

The ICO’s report stated: “All individuals have the right to be informed about the processing of their personal data, and the right to object to it. Without this knowledge, individuals cannot have effective control over their personal data.

“Failure to proactively provide the required level of transparency effectively deprives individuals of their data protection rights.

“Our action represents a key milestone in driving change and achieving compliance in the data broking industry. However, our work is not over. The ICO remains committed to securing compliance across this sector, and we intend to carry out further investigative, engagement and educational work.”

Industry body the DMA has yet to comment on the findings of the ICO’s investigation, even though data brokers are a key part of its membership. Experian’s marketing services division was one of the organisation’s founders, with former CEO David Coupe also serving as DMA chair from 2003 to 2005.

The DMA Code is an agreement to which all members and their business partners must adhere and provides five clear principles, “Put your customer first”, “Respect privacy”, “Be honest and fair”, “Be diligent with data” and “Take responsibility”. Any business found breaching these rules can face expulsion.