Out-Law Analysis
05 Nov 2020, 10:29 am
Recent findings by the UK's Information Commissioner's Office (ICO) in relation to credit reference agencies' data practices will impact thousands of businesses that rely on data brokers and also provide insights on how the authority interprets core provisions of data protection law.
The report the ICO has published into compliance in the offline direct marketing data broking sector also suggests the authority may require data practices in the world of online digital advertising to change in the near future.
On 27 October the ICO announced that it had served an enforcement notice on Experian, requiring the credit reference agency to "make fundamental changes to how it handles people’s personal data within its direct marketing services".
The enforcement action against Experian arose out of a wider investigation into the offline activities of a handful of so-called ‘data brokers’ – organisations, mainly credit reference agencies, that obtain information from a variety of sources and trade that information to other organisations for their use. The ICO published a report into data protection compliance in the direct marketing data broking sector alongside the enforcement notice it imposed on Experian.
The ICO spent two years investigating how Experian, together with Equifax and the TransUnion companies TransUnion International UK and Callcredit Marketing, used personal data from their data broking businesses for direct marketing purposes.
The ICO found all three credit reference agencies to have collected and used personal data in breach of the transparency and lawful processing requirements outlined in the General Data Protection Regulation.
Specifically, the ICO took issue with the companies using data they had collected for select purposes – conducting credit checks and limited marketing activity – for other purposes, namely generating products and services to provide to organisations. The ICO deemed this to amount to "invisible processing" because the data subjects had not been made aware of those operations and could not have anticipated these other uses of their data. The ICO also discovered that lawful bases for processing data were being relied upon incorrectly.
While Equifax and the TransUnion companies made sufficient improvements to their operations in response to an ICO audit and had no action taken against them, the ICO found that Experian had not taken enough remedial action. As a result, Experian was given an enforcement notice requiring it to make changes directed by the ICO within nine months, or risk further action.
The enforcement notice requires Experian to:
The potential impact of the ICO's decision is much wider than just to Experian's business.
The data broking ‘ecosystem’ is substantial. Large numbers of organisations use the services of credit reference agencies and other data brokers to inform their marketing and other activities. Not only will those organisations need to review and potentially delete information obtained from Experian and other brokers for marketing and related purposes, but the availability and utility of services they previously received from brokers will be much more limited. For those who receive data from data brokers, the ICO has issued some FAQs detailing the steps that need to be taken to ensure compliance.
The ICO’s decision in the Experian case provides a valuable insight into how the authority interprets various core principles of data protection legislation that will have an impact on the processing of personal data by all businesses.
Jonathan Kirsop
Partner, Head of Technology, Media, and Telecoms
Experian was found to lack transparency in two main areas:
The decision reiterated the ICO’s position that where data has been collected under one lawful basis – namely, consent – it cannot then be processed under a separate lawful basis for separate purposes – in this case, legitimate interests. This would be deemed incompatible even if that lawful basis might otherwise be available.
The ICO's enforcement notice for Experian and its data broker report provide a wide interpretation of processing, and profiling, for the purposes of direct marketing. In particular, even where the processing is to screen people so that they do not receive direct marketing, in this case on the basis of affordability, this would constitute processing for direct marketing purposes. Likewise, the ICO said that the process of aggregating data to provide ‘insights’ into particular categories of individuals for the purposes of direct marketing to be carried out by third parties constituted processing for direct marketing by Experian and the other brokers investigated.
It is notable that the ICO chose to impose an enforcement notice – requiring changes to be implemented by Experian by June 2021 – rather than a monetary penalty, despite there having been an ongoing dialogue and Experian, in the ICO's view, not adequately addressing deficiencies that it had already pointed out.
This decision indicates that, when exercising its fining powers, the ICO is currently adopting a different approach in cases of data security breaches than in cases involving other breaches of data protection law.
The ICO recently imposed a £20 million fine on British Airways over data security failings which enabled unauthorised access to be obtained to personal and payment card information relating to more than 400,000 of its customers. The ICO also recently announced its decision to fine the Marriott hotel group £18.4m after customer data was compromised in a cyber attack.
It appears that the ICO is currently committed to using its powers to issue substantial fines in cases of data security breaches to encourage data controllers to make their systems more secure, and that it is more likely to enter into a dialogue and give businesses an opportunity to remedy non-compliant practices prior to taking enforcement action in cases that do not concern issues of data security.
Although the ICO's review focused on data brokers’ ‘offline’ activities, there are potential analogies with the online ecosystem of digital advertising. Some of the ICO's findings may map across to the ICO’s parallel investigation into ‘ad tech’ and real time bidding which it has recently resumed after a pause in the spring.
In its report, the ICO highlighted areas of the direct marketing data broking sector that are of potential relevance in an adtech context. These include its findings relating to transparency and what it described as 'invisible processing'.
The report also highlights potential issues around the use of consent and/or legitimate interests as the lawful basis for personal data processing involving segmentation and profiling. This may have a relevance to similar activities in the online space.
The ICO’s previously stated view in an online context is that, as consent is required for the use of the tracking technologies such as cookies to collect data, then consent is most likely to be the basis of any subsequent processing. However, the sector considers that its legitimate interests in processing data can be relied upon as a lawful basis for some of the purposes it pursues.
The use of consent and legitimate interests has been reflected in IAB Europe’s Transparency and Consent Framework (TCF) v2, which has been widely adopted across the web as the basis for publishers' consent mechanisms, with the intended aim of helping publishers comply with the GDPR. However, there is already some indication that regulators may not agree with its approach – there have been reports that the Belgian data protection authority, as part of its preliminary findings, has concerns about the transparency, fairness and also the lawfulness of processing under the framework.
The ICO's view on these areas is likely to become clearer as the adtech investigation progresses.