Experian, data brokers, ICO enforcement and digital advertising

The report the ICO has published into compliance in the offline direct marketing data broking sector also suggests the authority may require data practices in the world of online digital advertising to change in the near future.

The Experian case and its impact on users of data brokers

On 27 October the ICO announced that it had served an enforcement notice on Experian, requiring the credit reference agency to "make fundamental changes to how it handles people’s personal data within its direct marketing services".

The enforcement action against Experian arose out of a wider investigation into the offline activities into a handful of so-called ‘data brokers’ – those being organisations, mainly credit reference agencies, that obtain information from a variety of sources and trade that information to other organisations for their use. The ICO published a report into data protection compliance in the direct marketing data broking sector alongside the enforcement notice it imposed on Experian.

The ICO spent two years investigating how Experian, together with other credit reference agencies Equifax and TransUnion companies TransUnion International UK and Callcredit Marketing, used personal data from their data broking businesses for direct marketing purposes.

The ICO found all three credit reference agencies to have collected and used personal data in breach of the transparency and lawful processing requirements outlined in the General Data Protection Regulation.

Specifically, the ICO took issue with the companies using data they had collected for select purposes – conducting credit checks and limited marketing activity – for other purposes, namely generating products and services to provide to organisations. The ICO deemed this to amount to "invisible processing" because the data subjects had not been made aware of those operations and could not have anticipated these other uses of their data. The ICO also discovered that lawful bases for processing data were being relied upon incorrectly.

While Equifax and the TransUnion companies made sufficient improvements to their operations in response to an ICO audit and had no action taken against them, the ICO found that Experian had not taken enough remedial action. As a result, Experian was given an enforcement notice requiring it to make changes directed by the ICO within nine months, or risk further action.

The enforcement notice requires Experian to:

• make improvements to the privacy notice on its website;
• cease the use of data provided to Experian for credit referencing purposes for any direct marketing purposes, except where requested by the individual;
• delete data supplied on the basis of consent, which is processed by Experian on the basis of its legitimate interests;
• directly provide to individuals a GDPR compliant privacy notice, even where Experian has obtained their data from public or other sources than the data subject, with some limited exceptions;
• cease processing personal data where an objective legitimate interest assessment cannot be said to favour the interests of Experian over the rights of the data subject, having particular regard to transparency, and the intrusive nature of profiling;
• review the privacy notices and consent mechanisms of its data suppliers for GDPR compliance; and
• cease processing any personal data where there is insufficient evidence it was collected in a compliant manner.

The potential impact of the ICO's decision is much wider than just to Experian's business.

The data broking ‘ecosystem’ is substantial. Large numbers of organisations use the services of credit reference agencies and other data brokers to inform their marketing and other activities. Not only will those organisations need to review and potentially delete information obtained from Experian and other brokers for marketing and related purposes, but the availability and utility of services they previously received from brokers will be much more limited. For those who receive data from data brokers, the ICO has issued some FAQs detailing the steps that need to be taken to ensure compliance.

Insights from the ICO's decision and report

The ICO’s decision in the Experian case provides a valuable insight into how the authority interprets various core principles of data protection legislation that will have an impact on the processing of personal data by all businesses.

Transparency and so-called ‘invisible’ processing

Experian was found to provide a lack of transparency in two main areas:

• First, in respect of those individuals who may be deemed to have received its privacy notice, either directly or via third parties such as banks with whom those individuals had a relationship, Experian was held to insufficiently notify processing which an individual would ‘not be likely to expect’ – i.e. processing for direct marketing purposes. Although Experian provided information as to this processing, this was held to be insufficiently prominent in its ‘layered’ privacy policy.
• Second, in respect of categories of individuals where there was no effective notification of a privacy policy, for example, where data was obtained from certain public sources, the ICO did not agree with Experian’s argument that to provide such individuals with notice would involve ‘disproportionate effort’, highlighting the limitation of that exemption under Article 14(5)(b) of the GDPR.

Lawful basis

The decision reiterated the ICO’s position that where data has been collected on the basis of one lawful basis – namely, consent – it cannot then be processed on the basis of a separate lawful basis for separate purposes – in this case, legitimate interest. This would be deemed incompatible even if that lawful basis might otherwise be available.    

Scope of direct marketing

The ICO's enforcement notice for Experian and its data broker report provide a wide interpretation of processing, and profiling, for the purposes of direct marketing. In particular, even where the processing is to screen people so that they do not receive direct marketing, in this case on the basis of affordability, this would constitute processing for direct marketing purposes. Likewise, the ICO said that the process of aggregating data to provide ‘insights’ into particular categories of individuals for the purposes of direct marketing to be carried out by third parties constituted processing for direct marketing by Experian and the other brokers investigated.

What it tells us about the ICO’s approach to enforcement

It is notable that the ICO chose to impose an enforcement notice – requiring changes to be implemented by Experian by June 2021 – rather than a monetary penalty, despite there having been an ongoing dialogue and Experian, in the ICO's view, not adequately addressing deficiencies that it had already pointed out.

This decision indicates that the ICO is currently adopting a different approach in cases of data security breaches in comparison with other data breaches when it comes to exercising its fining powers.

The ICO recently imposed a £20 million fine on British Airways over data security failings which enabled unauthorised access to be obtained to personal and payment card information relating to more than 400,000 of its customers. The ICO also recently announced its decision to fine the Marriott hotel group £18.4m after customer data was compromised in a cyber attack.

It appears that the ICO is currently committed to using its powers to issue substantial fines in cases of data security breaches to encourage data controllers to make their systems more secure, and that it is more likely to enter into a dialogue and give businesses an opportunity to remedy non-compliant practices prior to taking enforcement action in cases that do not concern issues of data security.

Parallels with the digital advertising sector

Although the ICO's review focused on data brokers’ ‘offline’ activities, there are potential analogies with the online ecosystem of digital advertising. Some of the ICO's findings may map across to the ICO’s parallel investigation into ‘ad tech’ and real time bidding which it has recently resumed after a pause in the spring.

In its report, the ICO highlighted areas of the direct marketing data broking sector that are of potential relevance in an adtech context. These include its findings relating to transparency and what it described as 'invisible processing'.  .

The report also highlights potential issues around the use of consent and/or legitimate interests as the lawful basis for personal data processing involving segmentation and profiling. This may have a relevance to similar activities in the online space. 

The ICO’s previously stated view in an online context is that, as consent is required for the use of the tracking technologies such as cookies to collect data, then consent is most likely to be the basis of any subsequent processing. However, the sector considers that its legitimate interests in processing data can be relied upon as a lawful basis for some of the purposes it pursues. 

The use of consent and legitimate interests has been reflected in the IAB Europe’s Transparency and Consent Framework (TCF) v2 which is gaining use across the web as the basis for publishers' consent mechanisms with the intended aim of helping publishers comply with the GDPR. The framework has been widely adopted. However, we already have some indication that regulators may not agree with its approach – there have been some reports that the Belgian data protection authority, as part of its preliminary findings, has concerns about the transparency, fairness and also the lawfulness of processing under the framework.

The ICO's view on these areas is likely to become clearer as the adtech investigation progresses.