A data broking investigation conducted over the past two years has resulted in an enforcement action against the company Experian.
A data broking investigation into Experian as well as Equifax and TransUnion and their use of personal data within their data broken businesses has resulted in enforcement action. The ICO published a report earlier this month, on the findings of their extensive investigation into these data broking companies, their processes, and the legislative framework which led to this outcome.
The investigation found significant processing of personal data unbeknownst to the data subjects, by the CRAs; Equifax, TransUnion and Experian.
The investigation by the ICO uncovered how these three CRAs (Credit Reference Agencies) were trading, enriching and enhancing people’s personal data without their knowledge. This personal data was then used by commercial organizations, political parties and charities to find new customers, build profiles about people, and also identify the people most likely to be able to afford their goods and services.
The ICO defines data broking as “the practice of obtaining information about individuals and trading, including by licensing, this information or information derived from it as products or services to other organisations or individuals. Information about individuals is often aggregated from multiple sources, or otherwise enhanced, to build individual profiles.” Collecting and using an individual’s personal data without their knowledge goes against data protection law.
Through the data broking investigation, the ICO uncovered several data protection failures at each company.
Through their investigation the ICO found that the personal data provided to each of these CRAs which would then be used to provide the statutory credit referencing function, was also being used for marketing purposes in limited ways. Some of the CRAs also engaged in profiling to generate new information or previously unknown information about the data subjects.
These companies also failed to be transparent. While they did provide some privacy information on their websites, it did not clearly explain what they were doing with people’s data. In addition to this, they were using some lawful bases incorrectly to process the data.
While all three companies were at fault, only Experian was subjected to enforcement action because they did not do enough to improve compliance.
All three CRAs made improvements to their Direct Marketing Services business as a result of the work done by the ICO. In addition to this, Equifax and TransUnion withdrew some of their products and services. For this reason the ICO has chosen not to take any further action against them.
While Experian has also made some progress, the ICO found that the company did not go far enough. This CRA does not accept accountability for making changes set out by the ICO, and as a result, were not prepared to issue privacy information directly to data subjects, nor were they prepared to stop using credit reference data for direct marketing purposes.
Experian is now expected to make necessary changes to their framework within 9 months or risk further action including being fined.
The ICO decided to issue an enforcement notice, as it is seen at the most effective way of achieving compliance in this situation. The notice orders Experian to make the necessary changes within 9 months or risk further action. The company now risks being hit with a fine of up to €20 million or 4% of it’s total annual worldwide turnover. This notice from the ICO also requires Experian to inform people that hold their personal data. The company must also stop using the data derived from the credit referencing side of its business by January 2021.