ICO criticizes Experian for “invisible” data processing

Credit Reference Agency (CRA) Experian must make significant changes to the way it treats individuals’ personal data as part of its direct marketing practice – or face penalties under a new enforcement notice published by the Office of the Information Commissioner (ICO) of the United Kingdom.

The order comes after a two-year investigation into the data handling practices used by Experian and its competitors, Equifax and TransUnion, which found significant data protection gaps in each of them.

During the investigation, the ICO found that each agency ‘traded, enriched and improved’ the personal data of people without their knowledge to develop products which were then sold to commercial organizations, political parties and charities. It said this ‘invisible’ data processing affected millions of adults in the UK who were unaware that their data was being collected and used in this way – a violation of the General Data Protection Regulation (GDPR).

“Our investigation revealed data protection failures that have likely affected millions of adults in the UK,” Information Commissioner Elizabeth Denham said. “Our survey changed the way credit reference agencies operate their offline direct marketing services. He discovered invisible processing, allowing people to better understand how their data is used, which means people can exercise their privacy and data protection rights.

“The information that credit rating agencies are privileged to hold for statutory credit reference purposes has been used unlawfully by them in their capacity as data brokers, regardless of what people might want or expect.”

The investigation also uncovered a number of other data protection gaps at credit rating agencies, including a lack of transparency in what agencies told people they were doing with their data and incorrect use of legal bases for data processing.

Equifax and TransUnion accepted the ICO’s findings and withdrew a number of products and services. However, the watchdog said, Experian did not accept that it was necessary to make changes and, as such, is not ready to provide privacy information directly to individuals, or to cease to use credit reference data for direct marketing purposes.

“The data brokerage industry is a complex ecosystem where information appears to be widely exchanged, without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data,” Denham said. “The lack of transparency and the lack of a legal basis, combined with the intrusiveness of profiling, have resulted in a serious violation of individuals’ rights to information.

“Trading personal data with other organizations has implications beyond the industry. The disruption of the flow of non-compliant personal data will have a significant impact not only on the entire industry, but will bring benefits to individuals and organizations wherever that data is used.”

Denham added, “I am encouraged by the willingness of Equifax and TransUnion to change their practices and prioritize the legal rights of people. Now, I expect the data brokerage industry to make the same commitments.”

The ICO has now issued an enforcement notice requiring Experian to make changes within nine months or risk a fine of up to £20 million or 4% of its annual worldwide revenue, under the GDPR.

The notice requires Experian to: notify individuals that it holds their data and how it uses or plans to use it for marketing purposes by July 2021; cease using data derived from the credit listing side of its business for direct marketing purposes by January 2021; improve transparency on the data it collects, where it comes from, what it is used for, to whom it is sold and why; delete all data provided to it on the legal basis of consent and which is processed on another legal basis of legitimate interest; and stop processing the personal data that it has collected illegally.

Experian CEO Brian Cassin said: “We do not agree with the ICO’s decision today and we intend to appeal. Basically, this is the interpretation of the GDPR and we believe that the ICO’s point of view goes beyond legal requirements.

“This interpretation also risks damaging the services that help consumers, thousands of small businesses and charities, especially as they try to recover from the Covid-19 crisis.”

Cassin said many of the companies that use Experian’s marketing services are SMEs with fewer than 200 employees, in industries hard hit by Covid-19, such as retail, entertainment and travel.

He said data provided by Experian had helped local authorities, NHS organizations, food banks, councils and charities to help some of the UK’s most vulnerable people during the pandemic, and helped plan government support for businesses.

Cassin also dismissed the ICO’s claim that Experian was unclear about the clarity it provides to people about how it uses their data.
