On 27 October 2020, following a two-year investigation, the UK Information Commissioner’s Office (ICO) published its enforcement notice against credit reference agency Experian Limited (Experian). During the investigation process, Experian strove to improve compliance with the GDPR and the UK Data Protection Act, but it did not go far enough and ICO’s enforcement notice points to a number of continuing contraventions.

Because data brokers collect and commercialize a huge amount of data, they belong to the exclusive category of data controllers who attract particular attention on the part of the supervisory authorities and the general public. On the other hand, if the example of Experian is an indication, there is not much exclusive about the key issues determining lawfulness or unlawfulness of the data brokers’ operations. ICO’s 55-page decision for the most part deals with issues which supervisory authorities often address irrespective of the nature of the data controller’s activity: content and provision of data processing notices, and interplay between consent and legitimate interest as the legal bases for the processing of personal data. An issue which emerges less frequently concerns the data controller’s obligation to ensure that third party suppliers of data have obtained the data compliantly; ICO offered valuable insights in that regard.

Background

Experian, as a credit reference agency, gives lenders a range of information about potential borrowers; lenders then use the information to make decisions about whether to approve credit to a particular individual, or not. A credit reference agency may, however, extend its business operations by collecting data about individuals from a variety of sources and selling that data to clients from varied categories, for direct marketing purposes. The clients range from companies (for targeted ad campaigns for their products and/or services) and political parties (for political campaigning) to charities for their fundraising campaigns. Experian has expanded its activities in the described manner. It runs databases containing data on almost 50 million UK citizens.

Experian uses the data from a variety of sources to create profiles of individuals and adds different attributes to each individual. More than 30 million profiles are flagged as available to be sold to third party organizations for marketing purposes. Other marketing services provided by Experian include enabling third parties to compare their own data with Experian’s records (e.g. to update contact details and to remove the records no longer appropriate or relevant).

Experian’s website contains various privacy policies, including a Consumer Information Portal (CIP) with information on the processing of personal data for marketing purposes and a Credit Reference Agency Information Notice (CRAIN), which explains the processing within credit referencing part of Experian’s business.

ICO’s main findings
  • Transparency requirement not met

ICO found that Experian’s CIP portal is not sufficiently transparent, within the meaning of that term under GDPR Art. 5(1)(a), to ensure that individuals understand Experian’s processing of their personal data for marketing purposes. ICO took into consideration the complexity and scale of the processing on the part of Experian and, on that basis, instructed Experian to revise the CIP. The specific steps Experian should take include placing the information which is likely to surprise individuals into the first layer of the CIP, explaining in real-world terms the potential drawbacks or undesirable outcomes of the data processing, and offering examples of the complex processing activities.

ICO also obliged Experian to transparently explain to the individuals that the company processes their credit reference data for direct marketing purposes.

  • Invisible processing is not allowed – data subjects need to be appropriately informed

ICO ordered Experian to directly notify all concerned individuals (by mail or other acceptable means of communications), where Experian has acquired their personal data from any source other than the individuals themselves. This notice needs to clearly inform the data subject that Experian has obtained his personal data for purposes which include direct marketing, as well as to explain how Experian processes that data. Also, the notice needs to follow the same transparency guidance ICO gave in relation to the CIP. Under the ICO’s enforcement notice, Experian must cease processing of personal data of any individual to whom an Article 14-compliant notice is not sent.

Experian advanced two arguments in order to claim it was under no obligation to send the notices to the data subjects.

Under the first argument, the data subjects already had the information about the processing (GDPR Art. 14(5)(a)). Experian argued that, when it obtains personal data for direct marketing purposes from third party suppliers, it relies on the third-party supplier’s privacy policy, by which the supplier informed the data subjects on the processing. ICO disagreed, stating that these policies are inadequate on multiple grounds: the notices either do not inform the individuals at all that their data would be used by a credit reference agency for direct marketing purposes, or bury such information in second or subsequent layers of layered privacy notices. As data subjects do not expect that their data would be used for direct marketing purposes, such information about unexpected processing should be included in the first layer.

ICO also did not agree with Experian’s second argument, that direct notification of all affected individuals would mean disproportionate effort for the company (GDPR Art. 14(5)(b)). Experian based its proportionality analysis on the claim that, on the one hand, the processing was non-intrusive and was likely to be expected by the data subject, while on the other hand direct notification would be extremely costly and ignored by data subjects. ICO rejected all these claims. Experian’s processing is intrusive of privacy because it involves profiling; the processing is also unlikely to be expected. The fact that there are large numbers of affected individuals is not an argument against notification, because Experian voluntarily chose its own business model and in any event controllers cannot accumulate data about as many individuals as possible in order to claim that their huge number reduces the burden of notification.

Alternatives to direct individual notifications proposed by Experian, including newspaper, TV, or other types of advertising campaign, did not satisfy ICO because it cannot be guaranteed that a given individual would see the campaign. Also, such general advertisement would not be directed to the individual viewing it, meaning that the individual could not know whether his data is being processed or not.

  • Legitimate interest can hardly be the legal basis when processing personal data for profiling purposes

Experian processes the personal data used for direct marketing purposes on the basis of legitimate interest. ICO found this contrary to the law because Experian’s legitimate interests are overridden by the interests or fundamental rights and freedoms of the individual concerned.

The nature of the processing on the part of Experian is intrusive, ICO found, especially because it involves profiling. ICO invoked an opinion of the Article 29 Working Party (06/2014, on the “Notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC” (WP 217)) to the effect that profiling activity is likely to present a significant intrusion into the privacy of the data subject and that the controller’s interest will be overridden as a result. ICO further elaborated that profiling for direct marketing purposes is not generally in an individual’s reasonable expectations and is rarely transparent enough. Therefore, as Article 29 Working Party stated in Opinion 03/2013 on “Purpose Limitation” (WP 203), free, specific, informed, unambiguous opt-in consent would almost always be required for tracking and profiling for purposes of direct marketing.

Because legitimate interest cannot serve as the legal basis for the processing, Experian may, as a rule, process the personal data of the data subjects only on the basis of their consent – either obtained by Experian directly, or by the suppliers from which Experian obtains the data.

  • Switching from consent to legitimate interest is not allowed

ICO ordered Experian to delete personal data received from third-party data suppliers on the basis of the individual’s consent, where Experian processed those data on the basis of legitimate interest. Switching to legitimate interest would misrepresent the degree of control and the nature of the relationship with the individual. Also, the scope of the initial consent often did not encompass processing activities carried out for the purpose of direct marketing, so the further processing for such purpose would render the original consent invalid (not specific and not informed). An additional reason for impermissibility of the switch to legitimate interest is that the individuals would not be able to exercise their right to effectively withdraw the consent.

  • Data controller needs to review compliance of its third-party data suppliers with the GDPR

ICO explained that, in line with the accountability principle (Art. 5.2 GDPR), Experian needed to demonstrate that its processing was compliant with the GDPR. In order to be able to meet that obligation, Experian needed to make sure that the personal data the company received from its suppliers has been collected in a compliant manner. Where there is insufficient evidence that the suppliers collected the personal data in a compliant manner, Experian cannot lawfully process the data.

In that context, ICO’s Terms of the Proposed Enforcement Notice include a request that Experian review compliance with the GDPR of the privacy notices and data capture mechanisms of the suppliers of personal data. Following that exercise, Experian should collect data from only those suppliers who use transparent privacy notices and obtain valid consents.


[Note: Serbian Data Protection Act and the current draft of Montenegrin Data Protection Act mirror the provisions of GDPR. The decisions of supervisory authorities and courts in EU member states may therefore serve as an instructive guidance for compliance with local regulations.]