The ICO has ordered the credit reference agency Experian to make fundamental changes to how it handles people's personal data within its offline direct marketing services.
Experian now has until July 2021 to inform people that it holds their personal data and how it intends to use it for marketing purposes. The ICO also requires Experian to stop using personal data derived from the credit referencing side of its business by January 2021.
Today's report is the result of a two year investigation into Experian, Equifax and TransUnion initiated, in part, pursuant to a complaint filed by Privacy International against Equifax and Experian in November 2018. The complaint argued that the data broker industry, an industry premised on exploiting people's data, did not comply with fundamental data protection principles, and requested an investigation by the ICO.
The ICO investigation found "widespread and systemic data protection failings across the sector", "significant data protection failures at each company" and that significant ‘invisible’ processing took place, likely affecting millions of individuals in the UK." As the report underlines, "between the CRAs, the data of almost every adult in the UK was, in some way, screened, traded, profiled, enriched, or enhanced to provide direct marketing services."
Moreover, the report notes that all three of the credit referencing agencies investigated were also using profiling to generate new or previously unknown information about people. This can be extremely invasive and can also have discriminatory effects for individuals. According to the ICO, Experian, Equifax and TransUnion, "also used personal data to create aggregated and anonymous profiling models which could be applied at postcode level..."
Data brokers are key actors in the hidden data ecosystem. The data they collect and later sell can be used for a range of different purposes, from commercial advertising to political campaigning, and in some worrying instances, law enforcement. Most people will never have heard of the these companies, as most data brokers are not consumer facing or household names. People cannot assert their rights if there is no transparency around who is collecting their personal data and for what purpose.
While these companies claim that they can process people's data with or without their consent, today's report has made it clear that the consent relied on to pass on data to third parties was often invalid. Therefore, the ICO's announcement today about three of the most recognisable data brokers in the ecosystem is an important step forward.
Every country with data protection laws needs to look at this sector. Every regulator needs to ask what it is doing to protect people from their data being opaquely exploited by 'credit reference agencies' like Experian. As the UK regulator notes, people don't even know the names of most of these companies and yet they hold everyone's data. We believe the deck is stacked against people and this can't continue.
In November 2018, Privacy International filed a complaint with the UK ICO against Equifax and Experian.
That complaint was part of a broader series of complaints filed at the same time against the hidden data ecosystem that threatens our privacy and blatantly exploits our data in contravention to legal protections such as GPDR.
The complaint alleged that Equifax and Experian do not comply with the Data Protection Principles, namely the principles of transparency, fairness, lawfulness, purpose limitation, data minimisation, and accuracy. Furthermore, they do not have a legal basis for the way they use people's data. Neither consent nor legitimate interest are satisfactory conditions for processing by these companies. They also do not have a basis for processing special category personal data.
Such data exploitation has relevance beyond the legally questionable nature of the practices. Data brokers like Experian and Equifax build profiles of people which can be used by a variety of different actors, including political parties. These intricate profiles make it possible for individuals to be targeted with political ads with a higher degree of effectiveness and accuracy.
Law enforcement and other state agencies also use the data collected by such companies to power their increasingly intrusive surveillance activities. A 2018 investigation by Big Brother Watch showed how Durham Police in the UK were feeding Experian’s Mosaic marketing data into their ‘Harm Assessment Risk Tool’, to predict whether a suspect might be at low, medium or high risk of reoffending.