In October 2020, the Information Commissioner’s Office (ICO) ordered credit reference agency Experian to make changes to the way it handles personal data in direct marketing services. The order followed a two-year investigation by the ICO into how Experian, Equifax and TransUnion use personal data for marketing purposes. According to investigators: “The data of almost every adult in the UK was, in some way, screened, traded, profiled, enriched, or enhanced to provide direct marketing services.”
An investigation by the ICO discovered that Experian, Equifax and TransUnion were “trading, enriching and enhancing people’s personal data without their knowledge”. This was a clear breach of data protection law.
The practices uncovered by the ICO included taking personal data from the electoral roll and supplementing it with other information about an individual to build a more complete data profile. These profiles were then sold to commercial organisations, political parties, or charities and used to help them to find new customers, etc.
According to the ICO, “significant ‘invisible’ processing took place, likely affecting millions of adults in the UK. It is ‘invisible’ because the individual is not aware that the organisation is collecting and using their personal data.”
The ICO raised concerns with all three credit agencies. In response, Equifax and TransUnion made the necessary improvements and changes.
However, Experian did not accept the ICO’s instructions. As a result, Experian was issued with an enforcement notice compelling it to make the changes or risk further action. Experian appealed the decision.
Experian did unlawfully process the personal data of over five million individuals.
That was the ruling of the First-Tier Tribunal (Information Rights), a body which settles legal disputes relating to data protection matters.
The ruling by the Tribunal upheld some aspects of the ICO’s 2020 decision, while rejecting it in other areas. However, while Experian is claiming to be “very pleased” with the outcome of its appeal, the Tribunal ruled that it did not process the personal data of over five million individuals transparently, fairly, or lawfully, because it failed to notify them that it was processing their data for direct marketing purposes. In short, Experian broke data protection laws.
Commenting on the case, Head of Data & Privacy Litigation at Keller Postman UK, Kingsley Hayes, said:
“Experian has been found guilty of processing data illegally, and breaching the data protection rights of up to five million people in the UK. While the latest decision rejects the ICO’s view that Experian’s privacy notice was not transparent, that using credit reference data for direct marketing purposes is unfair, or that Experian did not properly assess its lawful basis, this is still a win for data protection advocates. Even if Experian tries to claim otherwise.