On October 27, 2020, the UK Information Commissioner’s Office (“ICO”) published its enforcement notice against credit reference agency Experian Limited (“Experian”) under Section 149 of the Data Protection Act 2018 (“DPA”) (the “notice”). The notice requires Experian to make fundamental changes to its offline direct marketing practices, and was issued after the ICO undertook a two-year investigation into the use of personal data by data broking businesses Experian, Equifax and TransUnion.

The ICO’s investigation found that all three organizations had used personal data to allow commercial organizations, political parties and charities to find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people, without the knowledge of their millions of data subjects (i.e., “invisible processing”). In Experian’s case, the ICO determined that its practices infringed the data protection principles under Article 5, specifically the principles of transparency and lawfulness, and the data subject rights under Articles 12 to 22 of the EU General Data Protection Regulation (“GDPR”).

The ICO identified numerous other failings by the three organizations, including the further use of personal data provided for credit referencing purposes for direct marketing, the use of profiling to generate new information about data subjects, a lack of transparency and incorrect use of lawful bases for processing. The failings of the organizations are further detailed in the ICO’s report into data protection compliance in the direct marketing data broking sector, which was released by the ICO on October 27, 2020.

While all three organizations made changes to their marketing practices at the ICO’s request including –in Equifax and TransUnion’s case – withdrawing certain products and services from the market, the ICO found that Experian had not gone far enough and did not make the changes requested by the ICO. Experian was not willing to provide privacy information to individuals or stop using credit reference data for direct marketing purposes. The ICO considered Experian’s contraventions of the law to be serious on the basis that (1) an extremely large number of data subjects was affected; (2) the processing involved profiling and collation of personal data from an array of different sources; (3) the processing was invisible, and parts of Experian’s business model depended on such processing being invisible; and (4) there was no public interest in the processing. The ICO also determined that the processing was likely to cause some distress to data subjects, due to its unexpected nature.

The notice requires that, by July 2021, Experian implement changes so that data subjects are informed that it holds their personal data and  how it uses or intends to use it for marketing purposes (subject to Experian’s appeal). Experian is also required to cease using personal data obtained through its credit referencing business for direct marketing purposes by January 2021, since individuals do not have control over whether data is shared with Experian for credit reference purposes and would not expect such processing to occur. If Experian does not take the required actions, it may be subject to the highest fines available under the GDPR (i.e., up to £20m or 4% of Experian’s total annual worldwide turnover).

UK Information Commissioner Elizabeth Denham stated: “The data broking sector is a complex ecosystem where information appears to be traded widely, without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data. The lack of transparency and lack of lawful bases combined with the intrusive nature of the profiling has resulted in a serious breach of individuals’ information rights.” Denham also commented that she expects other organizations in the data broking sector to make the same commitments as Equifax and TransUnion with regards to putting the legal rights of individuals first.

Experian has stated it will appeal the notice.