ICO’s investigation into the data broking sector and enforcement notice to Experian

The report and the enforcement notice, together, set out strict requirements in relation to: transparency and privacy notices; further processing/purpose limitation; lawful basis; and sourcing personal data from third party suppliers. Further comment on each of these points is set out below. 

Although the report is specific to offline uses of personal data, many of the conclusions in the report will be relevant to, and are consistent with concerns ICO has expressed about, online uses of personal data.  Organisations involved in data broking – whether off or online – should now:

• check how clear they are in their privacy notices and re-assess if they need to provide notices directly to individuals, rather than relying on their suppliers to do this; 
• check if they can rely on legitimate interests or should be relying on consent to process personal data; 
• ensure legitimate interests assessments are carried out in a sufficiently objective manner; and 
  check whether they have a robust audit programme in place in relation to third parties who supply them with personal data.

1. Transparency: ICO emphasized a need to have a clear explanation of what personal data was collected; the sources used (which should include precise sources of public register data); how data would be processed and how sold on – including examples to make this clear to individuals. Information which would surprise individuals must be included early on in the notice.  Euphemisms and industry jargon – such as the term “insights” –are not acceptable.  The front of the privacy notice should contain an “at a glance” summary of direct marketing processing, including the attributes uses in profiles (both actual and modelled data).  ICO did pay regard to CRA commissioned user research to demonstrate the readability of its notice, noting that this could assist a controller in demonstrating that it has met its transparency obligations.
   
   
2. Art. 14 and invisible processing: the CRAs did not proactively provide privacy information to individuals, because the CRAs did not collect personal data directly from individuals. ICO rejected arguments that individuals already had this information (via privacy notices of third party data suppliers). ICO also rejected arguments that it would be a disproportionate effort for the CRAs to provide a direct notice – arguing that where a controller’s business model is based upon massive collection of personal data it cannot assert that compliance with associated legal requirements is burdensome. ICO accepted that there was no need to provide a direct privacy notice purely for personal data obtained from suppression lists (such as the Telephone Preference Service) or for data on the open electoral register. However, this last exemption would only apply if open electoral data is used by itself (e.g. for address validation); if it is appended to any other data, then a privacy notice should be provided directly to individuals. ICO rejected arguments from Experian that transparency obligations could be met by “open” public notices, or via TV advertising or “dear householder” type letters. Instead, ICO considered that Experian must provide this information directly to individuals – for example, by directly addressed mail. 
   
   
3. Further processing/ purpose limitation: the CRAs were using personal data collected for credit referencing purposes for limited direct marketing purposes – principally screening out individuals from direct marketing campaigns where there were affordability concerns. ICO considered that even this limited use – which could often even be in the interests of the individuals concerned as it would minimise risks of over-indebtedness – should be restricted.  In the enforcement notice on Experian, ICO did note that it may – possibly – be open to Experian to source credit reference data without consent from other sources, for example, County Court Judgments. 
   
   Lawful basis: The CRAs relied on legitimate interests as the lawful basis for processing. ICO required  legitimate interest assessments (LIA) to be carried out “objectively” giving due weight to the fact that large amounts of data are processed in a highly targeted way. Experian concluded that its processing was not intrusive, a view ICO considered to be “erroneous”, on the basis that it was a different conclusion to that contained in published guidance from EU authorities, the Article 29 Working Party. In the report, ICO notes that legitimate interests is likely to be the appropriate basis when individuals would expect processing and there is minimal privacy impact, or when there is a compelling justification for the processing – this seems to be a significant narrowing of when legitimate interests can be applied, reducing its application below that permitted by the GDPR itself. The enforcement notice against Experian also requires it to cease processing any personal data where an objective legitimate interests assessment cannot be said to favour the interests of Experian – this seems to flip the actual test in GDPR, which allows processing unless the controller’s interests are overridden by the interest of the data subject (in other words, the test does not have to “favour” the controller, it is enough that it does not favour data subjects). 
   
   
4. Inappropriate change of legal basis: the Experian enforcement notice found that in some cases, data suppliers supplied Experian with data on the basis of consent, but Experian then relied on legitimate interests as the lawful basis for processing. The ICO found that switching from consent to legitimate interests was not appropriate. ICO concluded that this would mislead individuals as to the degree of control they had over their data and their ability to withdraw consent; according to ICO, this misrepresentation would then automatically mean that a legitimate interests assessment would inevitably conclude that individuals interests outweigh the controllers. 
   
   
5. Data suppliers: data brokers must carry out due diligence on their suppliers to check if their privacy notices are sufficiently clear and prominent. In the Experian enforcement notice, ICO noted that Experian checked notices every 3 months (or for one supplier, every 6 months). ICO sampled some of these notices and found them to be unsatisfactory and tasked Experian with reviewing these notices and ceasing to process personal data where notices were not of a sufficiently high standard.

Background to the investigation and notice

The ICO contacted these CRAs in 2017 with detailed questions about their products as part of a long running assessment of direct marketing data broking practices and, in summer 2018, the CRAs participated in audits of their respective practices by the ICO. 

Following its investigation, the ICO issued preliminary enforcement notices to the three CRAs outlining the steps that the ICO intended to require of them: TransUnion and Equifax made improvements to their marketing services and also withdrew certain products and services, and as a result the ICO gave each a clean bill of health with no enforcement action being commenced against either company. Although the ICO recognised that Experian had made progress in improving its compliance, it issued Experian with an enforcement notice, as the ICO said that it continued to have fundamental concerns with its processing of personal data. The ICO also investigated the direct marketing services of three other data brokers who do not operate as CRAs and will publish the results of this investigation separately. 

The full ICO report is available here.

In its enforcement notice to Experian, the ICO identified the failings described above and required Experian to take steps to comply with the GDPR, in particular:

- Within 3 months to:

(a) review its Consumer Information Portal (CIP) i.a. to clearly set out at one place and at the forefront of the privacy information an “at a glance” summary of its direct marketing processing, including the attributes its uses in respect of individuals’ profiles; to place information that is more likely to surprise individuals more prominently; to remove unduly euphemistic or industry-based language; to include information about each source of data, each use of data and the onward disclosure of data along with examples and possible outcomes; 
(b) cease using credit reference derived data for direct marketing purposes, unless requested by individuals; and
(c) delete data collected on the basis of consent which is now processed by Experian on the basis of its legitimate interests. 

- Within 9 months to:

(d) directly provide all individuals with an Article 14-compliant privacy notice, or cease processing their data if it fails to provide such notice; 
(e) cease processing data where the objective LIA cannot be said to favour Experian’s legitimate interests; and
(f) in respect of Experian’s suppliers, review the GDPR compliance of their privacy notices and data collection mechanisms and cease processing data where there is insufficient evidence that it was collected in a compliant manner. 

In parallel, the ICO has published guidance for organisations using marketing services of data brokers, which includes information about carrying out due diligence of data broking providers, ensuring transparency and establishing a lawful basis. The ICO’s guidance is available here.