On October 27, 2020, the UK Information Commissioner’s Office (“ICO”) released a report following its investigation into data protection compliance in the direct marketing data brokerage sector and its enforcement action against Experian. During the investigation, the ICO audited the direct marketing data brokerage businesses of the UK’s three largest credit reference agencies (“CRAs”) – Experian, Equifax and TransUnion – and found that each of them had significant data privacy flaws that were “deeply embedded” within the companies.
Data brokerage is the process of collecting and combining personal data from various sources and selling or granting other organizations access to this aggregated data. The data may be in the form of lists of people’s names and contact details, or more detailed profiles of people, including information such as their preferences and habits. The ICO’s investigation focused specifically on “offline” marketing services such as post, telephone and SMS marketing.
As part of the ICO’s work prior to the implementation of the EU General Data Protection Regulation (“GDPR”), a map of the trade in personal data within the UK was created, identifying several “hubs” through which large amounts of personal data flowed. The three CRAs examined in this investigation were three such hubs.
The ICO found that the data of almost all adults in the UK was processed by at least one of the CRAs for direct marketing services, including data provided for the credit referencing purposes required by law. In addition, this data has at times been used to derive new information about individuals that the ICO says may be privacy-intrusive. The data has been used by commercial organizations, political parties and charities, and in general the data subjects were not aware of this processing.
The ICO commented: “The data brokerage sector provides a valuable service in supporting organizations across the UK. Products designed for marketing purposes can have benefits beyond just sending out promotional materials. Sometimes they are used to help organizations such as charities, health officials, and law enforcement agencies target resources to a specific area. However, the sector does this by processing large amounts of data from people, often in order to profile them, and usually without any direct relationship with the people on whose information it relies.”
The ICO report focused specifically on the transparency of the processing, the appropriate legal basis for the processing, and the use of credit reference data for direct marketing. The ICO’s main findings were:
- The CRAs’ privacy information did not explain the processing clearly, resulting in a lack of transparency. The information was not prominently presented and did not clearly explain how the data was collected, where it was obtained from, how it was processed, or how it was sold.
- Personal data collected for credit referencing purposes had been used, without the consent of individuals, for limited direct marketing purposes. The ICO stated: “The central role of credit reference agencies in the financial sector puts them in a position of trust and this brings responsibility.” This means that CRAs are held to a high standard of accountability, transparency and fairness. The use of personal information collected for statutory credit referencing purposes for secondary direct marketing purposes was deemed not to be fair or appropriate.
- The consents relied upon by Equifax, which were generally obtained from third parties on Equifax’s behalf, were not valid under the GDPR. These consents were neither informed nor specific.
- With regard to direct marketing services, the legitimate interests assessments carried out were not properly balanced. They gave little weight to the fact that large amounts of personal data were processed in a very targeted manner, that people were profiled, and that the processing was not transparent.
- In some cases, personal data obtained on the basis of consent had then been processed in reliance on the legal basis of legitimate interests. The ICO confirmed that when data is collected or passed on for direct marketing purposes on the basis of consent, consent is also the appropriate legal basis for subsequent processing for direct marketing purposes. It also pointed out that a change of legal basis would misrepresent the level of control and the nature of the relationship with the individual and undermine the right to withdraw consent. This in turn would inevitably weigh against the CRA in the balancing test of the legitimate interests assessment. The ICO asked Experian to delete all data that had been provided to it on the basis of consent and that it later processed on the basis of legitimate interests.
Equifax and TransUnion have since changed their practices at the request of the ICO, including withdrawing certain products and services from the market, although they do not accept that their practices violated data protection law. Experian fared better, but the ICO still considered its processing of personal data as part of its marketing services to be non-compliant. The ICO issued an enforcement notice requiring Experian to bring its remaining practices into compliance. Experian has announced that it will appeal the enforcement notice.
Separately, the ICO is investigating the data processing activities of participants in the online advertising industry (adtech) and is continuing its investigations at three other large data brokers. Additionally, the ICO is conducting a criminal investigation into the trafficking of personal data illegally sourced from the motor accident repair sector and sold to claims management companies, and is investigating possible offences under the Data Protection Act 1998, the Computer Misuse Act 1990, and conspiracy to commit both offences. The ICO is also updating two codes of practice relevant to data brokering under the Data Protection Act 2018: the data sharing code and the direct marketing code. These codes have not yet been submitted to the Secretary of State.