Transparency and so-called ‘invisible’ processing
Experian was found to lack transparency in two main areas:
The decision reiterated the ICO’s position that where data has been collected under one lawful basis – in this case, consent – it cannot then be processed under a separate lawful basis for separate purposes – here, legitimate interests. Such processing would be deemed incompatible even if that lawful basis might otherwise have been available.
Scope of direct marketing
The ICO’s enforcement notice for Experian and its data broker report take a wide interpretation of processing, and profiling, for the purposes of direct marketing. In particular, even where the processing is used to screen people out so that they do not receive direct marketing – in this case, on the basis of affordability – it constitutes processing for direct marketing purposes. Likewise, the ICO said that aggregating data to provide ‘insights’ into particular categories of individuals, for direct marketing to be carried out by third parties, constituted processing for direct marketing by Experian and the other brokers investigated.
What it tells us about the ICO’s approach to enforcement
It is notable that the ICO chose to impose an enforcement notice – requiring changes to be implemented by Experian by June 2021 – rather than a monetary penalty, despite there having been an ongoing dialogue and Experian, in the ICO’s view, not adequately addressing deficiencies that it had already pointed out.
This decision indicates that, when exercising its fining powers, the ICO is currently taking a different approach to data security breaches than to other breaches of data protection law.
The ICO recently imposed a £20 million fine on British Airways over data security failings which enabled unauthorised access to personal and payment card information relating to more than 400,000 of its customers. The ICO also recently announced its decision to fine the Marriott hotel group £18.4 million after customer data was compromised in a cyber attack.
It appears that the ICO is currently committed to using its powers to issue substantial fines in cases of data security breaches to encourage data controllers to make their systems more secure, and that it is more likely to enter into a dialogue and give businesses an opportunity to remedy non-compliant practices prior to taking enforcement action in cases that do not concern issues of data security.
Parallels with the digital advertising sector
Although the ICO’s review focused on data brokers’ ‘offline’ activities, there are potential analogies with the online ecosystem of digital advertising. Some of the ICO’s findings may map across to its parallel investigation into ‘ad tech’ and real-time bidding, which it recently resumed after a pause in the spring.