Experian, data brokers, ICO enforcement and digital advertising

Transparency and so-called ‘invisible’ processing

Experian was found to provide a lack of transparency in two main areas:

  • First, in respect of those individuals who may be deemed to have received its privacy notice, either directly or via third parties such as banks with whom those individuals had a relationship, Experian was held to have insufficiently notified them of processing which an individual would ‘not be likely to expect’ – i.e. processing for direct marketing purposes. Although Experian provided information about this processing, it was held to be insufficiently prominent in its ‘layered’ privacy policy.
  • Second, in respect of categories of individuals where there was no effective notification of a privacy policy, for example, where data was obtained from certain public sources, the ICO did not agree with Experian’s argument that to provide such individuals with notice would involve ‘disproportionate effort’, highlighting the limitation of that exemption under Article 14(5)(b) of the GDPR.

Lawful basis

The decision reiterated the ICO’s position that where data has been collected on the basis of one lawful basis – namely, consent – it cannot then be processed on the basis of a separate lawful basis for separate purposes – in this case, legitimate interest. This would be deemed incompatible even if that lawful basis might otherwise be available.

Scope of direct marketing

The ICO’s enforcement notice for Experian and its data broker report provide a wide interpretation of processing, and profiling, for the purposes of direct marketing. In particular, even where the processing is to screen people so that they do not receive direct marketing, in this case on the basis of affordability, this would constitute processing for direct marketing purposes. Likewise, the ICO said that the process of aggregating data to provide ‘insights’ into particular categories of individuals for the purposes of direct marketing to be carried out by third parties constituted processing for direct marketing by Experian and the other brokers investigated.

What it tells us about the ICO’s approach to enforcement

It is notable that the ICO chose to impose an enforcement notice – requiring changes to be implemented by Experian by June 2021 – rather than a monetary penalty, despite there having been an ongoing dialogue and Experian, in the ICO’s view, not adequately addressing deficiencies that it had already pointed out.

This decision indicates that, when exercising its fining powers, the ICO is currently adopting a different approach to data security breaches than to other breaches of data protection law.

The ICO recently imposed a £20 million fine on British Airways over data security failings which enabled unauthorised access to be obtained to personal and payment card information relating to more than 400,000 of its customers. The ICO also recently announced its decision to fine the Marriott hotel group £18.4m after customer data was compromised in a cyber attack.

It appears that the ICO is currently committed to using its powers to issue substantial fines in cases of data security breaches to encourage data controllers to make their systems more secure, and that it is more likely to enter into a dialogue and give businesses an opportunity to remedy non-compliant practices prior to taking enforcement action in cases that do not concern issues of data security.

Parallels with the digital advertising sector

Although the ICO’s review focused on data brokers’ ‘offline’ activities, there are potential analogies with the online ecosystem of digital advertising. Some of the ICO’s findings may map across to the ICO’s parallel investigation into ‘ad tech’ and real time bidding which it has recently resumed after a pause in the spring.
