On October 27, 2020, the UK Information Commissioner’s Office (“ICO”) published a report following its investigation into data protection compliance in the direct marketing data broking sector, alongside its enforcement action against Experian. During the investigation, the ICO conducted audits of the direct marketing data broking businesses of the UK’s three largest credit reference agencies (“CRAs”) – Experian, Equifax and TransUnion – and found “significant data protection failures at each” that were “deeply embedded” within the businesses.
Data broking involves collecting and combining personal data from various sources and selling or providing access to this aggregated data to other organizations. The data may take the form of lists of individuals’ names and contact details, or more detailed profiles about individuals, including information such as their preferences and habits. The ICO’s investigation focused specifically on “offline” marketing services, such as postal, telephone and SMS marketing.
As part of the ICO’s work prior to the implementation of the EU General Data Protection Regulation (“GDPR”), it created a map of the trade of personal data within the UK, identifying several “hubs” through which large volumes of personal data flowed. Three such hubs were the three CRAs audited as part of this investigation.
The ICO found that the data of almost every adult in the UK was processed for direct marketing services by at least one of the CRAs, including data provided for statutorily-required credit referencing purposes. In addition, that data was, at times, used to generate new information about individuals, which the ICO stated can be privacy invasive. This data was used by commercial organizations, political parties and charities, and generally, the relevant data subjects were unaware of this processing.
The ICO commented, “The data broking sector provides a valuable service to support organisations across the UK. Products designed for marketing purposes can have a utility beyond merely sending people promotional material, and are sometimes used to help organisations including charities, health bodies and police forces to target resource to a particular area. But the sector does this by processing large amounts of people’s data, often to profile them, and with typically no direct relationship with those people whose information it relies on.”
In particular, the ICO’s report focused on the transparency involved in the processing, the appropriate lawful basis for processing, and the use of credit reference data for direct marketing. The ICO’s key findings were that:
The CRAs’ privacy information did not clearly explain the processing that was taking place, resulting in a lack of transparency. The information was not sufficiently prominent and did not clearly explain how the data was collected, from where it was sourced, how it was processed, or how it was sold.
With regard to their direct marketing services, the CRAs did not provide the information required under the GDPR’s Article 14 to data subjects, incorrectly relying on the exemption permitted by Article 14 where the individual already has the relevant information or where providing it would involve disproportionate effort. The CRAs relied on the privacy notices of the third parties who supplied personal data to them, which did not clearly draw attention to the processing carried out by the CRAs for direct marketing purposes. This resulted in “invisible processing,” which the ICO considered likely not fair and not within an individual’s reasonable expectations. The absence of the Article 14 information also made it difficult for individuals to exercise their rights under the GDPR. The ICO commented that this lack of awareness also prevented it from relying on its usual indicators of public opinion, such as the number of complaints made. In response to the CRAs’ contention that providing a privacy notice would involve disproportionate effort (given the large volume of personal data held and the costs that would be incurred), the ICO noted that, “very large numbers of individuals cannot be the deciding factor against it being proportional to notify people about the processing,” since this would provide a “perverse incentive” for organizations to collect as much data as possible.
Personal data collected for credit referencing purposes was being used for limited direct marketing purposes, without informed consent from individuals. The ICO commented that, “the CRAs’ pivotal role in the financial sector puts them in a position of trust and this brings responsibilities,” meaning that the CRAs were held to a high standard of accountability, transparency and fairness. Using personal data that was collected for statutory credit referencing purposes for secondary direct marketing purposes was not considered fair or appropriate.
The consents relied on by Equifax, generally obtained by third parties on Equifax’s behalf, were not valid under the GDPR. These consents were neither informed nor specific.
With respect to direct marketing services, the legitimate interest assessments that were carried out had not been correctly weighted. They gave little weight to the fact that large amounts of personal data were processed in highly targeted ways, that individuals were being profiled and that the processing lacked transparency.
In some instances, personal data obtained on the basis of consent was then processed in reliance on the legitimate interest legal basis. The ICO confirmed that where data is collected or shared for the purposes of direct marketing on the basis of consent, the appropriate lawful basis for subsequent processing for direct marketing purposes will also be consent. It also commented that the degree of control and the nature of the relationship with the individual would be misrepresented and the right to withdraw consent would be undermined where a change in legal basis took place. This, in turn, would inevitably tip the balance of the legitimate interest balancing test against the CRA. The ICO required Experian to delete any data supplied to it on the basis of consent that it subsequently processed on the basis of legitimate interests.
Equifax and TransUnion have since changed their practices at the ICO’s request, including by withdrawing certain products and services from the market, although they did not accept that their practices were in breach of data protection legislation. Experian was judged to have improved its compliance but the ICO considered its processing of personal data in the context of marketing services to be non-compliant. The ICO issued an Enforcement Notice as an “effective and proportionate” way to ensure Experian brings its remaining practices into compliance. Experian has stated that it will appeal the Enforcement Notice.
Separately, the ICO is investigating the data processing activities of participants in the online advertising (adtech) industry and continuing its investigations into three other large data brokers. In addition, the ICO is conducting a criminal investigation into the trade of personal data obtained unlawfully from the motor accident repair sector and sold to claims management companies, and considering potential offences under the Data Protection Act 1998, the Computer Misuse Act 1990 and conspiracy to commit both offenses. The ICO is also engaged in updating two codes of practice with relevance to data broking under the Data Protection Act 2018: the data sharing code and the direct marketing code. These codes have not yet been submitted to the Secretary of State.
Copyright © 2020, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume X, Number 310