Following a two-year investigation into credit reference agencies, the Information Commissioner’s Office (ICO) has taken enforcement action against Experian. It was ruled that the company must make “fundamental changes to how it handles people’s personal data”, according to the ICO.
The investigation examined three credit agencies, of which Experian is the only one to reportedly face punitive action for data handling they carry out for direct marketing purposes.
Experian is understood to have taken some steps towards improving their data handling, but it was not enough to satisfy the ICO that data protection law was being adhered to. It is reassuring to know that Experian must make changes, and demonstrates to other companies that any sidestepping of the GDPR will not be tolerated by regulators.
Why has the ICO taken enforcement action against Experian?
The ICO investigation began in 2018 when the watchdog decided it would be appropriate to review the data broking practices of credit reference agencies (CRAs) in light of the new GDPR (General Data Protection Regulation) introduced in the same year. Concerns were also raised by campaign group Privacy International, who reportedly made a complaint specifically about Experian and Equifax.
Data broking is a practice within the direct marketing services provided by CRAs, whereby agencies acquire personal data, gather more information to build a picture of individuals’ identities, and then can sell this information on to businesses, charities and political parties. This personal data can be incredibly valuable to its buyers, enabling them to identify who to target with their goods and services.
The ICO found that this data processing and trading was being carried out without the clear knowledge or permission of customers at Equifax, Transunion and Experian. While the first two CRAs made improvements and removed some non-compliant products and services, the latter did not concede. As such, the ICO was compelled to take enforcement action against Experian.
What does this mean for the public?
The practice of data broking had widely been viewed as unethical even before the investigation began. As such, the announcement of enforcement action against Experian is a positive step towards upholding data privacy at CRAs.
The apparent lack of transparency surrounding data processing at CRAs has now been condemned by the ICO, such that these companies should now toe the line when it comes to data protection law.
However, Experian announced its intention to appeal the action, with a spokesperson stating that “the ICO’s view goes beyond the legal requirements”. It is disappointing to hear that the company is unwilling to accept the enforcement action, which simply requires Experian to process data in a way perceived as lawful and inform customers about how their information is processed.
CRAs and data breach law
CRAs have long been of concern to Your Lawyers – The Data Leak Lawyers – as we recognise the harmful effect that invisible data processing can cause to unsuspecting people.
While we hope that the enforcement action against Experian will act as a lesson to other businesses, many companies are often unwilling to learn, and so data breaches will continue to happen. We are here to help anyone who has suffered the effects of a data protection breach, aiming to win them the compensation that they deserve.
Please do not hesitate to contact us for free, no-obligation advice if you think you have a claim to make.