ICO controls the collection and use of data by the data broker
On October 27, 2020, following a two-year investigation, the UK Information Commissioner’s Office (ICO) published its enforcement notice against the credit reference agency Experian Limited (Experian). During the investigation, Experian made some effort to improve its compliance with the GDPR and UK data protection law, but this did not go far enough, and the ICO’s enforcement notice identifies a number of continuing violations.
Because data brokers collect and market a huge amount of data, they fall into a distinct category of data controllers that attracts special attention from supervisory authorities and the general public. On the other hand, if the Experian case is any indication, there is little that is unique about the key issues determining whether a data broker’s operations are lawful. The 55-page ICO decision essentially deals with issues that supervisory authorities address regardless of the nature of the controller’s activity: the content and provision of data processing notices, and the interplay between consent and legitimate interest as legal bases for the processing of personal data. A less frequently addressed problem concerns the controller’s obligation to ensure that third-party data providers obtained the data in a compliant manner; the ICO offered valuable guidance in this regard.
Experian, as a credit reference agency, provides lenders with a range of information on potential borrowers; lenders then use that information to decide whether or not to grant credit to a particular person. A credit reference agency can, however, expand its business by collecting data about individuals from various sources and selling that data to customers of various kinds for direct marketing purposes. Such clients range from businesses (for targeted advertising campaigns for their products and/or services) and political parties (for political campaigns) to charities (for fundraising campaigns). Experian has expanded its activities in exactly this way. It maintains databases containing data on nearly 50 million UK citizens.
Experian uses data from various sources to create individual profiles and attaches different attributes to each individual. Over 30 million profiles are reported to be available for sale to third-party organizations for marketing purposes. Other marketing services provided by Experian include allowing third parties to match their own data against Experian’s records (for example, to update contact details and remove records that are no longer accurate or relevant).
Experian’s website contains various privacy notices, including a Consumer Information Portal (CIP) with information on the processing of personal data for marketing purposes and a Credit Reference Agency Information Notice (CRAIN), which explains the processing carried out in the context of credit referencing.
Main findings of the ICO
- Transparency requirement not met
The ICO found that Experian’s CIP is not sufficiently transparent, in the sense of Art. 5(1)(a) GDPR, to ensure that individuals understand Experian’s processing of their personal data for marketing purposes. The ICO took into account the complexity and scale of Experian’s processing and, on that basis, required Experian to revise the CIP. The specific steps Experian must take include placing information that might surprise individuals in the first layer of the CIP, explaining in plain terms the potential drawbacks or undesirable consequences of the processing, and providing examples of its complex processing activities.
The ICO also required Experian to explain transparently to individuals that the company processes their credit reference data for direct marketing purposes.
- Invisible processing is not allowed – data subjects must be properly informed
The ICO ordered Experian to notify directly (by mail or another acceptable means of communication) all affected individuals whose personal data Experian obtained from any source other than the individuals themselves. This notice must clearly inform the data subject that Experian has obtained their personal data for purposes that include direct marketing, and explain how Experian handles such data. In addition, the notice must follow the same transparency guidance that the ICO gave with respect to the CIP. Under the enforcement notice, Experian must cease processing the personal data of anyone to whom such an Art. 14 notice is not sent.
Experian made two arguments to support its claim that it had no obligation to send such notices to the affected persons.
The ICO also disagreed with Experian’s second argument, namely that direct notification of all data subjects concerned would involve a disproportionate effort for the company (Art. 14(5)(b) GDPR). Experian based its proportionality analysis on the assertion that, on the one hand, the processing was non-intrusive and likely to be expected by data subjects, while on the other hand direct notification would be extremely expensive and would be ignored by those affected. The ICO rejected all of these arguments. Experian’s processing is intrusive because it involves profiling, and it is also unlikely to be expected by data subjects. The large number of people involved is not an argument against notification: Experian voluntarily chose its own business model, and in any event controllers cannot accumulate data on as many people as possible and then claim that their sheer number reduces the notification burden.
The alternatives to direct individual notification proposed by Experian, including newspaper, television or other advertising campaigns, did not satisfy the ICO, as there is no guarantee that a given individual would see the campaign. Moreover, such general advertising would not be addressed to the person viewing it, so the person would have no way of knowing whether their own data was being processed.
- Legitimate interest can hardly be the legal basis when processing personal data for profiling purposes
Experian processes the personal data it uses for direct marketing purposes on the basis of legitimate interest. The ICO found this to be unlawful because the interests and fundamental rights and freedoms of the data subjects override Experian’s legitimate interests.
The ICO found the nature of Experian’s processing to be intrusive, in part because it involves profiling. The ICO relied on an opinion of the Article 29 Working Party (Opinion 06/2014 on the “Notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC”, WP 217) to the effect that profiling is likely to constitute a significant intrusion into the privacy of the data subject, so that the controller’s interests will be overridden. The ICO further clarified that profiling for direct marketing purposes is generally not within an individual’s reasonable expectations and is rarely transparent enough. Therefore, as the Article 29 Working Party stated in Opinion 03/2013 on “Purpose limitation” (WP 203), free, specific, informed and unambiguous consent would almost always be required for tracking and profiling for direct marketing purposes.
Since legitimate interest cannot serve as the legal basis for this processing, Experian may, as a general rule, process data subjects’ personal data only on the basis of their consent, whether obtained directly by Experian or by the suppliers from which Experian obtains the data.
- Switching from consent to legitimate interest is not allowed
The ICO ordered Experian to delete personal data received from third-party data providers on the basis of the individual’s consent where Experian then processed that data on the basis of legitimate interest. Switching to legitimate interest would distort the degree of control the individual has and the nature of the relationship with the individual. In addition, the scope of the original consent often did not cover processing for direct marketing purposes, so further processing for that purpose would not be covered by a valid consent (the consent would be neither specific nor informed as to that purpose). A further reason why the switch to legitimate interest is inadmissible is that individuals would be deprived of the ability to exercise their right to withdraw consent effectively.
- The controller must verify the compliance of its third-party data providers with the GDPR
The ICO explained that, under the accountability principle (Art. 5(2) GDPR), Experian must be able to demonstrate that its processing complies with the GDPR. To meet this obligation, Experian had to ensure that the personal data it received from its suppliers had been collected in a compliant manner. Where there is insufficient evidence that the providers collected the personal data compliantly, Experian cannot lawfully process the data.
In this context, the terms of the ICO’s enforcement notice include a requirement that Experian review the GDPR compliance of the privacy notices and data capture mechanisms of its personal data providers. As a result of this exercise, Experian should collect data only from suppliers that use transparent privacy notices and obtain valid consents.
[Note: The Serbian Data Protection Act and the current draft of the Montenegrin Data Protection Act mirror the provisions of the GDPR. The decisions of supervisory authorities and courts in EU member states may therefore serve as instructive guidance for compliance with local regulations.]