20 November 2020
On 27th October 2020, the ICO published a report on its investigation into data protection compliance in the direct marketing data broking sector. The ICO's investigation focussed on offline marketing services offered by the three largest credit reference agencies (CRAs) in the UK. The investigation covered only direct marketing services and did not extend to the core credit referencing function of these companies. Also, it did not involve data collected about individuals' online behaviour. On 12th October 2020, in connection with this investigation, the Information Commissioner published an enforcement notice on Experian, requiring it to make certain changes to its privacy notice and processing of personal data.
The report and the enforcement notice, together, set out strict requirements in relation to: transparency and privacy notices; further processing/purpose limitation; lawful basis; and sourcing personal data from third party suppliers. Further comment on each of these points is set out below.
Although the report is specific to offline uses of personal data, many of the conclusions in the report will be relevant to, and are consistent with concerns ICO has expressed about, online uses of personal data. Organisations involved in data broking – whether off or online – should now:
The ICO contacted these CRAs in 2017 with detailed questions about their products as part of a long-running assessment of direct marketing data broking practices and, in summer 2018, the CRAs participated in audits of their respective practices by the ICO.
Following its investigation, the ICO issued preliminary enforcement notices to the three CRAs outlining the steps that the ICO intended to require of them: TransUnion and Equifax made improvements to their marketing services and also withdrew certain products and services, and as a result the ICO gave each a clean bill of health with no enforcement action being commenced against either company. Although the ICO recognised that Experian had made progress in improving its compliance, it issued Experian with an enforcement notice, as the ICO said that it continued to have fundamental concerns with its processing of personal data. The ICO also investigated the direct marketing services of three other data brokers who do not operate as CRAs and will publish the results of this investigation separately.
The full ICO report is available here.
In its enforcement notice to Experian, the ICO identified the failings described above and required Experian to take steps to comply with the GDPR, in particular:
- Within 3 months to:
  (a) review its Consumer Information Portal (CIP), among other things, to set out clearly in one place and at the forefront of the privacy information an "at a glance" summary of its direct marketing processing, including the attributes it uses in respect of individuals' profiles; to place information that is more likely to surprise individuals more prominently; to remove unduly euphemistic or industry-based language; and to include information about each source of data, each use of data and the onward disclosure of data, along with examples and possible outcomes;
  (b) cease using credit reference derived data for direct marketing purposes, unless requested by individuals; and
  (c) delete data collected on the basis of consent which is now processed by Experian on the basis of its legitimate interests.
- Within 9 months to:
  (d) directly provide all individuals with an Article 14-compliant privacy notice, or cease processing their data if it fails to provide such notice;
  (e) cease processing data where the objective legitimate interests assessment (LIA) cannot be said to favour Experian's legitimate interests; and
  (f) in respect of Experian's suppliers, review the GDPR compliance of their privacy notices and data collection mechanisms and cease processing data where there is insufficient evidence that it was collected in a compliant manner.
In parallel, the ICO has published guidance for organisations using marketing services of data brokers, which includes information about carrying out due diligence of data broking providers, ensuring transparency and establishing a lawful basis. The ICO's guidance is available here.
For further information on this topic please contact Ruth Boardman or Katerina Tassi at Bird & Bird LLP by telephone (+44 20 7415 6000) or email (firstname.lastname@example.org or email@example.com). The Bird & Bird LLP website can be accessed at www.twobirds.com.
This article has been reproduced in its original format from Lexology – www.Lexology.com.