Experian has been rapped over the knuckles by the UK's Information Commissioner's Office (ICO) after the regulator discovered the credit reference agency was trading "millions" of people's data for marketing purposes.
Instead of issuing a monetary fine, however, the data regulator wrapped up a two-year probe yesterday by merely insisting Experian tweaks its online privacy policies and informs consumers it acquired data about them.
"The ICO found that significant 'invisible' processing took place, likely affecting millions of adults in the UK. It is 'invisible' because the individual is not aware that the organisation is collecting and using their personal data. This is against data protection law," said the ICO.
It added: "Some of the [credit reference agencies] were also using profiling to generate new or previously unknown information about people, which is often privacy invasive."
In an aggressive response, Experian chief exec Brian Cassin claimed the ICO enforcement notice against his employer "risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the COVID-19 crisis."
The ICO investigation into data brokers-cum-marketing agencies was triggered by campaign group Privacy International, which hailed its "achieved result" by saying: "Data brokers are key actors in the hidden data ecosystem. The data they collect and later sell can be used for a range of different purposes, from commercial advertising to political campaigning, and in some worrying instances, law enforcement. Most people will never have heard of these companies, as most data brokers are not consumer facing or household names."
Two other agencies, Equifax and TransUnion, were said to have changed their practices before the ICO investigation finished, while Experian dug its heels in and insisted it was doing nothing wrong.
Experian's Cassin claimed the agency's data-harvesting practices consisted of hoovering up information from the electoral register, censuses and "market research data" before developing "statistical models from data to infer insights useful to businesses and public bodies in order that they can function more efficiently".
Cassin also said that local councils, NHS organisations, fire brigades, and charities had all been buying this marketing data from Experian, allegedly "to get help and support to the most vulnerable during the crisis".
Experian said it would be appealing against the ICO's formal enforcement notice. Companies targeted by the ICO since 2018 have a strong incentive to play hardball with the regulator in tribunals and courts: the GDPR and the Data Protection Act 2018 so far have few precedents that either the regulator or industry can point to. Setting early legal precedents that constrain the ICO is therefore vital for companies determined not to let data protection law impede their operations.
British Airways was mostly successful in this, negotiating a proposed £183m data breach fine down to just £20m after two years of intense legal discussions. ®