Experian faces GDPR action after ICO finds ‘widespread data protection failings’

A magnifying glass held over the Experian logo as seen on the company's website

The Information Commissioner’s Office (ICO) has ordered credit rating giant Experian to stop profiting from the secretive enriching and processing of people’s personal data or face a massive GDPR fine.

The UK data regulator has reprimanded the company after discovering a massive data broking operation across the entire credit rating industry, with all three credit reference agencies (CRAs), including Equifax and TransUnion, under fire for illegal practices.

The investigation found the three firms were trading, enriching and enhancing people’s personal data without their knowledge or consent. This resulted in products which were used by third-party commercial organisations to find new customers, identify those who were most likely to be able to afford products, and build individual profiles around people. Such services were also used by political parties and charities.

This “invisible” processing likely affected millions of adults in the UK, and certainly breaches data protection laws, the ICO concluded in its report - the result of a two-year investigation into the sector following an initial complaint in 2018.

The data regulator uncovered “widespread and systemic data protection failings” across the entire CRA sector, which it found is particularly concerning in an industry entirely dependent on personal data.

Of particular concern is the way these companies were using profiling to generate fresh or previously unknown information about individuals, which can be extremely invasive and can also have discriminatory effects.

“The information the CRAs are privileged to hold for statutory credit reference purposes was unlawfully used by them in their capacity as a data broker, with poor regard for what people might want or expect,” said Information Commissioner Elizabeth Denham.

“The data broking sector is a complex ecosystem where information appears to be traded widely, without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data. The lack of transparency and lack of lawful bases combined with the intrusive nature of the profiling has resulted in a serious breach of individuals’ information rights.”

After all three companies were confronted, each made improvements to their direct marketing services business. Equifax and TransUnion made these improvements alongside withdrawing some products and services, so the ICO will be taking no further action.

Experian, however, has not gone far enough in making the required changes, so the ICO has issued an enforcement notice giving the company nine months to make the required changes or face a massive fine under GDPR.

The credit rating giant did not accept it was required to make changes set out by the ICO, and as such was not prepared to issue privacy information directly to individuals, or stop using credit reference data for marketing purposes. Should Experian continue to dig its heels in, the company could face a fine of up to £20m or 4% of the organisation’s total annual worldwide turnover.

“While these companies claim that they can process people's data with or without their consent, today's report has made it clear that the consent relied on to pass on data to third parties was often invalid,” said campaigns organisation Privacy International. “Therefore, the ICO's announcement today about three of the most recognisable data brokers in the ecosystem is an important step forward.

“Every country with data protection laws needs to look at this sector. Every regulator needs to ask what it is doing to protect people from their data being opaquely exploited by 'credit reference agencies' like Experian. As the UK regulator notes, people don't even know the names of most of these companies and yet they hold everyone's data. We believe the deck is stacked against people and this can't continue.”

Experian has hit back, with its CEO Brian Cassin disagreeing with the ICO's judgement and outlining his company's intention to appeal the ruling.

"At heart this is about the interpretation of GDPR and we believe the ICO’s view goes beyond the legal requirements," he said. "This interpretation also risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the COVID-19 crisis."

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.