Alongside the issuing of an enforcement notice to Experian (see here for our article on this https://www.lewissilkin.com/en/insights/the-ico-takes-action-in-the-offline-data-broking-sector), the ICO has issued a report on its investigation (to date) into data protection compliance in the direct marketing data broking sector.
This investigation has focused on three main players: Equifax, Experian and certain entities within the TransUnion group of companies. However, the ICO confirmed that there are other ICO investigations being carried out alongside this one (notably a major criminal investigation into the trading of personal data which has been obtained unlawfully from the motor accident repair sector and sold to claims management companies).
Following this investigation, it was felt that Equifax and the TransUnion entities had taken sufficient steps during the investigation process to address any areas of non-compliance, such as withdrawing various non-compliant products and services. Conversely, it was felt that Experian had not yet taken sufficient steps to address the ICO's concerns, and for this reason the ICO has decided to take enforcement action against Experian.
This report is a really interesting read for any organisation carrying out data broking activities or engaging with data brokers, and contains useful insights into the challenges now faced by data brokers in the offline marketing sector.
Key findings include:
1) The need for greater transparency - this is not just about data brokers clearly articulating their activity in their privacy notices, but also about taking proactive steps to provide data subjects with these notices, particularly where the data has not been collected directly from the data subject.
2) The need to obtain consent to use data collected for different purposes - the example cited here was that credit reference agencies were collecting personal data for the purpose of running credit checks but then using that data for direct marketing without consent, meaning they did not have a valid lawful basis for their data processing.
3) Limited role for legitimate interest – the ICO is very clear that if a data broker is trying to rely on legitimate interest to carry out profiling for direct marketing purposes, a proper balancing exercise needs to be carried out. This exercise should be conducted objectively, taking into account all factors. As part of its investigation, the ICO found that the legitimate interest assessments carried out by the credit reference agencies did not adequately balance the rights of the data subject against the interests of the credit reference agency. This is primarily because, in the ICO's view, the profiling in question is intrusive and outside the reasonable expectation of the data subject. Of course, greater transparency would address some of these concerns. However, this view will make it very difficult for data brokers to rely on legitimate interest as the correct lawful basis for carrying out profiling for direct marketing purposes, unless they can persuade the ICO that such profiling for direct marketing is within the reasonable expectation of the data subject.
4) No change of lawful basis – the ICO is very clear that if personal data is shared with a broker on the basis of consent for a particular purpose, the data cannot then be processed by the data broker for that same purpose on an alternative lawful basis (i.e. legitimate interest).
It is clear from this report that the ICO is only scratching the surface, and that more enforcement action (and even criminal sanctions) is on the way.
If you are an organisation intending to engage with data brokers, the ICO has also produced some useful guidance on the steps you should be taking prior to such engagement.
Our action today represents a key milestone in driving change and achieving compliance in the data broking industry. However, our work is not over. The ICO remains committed to securing compliance across this sector, and we intend to carry out further investigative, engagement and educational work.