The ICO takes action in the offline data broking sector

The enforcement notice is accompanied by a report setting out key findings from the ICO’s two-year investigation into the offline direct marketing activities of certain credit reference agencies (‘CRAs’) in the data broking industry.

Data broking for direct marketing purposes involves collecting data about individuals from a variety of sources (for example, third party suppliers, the open electoral register and other publicly available data), then combining it and selling it to other organisations. The ICO’s report provides depth and colour on the rationale behind its findings of ‘systematic compliance failings’ in the data broking sector, and a number of key takeaways for organisations that are applicable to all sectors, especially those that undertake ‘invisible processing’ or that rely on the use of personal data that has been collected from third parties.

Transparency

The ICO takes particular aim at ‘invisible processing’. Individuals have the right to receive information about the collection and use of their personal data and, according to the ICO, the CRAs were failing to comply with this obligation on two main counts:

1. Not providing sufficiently clear and prominent privacy information on their websites explaining how the personal data was collected, processed or sold, or what sources were used; and
2. Not proactively providing privacy information to individuals when they had obtained the data from third party sources for direct marketing purposes.

The word ‘proactively’ is worth highlighting because it ties in with the ICO’s view that the CRAs were incorrectly relying on the privacy policies of third party data suppliers or the ‘disproportionate effort’ exemption. The ICO noted that organisations seeking to rely on the exemption cannot rely on there being ‘very large numbers of individuals’ because this would give controllers a ‘perverse incentive to gather as much data as possible’.  

Transparency, therefore, continues to remain a primary focus for the regulator, and organisations should not underestimate the importance of comprehensive privacy notices and making sure data subjects see those notices.

Profiling

In some instances, the CRAs were using personal data held for credit reference services to screen individuals out from receiving direct marketing on the basis of their poor financial standing. The report is clear that this is a form of profiling and is processing for direct marketing purposes. The ICO’s view is that individuals would not reasonably expect their personal data to be used in this way and that this processing is not fair unless the individual consents to it. It continues a trend that implies the ICO would find all but the most innocuous forms of profiling to not be within the individual’s reasonable expectations.

Legitimate interests

Where the CRAs had relied on legitimate interests as their lawful basis for processing personal data, the ICO found that their legitimate interest assessments (‘LIAs’) had not been properly weighted. Insufficient weight was given to the processing of large amounts of personal data in highly targeted and non-transparent ways, as well as profiling individuals. To properly rely on legitimate interests, organisations need to undertake a careful and objective balancing exercise that gives adequate weight to the rights of individuals, and it will be difficult to rely on this ground unless the organisation can show that individuals would not be surprised by the processing activity.  

Consent and rights of opt out

The ICO noted that, on some occasions, Experian had obtained personal data that had been collected by third parties on the basis of consent, but that Experian then relied on legitimate interests for its processing activities. The ICO is clear that it doesn’t consider this to be appropriate. Switching from consent to legitimate interests means that the original consent is no longer specific or informed, and an individual’s right to withdraw consent is also undermined.

Organisations should be wary, therefore, of cherry picking a lawful basis for processing. Where personal data is collected on the basis of consent, subsequent processing activities should also be based on consent. This is not the first time we’ve heard this from the ICO and it has general and far-reaching application.

Controller or processor?

The ICO has found that Experian is a controller for much of the processing it undertakes, even though Experian maintained that its processing takes the form of data analytics, rather than marketing in its own name. The ICO noted that Experian furthers the direct marketing activities of third parties on a very significant scale, which pointed to Experian being a controller rather than a processor.

And finally

There is something to be said about the outcome of this investigation being an enforcement notice rather than a fine. The ICO’s approach shows a willingness not to go straight to the fine book and instead to work with organisations to achieve compliance. However, the ICO has cautioned Experian that a failure to take action may lead to a fine of up to £20m or 4% of the organisation’s total annual worldwide turnover. Apparently Experian are appealing, so stay tuned to see how this unfolds.