Q&A on UK regulator's action on data brokers

The ICO report details the outcome of a two year investigation by the ICO into how the credit reference agencies (CRAs) – Experian, Equifax and TransUnion – used personal data in the UK as part of their data broking activities. The ICO investigation revealed that the three CRAs were screening, trading, profiling, enriching or enhancing people’s personal data without their knowledge to provide direct marketing services. It found "widespread and systemic data protection failings across the sector", "significant data protection failures at each company" and that significant ‘invisible’ processing took place, likely affecting millions of individuals in the UK."

Following the ICO investigation, Equifax and TransUnion made requested improvements alongside withdrawing some products and services. The ICO has issued an enforcement notice against Experian, ordering the company to make fundamental changes to how it handles people’s personal data within its direct marketing services. The ICO is taking no further action against Equifax and TransUnion.

Offline marketing services refers to the more traditional methods of direct marketing such as information sent through the post, via SMS, or phone calls. Naturally, this excludes online direct marketing, which involves collecting information about a person's online activities in order to target them with adverts.

The ICO have signalled that they are separately investigating companies involved in the online advertising ecosystem as part of their work on "adtech". PI looks forward to the outcome of those investigations.

Today's report is the result of a two year investigation into Experian, Equifax and TransUnion initiated, in part, pursuant to a complaint filed by PI against Equifax and Experian in November 2018. Our complaint argued that the data broker industry, an industry premised on exploiting people's data, did not comply with fundamental data protection principles, and requested an investigation by the ICO.

The ICO report separates the two business functions of Experian, Equifax and TransUnion, only focusing on the data broking activities and not their role as a credit reference agency.

Credit reference agencies are private companies which collect and store information about you that is used to decide your credit score, for example when you're applying for a credit card or a mortgage. Though Experian, Equifax and TransUnion are credit reference agencies, they also carry out data broking activities.

Data brokers are organisations which collect data about you from a variety of sources, then combine it and ultimately sell it to other organisations for a variety of purposes.

While you may engage directly with a credit reference agency in order to view your credit score, the chances are you won't engage directly with a data broker, or know that they hold information about you, or that they are selling it onto others, or what that information is being used for.

When a company is both a credit reference agency AND a data broker, there are serious questions about the transparency and fairness of data collection and processing that the ICO are highlighting in their report. One of the ICO's key findings is that all three companies used their "unique position" of operating as a credit reference agency as an opportunity to share and profit from personal information with the data broking side of the business for direct marketing. This was not made clear to individuals who were under the impression they were engaging solely with a credit reference agency.

As the ICO notes in the report, credit reference agencies hold financial records on almost every individual in the country and therefore must be held to a high standard of accountability, transparency and fairness. Credit scores are an integral part of people's lives as they have no choice about whether their information is shared with credit reference agencies if they want to apply for that mortgage or loan. However, this privileged position and power should not extend to data broking activities. People do have a choice in this regard and the ICO is right to highlight these differences.

The data broking activities matter because the data they collect and later sell can be used for a range of different purposes, from commercial advertising to political campaigning, and in some worrying instances, law enforcement. For example, Experian's data is widely known to be used by political parties and private companies alike. For instance, it may be used to profile potential voters and craft political advertisements targeted at them, both in offline (such as canvassing) and online instances (social media advertising).

Law enforcement and other state agencies also use the data collected by such companies to power their increasingly intrusive surveillance activities. A 2018 investigation by Big Brother Watch showed how Durham Police in the UK were feeding Experian’s Mosaic marketing data into their ‘Harm Assessment Risk Tool’, to predict whether a suspect might be at low, medium or high risk of reoffending.

In its report, the ICO explained that it had engaged with all three CRAs in the course of its investigation. During the investigation, Equifax and TransUnion ceased the supply of products and services which did not comply with data protection laws, prompting the ICO to decide that no further action was necessary. Conversely, the ICO found that Experian had not taken sufficient steps to address its data protection concerns.

So, while the ICO investigation concerned all three CRAs, only Experian received an enforcement notice. An enforcement notice is a formal document issued by the ICO against a data controller or processor compelling them to take, or refrain from, a specific course of action. The report and the enforcement notice are distinct documents. You can find the enforcement notice against Experian here.

Data broker and ad-tech industries are premised on exploiting people's data. Despite exploiting the data of millions, most people have likely never heard of these companies, and yet they are amassing as much data about us as they can and building intricate profiles about our lives.

We have repeatedly said that, when the General Data Protection Regulation (GDPR) came into effect, the real test for GDPR would be in its enforcement. The ICO report and enforcement notice sends a strong message to this opaque and complex industry that has long operated without respecting data protection standards and our privacy.

Hopefully, this report will offer guidance to the further regulation of this industry and hidden exploitation practices across the EU and beyond. The Irish and French data protection authorities have also open investigations to data brokers and ad-tech companies.

The ICO has given Experian nine months to comply with the entirety of the enforcement notice. If Experian fails to comply within that time, it will risk further action, including a fine of up to 20 million euros or 4% of its total annual turnover.

Experian has announced that it intends to appeal the ICO's decision through the UK courts. If Experian does lodge an appeal, this will effectively "stop the clock" for compliance with the ICO's enforcement notice: in other words, Experian need not take the steps specified in the notice until the court makes a decision on its appeal. If the appeal succeeds, the court may review all aspects of the ICO's decision in relation to Experian.

We will continue fighting to expose and challenge the broader CRAs, data broker and ad-tech complex and we want to have you with us.

Having strong laws and technology which protect privacy is incredibly important, but the most important thing is that people are aware of the issues and are able to influence powerful companies and governments. You can read more about our work on data brokers.

To keep up to date on the case and all our work, you can sign up to our mailing list - don’t worry, you can choose the topics you are most interested in… and we take proper care of your data!

As we are a charity with limited funds, any support you can give us through a donation would be most appreciated.

To reiterate, however, to really ensure that we don’t sleepwalk into a world of ubiquitous state and corporate surveillance, it is essential that people put pressure on governments and corporations - so if there’s one thing you can do, it’s make your voice heard!