Data brokers, data processing, credit agencies  — for some of us, these terms are mere ambiguities, while for others, common technology buzzwords.

For the U.K. legal scene, though, they describe one of the most discussed cases, involving some billion-dollar industries that operate under the radar: "Credit Reference Agencies" and data brokers.

The U.K. Information Commissioner's Office recently ordered the credit reference agency Experian to obey its enforcement order and make critical modifications in its use of personal data, particularly within marketing services. To be sure, this development paves the way for further transparency in the data broking industry. 

The case background

On Oct. 27, 2020, and after two years of investigations, the ICO imposed an enforcement notice on Experian on the basis that it used its clients' data for marketing purposes. The court ordered Experian to "make fundamental changes to its offline direct marketing practices" and published a report on data protection compliance in the direct marketing brokering sector.

The ICO's investigation did not only cover Experian, but it extended to multiple actors of the credit reference industry — such as Equifax, TransUnion International UK and Callcredit Marketing — in an attempt to understand and assess their operations.

The decision was the outcome of a complaint that was partly initiated by Privacy International in 2018, which raised concerns about the entire credit reference industry, particularly Experian and Equifax. The process was lengthy and exposed a relatively unchartered field. "Our investigation uncovered data protection failings that likely affected millions of adults in the U.K.," Information Commissioner Elizabeth Denham said. The ICO found "widespread and systemic data protection failings across the sector" and "significant data protection failures at each company."

Further to an initial audit, Equifax and TransUnion followed the ICO's recommendations. They withdrew certain services and made substantive improvements in their data management processes that allowed them to continue their credit reference function and avoid further action. Yet, Experian insisted on maintaining its practices, which led the ICO to issue the enforcement notice.

The legal context

The ICO found the manner in which Experian has been using the data gathered by its clients violated the requirements of transparency and lawful processing, outlined in the Data Protection Act of 2018 and the EU General Data Protection Regulation. As a result, it served the company an enforcement note, requiring it to proceed to fundamental changes in its practice within nine months or otherwise risking a fine of up to 20 million GBP or 4% of its annual global turnover, whichever is greater. Experian was ordered to:

• Notify individuals about the use of their data for marketing purposes by July 2021.
• Cease processing and using the data gathered for credit referencing business for marketing purposes.
• Delete data clients had shared with Experian on the basis of their legitimate interests and consent.

Experian has already objected to this outcome and shared its intention to appeal. "We disagree with the ICO's decision today, and we intend to appeal. At heart, this is about the interpretation of GDPR, and we believe the ICO's view goes beyond the legal requirements. This interpretation also risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the COVID-19 crisis," Experian CEO Brian Cassin said.

Demystifying the terms

The companies under investigation were allegedly using data their users provided for the purpose of conducting credit checks and limited market activity to create products through "invisible processing." That means without their awareness and consent, people's data was processed, enriched, grouped, formed into products and sold to other data brokers, commercial companies and political parties, organizations, and charities.

In short, these CRAs were conducting data brokering activity. As accurately described in the complaint to the ICO, "A common feature of data brokers is that they are on the whole non-consumer facing. Therefore, despite processing data about millions of people, data broker companies are not household names, most people have never heard of them, do not know that they process their data and profile them, whether this data is accurate, for what purposes they are using it, or with whom it is being shared and the consequences of this processing."

Why did an enforcement notice make the headlines?

This update constitutes one of the first actions of the judiciary against data brokering related activities in the U.K., followed by an attempt to regulate it. After completing the investigation, the ICO published a report on data protection compliance in direct marketing brokering. Although not binding in nature, this report set standards regarding the use of people's information, highlighting the overarching principles of adequate transparency, fairness and lawfulness. The ICO is still performing audits and completing reports, which are expected to be released in the near future.

This case also introduced data brokering in the privacy debate in the U.K. With a public opinion linking data breach scandals with colossal tech companies, such as Google and Facebook, data brokers' activities tend to fly under the radar. Yet, their role is instrumental as they sell information to advertisers to help them make targeted marketing actions through social media platforms and search results.

It is essential to underline this investigation was limited to "offline" data broking activities, which means the CRAs used ways other than the internet to collect information, like voter records, vehicle registries, loyalty cards and so forth.

Nonetheless, as online data brokering constitutes the subject of a different ICO investigation, a lot is expected to be unraveled. 

Photo by Jurica Koletić on Unsplash