Why Experian Had Grounds for Non-compliance with the GDPR

Jan 27, 2021

Transparency is also a prerequisite for the exercise of consumer rights under the GDPR.

Late registrations, overdraft, and utility invoices belong to the Credit Information category and can be processed for credit reference purposes. These reports and notes allow lenders to conduct an appropriate credit assessment.

Experian also manages an independent data brokerage company: in addition to financial information, it also collects personal data such as names, addresses, house numbers, and purchases from various sources such as electoral registers, third party companies, and other brokers.

Since Experian can accumulate a wide variety of personal data such as names, addresses, payment data, and card numbers, it is able to create a very detailed and accurate profile of each individual. Sellers can use these profiles to tailor their offers, banks can adjust their payment terms, and political parties can plan their campaigns based on these profiles. These individual data sets and profiles are valuable assets for sellers, who can find and target the specific groups of individuals who are economically likely to be interested in purchasing their products.

They can also filter out those who cannot pass the affordability test. Experian allows third-party marketers to use these profiles to decide whom to target with direct marketing. If a person's financial situation does not look promising, for example, sellers remove them from direct marketing campaigns. As these practices demonstrate, data collected for credit reference purposes has been used for third parties' direct marketing purposes.

Although the ICO's investigation involved several CRAs, most of them took the necessary steps, with the exception of Experian, which says it will challenge the decision. In its decision, the ICO provided six key findings on Experian's non-compliance.

Experian's privacy information did not meet the transparency requirement

The privacy information provided some details about the data brokerage operations. However, it was not clear enough, because it did not explain how the data was collected, used or sold. It was not made clear that the collected data could also be used for direct marketing purposes.

Data processing for direct marketing was not lawful

Consumers cannot object to sharing their data with Experian for credit reference purposes if they wish to receive loans from lenders. CRAs such as Experian play an essential role in the lending process, as they enable informed decisions and are authorized by law. Consequently, maintaining trust is crucial.

Legal basis for processing

This part of the decision concerned exclusively the processing of data by Equifax on the basis of consent. Equifax collected data from external brokers and relied on the consent that these external brokers had obtained from individuals. The ICO determined that this consent was not sufficiently precise to render the processing lawful.

Reliance on Legitimate Interests

The CRAs relied on legitimate interests to justify the use of data for direct marketing services. Relying on legitimate interests requires a Legitimate Interest Assessment (LIA). In this assessment, CRAs must also take into account the interests and expectations of individuals. However, they did not take into account that they were processing data in a highly privacy-intrusive manner, since it constituted profiling. In addition, the lack of transparency also weighed heavily in favour of individuals in this assessment.

Changing the legal basis from consent to legitimate interests

In some cases, Experian collected data from third parties on the basis of individuals' consent. However, Experian then processed this data on the basis of its legitimate interests. The ICO found that it is not possible to switch the legal basis for processing from consent to legitimate interests. When individuals gave their consent, they were not informed of Experian's processing activities, so the initial consent was not sufficiently precise to make Experian's processing lawful. In other words, the legal basis for the further processing should also have been consent.