UK Data Regulator Enforces in the Data Broking Sector
28 October 2020
Technology & eCommerce Regulation in the Spotlight
On 27 October 2020, the UK Information Commissioner’s Office (“ICO”) published an investigation report on data protection compliance in the direct marketing data broking sector.
While the investigation mainly focused on the compliance of credit reference agencies (“CRAs”), the investigation report contains important findings for all entities involved in data brokering. According to the ICO, a follow-up report on additional data brokers is expected to be published in the future.
The investigation included audits of three of the UK’s largest CRAs. Following the investigation, one of these CRAs (Experian) was issued with an enforcement notice over ‘invisible’ data processing and other non-compliant practices. In order to avoid a significant fine, the CRA was required to fundamentally change its data handling practices.
The ICO recognizes in its report that data broking may also have positive impacts, but nevertheless highlights the data brokers’ obligation to comply with data protection law. Significant data protection failures were found at each of the companies investigated, namely concerning the principles of lawfulness, fairness and transparency.
The report emphasizes the following key findings of non-compliance with the General Data Protection Regulation (“GDPR”):
- Lawful grounds for processing:
In certain cases, data was collected based on consent and then processed based on legitimate interests. In the context of direct marketing, where personal data has been collected by a third party based on consent, subsequent processing must also rely on consent as a lawful basis. Where consent was relied upon, some of the reviewed consents were found to be invalid. The ICO highlights that data broking activities must ensure consents meet the standard of the GDPR.
The ICO also emphasized that data broking activities which rely on the GDPR’s ‘legitimate interests’ ground for processing must be accompanied by an adequate legitimate interests assessment. The assessment must be conducted objectively, taking into account all relevant factors, and processing must not commence until a balance of interests is reached.
- Purpose limitation:
According to the investigation report, personal data that was collected by the CRAs for the purpose of credit referencing was further used for direct marketing purposes. Using personal data for a different purpose must be transparently explained to data subjects beforehand, so that they can give informed consent to that use.
According to the report, the information provided by the CRAs in the context of the marketing services did not clearly explain the processing practices and had to be revised. The ICO highlights that data broking activities must be accompanied by adequate and compliant privacy information. Under the GDPR, CRAs must provide data subjects directly with appropriate privacy information. In the context of direct marketing, the CRAs were incorrectly relying on an exception from this obligation, in a manner that led to ‘invisible’ processing practices. As personal data was obtained from third parties, the CRAs relied on those third parties’ privacy policies. However, those policies did not address the CRAs’ processing for direct marketing purposes.
The ICO specifically addressed the argument that informing individuals (as required by Article 14 of the GDPR) would involve a ‘disproportionate effort’ due to the large number of people whose data the CRAs hold, the costs associated with making each person aware of the processing, and the value that individuals would derive from being told about the processing. The ICO held that a very large number of individuals cannot be the deciding factor against it being proportionate to notify people about the processing in these circumstances.
As part of its complementary actions, the ICO published guidance for organizations that use the services of data brokers regarding their obligations. In the future, the ICO also plans to publish two additional relevant codes of practice: Data Sharing Code, and Direct Marketing Code.
As mentioned above, although the investigation and enforcement actions were aimed at the CRAs and the direct marketing data broking sector, the ICO expects that disrupting the flow of non-compliant personal data in this case will have considerable similar effects in other sectors as well. Therefore, companies operating in other sectors should be mindful of the findings and actions taken in this case.
Please feel free to contact us with any further questions or comments regarding the update and subjects detailed above.
Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation
Herzog Fox & Neeman