Experian told to 'make fundamental changes' and stop sharing data without consent

Kumutha Ramanathan, Contributor
Experian is a credit rating company. Photo: Mike Blake/Reuters

UPDATE: The headline and story have been rewritten to clarify and reflect that any potential fines are subject to the appeals process and to the actions recommended and taken by the regulator.

The UK watchdog, the Information Commissioner's Office (ICO), has told credit reference agency Experian that it has to stop sharing the personal information of millions of people without consent.

A two-year investigation by the ICO found that three credit reference agencies (CRAs), Experian, Equifax and TransUnion, were trading, enriching and enhancing people’s personal data without their knowledge. This processing resulted in products which were used by commercial organisations, political parties or charities to find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people.

The ICO said it was not taking action against Equifax and TransUnion as they had made improvements and withdrawn some products and services.

“The investigation found how the three CRAs were trading, enriching and enhancing people’s personal data without their knowledge,” said the ICO in a statement.

“This processing resulted in products which were used by commercial organisations, political parties or charities to find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people.

“The ICO found that significant ‘invisible’ processing took place, likely affecting millions of adults in the UK. It is ‘invisible’ because the individual is not aware that the organisation is collecting and using their personal data. This is against data protection law.”

Experian CEO Brian Cassin said in a statement that the credit reference agency intends to appeal.

“We disagree with the ICO’s decision today and we intend to appeal,” said Cassin.

“At heart this is about the interpretation of GDPR and we believe the ICO’s view goes beyond the legal requirements. This interpretation also risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the COVID-19 crisis.”

“We share the ICO’s goals on the need to provide transparency, maintain privacy and ensure consumers are in control of their data. The Experian Consumer Information Portal makes it very easy for consumers to fully understand the ways we work with data and to opt out of having their data processed if they wish.”

The ICO said that the company must make "fundamental changes" to how it handles data or face a £20m ($26.07m) fine or 4% of its total annual turnover.

The watchdog also called for Experian to stop using personal data derived from the credit referencing side of its business by January 2021, which it does currently for limited direct marketing purposes.

“At heart this is about the interpretation of GDPR and we believe the ICO’s view goes beyond the legal requirements,” said Brian Cassin, chief executive officer of Experian, in response to Tuesday’s ICO announcement. “This interpretation also risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the COVID-19 crisis.”

The company added that all enforcement actions will be “stayed pending the appeal.”