Experian’s GDPR violation leaves companies scrambling to understand ‘legitimate interest’

Picture of Landmark House, Experian’s operational headquarters in Nottingham, U.K. (Martine Hamilton Knight/CC0 1.0)

A General Data Protection Regulation enforcement notice from United Kingdom regulators could leave credit reporting giant Experian on the hook for as much as $24 million – baffling U.S. and European Union companies alike, say legal experts.

The investigation that led to the notice found issues in each of the big three credit reporting agencies, and in the data brokerage economy in general. While Experian, TransUnion and Equifax received praise for working with regulators on several of the problems apparently endemic to the industry, Experian reportedly failed to meet all of the regulator's requests.

An enforcement notice is a warning that a fine will come should a company not take action. Experian now has nine months to do so, pending appeal.

The key issue flagged in the Experian enforcement is one that all companies that handle data from brokers need to consider when establishing data privacy practices.

“At a high level, the issue is transparency. It’s one of the key pillars of data protection,” said Sarah Pearce, an attorney at Paul Hastings' London offices. “You need a lawful basis for each use of data.”

In GDPR, there are several categories of ways to legally obtain data. Companies can outright ask users for permission to store and process data, for example. Or, companies can claim “legitimate interest,” where the data use is necessary for business purposes that aren’t seen as threats to privacy.

Direct marketing via mail is considered legitimate interest. But, in this case, the consent to use the data had been obtained by a broker that hadn’t specified the data would be sold. That prevents the buyer (in this case Experian) from claiming direct marketing as a legitimate interest.

“Because consent to use data was obtained by a broker, you are confusing users,” said Federica De Santis, an attorney with Goodwin’s privacy and cybersecurity practice.

This enforcement notice covers physical mail. De Santis notes that email marketing is governed by an entirely different standard that always requires consent.

For companies who use data brokers, De Santis advises first doing due diligence on a firm’s consent practices and not relying solely on contracts. She also suggests following guidance from the U.K.'s Information Commissioner's Office for companies who deal with data brokers.

Companies within the direct marketing industry say they are doing their best to meet those demands.

“For this space to continue to flourish, public trust is imperative, and so companies must act as responsible stewards of data,” said John Story, vice president and deputy general counsel at Acoustic, a cloud platform used to manage direct marketing data. Acoustic created an office for a chief data ethics officer, he added.

Many privacy officers applauded the ICO notice.

“We need more rulings like this to set the tone that people and their privacy matters,” said Alok Ojha, vice president of security, privacy, & compliance products at cloud content management company Box.

The ICO report mentions that all three of the credit reporting bureaus worked with investigators to address problems during the investigation. TransUnion and Equifax withdrew products and services to become fully compliant.

The fact that the ICO didn’t need to issue notices to TransUnion or Equifax, and that neither firm is currently at risk of being fined, shouldn’t escape the attention of companies, said Shane McNamee, chief privacy officer of the cybersecurity firm Avast and a former regulator with the Data Protection Commission of Ireland.

“I think what’s more interesting than the potential fine to one credit reporting agency is that two credit reporting agencies did the remediation required by the regulators, and didn’t get enforcement notices,” he said.

McNamee said that while many companies might see the potential fines as a cost of doing business in Europe, they should be aware that the real regulatory power lies in regulators' ability to ban business practices altogether. It's always more prudent, therefore, to take the time to work with lawyers during the engineering process rather than to be forced to rebuild from scratch after a regulator weighs in.

Other key strategies to stave off regulatory enforcement include accounting for a shifting landscape of GDPR requirements, said Bridget Treacy, the attorney heading the U.K. privacy practice of Hunton Andrews Kurth.

“Organizations need to review their GDPR compliance programs on an ongoing basis,” she said. “What might have been fine when the GDPR took effect on May 25, 2018 may well be out of date by now.”

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
