Experian Data Protection Failure


In October 2020, the Information Commissioner’s Office (ICO) ordered credit reference agency Experian to make changes to the way it handles personal data in direct marketing services. The order followed a two-year investigation by the ICO into how Experian, Equifax and TransUnion use personal data for marketing purposes. According to investigators: “The data of almost every adult in the UK was, in some way, screened, traded, profiled, enriched, or enhanced to provide direct marketing services.”

The Experian Data Protection Failure

An investigation by the ICO discovered that Experian, Equifax and TransUnion were “trading, enriching and enhancing people’s personal data without their knowledge”. This was a clear breach of data protection law.

The practices uncovered by the ICO included taking personal data from the electoral roll and supplementing it with other information about an individual to build a more complete data profile. These profiles were then sold to commercial organisations, political parties, or charities and used to help them find new customers, among other purposes.

According to the ICO, “significant ‘invisible’ processing took place, likely affecting millions of adults in the UK. It is ‘invisible’ because the individual is not aware that the organisation is collecting and using their personal data.”

The ICO raised concerns with all three credit agencies. In response, Equifax and TransUnion made the required changes.

However, Experian did not accept the ICO’s instructions. As a result, Experian was issued with an enforcement notice compelling it to make the changes or risk further action. Experian appealed the decision.

The Experian Appeal

Experian did unlawfully process the personal data of over five million individuals.

That was the ruling of the First-Tier Tribunal (Information Rights), a body which settles legal disputes relating to data protection matters.

The ruling by the Tribunal upheld some aspects of the ICO’s 2020 decision, while rejecting it in other areas. However, while Experian is claiming to be “very pleased” with the outcome of its appeal, the Tribunal ruled that it did not process the personal data of over five million individuals transparently, fairly, or lawfully, because it failed to notify them that it was processing their data for direct marketing purposes. In short, Experian broke data protection laws.

Commenting on the case, our Head of Data & Privacy Litigation, Kingsley Hayes, said:

“Experian has been found guilty of processing data illegally, and breaching the data protection rights of up to five million people in the UK. While the latest decision rejects the ICO’s view that Experian’s privacy notice was not transparent, that using credit reference data for direct marketing purposes is unfair, or that Experian did not properly assess its lawful basis, this is still a win for data protection advocates. Even if Experian tries to claim otherwise.”

Experian Data Protection Failure Timeline

  • 2015
    The ICO began gathering intelligence about the way personal data is traded in the UK. It found several ‘hubs’ that had large volumes of data flowing in and out of them. Three of the hubs were Experian, Equifax, and TransUnion (formerly Callcredit).
  • 2017
    The ICO contacted the three agencies again to ask further detailed questions about personal data use and compliance. The ICO identified areas of significant concern requiring further investigation.
  • 2018
    The ICO undertook compulsory audits and issued assessment notices to the three credit agencies.
  • April 2020
    The ICO provided each of the credit reference agencies with a preliminary enforcement notice which set out its concerns, the steps they had to take, and a clear timescale for compliance.
  • October 2020
    The ICO published the results of its investigation into data protection compliance in the direct marketing data broking sector. The ICO also ordered Experian to make fundamental changes to how it handles people’s personal data.
  • February 2023
    In the case of Experian Limited v The Information Commissioner, the First-Tier Tribunal in the UK ruled on the ICO’s action to require Experian to make changes to how it processes personal data for direct marketing purposes. While the Tribunal supported the ICO in certain respects, it largely ruled in favour of Experian.