Biggest credit agency banned from selling financial data of millions without their permission

The UK’s Information Commissioner Office (ICO) has ruled that the credit agency Experian has been sharing personal data of millions of people without their consent. According to British authorities, the firm has sold this information to business aiming to identify users who could afford goods and services. Political parties may have accessed to this information too.   

Although the ICO has concluded that the company must implement fundamental changes on how it handles data or face a huge fine, Experian has stated its will to appeal the decision.

“We think the ICO’s view goes beyond the legal requirements,” the Dublin-based firm considers. “This interpretation may also place risks of damaging the services that help consumers, thousands of small business and charities, especially as they try to recover from the crisis”, the statement adds.

Experian argues it has made enormous efforts to improve its information security practices, the ICO said it’s still not enough. From now on, the company has a nine months term to satisfy the regulator’s measures; in case of not complying, Experian faces a fine of up to £20m, or 4% of its global turnover, as set by the General Data Protection Regulation (GDPR).

This is the conclusion of a two-year investigation prompted after a complaint by the non-benefit group Privacy International, which also involves Equifax and TransUnion; all these firms provide a way for people to check their credit score for loans and credit cards. These agencies also operate with data brokers, collecting and selling on information gathered from all kind of sources.

The investigation concluded that the agencies had access to the data of almost every adult in the UK, which was then screened, traded, profiled, enriched, or enhanced to provide direct marketing services. The probe was limited to offline data broking, so did not include data collected about online behavior. That is being investigated by the ICO separately.

Equifax and TransUnion are not facing further actions from the British regulators as they both have already made changes, including withdrawing some products and services. The report did not specify what these products and services were. All three credit reference agencies failed to clearly explain what they were doing with people’s data, said the ICO, despite this being a GDPR requirement.