Experian vows to drag UK's Information Commissioner's Office to court after being told off for data-slurping practices

Experian has been rapped over the knuckles by the UK's Information Commissioner's Office (ICO) after it discovered the credit reference agency was trading "millions" of people's data for marketing purposes. Instead of issuing a monetary fine, however, the data regulator wrapped up a two-year probe yesterday by merely insisting …

  1. Anonymous Coward

    They already hold far too much information on us....

    The likes of Experian hold far too much information on all of us!

    I have first-hand experience that the information they held about a mortgage was completely inaccurate, being at least 10 years out of date! Secondly, the security startup I was working for was acquired into a much larger org. I was told that they wanted to run a background check on me, which I had expected. They sent me an email with a link to provide the required information. It was Experian’s site. I read the information/terms presented and noted that it said the information I provided would be used elsewhere, not just for this check (don't recall exact wording but that was the gist of it). I was unhappy with this idea so went back to HR and explained that I was OK with providing the information for them (my employer) to do the background check but was not happy with providing the information to Experian and especially the statement about the data being used elsewhere. That was the last I heard of it... no more communication from HR... I was in the job till I chose to move on. I suspect Experian had all the information anyway but it was the principle.

    1. Anonymous Coward

      Re: They already hold far too much information on us....

      Unbelievable as that may be, it's not even the worst data grabbing out there.

      If you really read the Terms of especially US companies, you will discover that they assign themselves uncontrolled and unfettered rights to your information, and free usage in whatever way they see fit.

      Let me translate that for you:

      - if you are discussing something that is worth a lot of money, you have given them the right to make a lot of money by selling all of your data to your competition

      - if you dare say anything negative about it, they can publish your information - even radically altered to state the opposite because YOU gave them the right to do so

      - there is nothing holding these companies back from collaborating and aggregating data on you so yes, the NSA probably already knows more about you than you think and it appears more and more a coordinated effort.

      Start reading these things, guys, because it's not just Google who tries this - all of them do.

    2. SsiethAnabuki

      Re: They already hold far too much information on us....

      Yes - I recently traced back some inaccurate information held on me to Experian and did a full subject access request. The accuracy of their data on me was laughably bad. They even failed in areas that should be automatic wins for them, stuff from the census like how many kids I have.

      I did a rough totting up of the info they will have harvested from sources that should be correct and it was about 40% accurate. For the data that their 'sophisticated' algorithms extrapolated about me? At best 10% accurate.

      Frankly, they're snake-oil salesmen promising things they can't possibly deliver.

  2. Anonymous Coward

    Helping consumers?

    Pull the other one, it's got bells on ya fekkin shites.

    The three main credit reporting agencies hoover up our private data, use a black box algo to give us a score, then use that score to ruin our lives. "It's so companies can know your credit worthiness" is bullocks. It's so they can profile us, stick us in a slot, then monetize us for every last drop of blood.

    We aren't given any means of telling them not to EVER profile us before they've amassed gigatons of PII that then gets spaffed all over the place like a horny bull shooting his load at an orgy. If we don't "agree" to them doing their profiling then companies refuse to do business with us. How is that NOT extortion?

    Dear credit reporting agencies. Fuck you. Repeatedly. With a spinning chainsaw.

    1. nematoad

      Re: Helping consumers?

      "...risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the COVID-19 crisis."

      I think he doth protest too much. What he is really worried about is Experian's bottom line and his resultant bonus.

      These characters are leeches. They suck up everything they can find and sell it to the highest bidder. All without the people whose data it is either being asked or recompensed. They are bottom feeders without a shred of integrity.

      I truly hope that they will get their arses well and truly kicked and thereby set a precedent which reins in some of the excesses we are seeing.

      1. Aristotles slow and dimwitted horse

        Re: Helping consumers?

        I came here to say exactly the same thing. The only other shitty thing he's managed to do is to sideload in the Covid reference. What a fuckpuppet that guy sounds.

        I hope parasitic companies like Experian are outlawed ASAP.

      2. sitta_europea Silver badge

        Re: Helping consumers?

        "...risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the COVID-19 crisis."

        ... he doth protest too much.

        Yeah, and he missed a real opportunity there to drop the child protection card beloved of such shites.

    2. Anonymous Coward
      FAIL

      Re: Helping consumers?

      Plus, when compared to noted slurpers like Google, you don't have a choice with credit agencies. It is possible to de-Google much of their slurpage, but if you ever opened a bank account or applied for a loan or credit card (whether or not you got it) you had to sign a contract which included an eternal permission for your data to be given to the credit agencies and updated in perpetuity.

    3. mittfh

      Re: Helping consumers?

      Unfortunately, if you ever need a loan (including insurance premiums paid monthly rather than annually), credit card or mortgage, the lender will go to one of those three credit reference agencies to get an idea of your credit worthiness. Given the data they hoover up includes utility bill payments (energy, water, phone/broadband) and bank overdraft usage, it's possible even they ask the agencies for your credit score before allowing you to use their products.

      And if you want to examine the data they hold on you, you either have to give them money or sign up to a service such as Clearscore, which instead tries to sell you financial services (poorly, given their emails just try to sell you an identity protection service [hahaha] and the app is nice enough to hide all the offers on a separate tab). Amusingly, my only "off-track insight" is that I don't have a credit card.

      1. Anonymous Coward

        Re: Helping consumers?

        "And if you want to examine the data they hold on you, you either have to give them money or sign up to a service such as Clearscore"

        Credit reference agencies have to give you your data for free

        https://ico.org.uk/your-data-matters/credit/#access

  3. Nursing A Semi

    So why?

    Is the IC not going after the banks for passing them our data without our permission in the first place? Oh right, banks are based here, have ex cabinet ministers on their boards and friends in office.

    1. AnotherName

      Re: So why?

      Unfortunately, in order to get a bank account, loan or mortgage, you have to sign an application which specifically includes their rights to search AND update your credit records. This has been happening for years, and not really related to who is in Government either.

    2. Cederic Silver badge

      Re: So why?

      Ah, technically you do give permission for your bank to share that data.

      I have no connection with HSBC so I'll use them as an example.

      See page 11 of https://www.hsbc.co.uk/content/dam/hsbc/gb/pdf/personal-banking-terms-conditions-14-mar-2020.pdf

      Now look at pages 3 and 6 of https://www.hsbc.co.uk/content/dam/hsbc/gb/pdf/privacy-notice2.pdf

      So you agree in the T&Cs to the Privacy Notice which explicitly states that they'll share your data for AML, fraud, financial crime and other purposes, and explicitly "We’ll continue to exchange information about you with CRAs while you have a relationship with us. We’ll also inform the CRAs about your repayment history."

      Comically if HSBC didn't provide that information and work with the CRAs (Credit Reference Agencies) they'd be at high risk of censure from the FCA (Financial Conduct Authority) for failing to meet TCF (Treating Customers Fairly) obligations.

      1. Nursing A Semi

        Re: So why?

        Yes but, this is a little like 500 page T&Cs, nobody reads them so pointless. Unless asked directly "Do you want to opt in to having your data pimped out" then a bank like any other company is on dodgy ground under GDPR.

        1. Anonymous Coward

          Re: So why?

          "this is a little like 500 page T&Cs, nobody reads them so pointless"

          I am well aware of these T&Cs so that makes three of us that read them.

          I really wish more people would understand what they are literally signing up to in life.

        2. Anonymous Coward

          Re: So why?

          a bank like any other company is on dodgy ground under GDPR

          No, it isn't. "Consent" is not the only principle under which you may process personal data under the GDPR.

          You can process personal data without consent if it's necessary for: a contract with the individual: for example, to supply goods or services they have requested, or to fulfil your obligations under an employment contract.

          1. Anonymous Coward
            Happy

            Re: So why?

            You can process personal data without consent if it's necessary for: a contract with the individual: for example, to supply goods or services they have requested, or to fulfil your obligations under an employment contract.

            This is intended to cover things like recording your name and address to know where to deliver the pizza - it is not a carte blanche excuse to sell your customer's personal data.

          2. Graham Cobb Silver badge

            Re: So why?

            This is why we need some strong precedents set to strongly limit the "necessary" principle.

            Of course, CRA relationships are not "necessary for a contract with an individual". They may be required by policy of the bank but that is different - you must be free to decline, and the bank then makes their decision on that basis (presumably refusing to do business with you).

            "Necessary" needs to be clearly limited to things which are physically or logically necessary - like the delivery address example.

      2. Anonymous Coward
        Unhappy

        Re: So why?

        Ah, technically you do give permission for your bank to share that data.

        I am not sure coercion is the same as consent.

        You don't have to have a bank account, but then you could also try living in a cave and growing your own food. Since cash is rapidly becoming useless, this is what you will soon have to do without a bank account.

        1. Cederic Silver badge

          Re: So why?

          Nonsense. I can live in a house and raid the local farmer's fields for veg and shoot their sheep for meat.

          1. Anonymous Coward
            Thumb Up

            Re: So why?

            I can live in a house and raid the local farmer's fields for veg and shoot their sheep for meat.

            I assume with a bow and arrow, to avoid the need to purchase ammunition.

  4. PTW

    This is just the start

    Grab some popcorn as NOYB are going after the Credit Reference Agencies' core business under GDPR, in that none of us are able to remove consent to them processing our data. I should be able to buy electricity without some 3rd party being fed the date and time of my payments.

    See also CRIF in Poland making up credit scores for people they had no record of! https://noyb.eu/en/credit-scoring-negative-credit-rating-generated-without-data

  5. 0laf
    Flame

    It's a pretty good strategy right now to threaten to overwhelm the ICO's legal budget.

    BA got their fine down to about 5% of the original I think.

    Experian can probably force the ICO to bend over and hand over all our data with a smile.

  6. Mike 137 Silver badge

    " insisting Experian [...] informs consumers it acquired data about them"

    Appealing against an official order to comply with the statutory obligation of transparency (inter alia GDPR Principle 1 and Articles 13 and 14)?

    If the appeal is granted, personal data protection is finally dead.

  7. Scott Broukell

    Data is the new oil - isn't that how it is put these days. As has been expressed in posts above, far too many companies collect far too much data on individuals these days and too few people realize this or can even be bothered to consider the consequences. Just because we are taught to expect this kind of behavior in this digital age isn't a sufficient excuse to cover the sorts of Data Theft and Data Trading that goes on! Worse, the very fact that we live in an age so heavily reliant on digital data and its storage creates a humongous target for criminals to go after and/or lock up and demand a ransom for!

    I don't have an answer to the problem as a whole, except that widely educating folk about this and raising their awareness of it must be a good place to start. The ICO is but a mere sticking plaster just so those in high office can use it as an example to make us all believe they are actually doing something!

    Grrrr . . . <rant over>

    1. Anonymous Coward

      Data is the new snake oil - as long as you can sell them to gullible execs who really believe it can boost their sales.

      1. Doctor Syntax Silver badge

        Perhaps the solution is to construct entirely fake data. Any resulting mail shots are handled by the seller of the data. In practice, of course, no mail shots can be sent as the addresses are fake but the profits should be shared with the mail handlers so they don't miss out.

        The gullible buy it and are satisfied because they're none the wiser. The public don't get their privacy violated and don't get pissed off with importunate marketers so don't take it out on them by buying elsewhere. Everybody's a winner.

        1. Anonymous Coward

          Perhaps the solution is to construct entirely fake data

          Welcome to what I have been doing for almost a decade. In addition, I run my own mailserver so I give out a customised alias for every contact I don't trust - that way, I can (a) quickly see who is not trustworthy and (b) dispose of the email address when compromised.

          Now for a fun one: after getting annoyed with having to zap many SEO/marketing/other crud emails from our site I also added a statement on my website next to the contact email address that states that using this email address for spam/UCE is a legally valid order for one day of premium consulting to process the email.

          It's amazing how that (a) immediately cut down on spam and (b) how panicky persistent abusers become after you get them (via a friendly email) to confirm they picked up the email address from the site (and only then remind them by return email of the contract they so willingly entered into).

          Not that I ever expect them to pay, but I could make this really nasty. It's occasionally entertaining.

  8. czechitout

    I have always been baffled how credit reference companies can even exist alongside GDPR. As others have said, I have never explicitly given permission for my data to be passed on to them. The whole point of GDPR was to remove the implied consent of signing up for a service and then having these things hidden in the terms and conditions that your data will be sent left, right and centre to various other companies to hoover up.

    Likewise, I have never given Experian, Equifax et al. permission to store or share my data with other companies.

    In theory, open banking should be able to replace much of what the credit reference companies do today, rendering them obsolete.

    1. mittfh

      Except you have - pretty much every financial service you have will include permission to share your information with CRAs, the government and various other bodies buried in their terms and conditions. You have to tick a box to confirm you have read those terms and conditions before you can use the service. Sneaky, but technically legal.

    2. Anonymous Coward

      the problem being banks, et al, will simply refuse service if you don't agree to sharing with a CRA.

      It's funny, the world worked perfectly well before CRAs existed, so no loss if they cease to. Back to the days of knowing your bank manager and not "computer says no"

      1. MrBanana

        I remember speaking to a real bank manager. He wanted to know what I was going to do with the £1,250 I wanted to borrow. I explained that it was for a record deck. "Like a gramophone" I explained (prior to the Not the Nine O'Clock news sketch). He was baffled. Fortunately I had brought a few copies of Hi-Fi News & Record Review along. A quick call to head office and he approved the loan. That was 30+ years ago. I was in Natwest last week and it took 10 minutes, and two signatures, to get change for a £10 note.

        If I asked for a loan now, I expect that I would just get given the money, no questions asked, but only after signing away all rights to my data - without them caring if I was buying some Hi-Fi or 20Kg of cocaine.

  9. Mike 137 Silver badge

    " insisting Experian [...] informs consumers[...]" UPDATE

    It turns out that there's much more to the enforcement notice than just "update your privacy policy". See the (redacted) enforcement notice for full details. It runs to 55 pages of closely argued challenge under five heads, albeit one of these is being resolved (controller/processor status w.r.t. Article 5(1)(a) (Principle 1)) and one other considered to have been resolved (Right to Object under Article 21). The outstanding three are apparently fair and transparent processing under Article 5(1)(a), failure to notify data subjects under Article 14 (Information to be provided where personal data have not been obtained from the data subject), and lawfulness of processing under Articles 5(1)(a) and 6(1) (lawful basis for processing).

    Couldn't be much worse overall, except for a "privacy policy" we've encountered that consisted only of Lorem Ipsum body copy text.

    1. logicalextreme

      Re: " insisting Experian [...] informs consumers[...]" UPDATE

      Thanks for that, I was looking for the logic that progressed "ICO did fsck all to Experian for being shits" to "Experian vows revenge on ICO".

  10. Guy de Loimbard
    Meh

    Credit Reference Agencies ------

    Ahh, I was waiting for the time these agencies would be dragged over the coals.

    I've had the pleasure/displeasure of actually assessing one of these companies and visiting the associated data centre.

    I was actually gobsmacked at how much processing was done, at what scale, and how you and I, as data subjects, are monetised for considerable profit, to other companies based on some spurious algorithms that produce "results" which are sold on to whomever thinks it will make their lives easier.

    As an example, someone I know, was sent a letter from out of the blue suggesting they have been claiming a particular benefit they weren't entitled to, by the council local to them. I was asked my opinion and I suggested a CRA had probably concluded this by analysis of records on given addresses. I told them the options open to them and suggested they tell the council to go poke their allegations where the sun doesn't shine.

    I would suggest processing of your data is one thing, but taking it to another level, such as the one above goes way beyond what you and I would deem to be acceptable, never mind the fact that you don't want to be used as a pawn in someone else's game of monetising data.

    Good luck to anyone who can bring these parasitical companies in line.

    It wouldn't be so bad if they didn't believe they were above the law.

  11. IGotOut Silver badge

    No problem

    We've removed the slap on the wrists, now here is a fine for 4% global turnover.

  12. Doctor Syntax Silver badge

    It's time to turn things around.

    Require all large scale brokers of PII to be licensed. Retention of the licence would require a regular audit. Fail audit, lose licence, lose business. That would give them every incentive to remain compliant.

    Yes, they can appeal against the failure of audit but the licence is suspended until the appeal is allowed. Comply or appeal? Not a tricky choice.

    The terms of the licence should include a regular statement to every data subject of each item of information held giving the subject right to challenge as to consent if required (the ICO report mentions some is public domain) and accuracy with the onus on the broker to prove their legitimacy if they refuse to amend or delete. Is it too expensive (as Experian argue)? Then obviously the business isn't financially viable so why are they running it?

    1. sbt
      Megaphone

      CRAs should only credit report.

      I'd go further. If the banks and other institutions that use CRAs are to be allowed to continue to insist on customer consent/legitimate purpose for sharing information with CRAs, then CRAs should be limited to specifically that purpose (i.e. credit reporting) and not all this secondary usage/monetisation.

  13. da39a3ee5e6b4b0d3255bfef95601890afd80709
    Megaphone

    I never provided anything to any of them ...

    Try and get a credit card without your PII in one of those three agencies in the UK. Nothing short of extortion. When they mess up, like sending your credit report by post to your address with someone else's name on the letter (looking at you Experian) the consequences to them are 0.00000000001%. To me that is a 100% impact enabling identity theft with years of rebuilding a score that they make up. They are not accountable to anyone other than the ICO. Let them be accountable.

  14. Anonymous Coward

    Instead of issuing a monetary fine

    let me guess, did they get a phone call from above, to "suggest" no punitive action is necessary? :(

  15. Anonymous Coward

    How Experian gets our data

    I recently opened a new account at a bank that I won't mention by name but rhymes with: JP MORGAN CHASE BANK

    (I've never been good at rhymes)

    I had specifically told the bank representative that I wanted a local branch that I could walk into to avoid online banking or installing apps on my devices to limit what PII is spaffed to data miners, and even mentioned to the bank employee the notices I have been sent from Experian and Equifax and others about data breaches and how I was involved in another class-action lawsuit with an unnamed bank that signed me up for different products without my permission that rhymes with: WELLS FARGO.

    The bank teller still had me create a username and password using a keypad at her desk.

    Minutes later this same teller accessed my newly created online bank account on her own computer and clicked "I Accept" to some online agreement for some credit monitoring third-party.

    I was dumbfounded and escalated my complaint to the bank branch manager that just made matters worse by telling me what an "Awesome Product" that the credit monitoring service was and assuring me that their bank representatives don't sign up their customers to extra products even though I had just witnessed the same minutes earlier.

    My email inbox is now spammed each week by this credit monitoring service along with links to download the bank's official app which was also ignored by the bank teller.

    I'm still in the process of escalating the issue to a regional manager but I really doubt anything will be done about it.

  16. sitta_europea Silver badge

    We keep getting letters from these agencies asking about employees.

    The letters contain all manner of very private details of the employees (like Attachment of Earnings Orders), and ask for yet more details.

    The only problem is these employees aren't our employees, they're people we've never heard of.

    At one time I tried getting in touch with the senders to straighten things out but it's like talking to a brick outhouse.

    Now they just go straight into the shredder.

    1. SImon Hobson Bronze badge

      Bit late replying, but they should not go in the shredder - they should go to the ICO so the ICO can deal with them ... eventually ... if they ever get around to it.

      And if there's enough information to identify the data subjects, you could drop them a line telling them what's going on so they can kick up a stink about it.
