13 November 2020

Data Blast: ICO issues warning to data broking industry and much more…

See below for the latest Data Blast from our legal team: ICO issues warning to data broking industry; Lawsuit claims Uber drivers being ‘fired by algorithm’; Marriot receives £18M fine for data security failings; Green light for Judicial Review to stop Facebook Ireland data transfers to the US

ICO concludes investigation of data brokers, takes enforcement action against Experian

On 20th October, the UK Information Commissioner’s Office (ICO) published an enforcement notice against Experian Limited, a credit rating agency and data broker, as a result of a two-year investigation into the use of personal data associated with its data broking. The investigation also examined the data broking practices of two other credit rating agencies, Equifax and TransUnion.

Instead of issuing a monetary fine at this stage, the notice requires Experian to change its offline direct marketing practices, including updating its privacy policies and informing consumers that it acquired their personal data.

The two-year investigation concluded that all three companies used personal data to assist charities and companies in identifying new customers and building profiles for individuals, without the knowledge of millions of data subjects.

The ICO concluded that ‘significant “invisible” processing took place, likely affecting millions of adults in the UK. It is “invisible” because the individual is not aware that the organization is collecting and using their personal data. This is against data protection law.’

The ICO held that Experian’s processing infringed the GDPR data protection principles of transparency and lawfulness, as well as data subjects’ rights. The investigation found several other contraventions of data protection law by the three organizations, including further use of personal data provided for credit referencing purposes, use of profiling to generate new information about data subjects, and incorrect use of lawful bases for processing.

All three companies altered their marketing practices at the ICO’s request, and Equifax and TransUnion ceased offering certain products and services, as requested by the ICO. However, the ICO found that Experian failed to make all of the changes requested, and that this amounted to a serious contravention of data protection law because:

a) The processing was invisible;
b) It involved profiling and collating personal data from several sources;
c) A very large number of data subjects were affected; and
d) There was no public interest in the processing.

The enforcement notice requires Experian to inform data subjects that it holds their personal data and how it uses the data for direct marketing purposes (by July 2021) and to cease using personal data obtained through its credit referencing business for direct marketing (by January 2021), as users have no say in whether such data is shared with Experian. Failing this, Experian may be subject to the fines available under the GDPR and Data Protection Act 2018, which can reach the heights of £17 million or 4% of annual global turnover.

The ICO investigation was triggered by privacy advocacy group Privacy International, which issued the following statement: ‘Data brokers are key actors in the hidden data ecosystem. The data they collect and later sell can be used for a range of different purposes, from commercial advertising to political campaigning, and in some worrying instances, law enforcement.’

Lawsuit claims that Uber drivers are ‘fired by algorithm’

In a lawsuit filed in Amsterdam on 26th October, four Uber drivers claim that Uber used its algorithm to dismiss them unfairly, and without a right of appeal.

The British and Portuguese drivers claim that alleged automated firing is not lawful under the GDPR, and that human intervention is required before such a decision is made. Under Art. 22 of the GDPR, individuals are protected from automated decision making with no human intervention which produces a legal or similarly significant effect. Uber denies the allegations, claiming human intervention did occur prior to the drivers’ accounts being deactivated, and is used in all such situations.

The drivers allege that they were banned from the platform after an Uber algorithm determined that they were guilty of ‘fraudulent activities.’ The drivers deny committing fraud and allege that Uber has defined the term too vaguely, stating that drivers may be accused of ‘fraud’ if they refuse a ride request or log out at strategic times to wait for higher prices.

According to the App Drivers and Couriers Union (ADCU) there have been over 1,000 cases of drivers being dismissed from Uber without appeal.

This is the second lawsuit relating to data protection brought against Uber in Amsterdam courts this year. In July, two British drivers brought a claim against the company for a lack of transparency in its algorithms (we previously covered that lawsuit here).

ICO fines Marriott £18million for data breach

On 30th October, the ICO announced that it had fined Marriott International Inc. for GDPR violations by failing to secure the personal data of roughly 339 million guests.

The fine is the second largest issued by the ICO to date and was imposed as a result of a data breach which took place between 2016 and 2018 (previously covered here). However, the fine is a considerable decrease from the fine of £99 million initially proposed by the ICO in July 2019. Marriott has not admitted liability for the breach, but it has indicated that it does not plan to pursue an appeal.

The breach stemmed from a 2014 cyberattack on Starwood Hotels and Resorts Worldwide (acquired by Marriott in 2016). The attacker was able to gain unrestricted access to the Starwood network, and quietly exfiltrated data over a 4-year timeframe. The compromised data included names, email addresses, phone numbers, passport numbers, dates of stay and loyalty program information. The attack was finally discovered in September 2018, when the attacker attempted to access payment card data, and Marriott notified the ICO and affected guests in November 2018, once it became fully aware of the nature of the breach.

The ICO investigation found that Marriott had failed to put in place appropriate technical measures to secure guest data, as required by Art. 5(1)(f) and 32 of the GDPR. The ICO also concluded that there were multiple measures Marriott could have taken to detect the attack earlier, that an extremely large number of individuals were affected, and that those individuals were caused considerable distress.

In settling on the reduced fine, the ICO considered the steps Marriott took to mitigate the impact of the breach on affected guests, the representation it made, and the economic impact of the Covid-19 pandemic. The ICO acknowledged that Marriott promptly attempted to mitigate the risks of damage to customers upon discovery of the breach, had acted promptly in contacting customers and the ICO, and has since improved its IT security systems. The ICO also took into consideration the fact that Marriott fully cooperated with its investigation, and took steps to assist affected data subjects.

Irish High Court allows Judicial Review to stop Facebook EU-US data transfers

On 13th October, the Irish High Court granted leave for a judicial review (JR), brought by Max Schrems’ ‘NYOB’ advocacy group, against the Irish Data Protection Commission (DPC).

The JR seeks the rapid implementation of the July decision of the Court of Justice of the European Union (CJEU) in Schrems 2, and to prohibit Facebook’s EU-US data transfers. Mr. Schrems initially filed a complaint with the DPC against Facebook Europe in 2013, for illegally sharing data with its parent company in California, due to the existence of US law allowing for extrajudicial government access to personal data held by US companies. Despite the complaint being referred to the CJEU, leading to the invalidation of both the EU-US Safe Harbour (in 2015) and the EU-US Privacy Shield (in September 2020), the DPC last month refused to make a final decision, instead suspending the complaints procedure indefinitely.

While the DPC initiated a second investigation into the original complaint’s subject matter, it provided no basis for doing so, and was immediately blocked by a JR brought by Facebook. Effectively, NYOB’s JR is in response to Facebook’s own claims.

Further complicating the situation, documents have emerged suggesting that Facebook relied on other legal bases than Privacy Shield and Standard Contractual Clauses (SCCs) to transfer data from the EU to the US, and that the DPC was informed of these alternative legal bases in 2016. Mr. Schrems has issued a statement regarding the documents, stating that ‘the documents… suggest that seven years of procedures and both references to the [CJEU] were largely irrelevant for the case before the DPC…We are therefore asking the High Court to clarify that all documents must be put on the table.’

It is expected the hearing will take place by early next year.

For more information please contact Partner, James Tumbridge at