Experian tried to cover up privacy fine by Dutch DPA
Last year, the Dutch data protection authority (DPA) imposed a fine and sanctions on Experian for reselling personal data of Dutch households. The Irish data broker tried to keep the fine a secret, because the company feared it would harm its reputation.
Dutch newspaper Het Financieele Dagblad found out about the fine anyway, because it came across an anonymized verdict from the court of justice in The Hague.
Experian is a global data analytics company that collects, stores and offers personal data on more than 1 billion people and businesses worldwide, including Dutch households. It sells this information to third party companies. In addition, Experian keeps track of consumers’ credit history to protect them from financial fraud and identity theft.
The Dutch DPA claims that Experian’s credit reference business in the Netherlands cannot process credit reference data based on ‘legitimate interest’ as a legal basis and is not sufficiently transparent according to the General Data Protection Regulation (GDPR). That’s why the privacy supervisor imposed a fine and sanctions on Experian in December 2023.
Experian however argued that the Dutch DPA’s position is contrary to established regulatory positions, which recognize that legitimate interest can be a proper legal basis to process credit reference data in order to maintain a fair and efficient lending process
“Based on external legal opinions, relevant precedents, and the facts of the underlying matter, we believe the AP’s position is legally wrong, we will contest the matter and we do not believe it will have a materially adverse effect on the Group’s financial position,” Experian says in its annual report regarding the Dutch DPA’s claim.
To prevent the amount of the fine and sanctions from going public, Experian filed a lawsuit. The data broker argued that this information would do irrefutable damage to the company’s image, causing customers to leave.
The judge ruled in favor of Experian and ordered the Dutch DPA to seal details regarding the amount of the fine and penalties.
There’s been much discussion among European DPA’s whether ‘legitimate interest’ could serve as a legal basis to process personal data. In other words: is collecting and selling personal data for profit legally justified according to the GDPR?
For years, the Dutch DPA argued that a commercial interest could never be legally justified as a legitimate interest. According to experts, the Dutch supervisor handled a too strict and narrow interpretation of the GDPR. This was recently validated by the European Court of Justice (CJEU), which claimed that commercial interest can indeed be interpreted as a legitimate interest.
Therefore, the Dutch AP can’t state in general terms that a commercial interest can never be a legitimate interest, but must consider all the facts on a case-by-case basis.
Your email address will not be published. Required fields are marked