
Experian Netherlands Credit Rating Agency Gets €2.7 Million GDPR Fine for Personal Data Collection

Credit rating agency Experian’s Netherlands branch has been assessed a €2.7 million (about $3.2 million) GDPR fine for improper collection of personal data, which was drawn from multiple public and private sources that data subjects were not necessarily aware of.

Experian will not appeal GDPR fine

The Dutch Data Protection Authority (AP) says that the credit rating agency collected the data in question for a large database of profiles. The scores assigned to these profiles were delivered to service providers for use in determining initial deposit amounts and interest rates. Experian drew on sources including an assortment of companies that sold their own customer information, such as phone and utility providers, as well as public sources such as the Chamber of Commerce trade register. In some cases this included information about bankruptcies, late or missing payments or debts owed.

Some of the initial complaints that prompted the investigation came from utility customers who were asked for unusually high deposits when attempting to open new accounts. The AP found that consumers were not sufficiently aware that their personal data was being collected from this array of sources for use in these decisions, and that in some cases the level of consent required by the GDPR was not met. The AP also found that the credit reporting agency could not adequately justify why collecting this full range of information was necessary for the purpose.

It was not specified exactly how many of the country’s residents were impacted by the database, but the fine decision noted that it was in use until the start of 2025 and that “a vast number of people in the Netherlands” were impacted. The regional branch of the credit rating agency shut down its operations earlier this year; it has promised to delete the collected information by the end of the year and has indicated that it will not contest the GDPR fine.

Credit rating agency has run into privacy trouble before

While Experian has since withdrawn from the Netherlands, it remains one of the world’s largest consumer credit reporting firms and part of the “big three” creditworthiness agencies that are frequently intertwined with government operations as a third-party contractor, for example handling address validity checks for an assortment of agencies in the United States.

What is less commonly known is that it is also one of the world’s largest data brokers, in addition to being a more straightforward credit rating agency. The company is also in the “consumer behavior and preferences” business, selling lists of marketing leads based on sometimes highly detailed profiles of inferred interests and life events. And like its contemporaries, it has typically been cagey about disclosing the full range of sources for all of this data. Third-party research, often made possible only by national or state privacy laws, has uncovered only parts of how these profiles are assembled. One source is shopping records, with both online and brick-and-mortar retailers profiting from customer records and “loyalty programs” by selling that data to these types of brokers. Brokers also comb public government records for information, buy data from social media companies, and obtain information from both public and private utility companies.

The company also has a string of prior data breaches and privacy incidents dating back to at least 2013, when a Vietnamese national was indicted for selling detailed and sensitive personal information on hundreds of thousands of Americans that had been obtained from Experian’s files. The information was initially alleged to have been purchased from an Experian subsidiary called Court Ventures, before the accused stated under oath that it had instead been purchased from Russian hackers via underground information trading forums.

The credit rating agency experienced another data breach in 2015, this one involving 15 million records largely tied to people who had credit checks for T-Mobile service performed by the company. A 2020 incident at the regional South African branch saw another 24 million personal records leaked, along with information on about 800,000 businesses. A further regional leak in Brazil in 2021 exposed the data of 220 million of that country’s citizens, including highly sensitive identity and income tax information. And in 2022 it was found that the company’s website allowed an attacker to bypass part of the identity authentication process simply by changing a small string of characters, landing directly on someone else’s credit report. The credit reporting agency received a prior GDPR fine in Germany in 2022 in connection with this incident.

Dr. Kolochenko, CEO at ImmuniWeb, notes that the full scope of damage in this story may go beyond the elements the GDPR fine was issued for: “While the total number of affected EU residents, whose personal data was processed by Experian, remains unknown in this specific incident, we are likely talking about many millions. In the UK alone, where Experian faced similar troubles with the UK ICO in the previous years, it was reported that the credit score giant collected information about as many as 51 million British residents. Therefore, in this case, one may easily estimate the number of EU residents whose personal data was used without notice or consent. Worse, practically speaking, the personal data in question is highly sensitive, even if not expressly labeled as such by the black ink of GDPR, and its misuse or disclosure can cause long-lasting and material damage to affected persons. In view of the long duration of such processing and taking into consideration the substantial financial harm suffered by individuals by unlawful processing activities, the Dutch DPA’s fine seems to be surprisingly mild and lenient. Having said this, the story is unlikely to end here. The European Court of Justice has recently affirmed that individuals may sue for non-material damage when their GDPR rights are infringed, significantly expanding litigation opportunities for many plaintiffs whose damage is not quantifiable in simple numbers. In this incident, we will probably see numerous private lawsuits for both material and non-material damages. Lastly, in some countries, legal insurance companies offer generous coverage of legal expenses in GDPR-related disputes. There, we may witness an avalanche of lawsuits against Experian.”