'I want to be forgotten!'
Jinfo Blog

By Tim Buckley Owen

Item

Credit reference agency Experian has announced that it is now including residential rental payment data in its United States credit reports.  As yet another facet of personal information becomes available to business, authorities in the United Kingdom and the European Union are currently taking a careful look at data protection issues.

In incorporating positive rental data from its own RentBureau division into the traditional credit file, Experian has the estimated 50 million 'underbanked' US consumers in its sights – including college students, recent graduates and immigrants, who it says will now be able to build credit with continuous on-time rental payments.   Leaving aside the fact that it was overtures to the 'undermortgaged' that triggered the current financial crisis, this is Experian's second personal information initiative in a few days, following its acquisition of an interest in social networking marketing specialist Techlightenment.

Business is scarcely likely to voluntarily restrain its exploitation of the information that individuals either choose or are required to reveal about themselves.  So it's perhaps not surprising that the issue remains of great interest to regulators.

In the UK, the personal privacy watchdog the Information Commissioner's Office has begun the new year by urging consumers to take control of the information that credit agencies hold about them.  It's relaunched its 2009 booklet Credit Explained and points out that almost a third of the data protection complaints it received in 2010/11 were about lenders.

Meanwhile the European Union has just published an Opinion on which country's data protection law should apply when.  Highlighting possible ambiguities in the wording of the EU's Data Protection Directive, the Article 29 Working Party, which is made up of the data protection authorities of the EU's 27 member states, is particularly concerned about the Cloud.

'Cloud computing makes it difficult to determine the location of personal data and of the equipment being used at any given time,' the Opinion states (alternatively see a handy résumé from Out-Law).  So the law that should apply should not simply be the one where the controller is based, but the one where the activities themselves take place – and it's not even necessary for the controller to own or fully control the equipment involved for the processing to fall within the scope of the Directive.

It's just one facet of a comprehensive approach to personal data launched by the European Commission last November introducing the concept of the 'right to be forgotten' (alternatively see a FreePint DocuBase summary).   As citizens we should be pleased; as information professionals we need to be on the look-out for all sorts of new compliance issues ahead.

« Blog