Are you Experian-ced? ICO criticised by Tribunal as it overturns Experian enforcement notice
In February this year, the First-tier Tribunal (Information Rights) (FTT) handed down its decision in the case of Experian Limited v The Information Commissioner. The FTT largely found in Experian’s favour when considering its appeal against the Information Commissioner’s Office (ICO) Enforcement Notice concerning the use of personal data by Experian’s lesser-known marketing business.
The FTT’s decision has some potentially wide-reaching consequences as it provides two important "wins" for data controllers: it confirms that (i) legitimate interests can be used for processing personal data for direct marketing purposes, potentially even on a very large scale, and (ii) indirect notification of a data controller’s processing / provision of privacy notices via third parties can be sufficient to meet the UK GDPR’s "transparency" requirements.
Background
Experian is well known for its credit reference agency business which holds and processes personal data relating to over 51 million people in the UK (effectively the whole adult population in Britain). What is less well known is that Experian also operates a direct marketing business which provides marketing services to third-party clients. This marketing business also processes the personal data of around 51 million people in the UK which it collects from a variety of sources, including the electoral register, its own credit reference agency, and from data suppliers that had acquired personal data through their own interactions with individuals.
In October 2022, following a two-year long investigation, the ICO issued Experian with an Enforcement Notice in relation to this direct marketing business. The Enforcement Notice was made under the Data Protection Act and concerned the processing of personal data (rather than the sending of direct marketing communications under the Privacy and Electronic Communications Regulations). The ICO found that: (i) Experian’s processing was not sufficiently transparent, (ii) individuals were not appropriately notified of the data collection and processing, (iii) there had been "invisible processing" in relation to the data collected from publicly available sources, and (iv) there had been unlawful processing as Experian should not be able to rely on legitimate interests for its processing of personal data for direct marketing purposes, since this included intrusive profiling of data subjects.
Unsurprisingly, Experian appealed the decision and argued that the law had been applied incorrectly and / or that the ICO had come to flawed conclusions on the facts. Experian also argued that the Enforcement Notice was disproportionate and unfair given that the remedial actions it required would make it untenable to continue with Experian’s direct marketing services business.
What were the FTT’s key findings?
The FTT largely upheld Experian’s appeal. In doing so, the FTT found as follows:
- Legitimate interests is a valid lawful basis: Of particular interest to data protection lawyers was the FTT’s confirmation that legitimate interests can be a lawful basis for processing personal data for direct marketing purposes, even on a very large scale. Under the UK GDPR, a data controller may process personal data where that processing is necessary for the purposes of the controller’s legitimate interests, provided that those interests are not overridden by the fundamental rights and interests of the data subjects. This test therefore involves a balancing of the controller’s (commercial, and other) interests against the privacy rights and (other) interests of the individuals whose data are processed.
The FTT found that the ICO failed to recognise the benefits of Experian’s processing for Experian, its clients and indeed for the data subjects themselves, and that this should have formed part of the balancing exercise used to determine whether Experian could rely on legitimate interests for these marketing related data processing activities. The FTT even accepted Experian’s submission that the "worst case scenario" for (most) individuals as a result of their personal data being used in this way was for the individual to receive a marketing leaflet which might align to their interests rather than being irrelevant. Interestingly, the FTT criticised the ICO for appearing to assume that receiving marketing communications is always likely to cause distress or annoyance instead of recognising that disinterest, mild confusion and simply putting the marketing leaflet in the bin are equal, if not more likely, outcomes.
One important caveat is that the FTT did acknowledge that Experian had historically breached the UK GDPR when it relied on legitimate interests as the lawful basis for processing personal data which was originally acquired by third-party suppliers on the basis of the data subjects’ consent. The FTT found that “there is a significant difficulty in moving data acquired on a consent basis [to] that data being used by Experian on the grounds of legitimate interests.” However, since Experian no longer has any suppliers which collect personal data on the basis of individuals’ consent, the FTT did not comment further or take any action in relation to this historical and technical breach.
- Privacy notices provide sufficient transparency: The FTT found that the privacy notices provided to consumers via Experian’s Consumer Information Portal (CIP), the website maintained by Experian to provide transparency information to data subjects, were sufficiently clear, accessible and adequately displayed such that Experian had satisfied the UK GDPR’s transparency requirements. Somewhat uncomfortably for the ICO, the FTT also noted that the ICO were unable to provide sufficient evidence of the CIP’s alleged deficiencies at the time of issuing the Enforcement Notice.
- Indirect transparency via third parties: The FTT confirmed that indirect notification of a data controller’s processing through third parties can be sufficient to meet the UK GDPR’s transparency requirements. It found that sufficient information had been provided to data subjects when third parties provided them with their own privacy notice that linked through to Experian’s CIP. As noted above, the information available on the CIP (ie Experian’s privacy notices) satisfied the transparency requirements under UK GDPR. There was therefore no need for Experian to contact these data subjects directly since it could rely on third parties communicating transparency information on Experian’s behalf.
- The ICO’s understanding of the processing: The FTT criticised the ICO’s understanding of Experian’s marketing business and the extent of its data processing. It disagreed that the processing was "intrusive" and noted that the ICO “fundamentally misunderstood the actual outcomes of Experian’s processing”. This is particularly striking given that the ICO had conducted such a lengthy investigation into Experian’s direct marketing activities.
- Obtaining personal data from publicly available sources: However, it was not all good news for Experian. The FTT found that approximately 5.3 million people whose data was obtained from "open" sources, such as the Open Electoral Register and Companies House, had not received a privacy notice, and so the processing of their data was not transparent, fair or lawful as required by the UK GDPR. The FTT considered that the expense of providing privacy notices to these individuals would not result in disproportionate effort for the purposes of Article 14(5) UK GDPR, which means that Experian was not exempt from providing notice of its processing to these individuals. In summing up, the FTT said on this: “if the costs of compliance were higher than Experian considered acceptable, then Experian was free to take a business decision not to undertake the processing.”
However, despite making this finding, the FTT did acknowledge that the 5.3 million individuals who had not been shown Experian’s privacy notices were unlikely to have suffered any damage or distress as a result of this breach, and that a blanket notification to these consumers at the point of the appeal would likely be met with disinterest, possible confusion or (in limited cases) distress. As such, the FTT found that it would be disproportionate to order Experian to notify this residual cohort of its processing now, but that it expects Experian to do so in relation to any processing of personal data obtained from publicly available sources in the future.
What does this mean for data controllers?
In our view, the FTT’s decision includes two messages of comfort and two warnings for businesses and other organisations who may be collecting, storing and using personal data for marketing purposes in ways that are similar to Experian’s marketing business.
Comfort: First, the FTT’s decision confirms that legitimate interests is a valid lawful basis for direct marketing related processing, even on a very large scale involving many data subjects, which will no doubt be good news to many businesses. When conducting a "legitimate interests assessment", a potentially huge volume of data, and indeed data collection from multiple sources including publicly available records, can be "balanced out" by the benefits of the processing to the controller, to the consumers, and indeed to third parties, which the ICO failed to consider in this case. This indicates that organisations do have a broad discretion when weighing up individual privacy rights against their own marketing interests.
Warning: The rules concerning the sending of direct marketing messages by email and other electronic means under the Privacy and Electronic Communications Regulations remain strict (and strictly enforced by the ICO) so a reliance on legitimate interests for direct marketing only supports the processing of personal information and not the sending of electronic communications, which must be considered separately (and often must rely on the recipient’s specific consent).
Comfort: The FTT confirms that an organisation can rely on third parties to notify individuals of its data processing, provided that the privacy notice information being passed on via those third parties is clear, accessible and compliant.
Warning: Data subjects must still be notified that their data is being used for marketing purposes even if their personal data is acquired through publicly available sources, and the Article 14(5) UK GDPR exemption for providing a privacy notice to data subjects will be construed narrowly, since the threshold for what amounts to a "disproportionate effort" is high. This is a challenge for organisations that obtain personal data for direct marketing purposes from Companies House, the electoral roll, and other publicly available sources.
Summary
In conclusion, the FTT’s decision adopts a common sense, pragmatic approach to data protection compliance, and will be seen largely as a "win" for businesses and other organisations which carry out direct marketing (especially on a large scale). However, the story is not yet over, as the ICO has since confirmed that it will appeal the FTT’s decision. We will of course watch out for the next appeal decision and provide our analysis of it in due course.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, May 2023