Case Update: Tribunal Rules Largely in Favour of Experian in Appeal Against Information Commissioner’s Office Data Protection Action
Friday 31st March 2023
On 20 February 2023 the First-Tier Tribunal General Regulatory Chamber (Information Rights) found largely in favour of credit reference agency Experian in its appeal against an enforcement notice issued by the Information Commissioner’s Office (ICO) back in 2020 with respect to its direct marketing practices.
What is the background to the appeal?
Experian processes the personal data of approximately 51 million UK individuals (‘data subjects’) to provide marketing services, which it then sells to third party clients, alongside its primary business function as a credit reference agency. It acquires personal information from multiple sources including its own credit reference agency data, third party data suppliers and open sources like the electoral register.
Following an investigation, the ICO issued Experian with an enforcement notice in response to its alleged contraventions of the UK GDPR. The ICO found that the processing carried out by Experian would be surprising to the people whose personal data was being processed and that it was unclear to individuals that their personal data was being used in this way. This contravened the fair and transparent processing requirements in Article 5 UK GDPR.
Contrary to Article 14, the ICO found that Experian did not provide a privacy information notice directly to people whose data had been acquired from third parties. The ICO also found that the assessments undertaken in balancing Experian’s legitimate interests were flawed. Because of this, the lawful basis of ‘legitimate interests’ could not be relied on to process data which was originally collected on the basis of consent.
What were the Tribunal’s findings?
The Tribunal struggled to ascertain the historical position regarding the transparency of information provided when the enforcement notice had been issued. However, it concluded that Experian’s processing of its credit reference agency data was now adequately fair and transparent, and that the necessary information was prominent and available to people who wanted to understand how their data is processed.
However, the Tribunal found that roughly 5.3 million of the 51 million data subjects whose data had been processed by Experian had not received a privacy notice. Experian stated that giving notice to the estimated 5.3 million data subjects would require disproportionate effort, invoking the exemption afforded by Article 14(5) of the UK GDPR.
The Tribunal rejected Experian’s argument, accepting that while contacting 5.3 million data subjects would incur considerable business expense, it would not involve disproportionate effort. The Tribunal did however decide that Experian didn’t need to make the notifications to those 5.3 million people with respect to historic non-compliance, and instead should:
- correct the non-compliance for future data collections; and
- stop processing any data that was collected under those non-compliant circumstances.
The Tribunal also found that legitimate interests could be used for direct marketing purposes but not in circumstances where the data was originally processed with the lawful basis being consent. Experian had therefore breached the UK GDPR in this regard, but since Experian no longer obtains data in this manner it was treated as an academic point.
The Tribunal explained that the ICO failed to recognise the consumer benefits of the processing carried out by Experian. This includes the fact that individuals are unlikely to receive irrelevant marketing materials for products that are considered inappropriate.
The Tribunal accepted Experian’s submission that the “worst outcome of Experian’s processing in terms of what happens to the data at the end of the process is that an individual is likely to get a marketing leaflet which might align to their interests rather than be irrelevant.”
The Tribunal determined that the “Information Commissioner should have exercised her discretion differently in that she should have balanced the objectives in issuing the enforcement notice against (a) the fact that the uses to which the personal data were put did not result in adverse outcomes for the data subjects, (b) the economic impact that the expense would have on Experian when incurred at once rather than over months or years, and (c) the likely reaction of the data subjects to receiving an ‘out of the blue’ notification, which reaction we find was likely to be either disinterest resulting, for example in the data subject just putting it in the bin or possibly some confusion or even distress.”
Implications for businesses
Whilst Experian (and other data controllers seeking to rely on legitimate interests to market directly to consumers) are no doubt pleased with this outcome, the ICO has responded that it will take stock of the judgment and carefully consider its next steps, including whether to appeal, so this may not be the end of the story.
In any case, the decision highlights that the benefits to individuals from an organisation’s data processing can be included in any legitimate interests assessment to justify the relevant marketing practices.
It also provides helpful legal analysis on the application of Article 14 of the UK GDPR, particularly that organisations cannot refuse to notify individuals of their processing activities due to the cost of making such a notification being disproportionate, especially if they are profiting financially from the processing.
This, coupled with the latest draft of the UK’s Data Protection and Digital Information Bill which will eventually replace the legacy EU GDPR, suggests that we may see more flexibility with respect to direct marketing on a legitimate interests basis in the UK.