Experian’s appeal of ICO enforcement notice largely successful

Why is Experian’s appeal of interest?

What’s striking about the Tribunal’s decision is that the evidence given by one of the ICO’s key witnesses was found to be significantly flawed. The effect was that there was little or no evidence to support some of the positions taken in the enforcement notice, which contained various factual errors. In exercising her discretion, the Information Commissioner got the balance wrong in terms of proportionality because she fundamentally misunderstood the actual outcomes of Experian’s processing.

The decision confirms that the legitimate interests basis can be used for processing personal data for direct marketing purposes; and that notification to data subjects through third parties can be sufficient to meet the GDPR’s transparency requirements.

While the decision will be welcomed, the ICO is applying for permission to appeal and so this may not be the end of the story.

What’s the background to Experian’s appeal?

In July 2018 the ICO launched an investigation into data protection compliance in the data broking sector, where companies collect personal data from various sources, then combine it and sell/license it to others. The investigation focused on the provision of offline direct marketing services; by companies including the major credit reference agencies Equifax, Experian and TransUnion.

A business unit within Experian processes the data of around 51 million UK residents using data analytics to provide marketing services which it sells to third-party clients. Experian is a data controller for these purposes.

According to the ICO’s October 2020 report, significant data protection failures were found at each company. The key concerns centred on: the transparency of the processing; Article 14 of the GDPR and invisible processing; using credit reference data for limited direct marketing purposes and appropriate lawful bases for processing.

Article 14 of the GDPR is a key transparency requirement. It outlines the privacy notice information that the data controller must provide to the data subject where their personal data has been acquired from another source.

Reasons behind Experian’s appeal

The ICO issued Experian with an enforcement notice which required it, among other things, to make changes to how its privacy information was worded, presented and communicated. That included providing all data subjects with an Article 14 compliant privacy notice and to stop processing the personal data of any data subject who hadn’t been sent one.

The company was also required to stop using CRA-derived data for any direct marketing purposes except as requested by data subjects and to stop processing any personal data where the objective legitimate interest assessment could not be said to favour the interests of Experian, having particular regard to the transparency of the processing and the intrusive nature of profiling.

Experian’s appeal argued that the law had been applied incorrectly and/or that flawed conclusions had been reached on the facts and that the notice’s requirements were disproportionate and unfair and it should be set aside. Experian said it would be compelled as a result to adopt an unworkable, purely consent based, model for offline direct marketing services. If complied with, it would force the company to shut down that part of its business.

The ICO’s case was that Experian’s processing will be surprising to the individuals whose personal data is processed; the processing is intrusive; and the assessments undertaken in balancing Experian’s legitimate interests are flawed.

What was the outcome of Experian’s appeal?

The Tribunal’s substituted notice is much narrower in scope than the ICO’s. It focuses on the requirement for Experian to implement a system so that it can provide all data subjects whose personal data is obtained from one of three named open sources with a privacy notice; whether that’s directly or through the notifications given by those open sources. There are some exceptions to this, for example where Experian obtains the data from its CRA business, consumer services business or third-party commercial suppliers.

Here are the Tribunal’s key findings:

• The Information Commissioner should have balanced the objectives in issuing the enforcement notice against (a) the fact that the uses to which the personal data was put didn’t result in adverse outcomes for the data subjects; (b) the economic impact that the expense would have on Experian when incurred at once rather than over months or years; and (c) the likely reaction of the data subjects to receiving an ‘out of the blue’ notification now, which was likely to be either disinterest (resulting, for example, in the data subject just putting it in the bin) or possibly some confusion or even distress.

• The processing of CRA-derived data is sufficiently transparent. The great majority of lenders make the CRAIN (Credit Reference Agency Information Notice) available to individuals by providing them with a link from their own privacy notice. The CRAIN provides the data subject with an understanding of Experian’s business and links to further material. The data subject follows the link to the CRAIN, and from there to Experian’s Consumer Information Portal. The hyperlinks and websites are easy to follow.

• Experian’s Consumer Information Portal is adequately clear. The Tribunal accepted that the scale of the processing undertaken is very large and that’s something which would be surprising to data subjects; as would the uses to which that data is put. Despite this, the Tribunal found that the relevant information is sufficiently prominently displayed and accessible to data subjects who want to understand how their data will be processed. It’s interesting to note the comment that “common sense would tend to suggest that it’s only those who are actually interested in what happens to their data who would read beyond the first part of a privacy notice”.

• The legitimate interests basis can be used for processing personal data for direct marketing purposes (but not where the data was originally acquired by third-party suppliers on a consent basis). In this case, the Tribunal noted some of the benefits of the processing for data subjects, a factor that didn’t appear to have been taken into account in the enforcement notice. For example, Experian’s credit pre-screening product is useful because it removes people from marketing lists for credit products in circumstances where they would likely be declined.

• In addition, it was accepted that Experian’s clients are not trying to target particular individuals but merely to have a list of those who are more likely to respond to the offer they intend to send; the chances of direct mail marketing being effective are higher by sending mail to a list of individuals who may have particular characteristics, which is better than sending them at random.

• The Tribunal accepted Experian’s evidence that disclosure of data by Experian to a client is considered on a case-by-case basis subject to controls including whether it’s to be used for a permitted purpose as agreed in the contract.

• The Information Commissioner didn’t properly appreciate the limited extent to which CRA-derived data was used.

• The worst outcome of Experian’s processing in terms of what happens to the data at the end of the process is that an individual is likely to get a marketing leaflet which might align to their interests rather than be irrelevant. While this doesn’t mean there has been compliance, following Lloyd v Google [1] it’s unlikely a data subject would succeed in a damages claim in this scenario.

• Around 5.3 million data subjects didn’t receive a privacy notice and so Experian was in breach of the GDPR because the processing wasn’t transparent, fair or lawful. But the Tribunal said it would be disproportionate to order notification to that group now. The Tribunal was satisfied that it’s unlikely any person has suffered damage or distress as a result of the failure to provide an Article 14 notice.

• In relation to that finding of breach, the Tribunal disagreed with Experian’s attempt to rely on the ‘disproportionate effort’ exception in Article 14. That provision is construed narrowly. The fact that notifying the 5.3 million data subjects would involve a considerable business expense didn’t mean it would be a disproportionate effort. It was a business expense that should have been incurred over time as a matter of routine compliance. If the compliance costs were higher than Experian considered acceptable, then it was free to take a business decision not to undertake the processing.

How we can help

Our Regulatory & Compliance specialists, together with our Technology & Digital colleagues, have a great deal of experience advising businesses on all aspects of data protection compliance. Please contact Jeanette if you have any queries about Experian’s appeal, or need advice or assistance in relation to direct marketing and data processing, or with data protection compliance generally.

[1] See our earlier briefing on this case