Experian's win against the ICO in Upper Tribunal

On 23 April 2024, in another setback for the enforcement efforts of the UK Information Commissioner’s Office ("ICO"), the Upper Tribunal ("Tribunal") agreed with the First-tier Tribunal's ("FTT") decision last year in favour of Experian Limited ("Experian"), dismissing the appeal brought by the ICO. This decision reinforces the lawfulness of the marketing activities in question.

Background to the case

The ICO issued an enforcement notice ("EN") to Experian, a credit reference agency, in October 2020 following a two-year investigation. The EN stated the ICO's view that Experian's offline direct marketing business line had unlawfully acquired personal data of around 51 million UK adults from a variety of sources and sold them to other organisations for marketing purposes without consent. The ICO explained in its EN that Experian had failed to provide an adequate privacy notice to data subjects and had erred in relying on legitimate interests where Experian was carrying out processing that would be "surprising" or "invisible" to the data subjects, namely data broking. The ICO imposed various requirements on Experian to make certain changes to its privacy notice and processing of personal data within nine months. To read more about this ICO enforcement action, read our reporting here.

Experian appealed to the FTT, which ruled in Experian's favour on 20 February 2023. While acknowledging that Experian had failed to lawfully process personal data of over five million individuals obtained from public sources for direct marketing purposes, the FTT struck out the EN and rejected several of the ICO's assertions, including concerns about the transparency of Experian's privacy notice and the fairness of using credit reference data for marketing. In summary, the FTT confirmed that legitimate interests can be relied upon for direct marketing activities and that Experian's privacy notice was at that time "sufficiently prominently displayed". Nevertheless, the FTT ordered Experian to provide privacy notices within 12 months to the 5.3 million data subjects whose data was obtained from certain open sources. To read more about the FTT's ruling, read our previous reporting here.

The ICO's appeal to the Tribunal primarily centred on transparency principles under Article 5(1)(a) and Article 14 of the UK General Data Protection Regulation ("UK GDPR"). The ICO argued that the FTT had misinterpreted how these principles should be applied to Experian's compliance with UK GDPR obligations to inform data subjects adequately and ensure easy access to information about data processing. However, the Tribunal rejected the ICO's arguments, finding no errors of law in the FTT's decision and dismissing all five grounds raised by the ICO.

Key findings

Key findings from the Tribunal's decision are as follows:

  • Experian's privacy notices, accessible through Experian's portal with a layered approach, were considered clear and accessible, especially given the extensive nature of information that Experian must provide to data subjects in relation to its wide-ranging processing activities;
  • The fact that notifying a large number of data subjects (i.e. 5.3 million) would entail a considerable business expense does not necessarily make it a disproportionate effort, which would exempt controllers from providing a privacy notice under the UK GDPR; and
  • Legitimate interests can serve as a valid legal basis for processing modelled data in marketing and profiling contexts, even if Experian's processing might be "surprising" to some data subjects.

Implications of this case

The Tribunal's decision has implications for both the marketing sector and organisations engaged in data broking. This decision is also significant as it addresses the transparency principle under the UK GDPR, an issue that has rarely been closely examined by courts or tribunals.

Key implications are as follows:

  • Firstly, it highlights the need for clear and detailed privacy information to be provided to individuals whose personal data is being processed, even when the data is sourced from publicly available records such as the open electoral register or Companies House;
  • Secondly, the "disproportionate effort" exemption under Article 14 is a narrow one and relying on it to be exempt from the requirement to provide privacy notices may not always be successful;
  • Thirdly, this decision confirms that legitimate interests can be an appropriate lawful basis for certain direct marketing-related activities; and
  • Lastly, if personal data obtained from third-party suppliers was originally obtained based on consent, it must continue to be processed on the same legal basis, meaning organisations cannot "switch" their legal basis from consent to legitimate interests or any other basis.

In summary, the assessment of whether personal data can be processed for purposes of direct marketing requires a careful balance of these principles, a task that can often be complex and context-specific. To read more about what organisations can practically implement with regard to these requirements, please read our detailed insights on the Experian EN here.

The Tribunal's ruling is another setback for the ICO's enforcement efforts, following the FTT's ruling last year that the ICO had no jurisdiction over Clearview, which you can read here. While the ICO has welcomed the clarity provided by the Tribunal, it has also confirmed that it is carefully considering the judgment to decide whether to appeal the Tribunal's decision to the Court of Appeal.