In a recent case, Experian Limited v the ICO  UKFTT 00132 (GRC), the First-Tier Tribunal (Information Rights) provided useful judicial commentary for data controllers in relation to the appropriateness of using "legitimate interests" as a lawful basis for direct marketing purposes, what constitutes sufficient transparency of processing, and the application of Article 14 of the GDPR.
In addition to its core business function as a Credit Reference Agency ("CRA"), Experian processes the personal data of around 51 million UK data subjects to provide marketing services that it sells to third party clients. Broadly speaking, it does so by acquiring personal data from multiple sources (including its own CRA business data, third party data suppliers and open sources such as the electoral register) to combine basic identifiers (for example individuals' names and addresses) with other data categories it refers to as "attributes" and create modelled information on the demographic, social, economic and behavioural characteristics of these 51 million individuals.
Experian relied on the lawful basis of its "legitimate interests" to process the personal data for these purposes.
In 2020, the ICO issued an enforcement notice to Experian in relation to its UK direct marketing business' data processing operations, alleging a number of contraventions of the GDPR, including:
- Failures in relation to fair and transparent processing requirements, on the basis it considered it unclear that the personal data was being used for these purposes and that data subjects would find the processing "surprising" (contrary to Article 5(1)(a))
- That it did not provide a privacy information notice directly to data subjects where data had been acquired from third party suppliers (contrary to Article 14)
- That Experian processed all of the data held for direct marketing purposes on the basis of its "legitimate interests", but that the information provided to it by third party suppliers had been originally obtained by "consent". The ICO stated that switching to "legitimate interests" after the data was collected on the basis of "consent" meant the original consent was no longer specific or informed. The ICO further considered that it was unlikely that a data controller would be able to apply legitimate interests for what is regarded as "instrusive profiling for direct marketing purposes" (contrary to Article 5(1)(a) and Article 6(1)).
The ICO considered that the contraventions it had identified were significant and required enforcement action given the large number of data subjects affected by the processing and its significance in privacy terms (including elements of profiling, and the collation of a wide range of personal data from different sources). It also considered, as it is required to do so by Section 150(2) of the DPA, that for some data subjects "distress" was likely in the context, including for those who had received marketing they did not expect.
Experian averred that the ICO had applied the law incorrectly and that flawed conclusions had been reached on the facts. It also said that the ICO had attempted to apply subjective preferences as if they were legal requirements under the GDPR. The result of which being that Experian would be compelled to adopt an unworkable, purely consent based model for its marketing services and forcing it to shut down parts of its business. It stated that the criticisms of its reliance on "legitimate interests" were ill-founded and that given the consumer benefits derived from the processing activities undertaken, enforcement action was not justifiable.
The Tribunal's findings
Although the Tribunal found it difficult to determine the historic position in relation to the transparency of information provided at the time the enforcement notice had been issued, it determined that Experian's processing of CRA derived data was now sufficiently fair and transparent, and that the relevant information was prominent and accessible to any data subjects who wanted to understand how their data is processed.
The Tribunal did, however, find that a portion of the 51 million data subjects whose information had been processed by Experian had not received a privacy notice (c.5.3million individuals). The Tribunal explained that the fact that notifying 5.3 million data subjects would have involved a considerable business expense did not mean that it would be "disproportionate" for the purposes of Article 14 of the GDPR and Experian should have provided this cohort with a privacy notice.
It also found that Experian had, in the past, contravened GDPR with respect to data obtained from third party suppliers where that material was originally obtained on a "consent" basis and did not accept "legitimate interests" as a proper means by which that data could have been used by Experian for the purpose it was processed.
The Tribunal went on to explain that the ICO had not appreciated the consumer benefits derived from the processing undertaken by Experian, including that individuals would have likely not received irrelevant marketing material for products that are deemed inappropriate. With this in mind, the Tribunal found that the Commissioner had exercised their discretion wrong and should have balanced the objectives in issuing the enforcement notice against the fact that the uses to which the personal were put did not result in adverse outcomes for the data subjects.
In light of this, the Tribunal said that the ICO had "fundamentally misunderstood" the actual outcomes of Experian's processing.
The Tribunal did not consider it necessary to order Experian to now make Article 14 notifications to the cohort of c.5.3million individuals given the practical difficulties in doing so, the economic impact the expense would have on Experian when incurred at once, and the likely reaction of data subjects in receiving an 'out of the blue' notification - which it considered likely to be either "disinterest, confusion or distress", but stated that Experian should rectify this non-compliance in respect of future data collections, along with ceasing to process any data that was collected in such circumstances.
In what appears to be an attempt to limit any follow-on civil litigation as a result of the contraventions identified, the Tribunal also expressly stated that it considered it unlikely that any person had suffered damage or distress as a result of Experian's failure to provide an Article 14 notice.
This decision provides important judicial commentary for data controllers in relation to the appropriateness of using "legitimate interests" as a lawful basis for processing undertaken for direct marketing purposes, along with what constitutes sufficient transparency, and the practical application of Article 14 of the GDPR.
Whilst the Tribunal did, in general, find in Experian's favour and considered its processing activities in relation to direct marketing to now be sufficiently transparent, it nonetheless found that a residual cohort of data subjects (c.5.3million) should have been provided with an Article 14 privacy notice by Experian, and provided a clear message that businesses cannot consider it "disproportionate" to notify individuals on the basis of high business costs alone, particularly when they are benefitting commercially from the processing.
Although considered academic in the present appeal, the Tribunal also made clear that where personal data is being processed on the basis of "legitimate interests" and has originally been sourced from third parties that have obtained it on the basis of "consent" there is "significant difficulty" presented to the lawfulness of the processing because of concerns regarding the data's use following transfer and how withdrawal of consent might operate.
The Tribunal also set out that controllers can properly take into account the benefits presented to consumers from their processing activities when undertaking legitimate interests assessments to determine lawfulness and that, similarly, the ICO must consider these benefits and not just the intrusiveness and scale of processing when exercising its discretion to take enforcement proceedings.
We have no doubt that Experian and other data controllers involved in large-scale processing for direct marketing purposes will be considering the terms of this judgment carefully in relation to their data processing operations.
We understand that the ICO is also considering the implications of the judgment and whether to lodge an appeal at this time.
This article is part of Womble Bond Dickinson’s Growing Global series. For more insights, click here to visit our Growing Global hub.